1、设置nginx access_log日志格式
# Combined-style access log; the grok pattern in the Logstash filter below is
# written against exactly this field order, so keep the two in sync.
# Note: $remote_addr is the direct TCP peer; behind a reverse proxy or load
# balancer it holds that proxy's address, not the end client's.
log_format main '$remote_addr - $remote_user [$time_local] '
                '"$request" $status $body_bytes_sent '
                '"$http_referer" "$http_user_agent"';
access_log logs/access.log main;
2、配置logstash.conf
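input {
  file {
    path => "/usr/local/nginx/logs/access.log"
    start_position => "beginning"
  }
}

filter {
  # Field layout must match the nginx log_format "main" above.
  # Request path, referrer and user agent are client-supplied strings; lines
  # that do not match the pattern are tagged _grokparsefailure and keep the
  # raw "message" field (remove_field only runs on a successful match).
  grok {
    match => {
      "message" => '%{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:http_method} %{URIPATHPARAM:request} HTTP/%{NUMBER:http_version}" %{NUMBER:response_code} %{NUMBER:bytes} (%{QS:referrer}|-) %{QS:user_agent}'
    }
    remove_field => ["message"]
  }

  geoip {
    source => "client_ip"
    target => "geoip"
    # The GeoLite2-City database is not bundled; download it from MaxMind's
    # site and point "database" at the extracted .mmdb file.
    database => "/usr/local/GeoLite2-City_20230623/GeoLite2-City.mmdb"
    # The sample output in step 3 shows the resolved coordinates under
    # [geoip][geo][location][lon]/[lat]. The original references to
    # [geoip][longitude]/[geoip][latitude] resolved to nothing, which is why
    # "coordinates" contained the literal "%{[geoip][longitude]}" text.
    add_field => ["[geoip][coordinates]", "%{[geoip][geo][location][lon]}"]
    add_field => ["[geoip][coordinates]", "%{[geoip][geo][location][lat]}"]
  }

  # Parse the nginx timestamp (with numeric zone offset) into @timestamp.
  date {
    match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
}

output {
  elasticsearch {
    # Plain "host:port" with no ssl option sends these basic-auth credentials
    # over cleartext HTTP; enable TLS (ssl => true) for a non-local cluster.
    hosts => ["10.31.233.247:9200"]
    # Avoid committing real credentials into this file: store them in the
    # Logstash keystore and reference them as "${ES_USER}" / "${ES_PASSWORD}".
    user => "*****"                  # Elasticsearch username
    password => "*****************"  # Elasticsearch password
    index => "nginx-access-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }
}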
3、效果展示(logstash后台数据)
{ "timestamp" => "02/Aug/2023:10:39:00 +0800", "bytes" => "11519", "geoip" => { "ip" => "171.93.134.249", "coordinates" => [ [0] "%{[geoip][longitude]}", [1] "%{[geoip][latitude]}" ], "geo" => { "timezone" => "Asia/Shanghai", "country_name" => "China", "city_name" => "Chengdu", "region_iso_code" => "CN-SC", "country_iso_code" => "CN", "continent_code" => "AS", "region_name" => "Sichuan", "location" => { "lat" => 30.6498, "lon" => 104.0555 } } }, "@version" => "1", "client_ip" => "171.93.134.249", "log" => { "file" => { "path" => "/usr/local/nginx/logs/access.log" } },