Collecting and analyzing Nginx logs in Logstash via rsyslog

This post shows how to ship Nginx logs straight to a Logstash server with rsyslog, without touching the Nginx configuration, and gives the concrete rsyslog configuration together with the matching Logstash configuration.


http://bbotte.blog.51cto.com/6205307/1613571 : installing and configuring logstash, elasticsearch and kibana

http://bbotte.blog.51cto.com/6205307/1614453 : that post gets rsyslog to sync the Nginx logs to Logstash by patching Nginx, but production environments differ. Below, the Nginx logs are shipped directly to the Logstash server through rsyslog with no change to Nginx, which is simpler and clearer.

Nginx server side

The Nginx configuration does not need to change. Example:

[root@db2 ~]# grep -v ^.*# /usr/local/nginx/conf/nginx.conf|sed '/^$/d'
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    log_format  main '$remote_addr - $remote_user [$time_local] "$request" '
                     '$status $body_bytes_sent "$http_referer" '
                     '"$http_user_agent" "$http_x_forwarded_for"';
    sendfile        on;
    keepalive_timeout 65;
    server {
        listen 80;
        server_name  localhost;
        index index.html;
        root /var/www;
        access_log /var/log/nginx/access.log main;
        error_log /var/log/nginx/error.log;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}

rsyslog configuration

[root@db2 ~]# grep -v ^# /etc/rsyslog.conf|sed '/^$/d'
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
$ModLoad imfile   # Load the imfile input module
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
$InputFileName /var/log/nginx/error.log
$InputFileTag kibana-nginx-errorlog:
$InputFileStateFile state-kibana-nginx-errorlog
$InputRunFileMonitor
$InputFileName /var/log/nginx/access.log
$InputFileTag kibana-nginx-accesslog:
$InputFileStateFile state-kibana-nginx-accesslog
$InputRunFileMonitor
$InputFilePollInterval 10
if $programname == 'kibana-nginx-errorlog' then @192.168.10.1:514
if $programname == 'kibana-nginx-errorlog' then ~
if $programname == 'kibana-nginx-accesslog' then @192.168.10.1:514
if $programname == 'kibana-nginx-accesslog' then ~
*.* @192.168.10.1:514

The two imfile inputs tag the Nginx files as kibana-nginx-errorlog and kibana-nginx-accesslog; each tag is matched on $programname, forwarded, and then discarded with ~ so it is not also written to the local /var/log/messages. Two caveats: a single @ forwards over UDP, in cleartext and with no delivery guarantee (@@ uses TCP, and encryption needs the gtls netstream driver), and the final *.* rule forwards every remaining local message, authpriv included, to the Logstash host. Then restart the rsyslog service:

[root@db2 ~]# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]

The Nginx logs now arrive in /var/log/messages on the Logstash server, as in the screenshot below. This assumes the Logstash host's own rsyslog listens on UDP 514 ($ModLoad imudp and $UDPServerRun 514) and writes what it receives to /var/log/messages through its *.info rule; the post does not show that side of the configuration.

logstash.conf configuration

input {
  file {
    type => "syslog"
#    path => [ "/var/log/*.log", "/var/log/messages", "/var/log/syslog" ]
    path => [ "/var/log/messages" ]
    sincedb_path => "/var/sincedb"
  }
  redis {
    host => "192.168.10.1"
    type => "redis-input"
    data_type => "list"
    key => "logstash"
  }
  syslog {
    type => "syslog"
    port => "5544"
  }
}

filter {
  grok {
    type => "syslog" match => [ "message", "%{SYSLOGBASE2}" ]
    add_tag => [ "syslog", "grokked" ]
  }
}

output {
 elasticsearch { host => "192.168.10.1" }
}

An Nginx access line as it appears in /var/log/messages on the Logstash server:

Feb 26 14:41:47 db2 kibana-nginx-accesslog: 192.168.10.50 - - [26/Feb/2015:14:41:42 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko LBBROWSER" "-"
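The grok %{SYSLOGBASE2} pattern above only takes apart the syslog header (timestamp, host, program) and leaves the whole Nginx line in the message field. The following parser, added here as an example and not code from the original post, does the same header split and then goes one step further: it breaks the `main` log_format payload into typed fields and decodes the \xHH escaping Nginx applies to attacker-controlled values such as User-Agent, Referer and X-Forwarded-For. Except for the first sample line, which is the one shown above, the sample lines are constructed for this example; the `<133>` prefix variant shows what the same message looks like when it reaches a Logstash syslog{} input over the network instead of via /var/log/messages.

```python
"""Parse the Nginx access lines that rsyslog's imfile input forwards.

Added example, not code from the original post. It does what the post's grok
%{SYSLOGBASE2} pattern does (pull out timestamp, logsource and program) and
then splits the Nginx `main` log_format payload into fields, decoding the
\\xHH escaping Nginx applies to attacker-controlled values such as the
User-Agent, Referer and X-Forwarded-For headers.
"""
import re
from datetime import datetime

# One line as rsyslog writes it to /var/log/messages with
# RSYSLOG_TraditionalFileFormat, or as it arrives over UDP with a <PRI> prefix:
#   [<133>]Feb 26 14:41:47 db2 kibana-nginx-accesslog: <payload>
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<logsource>\S+) "
    r"(?P<program>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# The `main` log_format from the post's nginx.conf:
#   $remote_addr - $remote_user [$time_local] "$request" $status
#   $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"
NGINX_MAIN_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'"(?P<http_x_forwarded_for>[^"]*)"$'
)

_ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def nginx_unescape(value):
    """Undo Nginx's default log escaping. Nginx writes '"', '\\' and bytes
    outside 0x20..0x7e as \\xHH, so a quote smuggled into a header can never
    close a field; one regex pass decodes without re-scanning its own output."""
    return _ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_syslog_line(line):
    """Return the syslog header fields (what %{SYSLOGBASE2} extracts) plus
    facility/severity when a <PRI> is present, or None if the line is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    hdr = m.groupdict()
    if hdr["pri"] is not None:
        hdr["facility"], hdr["severity"] = divmod(int(hdr["pri"]), 8)
    return hdr


def parse_nginx_main(payload):
    """Split a `main`-format access line into typed fields, or return None."""
    m = NGINX_MAIN_RE.match(payload)
    if not m:
        return None
    f = m.groupdict()
    for key in ("request", "http_referer", "http_user_agent", "http_x_forwarded_for"):
        f[key] = nginx_unescape(f[key])
    f["status"] = int(f["status"])
    f["body_bytes_sent"] = int(f["body_bytes_sent"])
    f["time"] = datetime.strptime(f["time_local"], "%d/%b/%Y:%H:%M:%S %z")
    parts = f["request"].split(" ")
    if len(parts) == 3:
        f["method"], f["path"], f["protocol"] = parts
    else:  # e.g. "-" for a connection that never sent a request line
        f["method"] = f["path"] = f["protocol"] = None
    return f


def parse_forwarded_line(line):
    """Header first, then payload. Only lines carrying the access-log imfile tag
    from the post are parsed; error-log lines and other syslog return None."""
    hdr = parse_syslog_line(line)
    if hdr is None or hdr["program"] != "kibana-nginx-accesslog":
        return None
    fields = parse_nginx_main(hdr["message"])
    if fields is None:
        return None
    fields["logsource"] = hdr["logsource"]
    fields["syslog_timestamp"] = hdr["timestamp"]
    fields["facility"] = hdr.get("facility")
    fields["severity"] = hdr.get("severity")
    return fields


# Constructed sample input: the first line is the one from the post, the rest
# are made up here to exercise the edge cases.
SAMPLE_LINES = [
    'Feb 26 14:41:47 db2 kibana-nginx-accesslog: 192.168.10.50 - - '
    '[26/Feb/2015:14:41:42 +0800] "GET / HTTP/1.1" 304 0 "-" '
    '"Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko LBBROWSER" "-"',
    # A User-Agent crafted to look like extra fields; Nginx already turned the
    # quotes into \x22, so the field boundaries hold and the real XFF is kept.
    'Feb 26 14:42:03 db2 kibana-nginx-accesslog: 10.0.0.7 - - '
    '[26/Feb/2015:14:42:01 +0800] "GET /login HTTP/1.1" 200 512 "-" '
    '"evil\\x22 \\x22203.0.113.9\\x22 \\x22-" "203.0.113.9"',
    # The same kind of line as it reaches a Logstash syslog{} input over UDP:
    # <133> is facility local0 (16) * 8 + severity notice (5), imfile's defaults.
    '<133>Feb 26 14:42:03 db2 kibana-nginx-accesslog: 10.0.0.7 - - '
    '[26/Feb/2015:14:42:01 +0800] "GET /login HTTP/1.1" 200 512 "-" "-" "-"',
    # An error-log line routed through the other imfile tag: not an access line.
    'Feb 26 14:42:05 db2 kibana-nginx-errorlog: 2015/02/26 14:42:05 [error] '
    '1234#0: *5 open() "/var/www/missing" failed (2: No such file or directory)',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_forwarded_line(line))
```

The second sample line is the one to keep in mind when writing the grok pattern for the message field: because Nginx escapes `"` and `\` as \x22 and \x5C, a `"([^"]*)"` field can never be closed early by request data, but the values still need unescaping before they are compared or searched in Kibana.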

Logstash web interface:

References:

https://medium.com/@thomasdecaux/exploit-nginx-access-log-with-rsyslog-logstash-elasticsearch-and-kibana-48ab5c71b42d

https://blog.basefarm.com/blog/how-to-install-logstash-with-kibana-interface-on-rhel/
