ELK: Nginx Log Collection
Customize the nginx log format as JSON
# escape=json (nginx 1.11.8+) JSON-escapes variable values, so a quote or
# backslash in a request-supplied field ($http_referer, $http_x_forwarded_for,
# $uri) cannot produce an invalid JSON line.
log_format access_json escape=json
    '{"@timestamp":"$time_iso8601",'
    '"host":"$server_addr",'
    '"clientip":"$remote_addr",'
    '"size":$body_bytes_sent,'
    '"responsetime":$request_time,'
    '"upstreamtime":"$upstream_response_time",'
    '"upstreamhost":"$upstream_addr",'
    '"http_host":"$host",'
    '"url":"$uri",'
    '"domain":"$host",'
    '"xff":"$http_x_forwarded_for",'
    '"referer":"$http_referer",'
    '"status":"$status"}';
access_log /var/log/nginx/access.log access_json;
Configure logstash to collect the nginx access log
input {
  file {
    path => "/var/log/nginx/access.log"
    start_position => "end"
    type => "nginx-accesslog"
    # Each access log line is already a JSON object, so decode it on input
    codec => json
  }
}

output {
  if [type] == "nginx-accesslog" {
    elasticsearch {
      hosts => ["192.168.15.11:9200"]
      # One index per day
      index => "logstash-nginx-accesslog-1516-%{+YYYY.MM.dd}"
    }
  }
}
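Why the escaping mode of log_format matters for the json codec, as an added example (not code from the original post): the sketch below reimplements nginx's two documented escaping modes in Python and renders a subset of the access_json fields for a constructed request whose Referer header contains double quotes. The helper names and the sample request are assumptions made for the illustration. A line that fails to parse is one that Logstash would tag _jsonparsefailure instead of indexing as structured fields.

```python
import json

def escape_default(value: str) -> str:
    """nginx default escaping: '"', '\\' and bytes <32 or >126 become \\xXX."""
    out = []
    for b in value.encode("utf-8"):
        if b in (0x22, 0x5C) or b < 32 or b > 126:
            out.append("\\x%02X" % b)
        else:
            out.append(chr(b))
    return "".join(out)

def escape_json(value: str) -> str:
    """nginx escape=json: JSON escapes for '"', '\\' and control characters."""
    short = {'"': '\\"', "\\": "\\\\", "\n": "\\n", "\r": "\\r",
             "\t": "\\t", "\b": "\\b", "\f": "\\f"}
    out = []
    for c in value:
        if c in short:
            out.append(short[c])
        elif ord(c) < 32:
            out.append("\\u%04X" % ord(c))
        else:
            out.append(c)
    return "".join(out)

# Subset of the page's access_json fields, same quoting as the log_format.
TEMPLATE = ('{{"clientip":"{clientip}","url":"{url}",'
            '"referer":"{referer}","status":"{status}","size":{size}}}')

def render(request: dict, escape) -> str:
    """Build one access log line the way nginx would with the given escaping."""
    return TEMPLATE.format(**{k: escape(str(v)) for k, v in request.items()})

def parses(line: str) -> bool:
    """True if the line is valid JSON, i.e. a JSON decoder can read it."""
    try:
        json.loads(line)
        return True
    except json.JSONDecodeError:
        return False

# Constructed sample request (documentation address and test domain).
SAMPLE = {"clientip": "203.0.113.7", "url": "/index.html",
          "referer": 'https://example.test/?q="a"', "status": 200, "size": 612}

if __name__ == "__main__":
    for name, fn in (("default", escape_default), ("escape=json", escape_json)):
        line = render(SAMPLE, fn)
        print(f"{name:12} valid_json={parses(line)}  {line}")
```

With default escaping the quote is written as \x22, which JSON does not accept as an escape sequence, so the whole event loses its parsed fields. Watching for the _jsonparsefailure tag in the index is a quick check that the format is holding up.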