自定义nginx的日志格式存储到Filebeat和Logstash

 

vim /etc/nginx/nginx.conf

log_format main '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log main;

nginx -s reload

 

第二步，编写nginx-patterns文件

NGINX_ACCESS %{IPORHOST:remote_addr} - %{USERNAME:remote_user} \[%
{HTTPDATE:time_local}\] \"%{DATA:request}\" %{INT:status} %{NUMBER:bytes_sent} \"%
{DATA:http_referer}\" \"%{DATA:http_user_agent}\"

第三步，修改haoke-pipeline.conf文件

input {
beats {
port => "5044"
}
}
filter {
grok {
patterns_dir => "/haoke/logstash-6.5.4/nginx-patterns"
match => { "message" => "%{NGINX_ACCESS}"}
remove_tag => [ "_grokparsefailure" ]
add_tag => [ "nginx_access" ]
}
}
output {
stdout { codec => rubydebug }
}