https://logz.io/blog/nginx-log-analysis/
A sample NGINX access log entry (combined log format with two extra trailing fields, the request time and the upstream response time):

```
109.65.122.142 - - [10/Nov/2015:07:06:59 +0000] "POST /kibana/elasticsearch/_msearch?timeout=30000&ignore_unavailable=true&preference=1447070343481 HTTP/1.1" 200 8352 "https://app.logz.io/kibana/index.html" "Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/45.0.2454.101 Chrome/45.0.2454.101 Safari/537.36" 0.465 0.454
```
The Logstash filter configuration to parse that NGINX access log entry. The field names (`response`, `bytes`, `clientip`, `agent`) are those of the legacy, pre-ECS grok patterns; on Logstash 8, where ECS compatibility is on by default, set `ecs_compatibility => disabled` on the grok filter or the same values land under ECS names such as `[http][response][status_code]`:

```
filter {
  grok {
    # COMBINEDAPACHELOG covers the standard combined format; whatever NGINX appends
    # after the user agent (here the two timing values) is kept in extra_fields.
    match => [ "message" , "%{COMBINEDAPACHELOG}+%{GREEDYDATA:extra_fields}" ]
    overwrite => [ "message" ]
  }
  mutate {
    convert => ["response", "integer"]
    convert => ["bytes", "integer"]
    # responsetime is only converted if some pattern has extracted it; the grok
    # above leaves the timings inside extra_fields, so this line is a no-op until it does.
    convert => ["responsetime", "float"]
  }
  geoip {
    source => "clientip"
    target => "geoip"
    add_tag => [ "nginx-geoip" ]
  }
  date {
    # e.g. 10/Nov/2015:07:06:59 +0000 becomes @timestamp
    match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
    remove_field => [ "timestamp" ]
  }
  useragent {
    source => "agent"
  }
}
```
A sample NGINX error log entry:

```
2015/11/10 06:49:59 [warn] 10#0: *557119 an upstream response is buffered to a temporary file /var/lib/nginx/proxy/4/80/0000003804 while reading upstream, client: 66.249.88.173, server: 0.0.0.0, request: "GET /kibana/index.js?_b=1273 HTTP/1.1", upstream: "http://172.17.0.30:9000/kibana/index.js?_b=1273", host: "app.logz.io", referrer: "https://app.logz.io/kibana/index.html"
```
The Logstash filter configuration to parse that NGINX error log entry. The named groups `timestamp` and `client` had been stripped from the pattern on this page; they are restored here because the `date` and `geoip` filters below read exactly those fields. The `referrer` group is made optional so that error lines without a referrer still match:

```
filter {
  grok {
    match => [ "message" , "(?<timestamp>%{YEAR}[./-]%{MONTHNUM}[./-]%{MONTHDAY}[- ]%{TIME}) \[%{LOGLEVEL:severity}\] %{POSINT:pid}#%{NUMBER}: %{GREEDYDATA:errormessage}(?:, client: (?<client>%{IP}|%{HOSTNAME}))(?:, server: %{IPORHOST:server})(?:, request: %{QS:request})?(?:, upstream: \"%{URI:upstream}\")?(?:, host: %{QS:host})?(?:, referrer: \"%{URI:referrer}\")?" ]
    overwrite => [ "message" ]
  }
  geoip {
    # the client address captured by the (?<client>...) group above
    source => "client"
    target => "geoip"
    add_tag => [ "nginx-geoip" ]
  }
  date {
    # e.g. 2015/11/10 06:49:59 becomes @timestamp
    match => [ "timestamp" , "YYYY/MM/dd HH:mm:ss" ]
    remove_field => [ "timestamp" ]
  }
}
```
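As an added example (not code from the Logz.io post), the following plain-Python parser performs the same extraction as the two Logstash filter blocks above, with both sample lines embedded as constructed input. The regular expressions mirror `COMBINEDAPACHELOG` and the error-log grok with named groups, the type conversions and timestamp parsing mirror the `mutate` and `date` filters, and the two trailing timing fields left in `extra_fields` are split out (assumed to be `$request_time` and `$upstream_response_time`). A small triage helper flags server errors and slow requests so the parsed fields are put to use. GeoIP and user-agent enrichment are not reproduced because they need external databases; the field names `upstreamtime` and the UTC assumption for error-log times are my choices, not the page's.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines, same shape as the two entries quoted above.
ACCESS_LINE = (
    '109.65.122.142 - - [10/Nov/2015:07:06:59 +0000] '
    '"POST /kibana/elasticsearch/_msearch?timeout=30000&ignore_unavailable=true'
    '&preference=1447070343481 HTTP/1.1" 200 8352 "https://app.logz.io/kibana/index.html" '
    '"Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Ubuntu Chromium/45.0.2454.101 Chrome/45.0.2454.101 Safari/537.36" 0.465 0.454'
)
ERROR_LINE = (
    '2015/11/10 06:49:59 [warn] 10#0: *557119 an upstream response is buffered to a '
    'temporary file /var/lib/nginx/proxy/4/80/0000003804 while reading upstream, '
    'client: 66.249.88.173, server: 0.0.0.0, request: "GET /kibana/index.js?_b=1273 HTTP/1.1", '
    'upstream: "http://172.17.0.30:9000/kibana/index.js?_b=1273", host: "app.logz.io", '
    'referrer: "https://app.logz.io/kibana/index.html"'
)

# Python equivalent of %{COMBINEDAPACHELOG}; anything after the user agent goes to extra_fields.
ACCESS_RE = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+)(?: (?P<httpversion>HTTP/[\d.]+))?" '
    r'(?P<response>\d{3}) (?P<bytes>-|\d+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
    r'(?P<extra_fields>.*)$'
)

# Python equivalent of the error-log grok: client and server are required,
# request/upstream/host/referrer are optional (quotes are stripped here, unlike %{QS}).
ERROR_RE = re.compile(
    r'^(?P<timestamp>\d{4}[./-]\d{2}[./-]\d{2}[- ]\d{2}:\d{2}:\d{2}) '
    r'\[(?P<severity>\w+)\] (?P<pid>\d+)#\d+: (?P<errormessage>.*?)'
    r', client: (?P<client>[^,]+)'
    r', server: (?P<server>[^,]+)'
    r'(?:, request: "(?P<request>[^"]*)")?'
    r'(?:, upstream: "(?P<upstream>[^"]*)")?'
    r'(?:, host: "(?P<host>[^"]*)")?'
    r'(?:, referrer: "(?P<referrer>[^"]*)")?$'
)


def parse_access(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # same conversions as the mutate filter
    ev["response"] = int(ev["response"])
    ev["bytes"] = 0 if ev["bytes"] == "-" else int(ev["bytes"])
    # same parse as the date filter: dd/MMM/YYYY:HH:mm:ss Z -> timezone-aware datetime
    ev["@timestamp"] = datetime.strptime(ev.pop("timestamp"), "%d/%b/%Y:%H:%M:%S %z")
    # the two trailing numbers are assumed to be $request_time and $upstream_response_time
    timings = ev.pop("extra_fields").split()
    if timings:
        ev["responsetime"] = float(timings[0])
    if len(timings) > 1:
        ev["upstreamtime"] = float(timings[1])
    return ev


def parse_error(line):
    """Return a dict of fields for one error-log line, or None if it does not match."""
    m = ERROR_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    # normalise the date separators the grok allows ([./-] and [- ]) before parsing;
    # error-log times carry no offset, so UTC is assumed here (matches the access log's +0000)
    ts = re.sub(r"^(\d{4})[./-](\d{2})[./-](\d{2})[- ]", r"\1/\2/\3 ", ev.pop("timestamp"))
    ev["@timestamp"] = datetime.strptime(ts, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return ev


def needs_attention(access_events, slow_seconds=1.0):
    """Pick out the access events worth a first look: upstream/server errors (5xx)
    and requests whose request time exceeds slow_seconds."""
    return [
        ev for ev in access_events
        if ev["response"] >= 500 or ev.get("responsetime", 0.0) > slow_seconds
    ]


if __name__ == "__main__":
    access = parse_access(ACCESS_LINE)
    error = parse_error(ERROR_LINE)
    print(access["clientip"], access["response"], access["responsetime"], access["@timestamp"])
    print(error["severity"], error["client"], error["upstream"], error["@timestamp"])
    print("flagged:", needs_attention([access]))
```

Running the block prints the parsed client address, status code, request time and timestamp of the access entry, then the severity, client, upstream and timestamp of the error entry; the sample access line is a fast 200 response, so nothing is flagged.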