Bootstrap

grafana监控nginx日志

先展示下grafana 的一张大图。

看图还是比较炫酷的,那怎么才能够展示这样的大屏,咱们一步一步拆解 

用到组件:nginx ,filebeat,logstash,elasticsearch,grafana

流程图如下:

 

1、nginx代理设置 


    log_format  elklog '$remote_addr - $remote_user [$time_local] "$host" $server_port "$request" '
                        '$status $body_bytes_sent $bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for" $request_time '
                        '"$upstream_response_time" "$upstream_addr" "$upstream_status" ';

2、filebeat 将nginx日志发往logstash,编辑filebeat.yml 

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /opt/servers/nginx/logs/access.portal.*.log
    - /opt/servers/nginx/logs/access.*.log
  fields:
    filetype: nginx   #这一行的key:value都可以自己定义
    fields_under_root: true

output.logstash:
  hosts: ["logstash001:5044"]

3、logstash解析nginx日志写入elasticsearch


input {
      beats {
          port => 5044 #设置专用端口用于接受filebeat的日志
      }
}
filter {    
    # nginx 日志
    if ([fields][filetype] == "nginx") or ([fields][filetype] == "nginx-records") {
              grok {
                 match => {
                        "message" => "%{IP:remote_addr} - (?:%{DATA:remote_user}|-) \[%{HTTPDATE:timestamp}\] \"%{DATA:host}\" %{NUMBER:server_port} \"%{WORD:request_method} %{DATA:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:status} %{NUMBER:body_bytes_sent} %{NUMBER:bytes_sent} \"(?:%{DATA:http_referer}|-)\" \"%{DATA:http_user_agent}\" \"(?:%{DATA:http_x_forwarded_for}|-)\" (?:%{DATA:request_time}|-) \"%{DATA:upstream_response_time}\" \"%{DATA:upstream_addr}\" \"%{NUMBER:upstream_status}\""
                    }
              }
             urldecode{

                     field => [ "request" ]
               }
           #解析request
              mutate {
                    add_field => { "http_request" => "%{request}" } #先随便创建一个字段,把request的值传给它。
              }
              #分割http_request
              mutate {
                  split  => [ "http_request"  , "?" ]   #http_request以问号为切割点
                  add_field => [ "url" ,  "%{[http_request][0]}" ]    #取出数组中第一个值,同时添加url为新的field
              }
              #存在 [http_request][1] 机型解析参数
              if[http_request][1] {
                    mutate {
                         add_field => [ "args" ,  "%{[http_request][1]}" ]    #取出http_request数组中第一个值,同时添加args为新的field
                    }
                    kv {
                        source => "args"
                        field_split => "&"
                        target => "query"
                    }
                    #删除args字段
                    mutate {
                        remove_field => [ "args" ]
                    }
              }
              #删除http_request字段
              mutate {
                  remove_field => [ "http_request" ]
              }
           geoip {
                #multiLang => "zh-CN"
                target => "geoip"
                source => "remote_addr"
                database => "/home/hadoop/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-6.0.5-java/vendor/GeoLite2-City.mmdb"    #指定库的位置
                add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
                add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
                # 去掉显示 geoip 显示的多余信息
                remove_field => ["[geoip][latitude]", "[geoip][longitude]", "[geoip][country_code]", "[geoip][country_code2]", "[geoip][country_code3]", "[geoip][timezone]", "[geoip][continent_code]", "[geoip][region_code]"]
            }
            mutate {
                  #重名字段改名
                  rename  => { "remote_addr" => "client_ip" } #将key字段改名。
                  rename  => { "http_x_forwarded_for" => "xff" } #将key字段改名。
                 # rename  => { "host" => "domain" } #将key字段改名。
                  rename  => { "http_referer" => "referer" } #将key字段改名。
                  rename  => { "request_time" => "responsetime" } #将key字段改名。
                  rename  => { "upstream_response_time" => "upstreamtime" } #将key字段改名。
                  rename  => { "body_bytes_sent" => "size" } #将key字段改名。
                  rename  => { "upstream_addr" => "upstreamhost" } #将key字段改名。

                  #copy字段
                  copy => { "host" => "domain" } #copy _ProductID字段改名。
                  copy => { "client_ip" => "server_ip" }
            }

            mutate {
                convert => [ "size", "integer" ]
                convert => [ "status", "integer" ]
                convert => [ "responsetime", "float" ]
                convert => [ "upstreamtime", "float" ]
                convert => [ "[geoip][coordinates]", "float" ]
                # 过滤 filebeat 没用的字段,这里过滤的字段要考虑好输出到es的,否则过滤了就没法做判断
                remove_field => [ "ecs","agent","cloud","@version","input","logs_type","message" ]
            }
            # 根据http_user_agent来自动处理区分用户客户端系统与版本
            useragent {
                source => "http_user_agent"
                target => "ua"
                # 过滤useragent没用的字段
                remove_field => [ "[ua][minor]","[ua][major]","[ua][build]","[ua][patch]","[ua][os_minor]","[ua][os_major]" ]
            }
             #创建索引日期字段
            ruby{
                code => "event.set('index_day', (event.get('@timestamp').time.localtime + 0*60*60).strftime('%Y.%m.%d'))"
            }

   }   

}
filter {
        if "_grokparsefailure" in [tags] {
          drop {}
         }
}

output {
    if [fields][filetype] == "nginx" {
      elasticsearch {
           hosts => ["elasticsearch001:9200"]
           index => "logstash-nginx-log-%{index_day}"
      }
       # file {
       #path => "/home/hadoop/logstash-nginx-log-%{+YYYY.MM.dd}"
       #path => "/home/hadoop/logstash-nginx-log-%{index_day}"
       #}
   }
}

4、在kibana中查看elasticsearch数据 

5、在grafana配置elasticsearch数据源

 需要注意的是最新的dashboard需要选择7.10+的elasticsearch,保存数据源后

AKA ES Nginx Logs | Grafana Labs 查看dashboard id:11190

在grafana中导入

 完工。

本人喜欢研究新技术,并有丰富的大数据经验,希望和各位小伙伴探讨技术。

;