# ApacheBench (ab) ships in httpd-tools; it is used here only to generate
# traffic so that nginx writes access-log lines for Filebeat to pick up.
yum -y install httpd-tools
# -n: total number of requests to send
# -c: how many requests are sent concurrently
# The URL must end with "/" (a path); without it ab refuses to run.
ab -n 100 -c 10 'http://10.0.0.100:80/'
[root@node01 log]# tail -f /var/log/nginx/access.log
10.0.0.100 - - [16/Apr/2020:19:03:40 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3" "-"
10.0.0.100 - - [16/Apr/2020:19:03:40 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3" "-"
10.0.0.100 - - [16/Apr/2020:19:03:40 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3" "-"
10.0.0.100 - - [16/Apr/2020:19:03:40 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3" "-"
10.0.0.100 - - [16/Apr/2020:19:03:40 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3" "-"
10.0.0.100 - - [16/Apr/2020:19:03:40 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3" "-"
10.0.0.100 - - [16/Apr/2020:19:03:40 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3" "-"
10.0.0.100 - - [16/Apr/2020:19:03:40 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3" "-"
10.0.0.100 - - [16/Apr/2020:19:03:40 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3" "-"
10.0.0.100 - - [16/Apr/2020:19:03:40 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3" "-"
ab工具用于批量发送HTTP请求到指定的URL,是一个压力测试工具,这里使用它来生成Nginx的日志
/etc/filebeat/filebeat.yml
# Only the minimal working subset of filebeat.yml is kept here.
# Input definition
filebeat.inputs:
# The input is a plain log file
- type: log
  # Enable this input
  enabled: true
  # Location of the log file
  paths:
    - /var/log/nginx/access.log
# Output definition
# Ship to Elasticsearch (the original comment misspelled it "elasitcsearch")
output.elasticsearch:
  hosts: ["10.0.0.100:9200","10.0.0.101:9200","10.0.0.102:9200"]
  # NOTE(review): no protocol, ssl or username/password keys are set, so as written
  # Filebeat talks plain HTTP to the cluster with no authentication — fine for a
  # closed lab, not for a network reachable by untrusted hosts.
systemctl start filebeat
# Repeated start: a no-op if the unit is already active (systemd does not restart it).
systemctl start filebeat
# Kibana Dev Tools / Elasticsearch REST request, not a shell command: removes the
# index that Filebeat created under its default naming scheme before the config
# below switches to a custom index name.
DELETE filebeat-6.6.0-2020.04.16
# Truncate the access log so the next test run starts from an empty file
# (needs write permission on the file; nginx is not restarted here).
> /var/log/nginx/access.log
/etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  # The next two settings store the nginx log line as JSON fields at the event root.
  # NOTE(review): overwrite_keys lets decoded keys replace Filebeat's own fields on a
  # name clash, so the key names chosen in nginx's log_format matter — check they do
  # not shadow fields such as @timestamp or host.
  json.keys_under_root: true
  json.overwrite_keys: true
output.elasticsearch:
  hosts: ["10.0.0.100:9200","10.0.0.101:9200","10.0.0.102:9200"]
  # Index name; usually rolled monthly
  index: "nginx-%{+yyyy.MM}"
# Once `index` is overridden, the following four settings must be set as well
# Name of the custom template
setup.template.name: "nginx"
# Which indices the template is applied to
setup.template.pattern: "nginx-*"
# Make the default template unavailable
setup.template.enabled: false
# Make the custom template usable
# NOTE(review): per the Filebeat docs, setup.template.enabled: false turns template
# loading off entirely, in which case overwrite: true has nothing to act on — confirm
# the intent (load a hand-made template manually, or set enabled: true).
setup.template.overwrite: true
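# Use restart, not start: filebeat was started in an earlier step and no stop is
# shown in between, and `systemctl start` on an already-active unit does nothing,
# so the edited filebeat.yml would not be read. If the unit happened to be stopped,
# restart behaves like start.
systemctl restart filebeat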
# 使用3个服务器发送请求
[root@node01 ~]# ab -c 5 -n 5 http://10.0.0.101:80/test
[root@node01 ~]# ab -c 5 -n 5 http://10.0.0.102:80/test
[root@node02 ~]# ab -c 5 -n 5 http://10.0.0.100:80/test
[root@node02 ~]# ab -c 5 -n 5 http://10.0.0.102:80/test
[root@node03 ~]# ab -c 5 -n 5 http://10.0.0.100:80/test
[root@node03 ~]# ab -c 5 -n 5 http://10.0.0.101:80/test
GET _cat/indices
# 数据增加了30条
green open nginx-2020.04 2l7iUDU9SpWDxN96ui2DhQ 5 1 630 0 1.8mb 921.4kb
host.name，并过滤出指定的主机收集到的日志
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  json.keys_under_root: true
  json.overwrite_keys: true
  # The tag is what the `indices` conditions below route on
  tags: ["access"]
- type: log
  enabled: true
  # The error log is not parsed as JSON: we rarely run aggregations on it
  paths:
    - /var/log/nginx/error.log
  tags: ["error"]
output.elasticsearch:
  # NOTE(review): no protocol/ssl/credentials set — plain, unauthenticated HTTP as written
  hosts: ["10.0.0.100:9200","10.0.0.101:9200","10.0.0.102:9200"]
  # Per-event index selection by tag
  indices:
    - index: "nginx-access-%{+yyyy.MM}"
      when.contains:
        tags: "access"
    - index: "nginx-error-%{+yyyy.MM}"
      when.contains:
        tags: "error"
# Template settings; the pattern covers both nginx-access-* and nginx-error-*
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true
setup.template.settings:
  # Number of primary shards for the target index
  index.number_of_shards: 3
# Kibana IP and port
setup.kibana:
  host: "10.0.0.100:5601"
GET _cat/indices
green open nginx-error-2020.04 723oaOL3SamTcJId6E--9Q 5 1 1011 0 1.5mb 738.8kb
green open nginx-access-2020.04 v-9G7VLeREKvfh9kg-Wi3g 5 1 30 0 394.6kb 197.3kb
# Module-based setup: inputs come from modules.d/*.yml instead of filebeat.inputs
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  # modules.d is re-read every 10s, so whoever can write to that directory can
  # change what is collected at runtime — keep its permissions tight.
  reload.enabled: true
  reload.period: 10s
output.elasticsearch:
  # NOTE(review): no protocol/ssl/credentials set — plain, unauthenticated HTTP as written
  hosts: ["10.0.0.100:9200","10.0.0.101:9200","10.0.0.102:9200"]
  # Route by fileset: the nginx module has an access and an error fileset (see the
  # nginx.yml module file shown below), and fileset.name carries that choice.
  indices:
    - index: "nginx_access-%{+yyyy.MM}"
      when.contains:
        fileset.name: "access"
    - index: "nginx_error-%{+yyyy.MM}"
      when.contains:
        fileset.name: "error"
# Pattern changed to nginx_* to match the underscore index names above
setup.template.name: "nginx"
setup.template.pattern: "nginx_*"
setup.template.enabled: false
setup.template.overwrite: true
setup.template.settings:
  index.number_of_shards: 3
setup.kibana:
  host: "10.0.0.100:5601"
[root@node01 ~]# filebeat modules list
Enabled:
Disabled:
apache2
auditd
elasticsearch
haproxy
icinga
iis
kafka
kibana
logstash
mongodb
mysql
nginx
osquery
postgresql
redis
suricata
system
traefik
[root@node01 ~]# cat /etc/filebeat/modules.d/nginx.yml.disabled
- module: nginx
access:
enabled: true
var.paths: ["/var/log/nginx/access.log"]
error:
enabled: true
var.paths: ["/var/log/nginx/error.log"]
激活后，原来的配置文件 nginx.yml.disabled 变为了 nginx.yml
[root@node01 ~]# filebeat modules enable nginx
Enabled nginx
[root@node01 ~]# filebeat modules list
Enabled:
nginx
Disabled:
apache2
auditd
elasticsearch
haproxy
icinga
iis
kafka
kibana
logstash
mongodb
mysql
osquery
postgresql
redis
suricata
system
traefik
# `main` must be a log_format defined elsewhere in nginx.conf (not shown here);
# presumably this restores a plain-text format for the Filebeat nginx module's
# ingest pipeline after the JSON logging used in the earlier step — confirm.
access_log /var/log/nginx/access.log main;
# Option A: online install — the plugin tool fetches the plugin matching the running ES version.
/usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-user-agent
/usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-geoip
# Option B: offline install — download the zips first (the plugin version must match ES; 6.6.0 here) ...
wget https://artifacts.elastic.co/downloads/elasticsearch-plugins/ingest-user-agent/ingest-user-agent-6.6.0.zip
wget https://artifacts.elastic.co/downloads/elasticsearch-plugins/ingest-geoip/ingest-geoip-6.6.0.zip
# ... then install from the local file. NOTE(review): a file:// install takes the archive as-is;
# check the download against the .sha512 that artifacts.elastic.co publishes next to each zip
# before installing. Repeat on every node (the transcript below shows node03 doing so) and
# restart Elasticsearch afterwards.
/usr/share/elasticsearch/bin/elasticsearch-plugin install file:///root/ingest-geoip-6.6.0.zip
/usr/share/elasticsearch/bin/elasticsearch-plugin install file:///root/ingest-user-agent-6.6.0.zip
[root@node03 ~]# /usr/share/elasticsearch/bin/elasticsearch-plugin install file:///root/ingest-user-agent-6.6.0.zip
-> Downloading file:///root/ingest-user-agent-6.6.0.zip
[=================================================] 100%
-> Installed ingest-user-agent
[root@node03 ~]# /usr/share/elasticsearch/bin/elasticsearch-plugin install file:///root/ingest-geoip-6.6.0.zip
-> Downloading file:///root/ingest-geoip-6.6.0.zip
[=================================================] 100%
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: plugin requires additional permissions @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.lang.RuntimePermission accessDeclaredMembers
* java.lang.reflect.ReflectPermission suppressAccessChecks
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.
Continue with installation? [y/N]y
-> Installed ingest-geoip
说明:
GET _cat/indices
green open nginx_access-2020.04 7ibKAbFGQx66-a86s_53SQ 5 1 25 0 568.9kb 284.4kb
green open nginx_error-2020.04 bt-yYMQBTbqyZdBvmAzkRQ 5 1 15 0 275.9kb 145kb
注意,给nginx_error创建index pattern时,Time Filter field name 选择read_timestamp,而nginx_access选择@timestamp
可以看到，filebeat 内置的 nginx 模块配合解析 User-Agent 的插件 ingest-user-agent-6.6.0.zip 以及解析 IP 的插件 ingest-geoip-6.6.0.zip，帮我们把 nginx 的普通日志做了很细粒度的解析，并且自动保存成 JSON 格式；但是 error 日志还是使用 message 来表示一整行日志。