How to use nginx custom log with logstash properly

I've found a good article about using an nginx custom log format for logstash. In one on-topic comment there is:

Be careful: Between two (referrer, user agent) and four (request method, remote_user) can be set by the end-user and thus can cause the JSON to be invalid (i.e. set the user-agent to "}).

As long as nginx doesn't have explicit JSON support, I would recommend against manually building JSON and stick to combined log which is well-supported by logstash.

How should I use custom log format to prevent this issue?

Create grok with content

NGUSERNAME [a-zA-Z\.\@\-\+_%]+
NGUSER %{NGUSERNAME}
NGINXACCESS %{IPORHOST:clientip} %{NGUSER:ident} %{NGUSER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:"(?:%{URI:referrer}|-)"|%{QS:referrer}) %{QS:agent}

And filter

filter {
    grok {
        patterns_dir => ["Grok_DIR"]
        match => { "message" => "%{NGINXACCESS}" }
    }
}

It is not bulletproof in any version of nginx to hand craft the JSON - \xXX is not valid JSON encoding, it should be \u00XX. Any proper JSON parser will reject the JSON string if nginx escapes with \xXX.

If you do this with LogStash you will mostly be OK but expect json parse failures from time to time.
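The parse failure described above, and one way to repair such lines before parsing, as an added example that is not part of the original answers. The sample line and the function names are constructed for illustration; the repair assumes nginx's default access_log escaping and a `log_format` template that contains no literal backslashes.

```python
import json
import re

# Constructed sample line (not from the page): a hand-built JSON log_format
# where the client sent a User-Agent containing '"}' and the bytes C3 A9.
# nginx's default access_log escaping wrote them as \x22 and \xC3\xA9.
SAMPLE_LINE = r'{"status": "200", "agent": "bot\x22} caf\xC3\xA9"}'

NGINX_HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def strict_parse_fails(line):
    """Return True if a standards-compliant JSON parser rejects the line."""
    try:
        json.loads(line)
    except json.JSONDecodeError:
        return True
    return False


def _rebuild_utf8(value):
    """Turn one-char-per-byte strings back into the UTF-8 text the client sent."""
    if isinstance(value, str):
        return value.encode("latin-1").decode("utf-8", errors="replace")
    if isinstance(value, dict):
        return {k: _rebuild_utf8(v) for k, v in value.items()}
    if isinstance(value, list):
        return [_rebuild_utf8(v) for v in value]
    return value


def parse_nginx_json_line(line):
    """Parse a hand-built nginx JSON log line, or return None if unusable."""
    if not line.isascii():
        return None  # raw high bytes: not the escaping assumed here
    # nginx writes '\' itself as \x5C, so every \xXX in the line is an
    # nginx escape and can be rewritten to the JSON form \u00XX.
    repaired = NGINX_HEX_ESCAPE.sub(r"\\u00\1", line)
    try:
        return _rebuild_utf8(json.loads(repaired))
    except json.JSONDecodeError:
        return None  # caller should keep the raw line for review, not drop it
```

nginx 1.11.8 and later accept `escape=json` in `log_format`, which makes nginx write valid JSON escapes itself and removes the need for this repair step.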

I think it's fine in recent versions of nginx:

Changes with nginx 1.1.6 17 Oct 2011

*) Change: now the 0x7F-0x1F characters are escaped as \xXX in an
   access_log.

Changes with nginx 0.7.0 19 May 2008

*) Change: now the 0x00-0x1F, '"' and '\' characters are escaped as \xXX
   in an access_log.
   Thanks to Maxim Dounin.
