input {
beats {
port => 5044
}
}
filter {
if [type] =~ /nginx_err/ {
grok {
match => [
"message" , "%{DATESTAMP:log_timestamp} \[%WORD:state}\] %{POSINT:pid}#{NUMBER}: %{GREEDYDATA:errormessage}(, client>%{IP}|%{HOSTNAME}))(?:, server: %{IPORHOST:server})(?:, request: %{QS:request})?(?:, upstream: \"%{URI:upstream}\")?(?:, host:%{QS:host})?(?:, referrer: \"%{URI:referrer}\")"
]
}
geoip {
source => "client"
target => "geoip"
add_tag => [ "nginx-geoip" ]
}
date {
match => [ "timestamp" , "YYYY/MM/dd HH:mm:ss" ]
remove_field => ["timestamp" ]
}
}
else {
if [type] =~ /nginx_access/ {
mutate {
gsub => [
"message", "\n", " "
]
}
json {
source => "message"
remove_field => "message"
}
}
}
}
output {
elasticsearch {
hosts => ["http://172.17.12.180:9200"] # Elasticsearch集群的内网VIP地址和端口
sniffing => true
manage_template => false
index => "%{type}-%{localTime}"
document_type => "%{type}"
}
}
日志信息是这个
2018/09/06 11:16:43 [warn] 7655#7655: *22135688 an upstream response is buffered to a temporary file /usr/local/openresty/nginx/proxy_temp/9/93/0001781939 while reading upstream, client: 123.123.123.123, server: asst.tes, request: "GET /middle/19806/c/545/5acf40a0ed7e413797000186/main?v=1523531936 HTTP/1.1", upstream: "http://172.17.11.6:10092/middl ... ot%3B, host: "asst.tes", referrer: "http://xie.t/?preview_theme_id=19806"
这个grok我已经调试过的了,用相同日志可以解析出来
报错日志如下附件,请各位大神帮忙看下 我的是不是写错了~~~
1 个回复
sweetpotato - 90IT男
赞同来自: