
How to import Nginx logs into Elasticsearch

Tags: Nginx, Filebeat, Elasticsearch, Logstash    186    Source:    2025-04-25

Solutions for importing Nginx logs into Elasticsearch

Nginx logs can be imported into Elasticsearch in several ways; the most common methods are described below:

Method 1: Filebeat + Elasticsearch

  1. Install Filebeat

    # For Debian/Ubuntu (replace 8.x.x with the release you are installing)
    curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.x.x-amd64.deb
    sudo dpkg -i filebeat-8.x.x-amd64.deb
    
    # For RHEL/CentOS
    curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.x.x-x86_64.rpm
    sudo rpm -vi filebeat-8.x.x-x86_64.rpm
    
  2. Configure Filebeat: edit /etc/filebeat/filebeat.yml

    filebeat.inputs:
      # The "log" input still works in 8.x but is deprecated; "filestream" is its replacement.
      # One input per file, each with its own log_type, so access and error lines can be routed separately.
      - type: log
        enabled: true
        paths:
          - /var/log/nginx/access.log
        fields:
          log_type: nginx-access
        fields_under_root: true
      - type: log
        enabled: true
        paths:
          - /var/log/nginx/error.log
        fields:
          log_type: nginx-error
        fields_under_root: true
    
    output.elasticsearch:
      hosts: ["your-elasticsearch-host:9200"]
      # Elasticsearch 8 enables security by default: set protocol: "https", a username/password
      # or api_key, and ssl.certificate_authorities here so the shipper can authenticate.
      indices:
        - index: "nginx-access-%{+yyyy.MM.dd}"
          when.equals:
            log_type: "nginx-access"
        - index: "nginx-error-%{+yyyy.MM.dd}"
          when.equals:
            log_type: "nginx-error"
    
  3. Enable and start Filebeat

    sudo systemctl enable filebeat
    sudo systemctl start filebeat
    

Method 2: Logstash

  1. Install Logstash

    # For Debian/Ubuntu
    # Note: apt-key is deprecated on current Debian/Ubuntu releases; Elastic's documentation now
    # stores the key under /usr/share/keyrings and references it with a signed-by= option instead.
    wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
    sudo apt-get install apt-transport-https
    echo "deb https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list
    sudo apt-get update && sudo apt-get install logstash
    
    # For RHEL/CentOS
    sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
    sudo vi /etc/yum.repos.d/logstash.repo
    # Add the following content to that file:
    [logstash-8.x]
    name=Elastic repository for 8.x packages
    baseurl=https://artifacts.elastic.co/packages/8.x/yum
    gpgcheck=1
    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
    enabled=1
    autorefresh=1
    type=rpm-md
    # Then install the package:
    sudo yum install logstash
    
  2. Create the Logstash configuration file /etc/logstash/conf.d/nginx.conf

    input {
      file {
        path => "/var/log/nginx/access.log"
        start_position => "beginning"
        # "/dev/null" discards the read position, so every restart re-reads the whole file
        # and indexes it again; remove this line in production so Logstash keeps its state.
        sincedb_path => "/dev/null"
        type => "nginx-access"
      }
      file {
        path => "/var/log/nginx/error.log"
        start_position => "beginning"
        sincedb_path => "/dev/null"
        type => "nginx-error"
      }
    }
    
    filter {
      # Nginx's default "combined" log format matches the COMBINEDAPACHELOG grok pattern;
      # error.log has a different layout and is indexed here as a raw message.
      if [type] == "nginx-access" {
        grok {
          match => { "message" => "%{COMBINEDAPACHELOG}" }
        }
        date {
          match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
          locale => en
        }
      }
    }
    
    output {
      elasticsearch {
        hosts => ["http://localhost:9200"]
        # Elasticsearch 8 requires authentication: add user => "..." and password => "..."
        # (or api_key => "...") and use an https:// host with TLS settings.
        index => "nginx-%{+YYYY.MM.dd}"
      }
    }
    
  3. Start Logstash

    sudo systemctl enable logstash
    sudo systemctl start logstash
    

Method 3: Fluentd

  1. Install Fluentd

    # Use td-agent (the stable distribution of Fluentd); this script targets Ubuntu 20.04 (focal),
    # pick the script that matches your distribution
    curl -L https://toolbelt.treasuredata.com/sh/install-ubuntu-focal-td-agent4.sh | sh
    
  2. Configure Fluentd: edit /etc/td-agent/td-agent.conf

    <source>
      @type tail
      path /var/log/nginx/access.log
      # The position file lets td-agent resume where it stopped instead of re-reading the file
      pos_file /var/log/td-agent/nginx-access.log.pos
      tag nginx.access
      # Inline "format" is the legacy syntax; Fluentd v1 prefers an equivalent <parse> section
      format /^(?<remote>[^ ]*) (?<host>[^ ]*) (?<user>[^ ]*) \[(?<time>[^\]]*)\] "(?<method>\S+)(?: +(?<path>[^ ]*) +\S*)?" (?<code>[^ ]*) (?<size>[^ ]*)(?: "(?<referer>[^\"]*)" "(?<agent>[^\"]*)")?$/
      time_format %d/%b/%Y:%H:%M:%S %z
    </source>
    
    <match nginx.access>
      # Requires fluent-plugin-elasticsearch, which td-agent bundles
      @type elasticsearch
      host localhost
      port 9200
      logstash_format true
      logstash_prefix nginx-access
    </match>
    
  3. Start Fluentd

    sudo systemctl enable td-agent
    sudo systemctl start td-agent
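
All three collectors do the same thing with an access log line: match the combined format, parse the timestamp, and derive a daily index name from it. The Python script below is an added example, not code from this article or from Filebeat, Logstash or Fluentd. It uses the same capture groups as the Fluentd `format` regex above and the same time layout as the Logstash `date` filter, builds the NDJSON body that `POST /_bulk` expects, and keeps lines that fail to parse, tagged, instead of dropping them. The sample log lines, the `nginx-access` prefix and the `_parsefailure` tag are constructed for the example.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample lines in Nginx's default "combined" format; the third is malformed on purpose.
SAMPLE_LINES = [
    '203.0.113.10 - - [25/Apr/2025:10:15:32 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "curl/8.5.0"',
    '198.51.100.7 - admin [25/Apr/2025:02:30:00 +0800] "POST /login HTTP/1.1" 401 0 "https://example.com/" "Mozilla/5.0"',
    'this line is not in combined format',
]

# Same capture groups as the Fluentd `format` regex in the article (remote, host, user, time,
# method, path, code, size, referer, agent), written as a Python named-group pattern.
COMBINED_RE = re.compile(
    r'^(?P<remote>[^ ]*) (?P<host>[^ ]*) (?P<user>[^ ]*) \[(?P<time>[^\]]*)\] '
    r'"(?P<method>\S+)(?: +(?P<path>[^ ]*) +\S*)?" (?P<code>[^ ]*) (?P<size>[^ ]*)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Same layout as the article's Logstash date match and Fluentd time_format.
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_access_line(line):
    """Parse one combined-format line into an Elasticsearch document, or return None
    when the line does not match (the equivalent of a grok parse failure)."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    doc = m.groupdict()
    ts = datetime.strptime(doc.pop("time"), TIME_FORMAT)
    doc["@timestamp"] = ts.isoformat()  # keeps the log's own UTC offset, e.g. +08:00
    doc["code"] = int(doc["code"])
    doc["size"] = 0 if doc["size"] == "-" else int(doc["size"])
    return doc


def daily_index(doc, prefix="nginx-access"):
    """Index name derived from the event's @timestamp in UTC, which is how the
    nginx-access-%{+yyyy.MM.dd} patterns in the article's configs are evaluated."""
    ts = datetime.fromisoformat(doc["@timestamp"]).astimezone(timezone.utc)
    return f"{prefix}-{ts:%Y.%m.%d}"


def bulk_body(lines, prefix="nginx-access"):
    """NDJSON body for POST /_bulk. Unparsable lines are still indexed, raw and tagged,
    so they can be found and fixed rather than silently lost."""
    out = []
    for line in lines:
        doc = parse_access_line(line)
        if doc is None:
            doc = {"message": line.rstrip("\n"), "tags": ["_parsefailure"],
                   "@timestamp": datetime.now(timezone.utc).isoformat()}
        out.append(json.dumps({"index": {"_index": daily_index(doc, prefix)}}))
        out.append(json.dumps(doc))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Pipe the output into:
    #   curl -H 'Content-Type: application/x-ndjson' -XPOST localhost:9200/_bulk --data-binary @-
    print(bulk_body(SAMPLE_LINES), end="")
```

The index date comes from the event's own timestamp converted to UTC, which is how Logstash and Filebeat evaluate `%{+YYYY.MM.dd}`: the second sample line, logged at 02:30 +08:00, lands in the previous day's index. Keep that in mind when querying by day or setting retention.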
    

Verify the data

  1. Check the Elasticsearch indices

    curl -XGET 'http://localhost:9200/_cat/indices?v'
    
  2. Query the Nginx log data

    curl -XGET 'http://localhost:9200/nginx-*/_search?pretty'
    

Advanced configuration suggestions

  1. Use an ingest node pipeline to preprocess the data inside Elasticsearch
  2. Set up index lifecycle management (ILM) to manage index rollover and deletion automatically
  3. Consider using Kibana to visualise and analyse the log data
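
To make the first two suggestions concrete, the Python snippet below is an added example, not code from this article or from Elasticsearch: it builds an ingest pipeline that does what the Logstash filter in Method 2 does (grok with `%{COMBINEDAPACHELOG}`, timestamp parsing, removal of the raw message), a delete-by-age ILM policy, and an index template that attaches both to every new `nginx-*` index, plus a request body for `_ingest/pipeline/_simulate` so the pipeline can be tried on sample lines before a shipper is pointed at it. The pipeline id `nginx-access`, the policy name `nginx-logs` and the template name `nginx-logs` are this example's own choices, and the sample lines are constructed.

```python
import json

# Names chosen for this example (not from the article); "nginx-*" matches the article's indices.
PIPELINE_ID = "nginx-access"
ILM_POLICY = "nginx-logs"
TEMPLATE = "nginx-logs"


def ingest_pipeline():
    """Ingest pipeline equivalent to the article's Logstash filter: grok the combined line,
    parse the timestamp into @timestamp, then drop the raw fields."""
    return {
        "description": "Parse Nginx combined access log lines",
        "processors": [
            {"grok": {"field": "message", "patterns": ["%{COMBINEDAPACHELOG}"]}},
            {"date": {"field": "timestamp",
                      "formats": ["dd/MMM/yyyy:HH:mm:ss Z"],
                      "target_field": "@timestamp"}},
            {"remove": {"field": ["message", "timestamp"], "ignore_missing": True}},
        ],
        # A line that does not match is indexed unparsed and tagged instead of being rejected.
        "on_failure": [
            {"append": {"field": "tags", "value": ["_grokparsefailure"]}},
        ],
    }


def ilm_policy(delete_after="30d"):
    """Delete-by-age policy. The article's date-suffixed indices are created per day by the
    shipper, so no rollover action (which needs an alias or data stream) is configured."""
    return {"policy": {"phases": {
        "hot": {"min_age": "0ms", "actions": {}},
        "delete": {"min_age": delete_after, "actions": {"delete": {}}},
    }}}


def index_template():
    """Index template that binds every new nginx-* index to the pipeline and the policy."""
    return {
        "index_patterns": ["nginx-*"],
        "template": {"settings": {
            "index.default_pipeline": PIPELINE_ID,
            "index.lifecycle.name": ILM_POLICY,
        }},
        "priority": 200,
    }


def setup_requests():
    """The three PUT requests, in dependency order, as (method, path, json_body) tuples.
    Send each with: curl -X PUT -H 'Content-Type: application/json' "$ES$path" -d "$body"."""
    return [
        ("PUT", f"/_ilm/policy/{ILM_POLICY}", json.dumps(ilm_policy())),
        ("PUT", f"/_ingest/pipeline/{PIPELINE_ID}", json.dumps(ingest_pipeline())),
        ("PUT", f"/_index_template/{TEMPLATE}", json.dumps(index_template())),
    ]


def simulate_request(lines):
    """Body for POST /_ingest/pipeline/_simulate: runs the pipeline on sample lines
    without indexing anything, so parsing can be checked before shipping real traffic."""
    return {"pipeline": ingest_pipeline(),
            "docs": [{"_source": {"message": line}} for line in lines]}


# Constructed sample lines for the simulate call; the second is deliberately malformed.
SAMPLE_LINES = [
    '203.0.113.10 - - [25/Apr/2025:10:15:32 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "curl/8.5.0"',
    'not a combined-format line',
]

if __name__ == "__main__":
    for method, path, body in setup_requests():
        print(method, path, body)
    print("POST /_ingest/pipeline/_simulate", json.dumps(simulate_request(SAMPLE_LINES)))
```

With the template in place, the shippers no longer need their own parsing: Filebeat can send the raw `message` field and the cluster parses it on ingest, and the ILM policy removes each daily index once it is older than `delete_after`.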

Which method to choose depends on your specific needs and technology stack. Filebeat is the most lightweight option, Logstash offers the most powerful processing capabilities, and Fluentd sits between the two.