Question

我通过rsyslog将日志发送到elasticsearch。为了解析这些日志，我使用了liblognorm规则。

我想创建nginx日志字段，

这是一个日志条目，

version=2

rule=:%clientip:ipv4% - %user:word% [%timestamp:char-to:]%] %auth:word% "%verb:alpha% %request:word%" %response:number% %bytes:number% "%referrer:word"%" "%agent:char-to:{"extradata":"("}"

这是模式文件，

func applicationDidFinishLaunching(_ application: UIApplication) {
    let storyboard = UIStoryboard(name: "Main", bundle: nil)
    let navigationController = storyboard.instantiateViewController(withIdentifier: "navigationController") // here you should insert your identifier (storyboard -> navigationcontroller -> Identity -> Storyboard ID) 

    window!.rootViewController = navigationController
    window!.makeKeyAndVisible()
}

由于日期时间格式，我认为解析失败的原因。

有人可以帮助创建解析nginx日志的规则吗？

Answer 1

对于上述Nginx访问日志行，您需要这样的规则：

version=2

rule=:%clientip:ipv4%%-:whitespace%-%-:whitespace%%user:word%%-:whitespace%[%timestamp:char-to{"extradata":"]"}%]%-:whitespace%"%verb:word%%-:whitespace%%request:word%%-:whitespace%%protocol:char-to{"extradata":"\""}%"%-:whitespace%%response_code:number{"format":"number"}%%-:whitespace%%bytes:number{"format":"number"}%%-:whitespace%"%referrer:char-to{"extradata":"\""}%"%-:whitespace%"%agent:char-to{"extradata":"\""}%"

产生以下输出（漂亮印刷）：

{
    "agent": "Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko\/20100101 Firefox\/53.0",
    "referrer": "-",
    "bytes": 0,
    "response_code": 304,
    "protocol": "HTTP\/1.1",
    "request": "\/ui\/favicons\/favicon-32x32.png",
    "verb": "GET",
    "timestamp": "13\/Jun\/2017:14:18:17 +0530",
    "user": "kibanaadmin",
    "clientip": "127.0.0.1"
}

要更轻松地测试日志文件以及Liblognorm规则文件，可以为规则创建nginx.rule文件并运行命令：

 lognormalizer -H -p -r nginx.rule < nginx.log

您可以找到有关lognormalizer命令here的更多信息。

nginx日志的liblognorm规则

1 个答案: