码迷,mamicode.com
首页 > 其他好文 > 详细

ELKStack实时分析Haproxy访问日志配置

时间:2016-03-26 20:32:39      阅读:234      评论:0      收藏:0      [点我收藏+]

标签:logstash elk

1.Haproxy配置日志规则

在/etc/haproxy/haproxy.conf的frontend下增加

option httplog
option logasap
log LogServerIP local5

capture request header Host len 40
capture request header X-Forwarded-For len 50
#capture request header Accept-Language len 50
capture request header Referer len 200
capture request header User-Agent len 200

2.syslog配置开启远程接收

3.Logstash配置

indexer

input {
        file {
                path => "/var/log/haproxy.log"
                start_position => beginning
                sincedb_write_interval => 0
                type => "HAPROXY_LOG"
                codec => plain {
                        charset => "ISO-8859-1"
                }
        }
}



output {
        #stdout { codec => rubydebug}
        redis {
                data_type => "list"
                key => "logstash:Haproxy_log"
                host => "192.168.1.2"
                port => 6379
        }
}

shipping

input {
    redis {
        data_type => "list"
        key => "logstash:Haproxy_log"
        host => "192.168.1.2"
        port => 6379
        threads => 5
        type => "HAPROXY_LOG"
    }
}

filter {
       grok{
          match => ["message" , "%{SYSLOGTIMESTAMP:syslog_timestamp} %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \[%{MONTHDAY:haproxy_monthday}/%{MONTH:haproxy_month}/%{YEAR:haproxy_year}:(?!<[0-9])%{HOUR:haproxy_hour}:%{MINUTE:haproxy_minute}(?::%{SECOND:haproxy_second})(?![0-9]).%{INT:haproxy_milliseconds}\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/\+%{NOTSPACE:time_duration} %{INT:http_status_code} \+%{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\{%{IPORHOST:Host}\|?(%{IP:X_Forward_For})?\|?(%{URI:Referer})?\|%{GREEDYDATA:User_Agent}\})?( )( )?\"(<BADREQ>|(%{WORD:http_method} (%{URIPROTO:http_proto}://)?(?:%{USER:http_user}(?::[^@]*)?@)?(?:%{URIHOST:http_host})?(?:%{URIPATHPARAM:http_request})?( HTTP/%{NUMBER:http_version})?))?\""]
      }
        useragent {
                source => "User_Agent"
                target => "ua"
        }
        if [X_Forward_For] =~ "." {
           geoip {
                source => ["X_Forward_For"]
                database => "/usr/local/logstash2.2.2/bin/GeoLiteCity.dat"

          }
        } else {
           geoip {
                source => ["client_ip"]
                database => "/usr/local/logstash2.2.2/bin/GeoLiteCity.dat"

          }
        }
       date{
          match => ["log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
          timezone =>"Etc/UCT"
       }
       mutate{
                remove_field => ["log_timestamp"]
                remove_field => [ "host" ]
                remove_field => [ "path" ]
                remove_field => [ "pid" ]
                remove_field => [ "client_port" ]
                remove_field => [ "program" ]
                remove_field => [ "haproxy_monthday" ]
                remove_field => [ "haproxy_month" ]
                remove_field => [ "haproxy_year" ]
                remove_field => [ "haproxy_hour" ]
                remove_field => [ "haproxy_minute" ]
                remove_field => [ "haproxy_second" ]
                remove_field => [ "haproxy_milliseconds" ]
                remove_field => [ "frontend_name" ]
                remove_field => [ "captured_response_cookie" ]
                remove_field => [ "captured_request_cookie" ]
          convert => [ "timetaken","integer" ]
          convert => [ "http_status_code","integer" ]
          convert => [ "bytes_read","integer" ]
          convert => [ "time_duration","integer" ]
          convert => [ "time_backend_response","integer" ]
          convert => [ "actconn","integer" ]
          convert => [ "feconn","integer" ]
          convert => [ "beconn","integer" ]
          convert => [ "srvconn","integer" ]
          convert => [ "retries","integer" ]
          convert => [ "srv_queue","integer" ]
          convert => [ "backend_queue","integer" ]
          convert => [ "time_request","integer" ]
          convert => [ "time_queue","integer" ]
          convert => [ "time_backend_connect","integer" ]

      }
}
output {
        #stdout { codec => rubydebug}
        elasticsearch {
                hosts => "192.168.1.20:9200"
                index => "logstash-%{+YYYY.MM.dd}"
        }
}


本文出自 “枫林晚” 博客,请务必保留此出处http://fengwan.blog.51cto.com/508652/1755489

ELKStack实时分析Haproxy访问日志配置

标签:logstash elk

原文地址:http://fengwan.blog.51cto.com/508652/1755489

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!