Graylog服务配置
# Graylog服务配置
# 采集服务nxlog
# 安装nxlog
# nxlog文件配置
版本切换,点击左下角
nxlog配置官方文档
nxlog主要分为三个模块
1.input:第一个是读取日志的路径
2.output:将数据送到Remote Server
3.path:定义input和output的映射
- /etc/nxlog.conf
[root@basic ~]# cat /etc/nxlog.conf
# Global settings: the account the agent runs under, and where it writes its
# own diagnostic log (INFO level).
# NOTE(review): the nxlog account needs read access to every file named in
# the Input blocks of the included files - confirm ownership/modes there.
User nxlog
Group nxlog
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO
# GELF support (xm_gelf); the included outputs use OutputType GELF_TCP.
# ShortMessageLength sets the length limit applied to GELF's short_message.
<Extension _gelf>
Module xm_gelf
ShortMessageLength 65536
</Extension>
# Character-set conversion; AutodetectCharsets lists the candidate encodings.
<Extension charconv>
Module xm_charconv
AutodetectCharsets utf-8, euc-jp, utf-16, utf-32, iso8859-2, GBK
</Extension>
# Multi-line parser instance named "multiline". A record starts at a line
# matching HeaderLine: "[" digits-word-digits, hh:mm:ss, a word, "]".
# It is referenced by "InputType multiline" in the PHP error-log input.
<Extension multiline>
Module xm_multiline
HeaderLine /^\[\d+-\w+-\d+\s\d+:\d+:\d+\s\w+\]/
</Extension>
# Only the nginx/PHP routes are loaded; the Kafka routes are disabled.
include /etc/nxlog.d/nginx_php.conf
#include /etc/nxlog.d/kafka.conf
注意Output 里面的端口,需要对应 graylog-server 配置里面的input端口
- /etc/nxlog.d/nginx_php.conf
# in1: follow the nginx access log.
<Input in1>
Module im_file
File "/opt/logs/nginx/access.log"
# SavePos keeps the read offset across restarts; ReadFromLast starts at the
# end of the file when no saved offset exists, so old lines are not re-sent.
SavePos True
ReadFromLast True
Recursive True
RenameCheck False
# Poll the file for new data every second.
PollInterval 1
# Tag every record so Graylog streams can match on app/group/filename.
Exec $app = "nginx_access";
Exec $group = "sdk";
Exec $filename = file_name();
</Input>
# in2: follow the PHP error log; "InputType multiline" joins continuation
# lines using the xm_multiline instance declared in /etc/nxlog.conf.
<Input in2>
Module im_file
File "/opt/logs/nginx/php_errors.log"
InputType multiline
SavePos True
ReadFromLast True
Recursive True
RenameCheck False
PollInterval 1
Exec $app = "php_error";
Exec $group = "sdk";
Exec $filename = file_name();
</Input>
# One GELF-over-TCP output per log type. Each Port must equal the port of the
# matching GELF TCP input created in Graylog.
# NOTE(review): om_tcp sends records unencrypted and unauthenticated. Access
# and error logs usually carry client IPs, URLs and possibly request data;
# if the path to Graylog leaves a trusted network, a TLS output (om_ssl) with
# a TLS-enabled Graylog input is the usual alternative - confirm against the
# NXLog and Graylog documentation for the versions in use.
<Output out1>
Module om_tcp
Host 192.168.108.253
Port 8161
OutputType GELF_TCP
</Output>
<Output out2>
Module om_tcp
Host 192.168.108.253
Port 8162
OutputType GELF_TCP
</Output>
# Routes bind each input to its output.
<Route 1>
Path in1 => out1
</Route>
<Route 2>
Path in2 => out2
</Route>
- /etc/nxlog.d/kafka.conf
# NOTE(review): the include line for this file is commented out in
# /etc/nxlog.conf, so these routes are inactive until it is re-enabled.
# NOTE(review): om_kafka may not be shipped in every NXLog edition - confirm
# it is available in the build being deployed.
#
# in101: today's gift statistics file; the name is built at run time from the
# current date (stat + YYYYMMDD + .log). Unlike in103, no $app/$group/$filename
# fields are added to its records.
<Input in101>
Module im_file
File "/opt/logs/stat/gift/stat"+strftime(now(),"%Y%m%d")+".log"
SavePos True
ReadFromLast True
Recursive True
RenameCheck False
PollInterval 1
</Input>
# in103: every stat*.log under the show directory, tagged with app/group/filename.
<Input in103>
Module im_file
File "/opt/logs/stat/show/stat*.log"
SavePos True
ReadFromLast True
Recursive True
RenameCheck False
PollInterval 1
Exec $app = "billgift";
Exec $group = "game1";
Exec $filename = file_name();
</Input>
# Kafka outputs: one topic per input, snappy-compressed.
# NOTE(review): no TLS or authentication directives are set for the broker
# connection, so this presumably uses a plaintext listener - confirm, and
# restrict the broker port to trusted hosts if so.
<output outKafka1>
Module om_kafka
BrokerList 192.168.108.253:9092
Topic gift
#-- Partition - defaults to RD_KAFKA_PARTITION_UA
#-- Compression, one of none, gzip, snappy
Compression snappy
#Partition 6
</output>
<output outKafka3>
Module om_kafka
BrokerList 192.168.108.253:9092
Topic show
Compression snappy
</output>
# Routes bind each input to its Kafka output.
<Route 101>
Path in101 => outKafka1
</Route>
<Route 103>
Path in103 => outKafka3
</Route>
# 配置graylog数据流(Input)
- 添加input
- 配置GELF TCP input端口
注意:端口不能与已被占用的端口冲突;nxlog 配置里 Output 的 Port 要与这里的端口一致。
添加完,点击右边的 "start input"
# 添加规则
- 手动配置
- 指定列分割,比如message里面的数据是按空格分割
- 也可以导入json配置
System/Inputs =》 game-研发 =》 Manage extractors =》 Actions =》 Import extractors =》 写入json
- nginx 日志格式(注意:其中的 $request_body 会把请求体原文写入日志并随日志发送到 Graylog,请求体可能包含密码、令牌等敏感数据,生产环境建议去掉该变量或先做脱敏)
log_format main '$server_name ' '$remote_addr ' '$remote_port ' '[$time_local] ' '$request_time ' '$upstream_response_time ' '$status $body_bytes_sent ' '$request $request_body $http_referer ' '"$http_x_forwarded_for" ' '"$http_user_agent" ';
点击展开Nginx-版本:3.1.2
{
"extractors": [
{
"title": "http_x_forwarded_for",
"extractor_type": "split_and_index",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "http_x_forwarded_for",
"extractor_config": {
"index": 2,
"split_by": "\""
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "request_uri",
"extractor_type": "split_and_index",
"converters": [],
"order": 0,
"cursor_strategy": "cut",
"source_field": "message",
"target_field": "request_uri",
"extractor_config": {
"index": 11,
"split_by": " "
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "domain",
"extractor_type": "split_and_index",
"converters": [],
"order": 0,
"cursor_strategy": "cut",
"source_field": "message",
"target_field": "domain",
"extractor_config": {
"index": 1,
"split_by": " "
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "body_bytes_sent",
"extractor_type": "split_and_index",
"converters": [
{
"type": "numeric",
"config": {}
}
],
"order": 0,
"cursor_strategy": "cut",
"source_field": "message",
"target_field": "body_bytes_sent",
"extractor_config": {
"index": 9,
"split_by": " "
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "request_time",
"extractor_type": "split_and_index",
"converters": [
{
"type": "numeric",
"config": {}
}
],
"order": 0,
"cursor_strategy": "cut",
"source_field": "message",
"target_field": "request_time",
"extractor_config": {
"index": 6,
"split_by": " "
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "upstream_response_time",
"extractor_type": "split_and_index",
"converters": [],
"order": 0,
"cursor_strategy": "cut",
"source_field": "message",
"target_field": "upstream_response_time",
"extractor_config": {
"index": 7,
"split_by": " "
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "request_body",
"extractor_type": "split_and_index",
"converters": [],
"order": 0,
"cursor_strategy": "cut",
"source_field": "message",
"target_field": "request_body",
"extractor_config": {
"index": 13,
"split_by": " "
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "http_referer",
"extractor_type": "split_and_index",
"converters": [],
"order": 0,
"cursor_strategy": "cut",
"source_field": "message",
"target_field": "http_referer",
"extractor_config": {
"index": 14,
"split_by": " "
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "http_method",
"extractor_type": "split_and_index",
"converters": [],
"order": 0,
"cursor_strategy": "cut",
"source_field": "message",
"target_field": "http_method",
"extractor_config": {
"index": 10,
"split_by": " "
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "server_ip",
"extractor_type": "split_and_index",
"converters": [],
"order": 0,
"cursor_strategy": "cut",
"source_field": "message",
"target_field": "remote_addr",
"extractor_config": {
"index": 2,
"split_by": " "
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "http_code",
"extractor_type": "split_and_index",
"converters": [],
"order": 0,
"cursor_strategy": "cut",
"source_field": "message",
"target_field": "http_code",
"extractor_config": {
"index": 8,
"split_by": " "
},
"condition_type": "none",
"condition_value": ""
}
],
"version": "3.1.2"
}
# 配置graylog索引(Indices)
- 创建索引,默认有三个索引
- 配置索引名
# 配置graylog流(Streams)
# 创建streams
配置完,点击"start stream"
# 管理Streams规则,根据日志标签做匹配
# 查看Stream数据
Nxlog Input新写入数据到对应的"/opt/logs/nginx/access.log",如果配置正常会看到 右上角 in /out 数值有变化
个人觉得3.1.2的版本查看流更直观
- 3.1.2版本
- 4.2.XX版本
- 按条件查询
message:000000000000000000000002
message:000000000000000000000002 and server_ip:192.168.108.253
message:000000000000000000000002 and NOT _exists_:body_bytes_sent
3.1 —— 查询示例
# 收集Nginx pod日志
简单描述一下过程
重新定制nginx镜像:新增一行 access_log,把日志输出到指定目录(本文使用 /opt);默认的日志路径不改动
通过边车模式,把nginx容器和nxlog容器运行在一个pod里面,同时共享 /opt 目录
修改nxlog的路由配置
可以借鉴这个deployment的卷挂载方式:emptyDir: {}
# 制作 Nxlog 镜像
nxlog 启动用户id 101 ,需要和nginx用户id 101 一致
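# NXLog Community Edition sidecar image.
# NOTE(review): ":latest" is a moving tag, so a rebuild can silently pick up a
# different NXLog release. Pinning a fixed tag (the commented line below shows
# one) or an image digest keeps builds reproducible and reviewable.
FROM nxlog/nxlog-ce:latest
#FROM nxlog/nxlog-ce:3.2.2329 # pinned NXLog version
# Root is needed only for the UID change below.
USER root
# Renumber the nxlog account to UID 101 and hand it the directories named
# here, using the portable "owner:group" separator for chown.
RUN usermod -u 101 nxlog && chown -R 101:101 /var/log/nxlog /run/nxlog /var/spool/nxlog
# Drop back to the unprivileged UID, which must equal the UID the nginx
# container uses for the shared log files.
USER 101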
# 制作 Nginx 镜像
点击展开Dockerfile制作基础nginx镜像
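# nginx base image, pinned to a fixed version tag.
FROM nginx:1.23.2
# Build-time only: stops apt/dpkg from prompting during package installation.
ARG DEBIAN_FRONTEND=noninteractive
ENV TZ=Asia/Shanghai
COPY ./logrotate-nginx.conf /etc/logrotate-nginx.conf
# COPY instead of ADD: a plain local file needs none of ADD's URL/archive handling.
COPY ./docker-entrypoint.sh /docker-entrypoint.sh
# Single layer: point apt at the TUNA mirror (security updates stay on
# security.debian.org), install tzdata, cron and logrotate with one apt-get
# call, set the time zone, and register the nightly rotation job.
# NOTE(review): the job is installed with "crontab", i.e. into the crontab of
# the user running this build step. The same file is also left in /etc/cron.d/,
# where entries normally carry a user field - confirm that copy is harmless.
RUN rm /etc/apt/sources.list \
    && echo "deb https://mirrors.tuna.tsinghua.edu.cn/debian/ bullseye main contrib non-free" >> /etc/apt/sources.list \
    && echo "deb https://mirrors.tuna.tsinghua.edu.cn/debian/ bullseye-updates main contrib non-free" >> /etc/apt/sources.list \
    && echo "deb https://mirrors.tuna.tsinghua.edu.cn/debian/ bullseye-backports main contrib non-free" >> /etc/apt/sources.list \
    && echo "deb https://security.debian.org/debian-security bullseye-security main contrib non-free" >> /etc/apt/sources.list \
    && apt-get update --fix-missing \
    && apt-get install --no-install-recommends -y tzdata cron logrotate \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* \
    && ln -snf "/usr/share/zoneinfo/$TZ" /etc/localtime && echo "$TZ" > /etc/timezone \
    && echo '5 0 * * * /usr/sbin/logrotate -f /etc/logrotate-nginx.conf >/var/log/cutnginx.log &' > /etc/cron.d/nginx \
    && crontab /etc/cron.d/nginx \
    && chmod +x /docker-entrypoint.sh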
点击展开docker-entrypoint.sh
#!/bin/sh
# vim:sw=4:ts=4:et
# Abort the entrypoint as soon as any unchecked command exits non-zero.
set -o errexit
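# Print one log line unless quiet mode is enabled.
# Globals:   NGINX_ENTRYPOINT_QUIET_LOGS (read) - any non-empty value silences output
# Arguments: the message words; they are joined with the first IFS character
#            (a space by default)
# Outputs:   the message followed by a newline on stdout
entrypoint_log() {
    if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
        # printf rather than echo: the messages embed file names taken from
        # /docker-entrypoint.d/, and echo may treat a leading "-n" as an
        # option or expand backslash sequences, depending on the shell.
        printf '%s\n' "$*"
    fi
}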
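# Run the start-up hooks only when the container command is nginx itself.
# Two separate tests replace the obsolescent "-o" operator, whose parsing is
# ambiguous when "$1" happens to look like a test operator.
if [ "$1" = "nginx" ] || [ "$1" = "nginx-debug" ]; then
    # Existence check: find prints the first regular file directly inside
    # /docker-entrypoint.d/ and quits; read succeeds only if a line arrived.
    if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
        entrypoint_log "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"

        entrypoint_log "$0: Looking for shell scripts in /docker-entrypoint.d/"
        # Hooks are processed in version-sorted order. Unlike the existence
        # check above, this find has no depth limit and follows symlinks.
        # NOTE(review): every executable *.envsh / *.sh found here is sourced
        # or executed with the privileges of this script, so the directory
        # should be writable only while the image is built.
        find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
            case "$f" in
                *.envsh)
                    if [ -x "$f" ]; then
                        entrypoint_log "$0: Sourcing $f"
                        # Sourced into the loop's shell, not run as a child.
                        . "$f"
                    else
                        # warn on shell scripts without exec bit
                        entrypoint_log "$0: Ignoring $f, not executable"
                    fi
                    ;;
                *.sh)
                    if [ -x "$f" ]; then
                        entrypoint_log "$0: Launching $f"
                        "$f"
                    else
                        # warn on shell scripts without exec bit
                        entrypoint_log "$0: Ignoring $f, not executable"
                    fi
                    ;;
                *) entrypoint_log "$0: Ignoring $f" ;;
            esac
        done

        entrypoint_log "$0: Configuration complete; ready for start up"
    else
        entrypoint_log "$0: No files found in /docker-entrypoint.d/, skipping configuration"
    fi
fi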
# Added line: start the cron daemon so the scheduled job cleans up logs periodically.
# NOTE(review): errexit is enabled at the top of this script, so a failure to
# start cron ends the script before the container command is exec'd - confirm
# that is the intended behaviour.
/usr/sbin/cron
# Replace this shell with the container command passed as arguments.
exec "$@"
点击展开logrotate-nginx.conf
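# Global defaults for the block below.
# Rotate once a day and keep a single rotated copy.
daily
rotate 1
create
# Name rotated files with a date suffix instead of a counter.
dateext
# A missing log file is not an error; empty logs are not rotated.
missingok
notifempty
# NOTE(review): delaycompress only has an effect together with "compress",
# which is not enabled in this file.
delaycompress
/var/log/nginx/*.log /opt/*.log {
    # Rotate as user root, group nginx.
    su root nginx
    # Recreate each log with mode 640, owner nginx, group nginx.
    create 640 nginx nginx
    # Run postrotate once for all matched logs rather than once per file.
    sharedscripts
    postrotate
        # Signal nginx with USR1 after rotation. The if-form (instead of
        # "[ -f ... ] && kill") keeps the script's exit status 0 when the
        # pid file is absent.
        if [ -f /var/run/nginx.pid ]; then
            kill -USR1 "$(cat /var/run/nginx.pid)"
        fi
    endscript
}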
# 配置nxlog 日志采集路由模块
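# Sidecar input: follow every *.log file in the /opt directory.
<Input in1>
Module im_file
File "/opt/*.log"
# SavePos keeps the read offset across restarts; ReadFromLast starts at the
# end of a file when no saved offset exists.
SavePos True
ReadFromLast True
Recursive True
RenameCheck False
# Poll for new data every second.
PollInterval 1
# Tag each record with its source file, application and group.
Exec $filename = file_name();
Exec $app = "nginx_access";
Exec $group = "mes_hr";
# Discard records whose raw line contains LOAD_COUNT_BY_USER.
Exec if ($raw_event =~ /LOAD_COUNT_BY_USER/) drop();
# InputType multiline_nginx
</Input>
# NOTE(review): om_tcp sends GELF unencrypted and unauthenticated; if the pod
# and the Graylog host are not on a trusted network, consider a TLS output
# (om_ssl) with a TLS-enabled Graylog input - confirm for the versions in use.
<Output out1>
Module om_tcp
Host 10.203.3.89
# Must match the port of the corresponding Graylog input. The remark sits on
# its own line because a trailing "#..." after a value may be read as part of
# the value rather than as a comment.
Port 40020
OutputType GELF_TCP
</Output>
<Route 1>
Path in1 => out1
</Route>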
上次更新: 2023/11/03, 11:36:48