ELK configuration and notes

This is my ELK setup for collecting nginx logs; it is used to count requests per endpoint and to find endpoints with slow responses.

nginx log format:

The nginx access log is written as JSON, using the log_format below. The original post shows only the format body; the `log_format` directive, the name `json_log` and `escape=json` (nginx 1.11.8 and later) are added here, because without `escape=json` a double quote in `$query_string` or in a client-supplied header breaks the JSON line. `$http_token` and `$http_network` read the request headers `Token` and `Network`; `$cookie_token` reads the `token` cookie.

    log_format json_log escape=json
        '{"@timestamp":"$time_iso8601",'
        '"body_size":$body_bytes_sent,'
        '"token":"$http_token",'
        '"cookie_token":"$cookie_token",'
        '"parameters":"$query_string",'
        '"request_time":$request_time,'
        '"request_length":$request_length,'
        '"server":"$upstream_addr",'
        '"method":"$request_method",'
        '"url":"$uri",'
        '"upstream_header_time":"$upstream_header_time",'
        '"upstream_response_time":"$upstream_response_time",'
        '"upstream_connect_time":"$upstream_connect_time",'
        '"network":"$http_network",'
        '"status":"$status"}';

A few of the timing fields deserve explanation:

request_time
    Measured from the moment nginx receives the first byte of the client's request until it sends the last byte of the response. It can be taken as a rough total for the client's request (strictly, the time to establish the HTTP connection should be added).

upstream_connect_time
    Time for nginx to establish a connection to the upstream (the service nginx proxies).

upstream_header_time
    From nginx establishing the connection to the upstream until it receives the first byte of the upstream response. Roughly: upstream_header_time = service processing time + upstream_connect_time.

upstream_response_time
    From nginx establishing the connection to the upstream until it receives the last byte of the upstream response. Roughly: upstream_response_time = upstream_connect_time + service processing time + time for the upstream to transfer the result to nginx.

Note that these three upstream times can each contain several values separated by commas, because nginx may retry on another upstream; every attempt adds a value.
For example, "123,23" means the first upstream request failed and nginx retried on the second upstream.

Logstash configuration

input {
  file {
    path => "/var/log/nginx/access.log"
    codec => "json"
    # tag each event with the host that produced it; "nginxip" is a placeholder
    add_field => { "nginx" => "nginxip" }
  }
}

filter {
  # Convert seconds to milliseconds. The upstream_* fields can hold several
  # comma-separated values when nginx retried another upstream; only the first
  # attempt is kept. (event['x'] is the Logstash 2.x event API; on 5.x and
  # later use event.get('x') / event.set('x', v).)
  ruby {
    code => "
      event['request_time'] = event['request_time'].to_f * 1000;
      event['upstream_header_time'] = event['upstream_header_time'].split(',').first.to_f * 1000;
      event['upstream_response_time'] = event['upstream_response_time'].split(',').first.to_f * 1000;
      event['upstream_connect_time'] = event['upstream_connect_time'].split(',').first.to_f * 1000;
    "
  }

  # Prefer the Token header; fall back to the token cookie when the header is absent.
  if [token] == "" or [token] == "-" {
    mutate {
      replace => { "token" => "%{cookie_token}" }
      remove_field => ["cookie_token"]
    }
  } else {
    mutate {
      remove_field => ["cookie_token"]
    }
  }
}

output {
  elasticsearch {
    hosts => ["es-host-1:9200", "es-host-2:9200"]   # placeholders: one or more ES hosts
    index => "logstash-nginx-%{+YYYY.MM}"
    # must match the mapping type name used in the index template below;
    # the plugin's default type is "logs", which that template would not cover
    document_type => "logstash-nginx"
  }
}

Elasticsearch configuration

nginx log index template (order 1, so it is merged on top of Logstash's default template, which already maps `@timestamp` as a date; the `date` property below does not correspond to any field emitted by the log format above):

{
  "template": "logstash-nginx-*",
  "order": 1,
  "settings": {
    "number_of_shards": 2,
    "number_of_replicas": 0
  },
  "mappings": {
    "logstash-nginx": {
      "_source": {
        "enabled": true
      },
      "_all": {
        "enabled": false
      },
      "properties": {
        "date": {
          "type": "date",
          "index": "not_analyzed",
          "doc_values": true,
          "format": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"
        },
        "body_size": {
          "type": "integer",
          "index": "not_analyzed",
          "doc_values": true
        },
        "request_time": {
          "type": "integer",
          "index": "not_analyzed",
          "doc_values": true
        },
        "server": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": true
        },
        "method": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": true
        },
        "url": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": true
        },
        "status": {
          "type": "integer",
          "index": "not_analyzed",
          "doc_values": true
        },
        "token": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": true
        },
        "nginx": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": true
        },
        "parameters": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": true
        },
        "request_length": {
          "type": "integer",
          "index": "not_analyzed",
          "doc_values": true
        },
        "upstream_header_time": {
          "type": "integer",
          "index": "not_analyzed",
          "doc_values": true
        },
        "upstream_response_time": {
          "type": "integer",
          "index": "not_analyzed",
          "doc_values": true
        },
        "upstream_connect_time": {
          "type": "integer",
          "index": "not_analyzed",
          "doc_values": true
        },
        "network": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": true
        }
      }
    }
  }
}

Grafana

I did not use Kibana because I am more familiar with Grafana, and Grafana supports many data sources, so the data source can be switched later with little effort; in other words, it is easier to extend.

Grafana queries Elasticsearch directly using Lucene syntax.
For example, to find endpoints with slow responses (600 ms and above, since the filter stored the times in milliseconds): upstream_response_time:[600 TO 1000000000] AND status:200
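As an added example (my code, not from the post), the Logstash filter logic above and the Grafana slow-endpoint query rewritten as stand-alone Ruby over three constructed log lines in the JSON format above, so the handling of retried upstreams (comma-separated values) and of requests that never reached an upstream ("-") can be checked offline:

```ruby
require 'json'

# Constructed sample lines in the post's JSON log_format (not real traffic).
# Line 2 is a request nginx retried on a second upstream; line 3 is a static
# file served by nginx itself, where every upstream_* field is "-".
SAMPLE_LOG = <<~LOG
  {"@timestamp":"2020-01-01T10:00:00+08:00","body_size":512,"token":"abc","cookie_token":"-","parameters":"id=1","request_time":0.012,"request_length":300,"server":"10.0.0.5:8080","method":"GET","url":"/api/user","upstream_header_time":"0.010","upstream_response_time":"0.011","upstream_connect_time":"0.001","network":"wifi","status":"200"}
  {"@timestamp":"2020-01-01T10:00:01+08:00","body_size":2048,"token":"","cookie_token":"cookie-xyz","parameters":"","request_time":0.850,"request_length":400,"server":"10.0.0.5:8080, 10.0.0.6:8080","method":"POST","url":"/api/order","upstream_header_time":"0.123, 0.023","upstream_response_time":"0.800, 0.045","upstream_connect_time":"0.100, 0.002","network":"4g","status":"200"}
  {"@timestamp":"2020-01-01T10:00:02+08:00","body_size":100,"token":"-","cookie_token":"-","parameters":"","request_time":0.001,"request_length":120,"server":"-","method":"GET","url":"/static/logo.png","upstream_header_time":"-","upstream_response_time":"-","upstream_connect_time":"-","network":"wifi","status":"304"}
LOG

UPSTREAM_TIMES = %w[upstream_header_time upstream_response_time upstream_connect_time].freeze

# Convert one nginx timing value to integer milliseconds (the template maps
# these fields as integer). nginx joins retried attempts with ", ", so only the
# first attempt is kept, as in the Logstash filter; "-" (no upstream) becomes
# nil instead of the 0 that "-".to_f would give.
def to_ms(value)
  first = value.to_s.split(',').first.to_s.strip
  return nil if first.empty? || first == '-'
  (first.to_f * 1000).round
end

# Mirror of the Logstash filter: normalise timings, fall back to cookie_token.
def normalise(event)
  event = event.dup
  event['request_time'] = to_ms(event['request_time'])
  UPSTREAM_TIMES.each { |k| event[k] = to_ms(event[k]) }
  if event['token'].nil? || event['token'] == '' || event['token'] == '-'
    event['token'] = event['cookie_token']
  end
  event.delete('cookie_token')
  event['status'] = event['status'].to_i
  event
end

def parse_log(text)
  text.each_line.map { |line| normalise(JSON.parse(line)) }
end

# Same selection as the Grafana query above:
# upstream_response_time:[600 TO 1000000000] AND status:200
def slow_requests(events, threshold_ms = 600)
  events.select { |e| e['status'] == 200 && !e['upstream_response_time'].nil? && e['upstream_response_time'] >= threshold_ms }
end

# Requests per url, the other statistic the setup is built for.
def hits_per_url(events)
  events.each_with_object(Hash.new(0)) { |e, acc| acc[e['url']] += 1 }
end
```

Unlike the `.to_f` in the Logstash filter, which turns "-" into 0 and makes static files look like instant upstream responses, `to_ms` keeps such requests out of the upstream statistics as nil.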
