Hello, I have the following line in a log file:

```
2018/05/11 23:08:28 [error] 53734#53734: *621532077 upstream prematurely closed connection while reading response header from upstream, client: 192.168.22.10, server: www.testserver.pt, request: "GET /methods/userinfo.ashx/getUserOpenBetsData? HTTP/2.0", upstream: "https://188.11.2.3:443/methods/userinfo.ashx/getUserOpenBetsData?", host: "www.testserver.pt", referrer: "https://www.testserver.pt/"
```

I am trying to parse it with the grok below:
```
input {
  beats {
    port => "5044"
  }
}
filter {
  grok {
    match => { "message" => '%{F_TIMESTAMP: timestamp} \[%{DATA:Message_type}\] %{DATA:EventId}\: \*%{NUMBER:Secondaryid} %{GREEDYDATA:Message}, client: %{IP:origin}, server: %{URIHOST:domain}, request: "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}", upstream: %{QS:userRequest}, host: "%{URIHOST:host}", referrer: %{QS:referrer}' }
  }
  date {
    locale => "en"
    match => ["timestamp", "YYYY/MM/dd HH:mm:ss"]
    target => "@timestamp"
  }
}
output {
  elasticsearch {
    hosts => [ "localhost:9200" ]
    index => "logstash-%{+YYYY.MM.dd.HH}"
    user => "elastic"
    password => "changeme"
  }
}
```

This is not doing the trick.
Posted on 2018-05-15 22:03:32
A simple Google search shows that this is an NGINX log. You can use the grok pattern below:

```
(?<timestamp>%{YEAR}[./]%{MONTHNUM}[./]%{MONTHDAY} %{TIME}) \[%{LOGLEVEL:severity}\] %{POSINT:pid}#%{NUMBER:threadid}\: \*%{NUMBER:connectionid} %{GREEDYDATA:errormessage}, client: %{IP:client}, server: %{GREEDYDATA:server}, request: %{GREEDYDATA:request}
```

Output:
```
{
  "timestamp": [["2018/05/11 23:08:28"]],
  "YEAR": [["2018"]],
  "MONTHNUM": [["05"]],
  "MONTHDAY": [["11"]],
  "TIME": [["23:08:28"]],
  "HOUR": [["23"]],
  "MINUTE": [["08"]],
  "SECOND": [["28"]],
  "severity": [["error"]],
  "pid": [["53734"]],
  "threadid": [["53734"]],
  "BASE10NUM": [["53734", "621532077"]],
  "connectionid": [["621532077"]],
  "errormessage": [["upstream prematurely closed connection while reading response header from upstream"]],
  "client": [["192.168.22.10"]],
  "IPV6": [[null]],
  "IPV4": [["192.168.22.10"]],
  "server": [["www.testserver.pt"]],
  "request": [[""GET /methods/userinfo.ashx/getUserOpenBetsData? HTTP/2.0", upstream: "https://188.11.2.3:443/methods/userinfo.ashx/getUserOpenBetsData?", host: "www.testserver.pt", referrer: "https://www.testserver.pt/""]]
}
```

You can test it here.

Also have a look at the following example on GitHub for parsing nginx error logs.

Hope this helps.
https://stackoverflow.com/questions/50355320
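As an added example that is not part of the question or the answer above, the following Python regex captures the same fields as the grok pattern (timestamp, level, pid, thread id, connection id, message, client, server, request) and also keeps the trailing upstream, host and referrer context separate, treating each context field as optional because nginx only writes the ones that apply. The sample lines, the names `parse_nginx_error` and `event_timestamp`, and the second log line are constructed for this example.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed sample lines: the first mirrors the line from the question, the
# second is a shorter nginx error line without "upstream:" or "referrer:".
SAMPLE_LINE = (
    '2018/05/11 23:08:28 [error] 53734#53734: *621532077 upstream prematurely '
    'closed connection while reading response header from upstream, '
    'client: 192.168.22.10, server: www.testserver.pt, '
    'request: "GET /methods/userinfo.ashx/getUserOpenBetsData? HTTP/2.0", '
    'upstream: "https://188.11.2.3:443/methods/userinfo.ashx/getUserOpenBetsData?", '
    'host: "www.testserver.pt", referrer: "https://www.testserver.pt/"'
)
SHORT_LINE = (
    '2018/05/11 23:09:01 [warn] 53734#53734: *621532099 a client request body '
    'is buffered to a temporary file /var/cache/nginx/client_temp/0000000001, '
    'client: 192.168.22.11, server: www.testserver.pt, '
    'request: "POST /upload HTTP/1.1", host: "www.testserver.pt"'
)

# Regex equivalent of the grok pattern: timestamp, level, pid#tid, *connection id,
# free-text message, then the context fields nginx appends. Every context field is
# optional; the lazy message group ends where the first context field begins.
NGINX_ERROR_RE = re.compile(
    r'^(?P<timestamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) '
    r'\[(?P<severity>\w+)\] (?P<pid>\d+)#(?P<tid>\d+): \*(?P<cid>\d+) '
    r'(?P<message>.*?)'
    r'(?:, client: (?P<client>[^,]+))?'
    r'(?:, server: (?P<server>[^,]+))?'
    r'(?:, request: "(?P<verb>\w+) (?P<request>[^"]*?) HTTP/(?P<httpversion>[\d.]+)")?'
    r'(?:, upstream: "(?P<upstream>[^"]*)")?'
    r'(?:, host: "(?P<host>[^"]*)")?'
    r'(?:, referrer: "(?P<referrer>[^"]*)")?$'
)


def parse_nginx_error(line: str) -> Optional[dict]:
    """Return the named fields of one nginx error-log line, or None if it does not match."""
    m = NGINX_ERROR_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    # Drop the optional groups that were absent so callers can test with `in`.
    return {k: v for k, v in m.groupdict().items() if v is not None}


def event_timestamp(fields: dict) -> datetime:
    """Same conversion the question's date filter does with "YYYY/MM/dd HH:mm:ss"."""
    return datetime.strptime(fields["timestamp"], "%Y/%m/%d %H:%M:%S")
```

Lines whose context fields are absent or ordered differently still parse, but the message group then absorbs whatever the optional tail cannot account for, which is worth checking when the parsed `message` looks longer than expected.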