nginx logs to ELK

nginx logs to ELK

1) Add this config to nginx
# cat /etc/nginx/conf.d/03-jsonformat.conf
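# $upstream_response_time is empty when the request was not proxied; map that to 0 so the
# nginx_response_time field is always present as a number. When several upstreams were
# tried nginx emits "t1, t2" (or "t1 : t2" after an internal redirect) and that string is
# passed through unchanged — the Logstash side has to split it.
map $upstream_response_time $temprt {
    default $upstream_response_time;
    "" 0;
}

# Access-log format for locations that are not proxied.
# escape=json makes nginx escape quotes, backslashes and control characters in every
# variable, so request-supplied values ($request, $request_uri, $http_host,
# $http_referer, $http_user_agent) cannot break out of the JSON structure of the line.
# Note: nginx_response_time is the upstream time ($temprt), not $request_time.
log_format json_main escape=json '{ "@timestamp": "$time_iso8601", '
    '"nginx_remote_addr": "$remote_addr", '
    '"nginx_server_addr": "$server_addr", '
    '"nginx_server_port": "$server_port", '
    '"nginx_server_name": "$server_name", '
    '"nginx_hostname": "$hostname", '
    '"nginx_http_host": "$http_host", '
    '"nginx_request": "$request", '
    '"nginx_request_method": "$request_method", '
    '"nginx_server_protocol": "$server_protocol", '
    '"nginx_request_url": "$request_uri", '
    '"nginx_url": "$uri", '
    '"nginx_status": "$status", '
    '"nginx_body_bytes_sent": "$body_bytes_sent", '
    '"nginx_bytes_sent": "$bytes_sent", '
    '"nginx_response_time": "$temprt", '
    '"nginx_http_referrer": "$http_referer", '
    '"nginx_http_user_agent": "$http_user_agent" }';

# Access-log format for proxy_pass locations: same fields as json_main plus the
# nginx_upstream_* fields. The multi-valued upstream variables are logged raw
# ("a, b" / "a : b") and are split per upstream in Logstash.
# "nginx_status" was missing from this format although json_main logs it; it is included
# here so 4xx/5xx filtering works the same way for proxied and non-proxied requests.
log_format json_upstream escape=json '{ "@timestamp": "$time_iso8601", '
    '"nginx_remote_addr": "$remote_addr", '
    '"nginx_server_addr": "$server_addr", '
    '"nginx_server_port": "$server_port", '
    '"nginx_server_name": "$server_name", '
    '"nginx_hostname": "$hostname", '
    '"nginx_http_host": "$http_host", '
    '"nginx_request": "$request", '
    '"nginx_request_method": "$request_method", '
    '"nginx_server_protocol": "$server_protocol", '
    '"nginx_request_url": "$request_uri", '
    '"nginx_url": "$uri", '
    '"nginx_status": "$status", '
    '"nginx_body_bytes_sent": "$body_bytes_sent", '
    '"nginx_bytes_sent": "$bytes_sent", '
    '"nginx_response_time": "$temprt", '
    '"nginx_http_referrer": "$http_referer", '
    '"nginx_http_user_agent": "$http_user_agent", '
    '"nginx_upstream_addr": "$upstream_addr", '
    '"nginx_upstream_status": "$upstream_status", '
    '"nginx_upstream_connect_time": "$upstream_connect_time", '
    '"nginx_upstream_response_time": "$upstream_response_time" }';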

2) Add this line to the nginx config

# Ships each access-log line to the Logstash udp input on port 5000; tag=nginx_json is the
# marker the Logstash gsub strips from the syslog header. Syslog from nginx travels over
# UDP: lines can be dropped or reordered under load and are neither authenticated nor
# encrypted in transit, so keep the ELK listener on a trusted network.
# Only json_main is wired up here; proxy_pass locations need their own
# "access_log ... json_upstream;" line, otherwise the nginx_upstream_* fields that the
# Logstash filter splits are never emitted.
access_log syslog:server=elk1.server:5000,tag=nginx_json json_main;

3) Add this config to logstash

# cat /etc/logstash/conf.d/nginx_json.conf
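input {
  # nginx sends the JSON access-log line over syslog/UDP. Nothing authenticates the
  # sender: any host that can reach this port can inject events that will be indexed as
  # nginx logs (and UDP source addresses are easily spoofed), so bind the listener to an
  # internal address and firewall the port to the nginx hosts.
  udp {
    # host => "<internal listener address>"   # without it the input binds all interfaces
    port => 5000
    type => "nginx_json"
    workers => 8
    receive_buffer_bytes => 33554432
    queue_size => 16384
  }
}

filter {
  if [type] == "nginx_json" {
    # Strip the syslog header up to the "nginx_json:" tag. The lazy quantifier stops at
    # the first tag; the greedy "^(.*)" used before ran to the LAST occurrence, so a
    # request carrying " nginx_json: {" in its URI or User-Agent would swallow part of
    # the JSON body and turn the event into a parse failure.
    mutate {
      gsub => [ "message", "^.*? nginx_json: {", "{" ]
      add_tag => "nginx_json"
    }

    json {
      source => "message"
    }

    # Field-level cleanup has to come AFTER the json filter: the nginx_upstream_* fields
    # do not exist before the line is parsed, so gsub/convert on them earlier were no-ops.
    # Multi-upstream values are "a, b" (or "a : b" after an internal redirect); the
    # separator is normalised on these fields only, not on the whole message, so
    # request-supplied strings (user agent, URI) stay exactly as nginx logged them.
    # The ":\d*" rule drops the port from each upstream address; it assumes IPv4
    # host:port upstreams (IPv6 or unix: sockets would be mangled).
    mutate {
      gsub => [
        "nginx_upstream_addr", " : ", ", ",
        "nginx_upstream_addr", ":\d*", "",
        "nginx_upstream_status", " : ", ", ",
        "nginx_upstream_connect_time", " : ", ", ",
        "nginx_upstream_response_time", " : ", ", "
      ]
    }

    geoip {
      # nginx_remote_addr is the TCP peer; behind a load balancer or CDN this is the
      # proxy's address unless nginx restores the real client IP.
      source => "nginx_remote_addr"
      database => "/etc/logstash/GeoLite2-City.mmdb"
    }

    mutate {
      split => { "nginx_upstream_addr" => ", " }
      split => { "nginx_upstream_status" => ", " }
      split => { "nginx_upstream_connect_time" => ", " }
      split => { "nginx_upstream_response_time" => ", " }
    }

    # Fan each upstream array out into numbered scalar fields
    # (nginx_upstream_addr1, nginx_upstream_addr2, ...). A field that is still a plain
    # string (single upstream) is treated as a one-element list instead of raising.
    ruby {
      code => '
        %w[nginx_upstream_addr nginx_upstream_status nginx_upstream_connect_time nginx_upstream_response_time].each do |f|
          v = event.get(f)
          next if v.nil?
          Array(v).each_with_index { |x, i| event.set("#{f}#{i + 1}", x) }
        end
      '
    }

    mutate {
      remove_field => [
        "@version",
        "input_type",
        "[beat]",
        "[geoip][continent_code]",
        "[geoip][country_code3]",
        "[geoip][ip]",
        "[geoip][postal_code]",
        "[geoip][region_code]",
        "[geoip][region_name]",
        "[geoip][timezone]",
        "offset",
        "timestamp",
        "nginx_upstream_addr",
        "nginx_upstream_connect_time",
        "nginx_upstream_response_time",
        "nginx_upstream_status"
      ]
    }

    # Drop the raw line only when it was parsed; on a parse failure the event carries
    # nothing but the message, so keeping it lets the failure be investigated.
    if "_jsonparsefailure" not in [tags] {
      mutate {
        remove_field => "message"
      }
    }
  }
}

output {
  # Guarded by type so this pipeline file does not capture events from other inputs.
  if [type] == "nginx_json" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "nginx-%{+YYYY.MM.dd}"
    }
  }
}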