需求
初步想法是用Nginx將所有服務的請求輸出到日志,再由收集器將日志 收集起來->解析->存儲。收集所有服務的請求日志,存儲以供后續使用。
使用ES家族的 filebeat 收集NG日志,可是收集到的日志不太好解析,而且還增加個時間字段,轉換某些字段等操作,后來想法是再寫個服務(或Logstash)吧 Filebeat調這個服務,由這個服務做處理解析。但是又感覺太重了,偶然發現 ES 原生 已經支持數據處理(filter)了。
于是花了半天研究了下,下面把坑、和使用方法都記一下。
具體參考了優秀的這篇文章:
關于 Ingest Node/Pipeline 的詳解。贊!
https://www.felayman.com/articles/2017/11/24/1511527532643.html
還有官方文檔:
https://www.elastic.co/guide/en/elasticsearch/reference/current/handling-failure-in-pipelines.html
先看下效果吧:
【源】NG log
61.50.98.62 - [08/Jan/2019:13:11:09 +0800] "GET /images/index/img05_11.jpg HTTP/1.1" 200 312473 "http://vipcode.cn/" - 0.210 0.052 100.118.58.9:80 200 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3494.0 Safari/537.36
要做的事情:
- 增加 gmt_create 記錄數據時間。
- 將以空格分隔的NG日志 解析為 圖中的K->V
解決過程:
- create index ... 略過。
- 創建pipeline(processor)增加gmt_create
- 創建pipeline(processor)解析 ng log
2、3步最終是要合一起的,一個processor即增加了時間也解析了格式;可我初次試驗的時候是分開調試的。
其中用到了 set 和 grok (在上面的連接中有介紹)
_ingest/pipeline/nglogproc
這里坑有兩個,
- {{_ingest.timestamp}} 存到ES里的時間是UTC0的時間,晚于國內8小時。
- grok 的調試比較煩人,雖說寫比較容易,比對數據是最耗時的。
最后,post ES 處理保存數據:解決方案:
- 因為 _ingest.timestamp 是ES生成的,沒有找到通過哪個配置能修改,想了一晚上最后想編譯源碼解決去了。還好,不用管,Kibana會正常顯示、檢索。
- Grok語法和內置的表達式網上有很多,熟悉一下然后 根據這個調試器
http://grokdebug.herokuapp.com,一點點來吧。
沒有出錯就是文章開始的效果圖了,_ingest.timestamp 不會出錯,會出問題的多半出在grok和源數據不匹配的問題里,錯誤里會有部分提示。
One more thing, 貼出我的 grok
Log1:
112.17.88.223 - [08/Jan/2019:10:49:08 +0800] "GET /open_008/08_img6.png HTTP/1.1" 200 1445 "https://www.vipcd.com/_zh/open_008.min.css" - 0.005 0.004 59.110.185.113:80 200 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Log2:
39.104.152.143 - [08/Jan/2019:17:34:18 +0800] "GET / HTTP/1.1" 200 9262 "-" - 0.032 0.031 172.17.231.247:8080 200 Go-http-client/1.1
Log3:
39.82.11.241 - [22/Jan/2019:16:53:04 +0800] "GET /v1?uuid=vipcode2165376223244&uid=154814718762578s5dfaco&project=act&logType=pv&logVersion=1.0&refer=&ua=Mozilla%2F5.0%20(iPad%3B%20U%3B%20CPU%20OS%205_0%20like%20Mac%20OS%20X%3B%20en-us)%20AppleWebKit%2F534.46%20(KHTML%2C%20like%20Gecko)%20Version%2F5.1%20Mobile%2F9A334%20Safari%2F7534.48.3&subType=guangdiantong%7C%7ChasCode&screensize=w800||h1280&url=http%3A%2F%2Fact.vipcode.com%2Fmps%2Fproduce%2F1545381467902%2Fpc%2Findex.html%3FstClId%3D7%26sLClId%3D0%26plId%3D0%26unId%3D0%26kwd%3D%26lGPId%3D150%26acId%3D0%26pSId%3D28%26acPFlag%3D0%26sFFlag%3D0%26remark%3D113Lllq122105%26qz_gdt%3Df7mumxf7aaaoaehyrkya HTTP/1.1" 200 1 "http://act.vipcode.com/mps/produce/1545381467902/pc/index.html?stClId=7&sLClId=0&plId=0&unId=0&kwd=&lGPId=150&acId=0&pSId=28&acPFlag=0&sFFlag=0&remark=113Lllq122105&qz_gdt=f7mumxf7aaaoaehyrkya" - 0.000 - - - Mozilla/5.0 (iPad; U; CPU OS 5_0 like Mac OS X; en-us) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3
Grok:
%{IP:client} %{USER:user} \[%{HTTPDATE:http_date}\] \"%{WORD:method} %{NOTSPACE:http_uri} HTTP/%{NUMBER:http_ver}\" %{NUMBER:http_st_ng} %{NUMBER:bytes} \"(?<referer>https?://[^ ]+|-)\" (?<x_forwarded_for>[0-9]+(\.[0-9]+){3}(?:, [0-9]+(\.[0-9]+){3})*|-) %{NUMBER:rsp_time1} (?:%{NUMBER:rsp_time2}|-) (?<target_server>[0-9]+(\.[0-9]+){3}(:[0-9]+)?|-) (?:%{NUMBER:http_st_server}|-) (?<u_agent>.*$)
nglogproc Pipleline:
{
"description": "nginx log processor",
"processors": [
{
"grok": {
"field": "message",
"patterns": [
"%{IP:client} %{USER:user} \\[%{HTTPDATE:http_date}\\] \"%{WORD:method} %{NOTSPACE:http_uri} HTTP/%{NUMBER:http_ver}\" %{NUMBER:http_st_ng} %{NUMBER:bytes} \"(?<referer>[^\"]+|-)\" (?<x_forwarded_for>[0-9]+(\\.[0-9]+){3}(?:, [0-9]+(\\.[0-9]+){3})*|-) %{NUMBER:rsp_tn} (?<rsp_ts>[0-9.]+(, [0-9.]+)*|-) (?<tar_server>[0-9]+(\\.[0-9]+){3}(:[0-9]+)?(, ([0-9]+(\\.[0-9]+){3}(:[0-9]+)?))*|-) (?<http_st_server>[0-9]+(, [0-9]+)*|-) (?<u_agent>.*$)"
],
"on_failure": [
{
"set": {
"field": "g_err0",
"value": "{{_ingest.on_failure_message }}"
}
}
]
}
},
{
"set": {
"field": "gmt_create",
"value": "{{_ingest.timestamp}}"
}
},
{
"grok": {
"field": "http_uri",
"patterns": [
"/v\\d+\\?uuid=(?<uuid>[^&]*+)&uid=(?<uid>[^&]*+)&project=(?<project>[^&]*+)&logType=(?<logType>[^&]*+)&logVersion=(?<logVersion>[^&]*+)&refer=(?<refer>[^&]*+)&ua=(?<ua>[^&]*+)&subType=(?<subType>[^&]*+)&screensize=(?<screensize>[^&]*+)&url=(?<url>.*+$)"
],
"on_failure": [
{
"set": {
"field": "g_err1",
"value": "{{_ingest.on_failure_message }}"
}
}
]
}
},
{
"urldecode": {
"field": "ua",
"on_failure": [
{
"set": {
"field": "g_err2",
"value": "{{_ingest.on_failure_message }}"
}
}
]
}
},
{
"urldecode": {
"field": "url",
"on_failure": [
{
"set": {
"field": "g_err2",
"value": "{{_ingest.on_failure_message }}"
}
}
]
}
},
{
"urldecode": {
"field": "screensize",
"on_failure": [
{
"set": {
"field": "g_err2",
"value": "{{_ingest.on_failure_message }}"
}
}
]
}
},
{
"urldecode": {
"field": "subType",
"on_failure": [
{
"set": {
"field": "g_err2",
"value": "{{_ingest.on_failure_message }}"
}
}
]
}
}
]
}
這種方式的好處是非常簡便,缺點是容錯率非常低對格式有著嚴格的要求。
不過慶幸的是其提供了“當錯誤發生時你要做的事情 —— on_failure ”
Filebeat 使用 Pipeline
http://www.axiaoxin.com/article/236/
在FB配置文件中增加配置即可。
