Elasticsearch + Fluentd + Kibana

Installation && Configuration

nginx

  • nginx.conf


    http {
    ...
    # Custom access-log format used by the /log/push location below.
    # $request_body writes the raw POST body into the log line. nginx escapes '"'
    # and non-printable bytes as \xHH (the sample access_log entry on this page
    # shows \x22 for '"'), so the stored body is not literally the JSON the client
    # sent and needs unescaping before it can be parsed downstream.
    # NOTE(review): $request_body is presumably only filled once nginx has read
    # the body (here because the location proxies the request) — confirm.
    log_format logdata '$remote_addr [$time_iso8601] '
    '"$request" $status $body_bytes_sent '
    '"$http_user_agent" "$request_body"';
    ...
    }
  • sites/casndy.conf

    ...

    # Ingest endpoint: each request is logged with the logdata format (so the
    # POST body ends up in candy_access.log) and then handed to the internal
    # /postdata location; presumably the proxy step is what makes nginx read
    # the body so $request_body is populated (the trick from the linked answer).
    location /log/push {
    access_log /var/log/nginx/candy_access.log logdata;
    # NOTE(review): the test on this page answers 404 — proxying to 127.0.0.1
    # reaches whichever server block answers for Host: 127.0.0.1, which may not
    # be this site; confirm /postdata is reachable via that upstream.
    # This endpoint is unauthenticated and writes whatever it receives to disk;
    # bounding the body (client_max_body_size) and who can reach it is worth
    # considering.
    proxy_pass http://127.0.0.1/postdata;
    }

    # Internal sink for /log/push; only exists so the request body is consumed.
    location = /postdata {
    # turn off logging here to avoid double logging
    access_log off;
    return 200;
    }
    # https://stackoverflow.com/questions/17609472/really-logging-the-post-request-body-instead-of-with-nginx

    ...
    • test
    $ curl -H 'Content-Type: application/json' -X POST http://candylog.local.cd/log/push -d '{"error":"test error"}'
    <html>
    <head><title>404 Not Found</title></head>
    <body>
    <center><h1>404 Not Found</h1></center>
    <hr><center>nginx</center>
    </body>
    </html>
    • access_log
    172.20.0.1 - - [15/Nov/2018:18:10:17 +0000] "POST /log/push HTTP/1.1" 404 146 "-" "curl/7.58.0" "{\x22error\x22:\x22test error\x22}"

fluentd

  • fluent.conf

# Tail the nginx access log written by the /log/push location and ship each
# parsed line to Elasticsearch.
<source>
@type tail
tag nginx.access
# NOTE(review): there are two `format` lines here — the built-in nginx parser and
# a custom regex. Only one can be in effect; which one the running fluentd
# honours is not clear from this file. The custom regex is the one that fits
# the logdata format defined in nginx.conf; drop the other once confirmed.
format nginx
# Fields of the logdata format: remote addr, [time], "request", status, bytes,
# "agent", "{json body}". The body is captured as nginx wrote it, i.e. with
# \xHH escapes (the sample log line shows \x22 for '"'), so `message` is not
# parseable JSON unless it is unescaped first.
# NOTE(review): the sample access_log entry on this page is in nginx's default
# combined format ('- -' after the address, '[15/Nov/2018:18:10:17 +0000]' with
# a space inside the brackets, a "-" referer), which this pattern would not
# match — confirm the log is actually written with the logdata format.
format /^(?<remote>[0-9\.]{7,17}) \[(?<time>[^ ]+)\] "([^"]+)" [0-9]{3} [0-9]+ "(?<agent>[^"]+)" "(?<message>{.*})"$/
path /var/log/nginx/candy_access.log
pos_file /var/log/nginx/candy_access.log.pos
</source>

# Forward every tagged record to Elasticsearch using logstash-style index names.
<match **>
@type elasticsearch
# No scheme, user or password is configured, so this presumably talks plain
# HTTP to elasticsearch:9200 — acceptable only if that port is not reachable
# beyond the container network; confirm.
host elasticsearch
port 9200
logstash_format true
flush_interval 5s
#index_name fluentd
type_name fluentd
</match>