打扰各位
Mar 27 23:23:42 192.168.0.96 {"@timestamp": "2017-03-27T23:23:42+08:00","host":"192.168.0.95","clientip":"36.149.14.104","size":420,"responsetime":0.021,"upstreamtime":"0.021","upstreamhost":"192.168.0.209:80","http_host":"www.test.com","url":"/assistant/ass/im/friendinfo.json","xff":"-","referer":"-","agent":"/5.0.7 te; iOS 10.2.1; Scal
e/2.00)","status":"200"}
这是我通过Rsyslog把nginx json日志打到ELK的log。
NGINX配置如下:
logformat json '{"@timestamp":"$time_iso8601",'
'"@version":"1",'
'"host":"$server_addr",'
'"client":"$remote_addr",'
'"size":$body_bytes_sent,'
'"responsetime":$request_time,'
'"domain":"$host",'
'"url":"$uri",'
'"status":"$status"}';
access_log /var/log/nginx/access.log_json json;
然后logstash 配置:
filter {
json {
source => "message"
target => "jsoncontent"
}
}
按道理能output出message的格式化字段啊,为什么我依旧是输出整条message?
