Default log location
/usr/local/nginx/logs

Commonly used log_format variables in the configuration file
$request                 the request line: method, URI and HTTP protocol
$http_host               the requested host, i.e. the address typed into the browser (IP or domain name)
$status                  HTTP response status
$upstream_status         status returned by the upstream
$body_bytes_sent         size of the response body sent to the client
$http_referer            the URL the request came from (Referer header)
$http_user_agent         the client's browser / user agent string
$ssl_protocol            SSL/TLS protocol version
$ssl_cipher              cipher negotiated for the connection
$upstream_addr           address of the backend upstream, i.e. the host that actually served the request
$request_time            total time of the whole request
$upstream_response_time  time the upstream took to respond during the request
$time_local              request time in local time
$time_iso8601            request time in ISO 8601 format
$http_x_real_ip          the X-Real-IP request header, set by a proxy in front of nginx (client-controlled if no trusted proxy sets it)
$remote_addr             the client IP; its value is not supplied by the client but taken by the server from the connection's peer address
Setting the log format

Setting the log format to JSON

```nginx
# one quoted string per line: a single quoted string spanning several lines
# would write the line breaks into every log entry
log_format log_json '{"@timestamp": "$time_local","user_ip":"$http_x_real_ip","lan_ip":"$remote_addr",'
                    '"log_time":"$time_iso8601","user_req":"$request","http_code":"$status",'
                    '"body_bytes_sents":"$body_bytes_sent","req_time":"$request_time","user_ua":"$http_user_agent"}';
```

```nginx
# alternative definition with the same name: use one or the other, log_format names must be unique.
# Values are not JSON-escaped by default; nginx >= 1.11.8 accepts "escape=json" after the format name.
log_format log_json '{"@time": "$time_iso8601",'             # time
                    '"http_code":"$status",'                 # status
                    '"method":"$request_method",'            # request method
                    '"req_time":"$request_time",'            # request time
                    '"user_ip":"$http_x_real_ip",'           # client IP (X-Real-IP header); a space before '#' is required
                    '"lan_ip":"$remote_addr",'               # proxy / peer IP
                    '"user_req":"$request",'                 # request line: method and URI
                    '"body_bytes_sents":"$body_bytes_sent",' # response body bytes sent
                    '"send_b":"$bytes_sent",'                # total response size
                    '"ua":"$http_user_agent"}';              # browser identification
```
Setting the format to the one filebeat predefines

```nginx
log_format oo '$time_iso8601 '         # time
              '$status '               # status
              '$request_method '       # request method
              '$request_time '         # request time
              '$http_x_real_ip '       # client IP (X-Real-IP header)
              '$remote_addr '          # proxy / peer IP
              '"$request" '            # request line: method and URI
              '$body_bytes_sent '      # response body bytes sent
              '$bytes_sent '           # total response size
              '"$http_user_agent" ';   # browser identification
```
Scheduled log rotation

Cron job

```cron
# as written this runs every minute; since the script stamps files with yesterday's date,
# one run per day at midnight (0 0 * * *) is the intended schedule
* * * * * sh /nginx.sh >> /root/nginxcron.log 2>&1
```
Rotation script

```bash
#!/bin/bash
# rotate nginx logs: move yesterday's log files aside, then ask nginx to reopen them
logs_path=/usr/local/nginx/logs
nginx_pid=${logs_path}/nginx.pid
PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

# create the archive directory if it does not exist yet
if [ ! -d "${logs_path}/log_old" ]; then
    mkdir "${logs_path}/log_old"
#else
#    echo dir exist
fi

#t=$(date -d "-1 day" +%F)
t=$(date -d "-1 day" +%Y%m%d)
cd "${logs_path}" || exit 1
# glob instead of parsing ls output; skip the literal pattern when no log exists
for logs in *.log
do
    [ -e "$logs" ] || continue
    mv "$logs" "log_old/$logs-$t"
done
# send USR1 to the nginx master process so it reopens the log files;
# /bin/kill -HUP "$(cat $nginx_pid)" also works
kill -USR1 "$(cat "${nginx_pid}")"
```
Sending logs to a remote host via syslog

By changing the configuration file, logs can be sent over the network to a local or remote syslog server.

Configuration example

```nginx
access_log syslog:server=192.168.1.137:88 main;   # access log
access_log syslog:server=unix:/var/log/nginx.sock,nohostname;
access_log syslog:server=[2001:db8::1]:12345,facility=local7,tag=nginx,severity=info combined;
error_log syslog:server=192.168.1.137:88;         # error log (error_log takes a level, not a log_format name)
error_log syslog:server=192.168.1.1 debug;
```

rsyslog listens on port 514. If no port is given in syslog:server=, nginx sends the data to UDP port 514.
Example of the content received on the remote side

```text
<190>Aug 28 16:32:32 desktop-2bg6llp nginx: {"@time": "2020-08-28T16:32:32+08:00","http_code":"404","method":"GET","req_time":"0.000",
user_ip:"-","lan_ip":"192.168.0.137","user_req":"GET /ff HTTP/1.1","body_bytes_sents":"555","send_b":"705","ua":"Mozilla/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36"}
```
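As an added example (not code from the original page), the following Python receiver parses the BSD-syslog line shape shown above: it decodes the `<PRI>` prefix into facility and severity (190 = 23*8 + 6, i.e. local7.info, which are nginx's defaults and match `facility=local7,severity=info` in the configuration above), splits off the host and tag, and loads the log_json payload. The datagram is constructed for the example, modelled on the received line but with every JSON key quoted so that it parses; the 5514 listener port is an assumption for an unprivileged test listener.

```python
import json
import re
import socket
from typing import Dict, Tuple

# RFC 3164 facility codes and severity levels; PRI = facility * 8 + severity.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog", 6: "lpr",
    7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp", 16: "local0",
    17: "local1", 18: "local2", 19: "local3", 20: "local4", 21: "local5",
    22: "local6", 23: "local7",
}
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# <PRI>Mmm dd HH:MM:SS hostname tag: message (the BSD-syslog shape nginx emits;
# with the nohostname option the hostname field is absent, which this pattern does not cover)
SYSLOG_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+): "
    r"(?P<msg>.*)$",
    re.S,
)

# Constructed datagram modelled on the received example above (not real traffic).
SAMPLE_DATAGRAM = (
    b'<190>Aug 28 16:32:32 desktop-2bg6llp nginx: {"@time": "2020-08-28T16:32:32+08:00",'
    b'"http_code":"404","method":"GET","req_time":"0.000","user_ip":"-","lan_ip":"192.168.0.137",'
    b'"user_req":"GET /ff HTTP/1.1","body_bytes_sents":"555","send_b":"705","ua":"curl/7.68.0"}'
)


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split the PRI value into (facility name, severity name)."""
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity]


def parse_nginx_syslog(datagram: bytes) -> Dict[str, object]:
    """Parse one datagram into syslog metadata plus the decoded log_json entry."""
    text = datagram.decode("utf-8", errors="replace")
    m = SYSLOG_LINE.match(text)
    if m is None:
        raise ValueError("not a BSD-syslog line: %r" % text[:40])
    facility, severity = decode_pri(int(m["pri"]))
    return {
        "facility": facility,
        "severity": severity,
        "timestamp": m["timestamp"],
        "host": m["host"],
        "tag": m["tag"],
        "entry": json.loads(m["msg"]),  # the log_json payload
    }


def serve(bind: str = "127.0.0.1", port: int = 5514, max_messages: int = 1) -> list:
    """Receive datagrams on an unprivileged port (514 needs root) and parse them."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while len(results) < max_messages:
            data, _ = sock.recvfrom(65535)
            results.append(parse_nginx_syslog(data))
    return results


if __name__ == "__main__":
    parsed = parse_nginx_syslog(SAMPLE_DATAGRAM)
    print(parsed["facility"], parsed["severity"], parsed["host"], parsed["tag"])
    print(parsed["entry"]["http_code"], parsed["entry"]["user_req"])
```

To try it against a running nginx, point `access_log syslog:server=127.0.0.1:5514 log_json;` at the host where `serve()` is running; the received line will carry `<190>` unless `facility=` or `severity=` is set in the directive.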
Log analysis tool

```shell
yum install -y epel-release
yum install -y python-pip
pip install ngxtop
```
Log signatures (observed in my own testing, not a reference)

Windows Remote Desktop client connecting

```text
{"A": "2020-09-01T12:17:32+08:00","B":"400","C":"-","D":"0.308","E":"-","F":"5.188.206.18","G":"\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr","H":"150","I":"295"}
```

SSH client connecting

```text
{"A": "2020-09-01T18:10:31+08:00","B":"400","C":"-","D":"0.001","E":"-","F":"192.186.12.175","G":"SSH-2.0-OpenSSH_7.4","H":"150","I":"295"}
```
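Both entries above are HTTP 400 responses to clients that never spoke HTTP: an RDP client and an SSH client connected to the web port. The RDP line also shows a side effect of nginx's default log escaping: control and non-ASCII bytes are written as `\xHH`, which is not a legal JSON escape, so a strict JSON parser rejects the line (the `escape=json` log_format parameter, nginx 1.11.8 and later, writes `\u00HH` instead). As an added example (not code from the original page), the Python below reads lines in the page's log_json layout, repairs the default escaping when a line fails strict parsing, and counts 400s whose request line carries one of the two signatures from this section. The sample lines are constructed for the example and use documentation address ranges, not the page's real IPs.

```python
import json
import re
from typing import Dict, Optional

# nginx's default access-log escaping writes '"', '\' and any byte < 0x20 or >= 0x7f
# as \xHH, which json.loads rejects. With "escape=json" the line is already valid JSON.
_HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")

# Request-line signatures of the two non-HTTP clients shown on the page.
PROBE_SIGNATURES = (
    ("ssh-banner", re.compile(r"^SSH-\d\.\d-")),     # SSH version banner
    ("rdp-x224-connect", re.compile(r"mstshash=")),  # RDP X.224 connection request cookie
)

# Constructed sample lines in the page's log_json layout (not real traffic;
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LINES = [
    # an ordinary request: valid JSON as written
    '{"@time": "2020-09-01T12:00:00+08:00","http_code":"200","method":"GET","req_time":"0.002",'
    '"user_ip":"-","lan_ip":"192.0.2.10","user_req":"GET /index.html HTTP/1.1",'
    '"body_bytes_sents":"612","send_b":"850","ua":"curl/7.68.0"}',
    # RDP client on the HTTP port, default escaping (\xHH) as on the page
    '{"@time": "2020-09-01T12:17:32+08:00","http_code":"400","method":"-","req_time":"0.308",'
    '"user_ip":"-","lan_ip":"198.51.100.18",'
    '"user_req":"\\x03\\x00\\x00/*\\xE0\\x00\\x00\\x00\\x00\\x00Cookie: mstshash=Administr",'
    '"body_bytes_sents":"150","send_b":"295","ua":"-"}',
    # SSH client banner on the HTTP port
    '{"@time": "2020-09-01T18:10:31+08:00","http_code":"400","method":"-","req_time":"0.001",'
    '"user_ip":"-","lan_ip":"198.51.100.175","user_req":"SSH-2.0-OpenSSH_7.4",'
    '"body_bytes_sents":"150","send_b":"295","ua":"-"}',
]


def is_strict_json(line: str) -> bool:
    """True if the line parses as-is (i.e. it was written with escape=json or needs no escapes)."""
    try:
        json.loads(line)
        return True
    except json.JSONDecodeError:
        return False


def load_access_line(line: str) -> Dict[str, str]:
    """Parse one JSON access-log line, repairing nginx's default \\xHH escapes if needed."""
    if is_strict_json(line):
        return json.loads(line)
    # Under default escaping every backslash in the line belongs to a \xHH sequence
    # ('\' itself is logged as \x5C), so rewriting them to \u00HH yields valid JSON.
    return json.loads(_HEX_ESCAPE.sub(r"\\u00\1", line))


def classify_request(entry: Dict[str, str]) -> Optional[str]:
    """Label 400 responses whose request line is not HTTP at all; None for other statuses."""
    if entry.get("http_code") != "400":
        return None
    req = entry.get("user_req", "")
    for label, pattern in PROBE_SIGNATURES:
        if pattern.search(req):
            return label
    return "other-400"


def summarize(lines) -> Dict[str, int]:
    """Count probe labels over a batch of lines, keyed by label."""
    counts: Dict[str, int] = {}
    for line in lines:
        label = classify_request(load_access_line(line))
        if label is not None:
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        entry = load_access_line(line)
        print(entry["lan_ip"], entry["http_code"], classify_request(entry), repr(entry["user_req"][:32]))
    print(summarize(SAMPLE_LINES))
```

The classifier keys on `lan_ip` ($remote_addr) rather than `user_ip` ($http_x_real_ip) because the latter is a request header and only trustworthy when a proxy in front of nginx sets it. Feeding the script a whole day's access log (one JSON object per line) gives a quick count of which non-HTTP protocols are being tried against the web port.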