
Nginx配置日志格式

初始化配置

    # Initial plain-text format named "main": one line per request.
    # No escape= parameter is given, so nginx's default escaping applies to the
    # client-controlled fields ($request, $http_referer, $http_user_agent,
    # $http_x_forwarded_for).
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

配置为JSON格式并添加字段

    # The same access log written as one JSON object per request, with extra fields.
    # escape=json makes nginx escape characters that are not valid inside a JSON
    # string, so client-supplied values (request URI, Referer, User-Agent,
    # X-Forwarded-For) cannot break out of their field and forge extra keys.
    # Every value is emitted as a quoted string, including the numeric ones.
    # "@timestamp" is filled from $time_local, which is not ISO 8601.
    # NOTE(review): $upstream_addr and $upstream_response_time can hold several
    # comma-separated values when more than one upstream was contacted - confirm
    # the log consumer handles that.
    log_format  main escape=json  '{ "@timestamp": "$time_local", '
                            '"remote_addr": "$remote_addr",'
                            '"remote_port": "$remote_port",'
                            '"scheme": "$scheme",'
                            '"request_uri": "$request_uri",'
                            '"request_method": "$request_method",'
                            '"request_time": "$request_time",'
                            '"request_length": "$request_length",'
                            '"response_status": "$status",'
                            '"body_bytes_sent": "$body_bytes_sent",'
                            '"http_referer": "$http_referer",'
                            '"http_user_agent": "$http_user_agent",'
                            '"http_x_forwarded_for": "$http_x_forwarded_for",'
                            '"upstream_addr": "$upstream_addr",'
                            '"upstream_response_time": "$upstream_response_time"}';

Nginx日志字段含义

字段 含义 示例
- 占位符 -
body_bytes_sent 响应body字节数 3650
bytes_sent 响应总字节数 175
host IP或域名(不包括端口) 10.10.10.14
http_host IP或域名(包括端口) 10.10.10.14:81
http_referer referer信息 http://10.10.10.14/
http_user_agent UA信息 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36
http_x_forwarded_for XFF信息(X-Forwarded-For请求头,由客户端或上游代理填写,可被伪造) 192.168.1.1
remote_addr 客户端地址 10.10.10.1
remote_user 客户端认证用户名 admin
request 完整的原始请求行(请求方法、URI和协议) GET /favicon.ico HTTP/1.1
request_body 请求的body
request_length 请求长度 571
request_method 请求方法 GET
request_time 请求处理时间 0.000
response_body 返回的body(非Nginx内置变量,需按下文通过Lua设置)
response_header_data 响应头数据
scheme 协议 http
server_name 虚拟主机名称
server_port 服务器端口
server_protocol 服务器协议
ssl_cipher 已建立的SSL连接所使用的加密套件
ssl_protocol SSL协议版本
status 返回状态码 404
time_local 时间戳 16/Jun/2019:23:29:50 -0400
upstream_addr 后端提供服务地址
upstream_connect_time 与服务器连接所花费的时间
upstream_response_time 后端处理时间
upstream_status upstream状态 200

打印body信息

打印request_body

    # web server configuration
    # The variable’s value is made available in locations processed by the proxy_pass, fastcgi_pass, uwsgi_pass, and scgi_pass directives when the request body was read to a memory buffer.
    # In other words: $request_body only has a value in a location that uses
    # proxy_pass, fastcgi_pass, uwsgi_pass or scgi_pass, and only when the body
    # was read into a memory buffer.
    # Request bodies can carry passwords, tokens and other form data; whatever is
    # logged here is stored in the access log in clear text.

    log_format main $request_body # abbreviated: only the added variable is shown, not a complete directive

    # PHP requests are handed to FastCGI on the loopback address, which is what
    # makes $request_body available for this location.
    location ~ \.php$ {
        root           /usr/share/nginx/html;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

打印response_body

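    # web server configuration
    # $response_body is not a built-in nginx variable: it is declared with `set`
    # below and filled by the Lua body filter (needs lua-nginx-module / OpenResty).
    # Response bodies can contain session tokens and personal data; whatever is
    # captured here is stored in the access log in clear text.
    log_format main $response_body # abbreviated: only the added variable is shown, not a complete directive
    server {
        listen       80;
        server_name  localhost;
        lua_need_request_body on;
        # Declare the variable so that Lua can assign it and log_format can read it.
        set $response_body "";
        # The body filter runs once per output chunk. The capture is capped at
        # 1000 bytes for the whole response: truncating each chunk separately
        # would still let the buffer (and the log line) grow with every chunk.
        body_filter_by_lua '
            local max_len = 1000
            local buffered = ngx.ctx.buffered or ""
            local room = max_len - #buffered
            if room > 0 then
                buffered = buffered .. string.sub(ngx.arg[1], 1, room)
                ngx.ctx.buffered = buffered
            end
            -- ngx.arg[2] is true on the last chunk: publish the capture for logging
            if ngx.arg[2] then
                ngx.var.response_body = buffered
            end
        ';
        location ~ \.php$ {
            root           /usr/local/nginx/html;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }
    }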

完整的Nginx日志配置

    # Complete JSON access-log format: the fields of the earlier JSON format plus
    # the request and response bodies.
    # escape=json keeps client-supplied values, including the bodies, from
    # breaking the JSON structure of the log line.
    # $response_body is not built in; it must be declared with `set` and filled
    # by the Lua body filter shown earlier on this page.
    # Both body fields may contain credentials, tokens or personal data, so this
    # log needs the same access controls and retention rules as the data itself.
    log_format  main escape=json  '{ "@timestamp": "$time_local", '
                        '"remote_addr": "$remote_addr",'
                        '"remote_port": "$remote_port",'
                        '"scheme": "$scheme",'
                        '"request_uri": "$request_uri",'
                        '"request_method": "$request_method",'
                        '"request_time": "$request_time",'
                        '"request_length": "$request_length",'
                        '"response_status": "$status",'
                        '"body_bytes_sent": "$body_bytes_sent",'
                        '"http_referer": "$http_referer",'
                        '"http_user_agent": "$http_user_agent",'
                        '"http_x_forwarded_for": "$http_x_forwarded_for",'
                        '"upstream_addr": "$upstream_addr",'
                        '"upstream_response_time": "$upstream_response_time",'
                        '"request_body": "$request_body", '
                        '"response_body": "$response_body" }';

注意事项

  • 在上传或下载文件时,request_body与response_body的内容会很大,需要考虑对性能和存储的影响;此外body中可能包含密码、令牌等敏感信息,写入日志前应考虑脱敏,并限制日志的访问权限。
  • 对于timestamp参数,可以不使用time_local而使用time_iso8601。
  • 如果运维对于网络的性能有要求,可以考虑使用$tcpinfo_rtt, $tcpinfo_rttvar, $tcpinfo_snd_cwnd, $tcpinfo_rcv_space。

Nginx日志直接输出到Logstash

    # Plain-text format named "logstash"; it has the same fields as the initial
    # "main" format and is not JSON.
    log_format  logstash  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    # Send each access-log entry as a syslog message to 127.0.0.1:514 instead of
    # a file. nohostname omits the hostname field and tag= sets the syslog tag.
    # The matching Logstash input on this page listens on UDP, so entries travel
    # unencrypted and unauthenticated; the loopback address keeps them on this host.
    # NOTE(review): the receiver presumably sees the syslog header in front of
    # the formatted line - confirm before writing parsing rules.
    access_log  syslog:server=127.0.0.1:514,nohostname,tag=nginx_access_log logstash;

Logstash配置

# Receive the syslog datagrams that nginx sends to 127.0.0.1:514.
# Binding to 127.0.0.1 means only local processes can deliver events.
# NOTE(review): 514 is below 1024, so on most Unix systems Logstash needs
# elevated privileges (or a port-binding capability) to listen on it - confirm
# for the target host, or use a higher port on both sides.
input {
    udp {
        host => "127.0.0.1"
        port => 514
    }
}
# Print every received event to standard output; nothing is stored or forwarded.
output {
    stdout {}
}

nginx_logstash_1