【发布时间】:2025-12-19 18:45:11
【问题描述】:
我用fluentd代替logstash,我用in-tail插件拖尾nginx access日志,访问日志格式如下:
log_format main '$remote_addr - $remote_user [$time_local] $request '
'"$status" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" $request_time';
fluentd conf 就像
format /^(?<host>\S+)\s-\s(?<user>\S+)\s\[(?<time>[^\]]*)\]\s(?<method>\S+)\s(?<url>\S+)\s(?<http_version>\S+)\s"(?<status>[^\"]+)"\s(?<bytes>\d+)\s"(?<rfc>[^\"]+)"\s"(?<agent>[^\"]+)"\s"(?<x_forward>[^\"]+)"\s(?<time_spent>\S+).*$/
请求正确时可以正常工作,但请求错误时会报错,如下所示:
172.31.33.157 - - [08/May/2017:16:30:20 +0800] - "400" 0 "-" "-" "-" 0.000
错误的请求错过了method 和rfc 字段,所以fluentd 运行错误。如何修改format,让我不关心请求是错误的还是正确的?
任何答案将不胜感激
遇到另一种情况,agent或rfc字段为none,运行错误。就像
172.31.44.196 - - [08/May/2017:18:47:31 +0800] GET /click?mb_pl=ios&version=1.1 HTTP/1.1 "302" 5 "-" "" "100.38.38.149, 54.224.136.60" 0.004
或
172.31.44.196 - - [08/May/2017:18:47:31 +0800] GET /click?mb_pl=ios&version=1.1 HTTP/1.1 "302" 5 "" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Mobile/14E304" "100.38.38.149, 54.224.136.60" 0.004
如何解决这种情况?
【问题讨论】:
-
正确的请求是什么样的?
-
172.31.44.196 - - [08/May/2017:18:47:31 +0800] GET /click?mb_pl=ios&version=1.1 HTTP/1.1 "302" 5 "-" "Mozilla/ 5.0 (iPhone; CPU iPhone OS 10_3_1 像 Mac OS X) AppleWebKit/603.1.30 (KHTML, 像 Gecko) Mobile/14E304" "100.38.38.149, 54.224.136.60" 0.004