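Question
I have configured logwatch (CentOS 5.8, x64) to include nginx, using this as a guideline, together with the Apache and nginx log format documentation. The problem is that I use a specific log format, namely: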
log_format main '$remote_addr - $remote_user [$time_local] "$request" $scheme:$server_port '
'$status $body_bytes_sent "$http_referer" '
'Upstream ["$upstream_addr" ($upstream_response_time) $upstream_status : $upstream_cache_status] '
'"$http_user_agent" "$http_x_forwarded_for"';
(from /etc/nginx/nginx.conf)
I translated this log format to:
$LogFormat "%h %l %u %t \"%r\" %H:%p %>s %b \"%{Referer}i\" Upstream [\"%{Upstream-address}e\" (%{Upstream-response-time}e) %{Upstream-status}e : %{Upstream-cache-status}e] \"%{User-Agent}i\" \"%{X-Forwarded-For}e\""
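for use with Logwatch. While studying /usr/share/logwatch/scripts/services/http, I found that any %{...}e that is not predefined is ignored, so I figured this was the best way to include these upstream variables.
However, Logwatch gives no output where nginx is concerned.
What I did
I have created the following logwatch files.
/usr/share/logwatch/default.conf/logfiles/nginx.conf: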
########################################################
# Define log file group for nginx
# http://8bitpipe.com/?p=516
########################################################
# What actual file? Defaults to LogPath if not absolute path....
LogFile = nginx/*access.log
# If the archives are searched, here is one or more line
# (optionally containing wildcards) that tell where they are...
#If you use a "-" in naming add that as well -mgt
Archive = nginx/archive/*access.log*
# Expand the repeats (actually just removes them now)
*ExpandRepeats
# Keep only the lines in the proper date range...
*ApplyhttpDate
/usr/share/logwatch/default.conf/services/nginx.conf:
###########################################################################
# Configuration file for nginx filter
###########################################################################
Title = "nginx"
# Which logfile group...
LogFile = nginx
# Define the log file format
#
# This is now the same as the LogFormat parameter in the configuration file
# for httpd. Multiple instances of declared LogFormats in the httpd
# configuration file can be declared here by concatenating them with the
# '|' character. The default, shown below, includes the Combined Log Format,
# the Common Log Format, and the default SSL log format.
#$LogFormat = "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"|%h %l %u %t \"%r\" %>s %b|%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
$LogFormat "%h %l %u %t \"%r\" %H:%p %>s %b \"%{Referer}i\" Upstream [\"%{Upstream-address}e\" (%{Upstream-response-time}e) %{Upstream-status}e : %{Upstream-cache-status}e] \"%{User-Agent}i\" \"%{X-Forwarded-For}e\""
# The following is supported for backwards compatibility, but deprecated:
# Define the log file format
#
# the only currently supported fields are:
# client_ip
# request
# http_rc
# bytes_transfered
# agent
#
#$HTTP_FIELDS = "client_ip ident userid timestamp request http_rc bytes_transfered referrer agent"
#$HTTP_FORMAT = "space space space brace quote space space quote quote"
# Define the field formats
#
# the only currently supported formats are:
# space = space delimited field
# quote = quoted ("..") space delimited field
# brace = braced ([..]) space delimited field
# Flag to ignore 4xx and 5xx error messages as possible hack attempts
#
# Set flag to 1 to enable ignore
# or set to 0 to disable
$HTTP_IGNORE_ERROR_HACKS = 0
# Ignore requests
# Note - will not do ANY processing, counts, etc... just skip it and go to
# the next entry in the log file.
# Examples:
# 1. Ignore all URLs starting with /model/ and ending with 1 to 10 digits
# $HTTP_IGNORE_URLS = "^/model/\d{1,10}$"
#
# 2. Ignore all URLs starting with /model/ and ending with 1 to 10 digits and
# all URLS starting with /photographer and ending with 1 to 10 digits
# $HTTP_IGNORE_URLS = "^/model/\d{1,10}$|^/photographer/\d{1,10}$"
# or simply:
# $HTTP_IGNORE_URLS = "^/(model|photographer)/\d{1,10}$"
#
# vi: shiftwidth=3 tabstop=3 et
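I have symlinked /usr/share/logwatch/scripts/services/http to /usr/share/logwatch/scripts/services/nginx.
Executing logwatch gives no errors, but it gives no output either, although there definitely are log files to parse.
The result of executing logwatch --service nginx --print --range All --debug 7 is as follows, for example: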
** lot of blabla about config files **
export LOGWATCH_DATE_RANGE='all'
export LOGWATCH_OUTPUT_TYPE='unformatted'
export LOGWATCH_TEMP_DIR='/var/cache/logwatch/logwatch.vdVyg9y2/'
export LOGWATCH_DEBUG='7'
Preprocessing LogFile: nginx
'/var/log/nginx/www.xxxx1.org-access.log' '/var/log/nginx/www.xxxx2.com-access.log' '/var/log/nginx/www.xxxx3.com-access.log' '/var/log/nginx/www.xxxx4.com-access.log' '/var/log/nginx/www.xxxx5.com-access.log' '/var/log/nginx/www.xxxx6.com-access.log' '/var/log/nginx/www.xxxx7.com-access.log' '/var/log/nginx/www.xxxx8.com-access.log' '/var/log/nginx/www.xxxx9.com-access.log' '/var/log/nginx/www.xxxx10.com-access.log' '/var/log/nginx/www.xxxx11.com-access.log' '/var/log/nginx/www.xxxx12-access.log' '/var/log/nginx/www.xxxx13.nu-access.log' '/var/log/nginx/www.xxxx14.org-access.log' 2>/dev/null | /usr/bin/perl /usr/share/logwatch/scripts/shared/expandrepeats ''| /usr/bin/perl /usr/share/logwatch/scripts/shared/applyhttpdate ''>/var/cache/logwatch/logwatch.vdVyg9y2/nginx
TimeFilter: Period is all
TimeFilter: SearchDate is (../.../....:..:..:..)
TimeFilter: Debug SearchDate is ( / / )
DEBUG: Inside ApplyHTTPDate...
DEBUG: Looking For: (../.../....:..:..:..)
export http_ignore_error_hacks='0'
export logformat "%h %l %u %t \"%r\" %h:%p %>s %b \"%{referer}i\" upstream [\"%{upstream-address}e\" (%{upstream-response-time}e) %{upstream-status}e : %{upstream-cache-status}e] \"%{user-agent}i\" \"%{x-forwarded-for}e\""=''
Processing Service: nginx
( cat /var/cache/logwatch/logwatch.vdVyg9y2/nginx | /usr/bin/perl /usr/share/logwatch/scripts/services/nginx) 2>&1
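Why am I not getting any output?
Answer 1
I noticed that logwatch will not generate the http/nginx log summary if the detail level is low or 0.
Use --detail 1 for a summary of bad requests; --detail 5 or --detail med also includes a summary of the amount of data transferred and the number of logged bots. --detail 10 or --detail high shows the user agents of all logged bots.
Show the nginx/http summary with detail level 0
Because I want logwatch to always show the full http log without bloating all the other logs, so in /etc/ I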
sudo cp /usr/share/logwatch/scripts/services/http /etc/logwatch/scripts/services/
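and changed
my $detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
to
my $detail = 10;
at the beginning of the script /etc/logwatch/scripts/services/http.
Note that the individual script will not receive any automatic updates if the logwatch package provides a new version of /usr/share/logwatch/scripts/services/http.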
Answer 2
I believe your output is empty because of *ApplyhttpDate, which uses %d/%b/%Y:%H:%M:%S: if this pattern is not found at the beginning of the log line, logwatch will not pipe it to /usr/share/logwatch/scripts/services/nginx.
$SearchDate = TimeFilter('%d/%b/%Y:%H:%M:%S');
if ( $Debug > 5 ) {
   print STDERR "DEBUG: Inside ApplyHTTPDate...\n";
   print STDERR "DEBUG: Looking For: " . $SearchDate . "\n";
}
while (defined($ThisLine = <STDIN>)) {
   if ($ThisLine =~ m/\[$SearchDate/o) {
      print $ThisLine;
   }
}
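To check whether the date filter quoted in this answer is what empties the output, the same match can be run by hand over a few log lines. This is an added example, not part of the original answer or of logwatch: the function names and sample lines are constructed (the lines follow the question's log_format), and the single-day pattern is an assumption about what TimeFilter returns for a one-day range.

```shell
#!/bin/sh
# Added example: repeats the m/\[$SearchDate/ test from the applyhttpdate
# excerpt with grep, so the filter stage can be checked outside logwatch.

# Pattern shown after "DEBUG: Looking For:" in the question (--range All).
SEARCH_DATE_ALL='../.../....:..:..:..'

# Pattern for one specific day. Assumption: for a single-day range the date
# part is literal and only the time of day stays wildcarded.
search_date_for_day() {   # usage: search_date_for_day 07 Nov 2012
    printf '%s/%s/%s:..:..:..' "$1" "$2" "$3"
}

# Count the lines on stdin that the filter would pass on to the service
# script. Like the Perl match, the pattern is not anchored to the line start.
count_passing() {         # usage: count_passing PATTERN < logfile
    grep -c -E "\[$1" || true
}

# Constructed sample lines: two use $time_local as in the question's
# log_format, the middle one uses an ISO 8601 timestamp instead.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [07/Nov/2012:10:15:32 +0100] "GET / HTTP/1.1" http:80 200 512 "-" Upstream ["127.0.0.1:8080" (0.012) 200 : MISS] "Mozilla/5.0" "-"
192.0.2.11 - - [2012-11-07T10:15:33+01:00] "GET /a HTTP/1.1" http:80 404 0 "-" Upstream ["-" (-) - : -] "curl/7.19" "-"
192.0.2.12 - - [06/Nov/2012:23:59:59 +0100] "GET /b HTTP/1.1" https:443 200 1024 "-" Upstream ["127.0.0.1:8080" (0.004) 200 : HIT] "Mozilla/5.0" "-"
EOF
}

echo "range all:   $(sample_log | count_passing "$SEARCH_DATE_ALL") of 3 lines pass"
echo "07 Nov 2012: $(sample_log | count_passing "$(search_date_for_day 07 Nov 2012)") of 3 lines pass"
```

Running count_passing against a real access log and comparing the result with the file's line count shows whether lines are being dropped at this stage or later, in the service script.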