Nxlog 配置总结
生活随笔
收集整理的這篇文章主要介紹了
Nxlog 配置总结
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
Nxlog
nxlog基本架構
nxlog是事件驅動的多線程App。nxlog內核只負責配置文件解析/文件和Socket監控/內部事件管理,任何module可以dispatch事件到內核。內核會有選擇性分發到對應處理module。
nxlog Config文件基本結構
配置引入
用include引入其他地方的配置,對實際功能無影響。與Apache配置類似,不研究
宏定義
用這個定義一些宏,對實際功能無影響。與C的宏類似,不研究
全局指令
內置的一些指令
Module
一個ConfigBlock如下
<Input instancename>Module im_module... </Input>頂級ConfigBlock可以分為四種,Input, Processor, Output and Extension tags.ConfigBlock必須由上面四個類型+命名。命名規則 [a-zA-Z0-9_-]。有一些通用Block可以在多種類型的模塊中使用。以下列舉一些。
| FlowControl | Input, Processor | 順序控制,但有可能照成消息丟失 |
| Schedule | All | 通過When,Every,First,Exec四個子指令實現篩選,頻率,開始時間 |
| Processors | 作廢了 | |
| InputType | Input | LineBased,Dgram,Binary |
| OutputType | Output | LineBased,Dgram,Binary |
Nxlog 語言
類似perl語法,出錯可能丟消息。復雜的處理程序可以通過自己編寫一個module或者xm_perl模塊來實現。 語言是強類型的,不支持Dict,正則只支持=~ 和!~。明確定義以下 "boolean", "integer", "string", "datetime", "ip4addr", "ip6addr", "regexp", "binary".這幾種類型。自己有類型推導。同時函數支持多態。
Bool操作
- if 1 + 1 == (1 + 1) log_info("2");
- if $Message =~ /^Test (\S+)/ log_info("captured: " + $1);
- $EventTime = 2000-01-02 03:04:05;
一元操作
- if not $success log_error("failure");
- if - -1 != 1 log_error("this should never be printed");
- if defined(2) log_info("2");
- if defined undef log_info("never printed");
String =~, !~.
- 返回True如果匹配上,if $Message =~ /^Test message/ log_info("matched");
- Captured substrings are accessible through a numeric reference such as $1. The full subject string is placed into $0. 不知道支持不支持$#
- replace用g ,例子if $SourceName =~ s/\s/_/g log_info("removed all whitespace in SourceName");
- 換行匹配s,例子if $Message =~ /failure/s log_info("failure string present in the message");
- 大小寫忽略i
- if $Message !~ /^Test message/ log_info("didn't match");
二元操作
- ==
- undef == undef = TRUE
- string == string = boolean
- integer == integer = boolean
- boolean == boolean = boolean
- datetime == datetime = boolean
- ip4addr == ip4addr = boolean
- ip4addr == string = boolean
- string == ip4addr = boolean
- !=
- undef != undef = FALSE
- string != string = boolean
- integer != integer = boolean
- boolean != boolean = boolean
- datetime != datetime = boolean
- ip4addr != ip4addr = boolean
- ip4addr != string = boolean
- string != ip4addr = boolean
- <=
- integer <= integer = boolean
- datetime <= datetime = boolean
- +
- integer + integer = integer
- string + undef = string
- undef + string = string
- undef + undef = undef
- string + string = string Concatenate two strings.
- datetime + integer = datetime Add the number of seconds in the right value to the datetime stored in the left value.
- integer + datetime = datetime Add the number of seconds in the left value to the datetime stored in the right value.
- -
- integer - integer = integer
- datetime - datetime = integerSubtract two datetime types. The result is the difference between to two expressed in microseconds.
- datetime - integer = datetimeSubtract the number of seconds from the datetime stored in the left value.
- IN NOT IN
- if $EventID IN (1000, 1001, 1004, 4001) log_info("EventID found");
Function(Return值的函數)
- string lc(string arg); Convert a string to lower case.
- string uc(string arg); Convert a string to upper case.
- string substr(string src, integer from, integer to);
- string replace(string subject, string src, string dst, integer count); 替換count次,如果count無則全部替換
- datetime now();
- string type(unknown arg);Returns the type of a variable. Can be "boolean", "integer", "string", "datetime", "ip4addr", "ip6addr", "regexp", "binary". For values with the unknown type, it returns undef.
- integer year(datetime datetime); Return the year part from the datetime value.還有mouth day hour minute second
- string string(unknown arg); 強制類型轉換
- integer integer(unknown arg); 強制類型轉換,如果參數是時間類型的,轉成時間戳
- datetime parsedate(string arg); 強制類型轉換,如果轉化錯誤,return當前時間
- string hostname();
- ip4addr host_ip();
- dropped(); Return TRUE if the currently processed event has been already dropped.
Procedures(不Return的函數)
- delete(unknown arg);Delete the field from the event
- rename_field(string old, string new); 重命名field
Nxlog Module
主要分為四種模塊Extension, Input, Processor, Output
Extension
- CSV模塊
- XML模塊
- JSON模塊 Nxlog不支持像二維數組/MAP這種數據類型,所以accessing nested JSON fields is not possible. 另外xm_json 是可以自動識別datetime values的。不用顯式的調用parseDate()
- 多行解析xm_multiline
- Perl腳本模塊Perl (xm_perl)
- 外部腳本模塊xm_exec。實驗了一下如何用python腳本處理log。可以做到。但有一些性能上的考慮
Input
Nxlog中在Input中有4個內置值$raw_event, $EventReceivedTime, $SourceModuleName, $SourceModuleType
- DBI 從數據庫里面讀數據
- File 從文件中讀日志。可以通過設置SavePos TRUE ReadFromLast FALSE 重啟nxlog重復從頭讀取的問題,但是有可能會出現異常,因為SavePos和nxlog內置cache相關,改變cache有可能導致SavePos失敗
- MS EventLog for Windows 2008/Vista and later im_msvistalog
- TCPim_tcp
- UDPim_udp
- Unix Domain Socket (im_uds)
Processor
- Filter(pm_filter)
- Message deduplicator(pm_norepeat)
- Message Format converter (pm_transformer)
Output modules
我們只有一種方式,就是寫tcpout寫到logstash里面
- UDS(om_uds)
總結
以上是生活随笔為你收集整理的Nxlog 配置总结的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: x79主板bios设置中文_新买的电脑不
- 下一篇: 《微信小程序-进阶篇》组件封装-Icon