I want send nginx log files(on one server) to redis(on 2nd server) in order to process it later using logstash(on 3rd server), but I am kinda lost
I am using redis as buffer not to lose any data in case logstash server gone down for maintenance or any other reason
So this is how I solved it,
I made nginx to log to syslog server and from syslog-ng to redis
here is my configuration
in nginx http directive
log_format xxx_log_format '$remote_addr - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" "$gzip_ratio"';
in nginx server directive
access_log syslog:server=127.0.0.1:601 xxx_log_format;
in syslog-ng config
source s_syslog {
udp(
port(601)
);
};
destination d_redis {
redis(
host("REDIS-IP")
port(6379)
command("LPUSH", "access_logs", "${MESSAGE}")
);
};
log {
source(s_syslog);
destination(d_redis);
};
Take a look to the docs, there is an example for managing spikes with message queueing:
Logstash input and output plugins should help.
I use a small logstash instance to receive events and write them to redis, and then a second one to read from redis, do all the magic processing, and write to elasticsearch.
I only send events that might normally be lost to the first instance - syslog, snmptrap, etc (where the sender is just blindly sending events). I send filebeat traffic directly to the second logstash instance, as filebeat will stop sending if it's down. (As long as logstash isn't down during a client-side log file rotation, you'll be OK).
if you want to log real time to redis you can use redis module for nginx - https://www.nginx.com/resources/wiki/modules/redis2/
if you want to just delay the redis call to background to preserve fast response time - use undocumeted directive of nginx called post_action - google it.
This is in case that you are not trusting logstash and want to solve it using redis.
I can suggest alternatives that you can have a look on:
