Nxlog
nxlog基本架构
nxlog是事件驱动的多线程App。nxlog内核只负责配置文件解析/文件和Socket监控/内部事件管理,任何module可以dispatch事件到内核。内核会有选择性分发到对应处理module。
nxlog Config文件基本结构
配置引入
用include引入其他地方的配置,对实际功能无影响。与Apache配置类似,不研究
宏定义
用这个定义一些宏,对实际功能无影响。与C的宏类似,不研究
全局指令
内置的一些指令
Module
一个ConfigBlock如下
<Input instancename>
Module im_module
...
</Input>
顶级ConfigBlock可以分为四种,Input, Processor, Output and Extension tags.ConfigBlock必须由上面四个类型+命名。命名规则 [a-zA-Z0-9_-]。有一些通用Block可以在多种类型的模块中使用。以下列举一些。
| 指令 | 模块范围 | 作用 |
|---|---|---|
FlowControl |
Input, Processor |
顺序控制,但有可能照成消息丢失 |
Schedule |
All |
通过When,Every,First,Exec四个子指令实现筛选,频率,开始时间 |
Processors |
作废了 |
|
InputType |
Input |
LineBased,Dgram,Binary |
OutputType |
Output |
LineBased,Dgram,Binary |
Nxlog 语言
类似perl语法,出错可能丢消息。复杂的处理程序可以通过自己编写一个module或者xm_perl模块来实现。 语言是强类型的,不支持Dict,正则只支持=~ 和!~。明确定义以下 "boolean", "integer", "string", "datetime", "ip4addr", "ip6addr", "regexp", "binary".这几种类型。自己有类型推导。同时函数支持多态。
Bool操作
if 1 + 1 == (1 + 1) log_info("2");if $Message =~ /^Test (\S+)/ log_info("captured: " + $1);$EventTime = 2000-01-02 03:04:05;
一元操作
if not $success log_error("failure");if - -1 != 1 log_error("this should never be printed");if defined(2) log_info("2");if defined undef log_info("never printed");
String =~, !~.
- 返回True如果匹配上,
if $Message =~ /^Test message/ log_info("matched"); - Captured substrings are accessible through a numeric reference such as
$1. The full subject string is placed into$0. 不知道支持不支持$# - replace用
g,例子if $SourceName =~ s/\s/_/g log_info("removed all whitespace in SourceName"); - 换行匹配
s,例子if $Message =~ /failure/s log_info("failure string present in the message"); - 大小写忽略
i if $Message !~ /^Test message/ log_info("didn't match");
二元操作
-
==- undef == undef = TRUE
- string == string = boolean
- integer == integer = boolean
- boolean == boolean = boolean
- datetime == datetime = boolean
- ip4addr == ip4addr = boolean
- ip4addr == string = boolean
- string == ip4addr = boolean
-
!=- undef != undef = FALSE
- string != string = boolean
- integer != integer = boolean
- boolean != boolean = boolean
- datetime != datetime = boolean
- ip4addr != ip4addr = boolean
- ip4addr != string = boolean
- string != ip4addr = boolean
-
<=- integer <= integer = boolean
- datetime <= datetime = boolean
-
+- integer + integer = integer
- string + undef = string
- undef + string = string
- undef + undef = undef
-
string + string = stringConcatenate two strings. -
datetime + integer = datetimeAdd the number of seconds in the right value to the datetime stored in the left value. -
integer + datetime = datetimeAdd the number of seconds in the left value to the datetime stored in the right value.
-
-integer - integer = integer-
datetime - datetime = integerSubtract two datetime types. The result is the difference between to two expressed in microseconds. -
datetime - integer = datetimeSubtract the number of seconds from the datetime stored in the left value.
-
IN NOT INif $EventID IN (1000, 1001, 1004, 4001) log_info("EventID found");
Function(Return值的函数)
-
string lc(string arg);Convert a string to lower case. -
string uc(string arg);Convert a string to upper case. string substr(string src, integer from, integer to);-
string replace(string subject, string src, string dst, integer count);替换count次,如果count无则全部替换 datetime now();-
string type(unknown arg);Returns the type of a variable. Can be "boolean", "integer", "string", "datetime", "ip4addr", "ip6addr", "regexp", "binary". For values with the unknown type, it returns undef. -
integer year(datetime datetime);Return the year part from the datetime value.还有mouth day hour minute second -
string string(unknown arg);强制类型转换 -
integer integer(unknown arg);强制类型转换,如果参数是时间类型的,转成时间戳-
datetime parsedate(string arg);强制类型转换,如果转化错误,return当前时间 string hostname();ip4addr host_ip();
-
-
dropped();Return TRUE if the currently processed event has been already dropped.
Procedures(不Return的函数)
-
delete(unknown arg);Delete the field from the event -
rename_field(string old, string new);重命名field
Nxlog Module
主要分为四种模块Extension, Input, Processor, Output
Extension
- CSV模块
- XML模块
- JSON模块 Nxlog不支持像二维数组/MAP这种数据类型,所以
accessing nested JSON fields is not possible. 另外xm_json是可以自动识别datetime values的。不用显式的调用parseDate() - 多行解析
xm_multiline - Perl脚本模块
Perl (xm_perl) - 外部脚本模块
xm_exec。实验了一下如何用python脚本处理log。可以做到。但有一些性能上的考虑
Input
Nxlog中在Input中有4个内置值$raw_event, $EventReceivedTime, $SourceModuleName, $SourceModuleType
- DBI 从数据库里面读数据
- File 从文件中读日志。可以通过设置
SavePos TRUE ReadFromLast FALSE重启nxlog重复从头读取的问题,但是有可能会出现异常,因为SavePos和nxlog内置cache相关,改变cache有可能导致SavePos失败 - MS EventLog for Windows 2008/Vista and later
im_msvistalog - TCP
im_tcp - UDP
im_udp - Unix Domain Socket (im_uds)
Processor
- Filter(pm_filter)
- Message deduplicator(pm_norepeat)
- Message Format converter (pm_transformer)
Output modules
我们只有一种方式,就是写tcpout写到logstash里面
- UDS(om_uds)
