首先将 Nginx Access 日志(/usr/local/nginx/logs/access.log)配置为 JSON 格式输出:
# JSON access-log format, one JSON object per request.
# escape=json applies JSON escaping to variable values. $request,
# $http_referer, $http_user_agent and $remote_user come from the client, so
# without it a quote or control character in a request could break the
# line for any parser reading this log.
# $status, $body_bytes_sent and $request_time are written unquoted (as JSON
# numbers); $upstream_response_time is written as a string.
# NOTE(review): presumably quoted because it is not always a single number; confirm.
http {
    ...

    log_format json escape=json
        '{'
        '"time_local":"$time_local",'
        '"remote_addr":"$remote_addr",'
        '"remote_user":"$remote_user",'
        '"request":"$request",'
        '"status":$status,'
        '"body_bytes_sent":$body_bytes_sent,'
        '"http_referer":"$http_referer",'
        '"http_user_agent":"$http_user_agent",'
        '"request_time":$request_time,'
        '"upstream_response_time":"$upstream_response_time"'
        '}';

    access_log /usr/local/nginx/logs/access.log json;

    ...
}
vim /usr/local/bin/monitor_nginx_access.sh
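#!/bin/bash
# Follows the Nginx JSON access log and sends a Telegram message for every
# new line that contains one of the monitored keywords.
# Requires: tail, grep, jq, curl.
#
# NOTE(review): the bot token below is a hard-coded credential. Anyone who can
# read this file (or the page it was copied from) can act as the bot. Rotate a
# token that has been published, supply it through the TELEGRAM_BOT_TOKEN
# environment variable instead, and keep this file readable by its owner only.
# The token is also part of the request URL, so it is visible in the process
# list while curl runs.

LOG_FILE="/usr/local/nginx/logs/access.log"
# Environment values take precedence; the literals are kept only as fallbacks.
TELEGRAM_BOT_TOKEN="${TELEGRAM_BOT_TOKEN:-3163456422:AAFOL9n4v4v7RWTCaW2D7SPi0qLlpOFSfSM}"
TELEGRAM_CHAT_ID="${TELEGRAM_CHAT_ID:-2413570395}"
MONITOR_LOG="/var/log/monitor_nginx_access.log"

# Client-controlled fields are cut to this many characters so an oversized
# request or User-Agent cannot push the alert past Telegram's message size
# limit and get it rejected.
readonly MAX_FIELD_LEN=512

# Keywords to watch for. They are matched as fixed strings, not regexes,
# so the dots in names and in the IP address match only a literal dot.
declare -a KEYWORDS=("wangqq.iOS" "herui.iOS" "wangqq.yaml" "wangqq.pc" "wangqq.android" "wangqq_work.pc" "chentao.yaml" "220.180.133.62")

# IFS= and -r keep the line byte-for-byte. Without -r, read strips the
# backslashes that escape=json puts in front of quotes, which turns a log
# line carrying a quote in the request or User-Agent into invalid JSON.
tail -n0 -F "$LOG_FILE" | while IFS= read -r line; do
  for keyword in "${KEYWORDS[@]}"; do
    if ! grep -qF -- "$keyword" <<<"$line"; then
      continue
    fi

    printf '%s - %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$line" | tee -a "$MONITOR_LOG"

    # Extract the individual fields from the JSON log line.
    time_local=$(jq -r '.time_local' <<<"$line")
    ip=$(jq -r '.remote_addr' <<<"$line")
    user_agent=$(jq -r '.http_user_agent' <<<"$line")
    request=$(jq -r '.request' <<<"$line")
    status=$(jq -r '.status' <<<"$line")

    user_agent=${user_agent:0:MAX_FIELD_LEN}
    request=${request:0:MAX_FIELD_LEN}

    # Look up the IP's location. The value is placed in a URL path, so only
    # something that looks like an IPv4/IPv6 address is sent, and the lookup
    # is time-limited so a slow API cannot stall log processing.
    # Note that every alerted client IP is disclosed to ipinfo.io.
    country="" city="" org=""
    if [[ "$ip" =~ ^[0-9A-Fa-f:.]+$ ]]; then
      location=$(curl -s --max-time 10 "https://ipinfo.io/${ip}/json")
      country=$(jq -r '.country' <<<"$location")
      city=$(jq -r '.city' <<<"$location")
      org=$(jq -r '.org' <<<"$location")
    fi

    # Build the message with real newlines; curl does the URL encoding.
    printf -v message '时间: %s\nIP: %s\n国家: %s\n城市: %s\n运营商: %s\n客户端: %s\n请求内容: %s\n请求状态: %s' \
      "$time_local" "$ip" "$country" "$city" "$org" "$user_agent" "$request" "$status"

    # Send the message to Telegram. --data-urlencode keeps '&', '%', '+' and
    # '=' inside the request line or User-Agent from being read as extra
    # form parameters or from corrupting the text.
    curl -s --max-time 10 -X POST \
      "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
      --data-urlencode "chat_id=${TELEGRAM_CHAT_ID}" \
      --data-urlencode "text=${message}"

    # One alert per log line, even when several keywords match it.
    break
  done
done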
最后将此脚本注册为 systemd 服务常驻运行 /etc/systemd/system/monitor_nginx_access.service
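# Runs the access-log monitor as a long-lived service and restarts it if it
# exits. No User= is set, so the script runs as root; the sandboxing options
# below limit what it can touch while it parses client-controlled log data.
[Unit]
Description=Monitor Nginx access log and send notifications
# The script calls external HTTP APIs, so start after the network is up.
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/monitor_nginx_access.sh
Restart=always
# Pause between restarts so a script that fails at startup does not spin.
RestartSec=5
# "syslog" is an obsolete value for these settings; "journal" is the
# replacement and still honours SyslogIdentifier.
StandardOutput=journal
StandardError=journal
SyslogIdentifier=monitor_nginx_access
# Hardening: the script only reads the Nginx log under /usr/local and
# appends to its own log under /var/log, both of which remain possible.
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=full

[Install]
WantedBy=multi-user.target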