如何提取Nginx日志中关键字,并通过Telegram Bot告警

首先将 Nginx 的 access 日志 (/usr/local/nginx/logs/access.log) 改为 JSON 格式输出

http {
...
    # One JSON object per request. escape=json makes nginx JSON-escape the
    # variable values (quotes, backslashes, control characters), so a crafted
    # request line or User-Agent cannot break the record or forge extra
    # fields -- the monitoring script below relies on every line parsing.
    # Numeric fields ($status, $body_bytes_sent, $request_time) are emitted
    # unquoted; $upstream_response_time is kept as a string, presumably
    # because it is not always a single number (confirm against nginx docs).
    log_format json escape=json '{'
        '"time_local":"$time_local",'
        '"remote_addr":"$remote_addr",'
        '"remote_user":"$remote_user",'
        '"request":"$request",'
        '"status":$status,'
        '"body_bytes_sent":$body_bytes_sent,'
        '"http_referer":"$http_referer",'
        '"http_user_agent":"$http_user_agent",'
        '"request_time":$request_time,'
        '"upstream_response_time":"$upstream_response_time"'
    '}';
    # Switch the access log to the JSON format defined above.
     access_log /usr/local/nginx/logs/access.log json;
...
}

vim /usr/local/bin/monitor_nginx_access.sh

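#!/bin/bash
# Follow the Nginx JSON access log, record every line that contains one of
# KEYWORDS in MONITOR_LOG, and push one Telegram alert per matching line
# (the first matching keyword wins; a line is never reported twice).
#
# Input: one JSON object per line, as produced by the `log_format json
# escape=json` block (fields time_local, remote_addr, http_user_agent,
# request, status). Runs until killed; meant to be supervised by systemd.
# Requires: tail, jq, curl.
set -u

LOG_FILE="/usr/local/nginx/logs/access.log"
MONITOR_LOG="/var/log/monitor_nginx_access.log"

# Credentials are taken from the environment when set (e.g. a root-owned,
# mode-0600 EnvironmentFile= in the systemd unit) so the secret does not
# live in a script readable by every local user. The fallback below is the
# token that was embedded in the original script; since it has been
# published it should be rotated at @BotFather and removed from here.
TELEGRAM_BOT_TOKEN="${TELEGRAM_BOT_TOKEN:-3163456422:AAFOL9n4v4v7RWTCaW2D7SPi0qLlpOFSfSM}"
TELEGRAM_CHAT_ID="${TELEGRAM_CHAT_ID:-2413570395}"

# Seconds allowed per outbound HTTP request; without a bound one stalled
# lookup blocks the whole log stream.
readonly CURL_TIMEOUT=10

# Keywords to alert on. Each is matched as a literal substring of the raw
# log line (not a regex), so "220.180.133.62" matches only that address.
declare -a KEYWORDS=("wangqq.iOS" "herui.iOS" "wangqq.yaml" "wangqq.pc" "wangqq.android" "wangqq_work.pc" "chentao.yaml" "220.180.133.62")

#######################################
# Append a timestamped record to MONITOR_LOG and echo it to stdout
# (stdout ends up in the journal/syslog under systemd).
# Arguments: $* - text to record
#######################################
log_line() {
  printf '%s - %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" | tee -a "$MONITOR_LOG"
}

#######################################
# Print the first configured keyword contained in the line.
# Arguments: $1 - raw log line
# Returns: 0 and prints the keyword, 1 if nothing matched
#######################################
match_keyword() {
  local line=$1 kw
  for kw in "${KEYWORDS[@]}"; do
    # Quoted pattern => literal substring test (the former grep -E treated
    # the dots in "220.180.133.62" as wildcards).
    if [[ "$line" == *"$kw"* ]]; then
      printf '%s\n' "$kw"
      return 0
    fi
  done
  return 1
}

#######################################
# Geo/ASN lookup via ipinfo.io (note: this sends the client IP to a
# third-party service). Prints "country<TAB>city<TAB>org"; missing fields
# become "-" so the tab-separated read stays aligned; a failed or slow
# request yields "-\t-\t-".
# Arguments: $1 - IP literal (already validated by the caller)
#######################################
lookup_ip() {
  local ip=$1 info
  info=$(curl -sf --max-time "$CURL_TIMEOUT" "https://ipinfo.io/${ip}/json") || info='{}'
  printf '%s\n' "$info" \
    | jq -r '[.country, .city, .org] | map(if . == null or . == "" then "-" else tostring end) | @tsv'
}

#######################################
# Send one alert message to the configured chat.
# chat_id and text are form-urlencoded by curl, so '&', '+', '#' and
# newlines inside the request line or User-Agent can neither truncate the
# message nor smuggle extra form fields (the old "chat_id=...&text=$message"
# body broke on any request containing '&'). The URL carrying the bot token
# is passed as a curl config on stdin, keeping it out of the process argv.
# Arguments: $1 - message text (real newlines allowed)
# Returns: curl's exit status (non-zero on network or HTTP error)
#######################################
send_telegram() {
  local text=$1 rc=0
  curl -sf --max-time "$CURL_TIMEOUT" -K - \
    --data-urlencode "chat_id=${TELEGRAM_CHAT_ID}" \
    --data-urlencode "text=${text}" \
    -o /dev/null <<EOF || rc=$?
url = "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage"
EOF
  return "$rc"
}

#######################################
# Main loop: follow the log by name (-F survives logrotate) and handle each
# new line. The loop body runs in a pipeline subshell; nothing in it needs
# to persist after the loop.
#######################################
main() {
  local line keyword time_local ip user_agent request status
  local country city org message
  # -r is essential: escape=json writes \" and \\ into the line, and a plain
  # `read` would strip the backslashes and hand jq invalid JSON.
  tail -n0 -F "$LOG_FILE" | while IFS= read -r line; do
    keyword=$(match_keyword "$line") || continue
    log_line "$line"

    # One jq invocation for all fields; empty/null values become "-" and
    # @tsv escapes tabs/newlines inside values, so the tab-separated read
    # stays aligned. If jq fails (partially written or non-JSON line) read
    # gets no input and the line is skipped.
    if ! IFS=$'\t' read -r time_local ip user_agent request status < <(
         printf '%s\n' "$line" \
           | jq -r '[.time_local, .remote_addr, .http_user_agent, .request, .status] | map(if . == null or . == "" then "-" else tostring end) | @tsv'
       ); then
      log_line "skipping line that is not valid JSON"
      continue
    fi

    # Only query ipinfo for something shaped like an IPv4/IPv6 literal, so
    # the value interpolated into the URL cannot carry path characters.
    country='-' city='-' org='-'
    if [[ "$ip" =~ ^[0-9A-Fa-f.:]+$ ]]; then
      IFS=$'\t' read -r country city org < <(lookup_ip "$ip") \
        || { country='-'; city='-'; org='-'; }
    fi

    # Real newlines here; curl urlencodes them (the old %0A trick only
    # worked because the body was never encoded).
    message=$(printf '关键词: %s\n时间: %s\nIP: %s\n国家: %s\n城市: %s\n运营商: %s\n客户端: %s\n请求内容: %s\n请求状态: %s' \
      "$keyword" "$time_local" "$ip" "$country" "$city" "$org" "$user_agent" "$request" "$status")
    send_telegram "$message" || log_line "telegram sendMessage failed (curl exit $?)"
  done
}

main "$@"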

最后通过 systemd 将此脚本作为常驻服务运行：/etc/systemd/system/monitor_nginx_access.service

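[Unit]
Description=Monitor Nginx access log and send notifications
# The script talks to ipinfo.io and api.telegram.org; waiting for the
# network avoids burning restart attempts at boot.
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
# Intended home for TELEGRAM_BOT_TOKEN / TELEGRAM_CHAT_ID once the script
# takes them from its environment instead of hardcoding them: a root-owned,
# mode-0600 file. The path is an example; the leading "-" lets the unit
# start even when the file is absent.
EnvironmentFile=-/etc/monitor_nginx_access.env
ExecStart=/usr/local/bin/monitor_nginx_access.sh
Restart=always
# Pause between restarts so a persistent failure (missing jq, unreadable
# log) does not trip systemd's start-rate limit within seconds.
RestartSec=5s
# Basic sandboxing: the script only needs to read the nginx log and append
# to /var/log/monitor_nginx_access.log, so /usr, /boot and /etc can be
# read-only and it never needs new privileges.
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=full
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=monitor_nginx_access

[Install]
WantedBy=multi-user.target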

 
