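[Ops Tips] Making Good Use of Request Logs

We recommend adding the following fields to the Nginx request log:

  • Cookie: NP authenticates users with cookies, so logging the cookie makes it easy to see which user a request came from. The variable is $http_cookie.
  • All request parameters: by default only the GET parameters are logged, which is incomplete, so log the entire request body. The variable is $request_body.
  • Request ID: a unique request ID can be passed to the backend so that backend logs carry it too, and all logs for one request can be looked up by this ID. The variable is $request_id.
  • Response time: response times reveal which endpoints are bottlenecks. The variable is $request_time.

The recommended Nginx log format is therefore as follows (the format is named main here):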

log_format  main  '$remote_addr - $remote_user [$time_iso8601] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" "$request_body" "$http_cookie" "$request_id" $request_time';

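If Nginx was installed manually, the main configuration file is /etc/nginx/nginx.conf; open it and add the format inside the http section.

If Nginx was installed through the BaoTa panel, open the Nginx main configuration file and likewise paste the code above into the http section.

Finally, to use this log format, append main to the end of the access_log directive in the configuration, which selects this format.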

access_log /var/log/nginx/xxx.com/access.log main;

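Finally, restart Nginx for the change to take effect; the request log will then contain the 4 fields above. For example, to view the log entries for requests to takeconfirm.php: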

grep -a "takeconfirm.php" /var/log/nginx/xxx.com/access-202404* |more
/var/log/nginx/xxx.com/access-20240428.log:172.70.38.164 - - [2024-04-28T20:53:15+08:00] "POST /takeconfirm.php?id=1 HTTP/1.1" 200 247 "-" "qBittorrent" "2a09:bac1:7
6c0:99d8::272:4e" "conusr[]=1&conusr[]=1&[email protected]" "-" "6f4ee6fdc64a7c8231fe0ddfaba29710" 0.007
/var/log/nginx/xxx.com/access-20240428.log:172.70.38.155 - - [2024-04-28T20:59:15+08:00] "POST /takeconfirm.php?id=1 HTTP/1.1" 200 247 "-" "qBittorrent" "2a09:bac1:7
6c0:99d8::272:4e" "conusr[]=1&conusr[]=1&[email protected]" "-" "76d48f58355173be2bf50bec7f6698bb" 0.008
/var/log/nginx/xxx.com/access-20240428.log:172.70.38.249 - - [2024-04-28T23:26:18+08:00] "POST /takeconfirm.php HTTP/1.1" 200 247 "-" "Mozilla/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" "2a09:bac5:80cc:188c::272:53" "id=2&conusr[]=a&conusr[]=a&[email protected]" "-" "75
29ecb312b61545bd10a69176bb259e" 0.010
/var/log/nginx/xxx.com/access-20240428.log:172.70.39.133 - - [2024-04-28T23:26:19+08:00] "POST /takeconfirm.php HTTP/1.1" 200 247 "-" "Mozilla/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" "2a09:bac5:80cc:188c::272:53" "id=2&conusr[]=1&conusr[]=1&[email protected]" "-" "f4
8a51fae7a27670cef62bae7feb1441" 0.005
/var/log/nginx/xxx.com/access-20240428.log:172.70.39.130 - - [2024-04-28T23:26:21+08:00] "POST /takeconfirm.php HTTP/1.1" 200 247 "-" "Mozilla/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" "2a09:bac5:80cc:188c::272:53" "id=2&conusr[]=a&conusr[]=a&[email protected]"
"-" "b8a090fbcada1d707ba26ee078298961" 0.004
/var/log/nginx/xxx.com/access-20240428.log:172.70.39.119 - - [2024-04-28T23:26:22+08:00] "POST /takeconfirm.php HTTP/1.1" 200 247 "-" "Mozilla/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" "2a09:bac5:80cc:188c::272:53" "id=2&conusr[]=1&conusr[]=1&[email protected]"
"-" "b70800078c789b5510791c0c7356521b" 0.007
/var/log/nginx/xxx.com/access-20240428.log:172.70.39.59 - - [2024-04-28T23:26:24+08:00] "POST /takeconfirm.php HTTP/1.1" 200 247 "-" "Mozilla/5.0 (Windows NT 10.0; W
in64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" "2a09:bac5:80cc:188c::272:53" "id=2&conusr[]=a&conusr[]=a&[email protected]" "
-" "68967b8fda14723a027b7a3f41256181" 0.008
/var/log/nginx/xxx.com/access-20240428.log:172.70.38.164 - - [2024-04-28T23:26:25+08:00] "POST /takeconfirm.php HTTP/1.1" 200 247 "-" "Mozilla/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" "2a09:bac5:80cc:188c::272:53" "id=2&conusr[]=1&conusr[]=1&[email protected]"
"-" "b68884861c10b49094dfc86c087a01ab" 0.005
/var/log/nginx/xxx.com/access-20240428.log:172.70.39.130 - - [2024-04-28T23:26:27+08:00] "POST /takeconfirm.php HTTP/1.1" 200 247 "-" "Mozilla/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" "2a09:bac5:80cc:188c::272:53" "id=2&conusr[]=a&conusr[]=a&email=donate.ttg@protonmail.
com" "-" "b714af1ee95df1fb4b064f47658b0174" 0.005
/var/log/nginx/xxx.com/access-20240428.log:172.70.38.32 - - [2024-04-28T23:26:28+08:00] "POST /takeconfirm.php HTTP/1.1" 200 247 "-" "Mozilla/5.0 (Windows NT 10.0; W
in64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" "2a09:bac5:80cc:188c::272:53" "id=2&conusr[]=1&conusr[]=1&[email protected]
om" "-" "040625d8d29f10986253699928449a75" 0.005
/var/log/nginx/xxx.com/access-20240428.log:172.70.38.62 - - [2024-04-28T23:26:29+08:00] "POST /takeconfirm.php HTTP/1.1" 200 247 "-" "Mozilla/5.0 (Windows NT 10.0; W
in64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" "2a09:bac5:80cc:188c::272:53" "id=2&conusr[]=a&conusr[]=a&[email protected]" "-"
"960be7297ec223882904206c298f7786" 0.007
/var/log/nginx/xxx.com/access-20240428.log:172.70.38.69 - - [2024-04-28T23:26:31+08:00] "POST /takeconfirm.php HTTP/1.1" 200 247 "-" "Mozilla/5.0 (Windows NT 10.0; W
in64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" "2a09:bac5:80cc:188c::272:53" "id=2&conusr[]=1&conusr[]=1&[email protected]" "-"
"9538d5ba2c231d11c1f61f8cbaad5027" 0.006

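The 4th field from the end clearly shows the POSTed parameters, and the 3rd field from the end is the Cookie. Here it is -, which means the request came from a guest and no Cookie was sent. If a Cookie had been sent, it would contain c_secure_uid, which is the user's ID after base64 encoding and URL encoding; decoding it gives the original value. If the c_secure_uid found in the log is MTUyMQ%3D%3D, the 2 decoding steps yield a UID of 1521.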

echo base64_decode(urldecode("MTUyMQ%3D%3D")); //1521
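
Added example (not part of the original post): a Python parser for the main format above that extracts the request body, request ID and response time, and decodes c_secure_uid in the two steps just described. The sample log lines, the function names and the `other` cookie are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

# Mirrors the `main` log_format. Nginx's default log escaping writes a literal
# '"' inside a variable as \x22, so a quoted field never contains a bare quote.
LINE_RE = re.compile(
    r'(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<xff>[^"]*)" "(?P<body>[^"]*)" "(?P<cookie>[^"]*)" '
    r'"(?P<request_id>[^"]*)" (?P<request_time>[\d.]+)$'
)

def decode_uid(cookie_header):
    """UID from c_secure_uid (urldecode, then base64); None if absent or invalid."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "c_secure_uid":
            try:
                return int(base64.b64decode(unquote(value), validate=True).decode("ascii"))
            except ValueError:  # bad base64, non-ASCII bytes or non-numeric text
                return None
    return None  # "-" (guest) or cookie not present

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["uid"] = decode_uid(rec["cookie"])
    rec["request_time"] = float(rec["request_time"])
    return rec

def slow_requests(lines, threshold):
    """(uid, request_id, seconds) for requests at or above threshold, slowest first."""
    recs = [r for r in map(parse_line, lines) if r and r["request_time"] >= threshold]
    recs.sort(key=lambda r: r["request_time"], reverse=True)
    return [(r["uid"], r["request_id"], r["request_time"]) for r in recs]

# Constructed sample lines (addresses, IDs and cookie values are made up).
SAMPLE = [
    '203.0.113.7 - - [2024-04-28T20:53:15+08:00] "POST /takeconfirm.php?id=1 HTTP/1.1" 200 247 '
    '"-" "Mozilla/5.0" "-" "conusr[]=1" "-" "00000000000000000000000000000001" 0.007',
    '203.0.113.9 - - [2024-04-28T20:54:02+08:00] "GET /torrents.php HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0" "-" "-" "c_secure_uid=MTUyMQ%3D%3D; other=x" '
    '"00000000000000000000000000000002" 1.250',
]
```

The UID recovered this way is whatever the client sent in its Cookie header, so it identifies the claimed user rather than a verified one. Because this format writes full cookies and POST bodies to disk, read access to the log files should be as restricted as access to the session data itself.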

The request ID mentioned earlier is passed along to the backend PHP when the request is forwarded. Add the line fastcgi_param REQUEST_ID $request_id to the site configuration:

location ~ \.php {
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param REQUEST_ID $request_id;
    include fastcgi_params;
}

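With this in place, you can look up all the logs that a given request produced after it reached the backend. For example, the 1st entry above has the ID 6f4ee6fdc64a7c8231fe0ddfaba29710, and its logs can be found with grep: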

grep -a 6f4ee6fdc64a7c8231fe0ddfaba29710 /tmp/nexus-xxx.log
