logstash配置文件
# nginx_log.conf
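input {
  file {
    type => "nginx_log"
    path => "/opt/nginx/logs/access.log"
  }
}

filter {
  if [type] == "nginx_log" {
    # Discard noise before spending a grok pass on it. The original test,
    # "^*launcher*|^*favicon*", does not express "contains launcher/favicon":
    # "^*" puts a quantifier on an anchor (rejected or ignored depending on
    # the regex engine) and the trailing "*" only makes the last letter
    # optional. A plain, unanchored alternation matches the substring
    # anywhere in the line, which is what was meant.
    if [message] =~ /launcher|favicon/ {
      drop {}
    }

    # NGINXACCESS is a custom pattern (defined in the patterns file below);
    # it has to live somewhere grok loads patterns from (e.g. a patterns_dir)
    # -- confirm on this install, otherwise every event is tagged
    # _grokparsefailure and never gets a remote_addr for geoip.
    grok {
      match => { "message" => "%{NGINXACCESS}" }
    }

    geoip {
      source => "remote_addr"
      target => "geoip"
      database => "/opt/logstash-2.0.0/conf/GeoLiteCity.dat"
      # Two add_field calls on the same key build an array [lon, lat], the
      # order Elasticsearch expects for a geo_point supplied as an array.
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
    }

    mutate {
      # Plain multi-line array: the trailing backslash in the original is not
      # a Logstash line continuation and is likely to fail config parsing.
      # "body_bytes_sent.raw" presumably refers to the Elasticsearch
      # multi-field from the index template; no such field exists on the
      # event at this point, so that entry is a no-op (kept for parity)
      # -- NOTE(review): confirm and remove.
      convert => [
        "[geoip][coordinates]", "float",
        "body_bytes_sent", "float",
        "body_bytes_sent.raw", "float"
      ]
    }
  }
}

output {
  # Echoes every event to the Logstash process output; handy while testing
  # the pipeline, pure overhead once it runs in production.
  stdout { codec => rubydebug }
  elasticsearch {
    # NOTE(review): plain HTTP with no credentials -- acceptable only while
    # 192.168.0.100:9200 is reachable solely from trusted hosts; confirm.
    hosts => "192.168.0.100:9200"
    index => "ngx_log-%{+YYYY.MM}"
  }
}
NGINXACCESS 定义,可写在patterns/nginx 文件里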
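# Grok patterns for the nginx access log consumed by nginx_log.conf.
# Characters allowed in a remote user name; the hyphen is included so the
# "-" nginx writes for an anonymous request still matches.
NGUSERNAME [a-zA-Z\.\@\-\+_%]+
NGUSER %{NGUSERNAME}
# Log line layout:
#   $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
# The remote_user column uses NGUSER instead of a hard-coded "-": the
# original pattern only matched anonymous requests, so any line with an
# authenticated user failed to parse. NGUSERNAME still matches "-", so
# everything that parsed before still parses (plus a remote_user field).
# http_referer and http_user_agent are client-supplied strings; treat them
# as untrusted data in queries and dashboards.
NGINXACCESS %{IPORHOST:remote_addr} - %{NGUSER:remote_user} \[%{HTTPDATE:time_local}\] "%{WORD:method} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{INT:status} %{INT:body_bytes_sent} %{QS:http_referer} %{QS:http_user_agent}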
kibana 图形展示
原文:http://cqfish.blog.51cto.com/622299/1789823