- 1.安装GeoIP数据库
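# Fetch the GeoLite City database into the Logstash config directory and unpack it.
# The steps are chained with && so a failed cd or download stops the sequence,
# and curl -f makes an HTTP error fail instead of saving an error page as the .gz.
# NOTE(review): the download uses plain HTTP and nothing verifies the file, so it
# can be altered in transit; prefer an HTTPS source and check the archive against
# a checksum published by the vendor before unpacking.
# NOTE(review): MaxMind has retired the legacy GeoLite (.dat) downloads, so this
# URL may no longer serve the file - confirm before relying on it.
cd /usr/local/logstash/etc &&
curl -f -O "http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz" &&
gunzip GeoLiteCity.dat.gz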
- 2.配置logstash使用GeoIP
- 只需要在原来的logstash.conf中添加filter即可
- vim /usr/local/logstash/etc/logstash.conf
input {
  # Tail the nginx access log; the json codec decodes each line as a JSON document.
  file {
    type           => "nginx-access"
    path           => "/data/nginx/logs/access_java.log"
    codec          => "json"
    # Read from the first line of the file when no sincedb entry exists for it yet.
    start_position => "beginning"
    # File in which Logstash records how far it has read.
    sincedb_path   => "/usr/local/logstash/sincedb"
  }
}
filter {
  # Only enrich events tagged by the nginx-access input.
  if [type] == "nginx-access" {
    geoip {
      # Look up the address held in [clientip] and store the result under [geoip].
      source   => "clientip"
      target   => "geoip"
      # NOTE(review): GeoLiteCity.dat is the legacy database format; newer geoip
      # filter releases expect GeoLite2 (.mmdb) - confirm against your Logstash version.
      database => "/usr/local/logstash/etc/GeoLiteCity.dat"
      # Two add_field entries on the same key build a [longitude, latitude] array.
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    mutate {
      # The values appended above are strings; convert them to floats.
      convert => [ "[geoip][coordinates]", "float" ]
    }
  }
}
output {
  # Ship only nginx-access events to Elasticsearch, one index per month.
  if [type] == "nginx-access" {
    elasticsearch {
      # NOTE(review): no TLS or credentials are configured here, so events
      # (client addresses and locations) are sent unencrypted and unauthenticated.
      # Confirm the node is reachable only from trusted hosts, or enable the
      # output's TLS and authentication settings.
      hosts           => ["10.10.20.16:9200"]
      index           => "nginx-access-%{+YYYY-MM}"
      manage_template => true
    }
  }
}
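- 注意:如果使用 haproxy 作为代理,nginx 对应的 filter 需要修改为如下配置。X-Forwarded-For 由客户端提交、可以被伪造,经过多级代理时还可能包含多个以逗号分隔的地址,因此由它得到的地理位置只适合做统计展示,不应作为安全判断的依据: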
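filter {
  grok {
    match => {
      # NOTE(review): this pattern was cut off in the source after the first
      # capture and its closing quote was missing; the quote is restored so the
      # file parses. Put back the rest of the pattern for your nginx log_format.
      "message" => "%{IPORHOST:clientip}"
    }
  }
  geoip {
    # Behind haproxy the lookup uses [http_x_forwarded_for] instead of [clientip].
    # Assumes the event already carries that field - confirm against the log format.
    # NOTE(review): X-Forwarded-For is client-supplied and may hold several
    # comma-separated addresses; a lookup on such a value can fail or reflect a
    # spoofed address. Treat the resulting location as informational only, and
    # have the proxy overwrite or sanitize the header.
    source   => "http_x_forwarded_for"
    target   => "geoip"
    database => "/usr/local/logstash/etc/GeoLiteCity.dat"
    # Two add_field entries on the same key build a [longitude, latitude] array.
    add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
  }
  mutate {
    # The values appended above are strings; convert them to floats.
    convert => [ "[geoip][coordinates]", "float" ]
  }
}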
- 3.重启logstash即可。