logstash得grok可以對收集得數(shù)據(jù)進行過濾沪蓬,geoip可以對過濾后得數(shù)據(jù)字段再進行細分颠通,然后根據(jù)內(nèi)建得geoip庫來得知訪問得ip來自于哪個城市了七扰。官方文檔詳解地址https://www.elastic.co/guide/en/logstash/current/logstash-config-for-filebeat-modules.html#parsing-nginx
首先我們需要去下載地址庫,可以自行選擇城市還是國家腻异。https://dev.maxmind.com/geoip/geoip2/geolite2/
這個數(shù)據(jù)庫因該放在logstash主機上攻人,能夠被過濾器插件訪問和使用取试。
首先將數(shù)據(jù)庫下載至logstash目錄并解壓
wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
tar -xvf GeoLite2-City.tar.gz
將GeoLite2-City.mmdb移動到目錄下,然后將目錄刪了即可
然后我們修改logstash的配置文件
vim /etc/logstash/conf.d/ceshi.conf
input {
redis {
key => "filebeat"
data_type => "list"
password => "lvqing"
}
}
filter {
grok {
match => { "message" => ["%{IPORHOST:[nginx][access][remote_ip]} - %{DATA:[nginx][access][user_name]} \[%{HTTPDATE:[nginx][access][time]}\] \"%{WORD:[nginx][access][method]} %{DATA:[nginx][access][url]} HTTP/%{NUMBER:[nginx][access][http_version]}\" %{NUMBER:[nginx][access][response_code]} %{NUMBER:[nginx][access][body_sent][bytes]} \"%{DATA:[nginx][access][referrer]}\" \"%{DATA:[nginx][access][agent]}\""] }
remove_field => "message"
}
mutate {
add_field => { "read_timestamp" => "%{@timestamp}" }
}
date {
match => [ "[nginx][access][time]", "dd/MMM/YYYY:H:m:s Z" ]
remove_field => "[nginx][access][time]"
}
useragent {
source => "[nginx][access][agent]"
target => "geoip"
remove_field => "[nginx][access][agent]"
}
geoip {
source => "[nginx][access][remote_ip]"
target => "[nginx][access][geoip]"
database => "/etc/logstash/GeoLite2-City.mmdb"
}
}
output {
elasticsearch {
hosts => ["192.168.31.200:9200", "192.168.31.201:9200", "192.168.31.203:9200"]
index => "logstatsh-ngxaccesslog-%{+YYYY.MM.dd}"
}
}
注意:
1怀吻、輸出的日志文件名必須以“l(fā)ogstash-”開頭想括,方可將geoip.location的type自動設定為"geo_point";
2烙博、target => "geoip"
可以看到日志已經(jīng)被成功分切了
image.png
既然geoip可以基于remoteip來分析訪問的客戶端來自于哪個城市,接下來我們測試一下這個場景
用echo命令將自己編寫的日志信息追加到日志文件中
echo '136.11.65.68 - - [17/Jan/2019:11:19:46 +0800] "GET / HTTP/1.1" 404 3650 "-" "curl/7.29.0" "121.1.17.2"' >> /var/log/nginx/access.log
image.png
然后可以用geoip插件展示地圖熱力圖
https://elasticsearch.cn/article/494
image.png
