1770 abc posted on 2018-6-13 18:34:58
input {
  beats {
    port => 5044
  }
}

filter {
  # Split the pipe-delimited nginx "elk" log line (format below) into named fields
  ruby {
    init => "@kname = ['http_clientip','http_x_forwarded_for','time_local','request','status','body_bytes_sent','request_body','content_length','http_referer','http_user_agent','http_cookie','remote_addr','hostname','upstream_addr','upstream_response_time','request_time']"
    code => "new_event = LogStash::Event.new(Hash[@kname.zip(event.get('message').split(' | '))])
             new_event.remove('@timestamp')
             event.append(new_event)"
  }
  # The '@timestamp' argument above appeared as a mangled email-protection token on the
  # forum page; it is dropped from the temporary event so the parent's @timestamp survives.

  if [request] {
    # request -> method / uri / verb
    ruby {
      init => "@kname = ['method','uri','verb']"
      code => "new_event = LogStash::Event.new(Hash[@kname.zip(event.get('request').split(' '))])
               new_event.remove('@timestamp')
               event.append(new_event)"
    }
    if [uri] {
      # uri -> url_path / url_args
      ruby {
        init => "@kname = ['url_path','url_args']"
        code => "new_event = LogStash::Event.new(Hash[@kname.zip(event.get('uri').split('?'))])
                 new_event.remove('@timestamp')
                 event.append(new_event)"
      }
      # Expand the query string into url_<key> fields; field_split is a character set,
      # so pairs are separated by either '&' or a space
      kv {
        prefix => "url_"
        source => "url_args"
        field_split => "& "
        remove_field => [ "url_args", "uri", "request" ]
      }
    }
  }

  mutate {
    convert => [ "body_bytes_sent", "integer", "content_length", "integer", "upstream_response_time", "float", "request_time", "float" ]
  }

  # Pull the client IP and the time_local field (third field) out of the raw line
  grok {
    match => [
      "message", "%{IP:clientip} \| %{USER} \| %{HTTPDATE:timestamp}"
    ]
  }
  date {
    match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
    locale => "en"
  }
  # geoip {
  #   source => "clientip"
  # }
  mutate {
    remove_field => [ "timestamp", "http_clientip" ]
  }
  useragent {
    source => "http_user_agent"
    target => "useragent"
  }
}

output {
  elasticsearch {
    hosts => "127.0.0.1:9200"
    manage_template => true
    template => "/elk/filebeat.template.json"
    index => "logstash-%{+YYYY.MM.dd}"
  }
}

Log format (nginx):
log_format elk "$http_clientip | $http_x_forwarded_for | $time_local | $request | $status | $body_bytes_sent | "
               "$request_body | $content_length | $http_referer | $http_user_agent | "
               "$http_cookie | $remote_addr | $hostname | $upstream_addr | $upstream_response_time | $request_time";
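As an added example that is not part of the post, the following stand-alone Ruby script re-implements the splitting that the ruby, kv and mutate filters above perform, so a line of the "elk" log_format can be checked offline before it is shipped; unlike the zip in the filter, it refuses lines whose field count is not 16 (a user agent or request body containing " | " shifts every later field). The sample line, field names and the `parse_elk_line` function are constructed for this example.

```ruby
# Added example, not from the post: a stand-alone Ruby re-implementation of
# the field splitting the Logstash ruby/kv/mutate filters above perform.
MESSAGE_KEYS = %w[http_clientip http_x_forwarded_for time_local request status
                  body_bytes_sent request_body content_length http_referer
                  http_user_agent http_cookie remote_addr hostname upstream_addr
                  upstream_response_time request_time].freeze

# Mirrors Hash[@kname.zip(event.get('message').split(' | '))]. Unlike zip,
# which silently truncates or pads, this returns nil when the line does not
# have exactly 16 fields, e.g. when the user agent or request body itself
# contains " | " and shifts every later field.
def parse_elk_line(line)
  parts = line.chomp.split(' | ')
  return nil unless parts.length == MESSAGE_KEYS.length
  event = Hash[MESSAGE_KEYS.zip(parts)]

  # request -> method / uri / verb (second ruby filter)
  method, uri, verb = event['request'].split(' ')
  event.merge!('method' => method, 'uri' => uri, 'verb' => verb)

  # uri -> url_path / url_args (third ruby filter); limit 2 keeps a second '?'
  # inside the query string in url_args instead of dropping it
  url_path, url_args = (uri || '').split('?', 2)
  event['url_path'] = url_path

  # kv { prefix => "url_" field_split => "& " }: pairs split on '&' or space
  (url_args || '').split(/[& ]/).each do |pair|
    k, v = pair.split('=', 2)
    event["url_#{k}"] = v unless k.nil? || k.empty?
  end

  # mutate { convert => ... }: the same integer/float conversions
  %w[body_bytes_sent content_length].each { |f| event[f] = event[f].to_i }
  %w[upstream_response_time request_time].each { |f| event[f] = event[f].to_f }
  event
end

# Constructed sample line in the post's log_format (not real traffic)
SAMPLE_LINE = '203.0.113.10 | - | 13/Jun/2018:18:34:58 +0800 | ' \
              'GET /search?q=elk&page=2 HTTP/1.1 | 200 | 512 | - | 0 | - | ' \
              'Mozilla/5.0 | - | 10.0.0.5 | web01 | 10.0.0.20:8080 | 0.012 | 0.015'

puts parse_elk_line(SAMPLE_LINE).inspect if $PROGRAM_NAME == __FILE__
```

A nil result is the signal to alert on: such lines would reach Elasticsearch with every field after the offending one mis-assigned.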

