
input {
  file {
    # Tail the gateway's nginx access log; every new line becomes one event.
    # Existing content is not replayed: the file input's start_position
    # defaults to "end", so only lines appended after startup are read.
    path => "/usr/local/nginx/logs/gateway_access.log"
    # Free-form label stored on each event as the "type" field.
    type => "log"
  }
}

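filter {
  # Parse the fixed prefix of the nginx access line. remove_field only runs on
  # a successful match, so a line grok cannot parse keeps its raw "message" and
  # is tagged "_grokparsefailure"; the query-string parsing below is skipped
  # for such events instead of producing placeholder values.
  grok {
    match => {
      "message" => "^%{IPORHOST:clientip} (?:-|%{USER:ident}) (?:-|%{USER:auth}) \[%{HTTPDATE:[@metadata][timestamp]}\] %{NOTSPACE:method} %{NOTSPACE:url}"
    }
    remove_field => ["message"]
  }

  # Set @timestamp from the request time in the log line rather than the time
  # Logstash read it, so delayed or replayed ingestion keeps the true event
  # order. "[@metadata]timestamp" (the previous spelling) is not a valid nested
  # field reference, so the captured time was never usable and was dropped.
  # The field is absent when grok failed; the date filter then does nothing.
  date {
    match => ["[@metadata][timestamp]", "dd/MMM/yyyy:HH:mm:ss Z"]
  }

  # Only split the URL for lines grok understood and that actually carry a
  # query string. Without this guard "%{url[1]}" stays unresolved on a request
  # with no "?", and the literal placeholder text is indexed as the value.
  # Only the part after the first "?" is kept; any later "?" is discarded.
  if "_grokparsefailure" not in [tags] and "?" in [url] {
    mutate {
      split => { "url" => "?" }
      add_field => { "url_params" => "%{url[1]}" }
      remove_field => ["url"]
    }

    # Parameters are read by POSITION, not by name: the gateway is assumed to
    # emit them in the order cdid, elapsedTime, os, time, uid, wt. A request
    # with fewer parameters, or a different order, leaves the literal
    # "%{url_params[N]}" string (or the wrong value) in the field.
    mutate {
      split => { "url_params" => "&" }
      add_field => {
        "cdid_info"        => "%{url_params[0]}"
        "elapsedTime_info" => "%{url_params[1]}"
        "os_info"          => "%{url_params[2]}"
        "time_info"        => "%{url_params[3]}"
        "uid_info"         => "%{url_params[4]}"
        "wt_info"          => "%{url_params[5]}"
      }
      remove_field => ["url_params"]
    }

    # Each "key=value" pair is split on "=" and only the element after the
    # first "=" is kept, so a value that itself contains "=" is truncated.
    mutate {
      split => { "cdid_info" => "=" }
      add_field => { "cdid" => "%{cdid_info[1]}" }
      remove_field => ["cdid_info"]
    }

    mutate {
      split => { "elapsedTime_info" => "=" }
      add_field => { "elapsedTime" => "%{elapsedTime_info[1]}" }
      remove_field => ["elapsedTime_info"]
    }

    mutate {
      split => { "os_info" => "=" }
      add_field => { "os" => "%{os_info[1]}" }
      remove_field => ["os_info"]
    }

    mutate {
      split => { "time_info" => "=" }
      add_field => { "time" => "%{time_info[1]}" }
      remove_field => ["time_info"]
    }

    mutate {
      split => { "uid_info" => "=" }
      add_field => { "uid" => "%{uid_info[1]}" }
      remove_field => ["uid_info"]
    }

    mutate {
      split => { "wt_info" => "=" }
      add_field => { "wt" => "%{wt_info[1]}" }
      remove_field => ["wt_info"]
    }
  }
}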

output {
  elasticsearch {
    # Single host, written as a one-element array; the plugin accepts either
    # a string or an array here.
    hosts => ["elasticsearch:9200"]
    # Fixed index name with no date suffix, so every event lands in one index.
    index => "gateway_access_nginx01"
    # NOTE(review): this connection is plain HTTP with no credentials, and the
    # events carry client IPs and a uid. Unless the cluster is fully isolated,
    # set ssl => true with a cacert and authenticate (user/password or api_key)
    # using values pulled from the Logstash keystore via "${VAR}" substitution
    # rather than writing them into this file.
  }
  # Debug aid: print each event to the console (disabled).
  #stdout { codec => rubydebug }
}

cd 到 conf 文件目录下，先检查配置是否正确，再启动：

# Validate the pipeline first: -t parses the config and exits without running it.
../bin/logstash -f ./nginx.conf -t
# Start the pipeline in the foreground.
../bin/logstash -f ./nginx.conf
