Tags: logstash clientip apachelog grok
Today I readjusted the configuration file; previously the apache_errorlog entries did not match clientip.
1. First, modify shipper.conf
input {
  file {
    type => "apache-accesslog"
    path => "/var/log/httpd/access_log"
  }
  file {
    type => "apache-errorlog"
    path => "/var/log/httpd/error_log"
  }
}
filter {
  if [type] == "apache-accesslog" {
    grok {
      type => "apache-accesslog"
      pattern => "%{COMBINEDAPACHELOG}"
      patterns_dir => "/opt/logstash/patterns"
    }
  }
  else if [type] == "apache-errorlog" {
    grok {
      type => "apache-errorlog"
      match => { "message" => "%{APACHEERRORLOG}" }
      patterns_dir => [ "/opt/logstash/lib/logstash/grok" ]
      #pattern => "%{LOGLEVEL}"
      #patterns_dir => "/usr/local/src/logstash-1.4.2/patterns"
    }
  }
}
output {
  redis {
    host => '192.168.1.101'
    data_type => 'list'
    key => 'logstash'
  }
}
The patterns used to match apache-errorlog are written to a file; they can also be written inline in the filter. Here I put them in a file, with the following contents:
HTTPERRORDATE %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}
APACHEERRORLOG \[%{HTTPERRORDATE:timestamp}\] \[%{WORD:severity}\] \[client %{IPORHOST:clientip}\] %{GREEDYDATA:message_remainder}
2. Next is indexer.conf
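input {
  redis {
    host => "localhost"
    data_type => "list"
    port => "6379"
    key => "logstash"
    # type is a literal string, not a regex; events arriving from the
    # shipper already carry their own type, which this does not override
    type => "apache-(access|error)log"
    codec => "json"
  }
}
output {
  elasticsearch {
    host => "localhost"
  }
}
3. Restart the services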
# /bin/logstash -f conf/shipper.conf &
# /bin/logstash -f conf/indexer.conf &
4. Check the graphs: both the access log and the error log now show the client IP.
This article comes from the "charlie_cen" blog; please be sure to keep this attribution: http://charlie928.blog.51cto.com/3741218/1551624