Today I reworked the configuration files; previously the apache_errorlog events were not matching clientip.
1. First, modify shipper.conf
input {
  file {
    type => "apache-accesslog"
    path => "/var/log/httpd/access_log"
  }
  file {
    type => "apache-errorlog"
    path => "/var/log/httpd/error_log"
  }
}

filter {
  if [type] == "apache-accesslog" {
    grok {
      type => "apache-accesslog"
      pattern => "%{COMBINEDAPACHELOG}"
      patterns_dir => "/opt/logstash/patterns"
    }
  } else if [type] == "apache-errorlog" {
    grok {
      type => "apache-errorlog"
      match => { "message" => "%{APACHEERRORLOG}" }
      patterns_dir => [ "/opt/logstash/lib/logstash/grok" ]
      #pattern => "%{LOGLEVEL}"
      #patterns_dir => "/usr/local/src/logstash-1.4.2/patterns"
    }
  }
}

output {
  redis {
    host => '192.168.1.101'
    data_type => 'list'
    key => 'logstash'
  }
}
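The patterns used to match apache-errorlog go into a pattern file; they can also be written inline in the grok filter. Here I put them in a file, with the following content: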
HTTPERRORDATE %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}
APACHEERRORLOG \[%{HTTPERRORDATE:timestamp}\] \[%{WORD:severity}\] \[client %{IPORHOST:clientip}\] %{GREEDYDATA:message_remainder}
2. Next is indexer.conf
input {
  redis {
    host => "localhost"
    data_type => "list"
    port => "6379"
    key => "logstash"
    type => "apache-(access|error)log"
    codec => "json"
  }
}

output {
  elasticsearch {
    host => "localhost"
  }
}
3. Restart the services
# /bin/logstash -f conf/shipper.conf &
# /bin/logstash -f conf/indexer.conf &
4. Check the graphs: both the access log and the error log now show the client IP.
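
A quick offline check of the APACHEERRORLOG pattern above, showing which error_log lines yield a clientip and which would fall through with no match. This is an added example, not part of the original post: the regular expressions are simplified stand-ins for grok's sub-patterns, and the function names and sample lines are constructed for illustration.

```python
import re

# Simplified regex stand-ins for the grok sub-patterns (assumptions, not
# grok's exact definitions): DAY MONTH MONTHDAY TIME YEAR, and IPORHOST
# limited to IPv4 addresses and hostnames.
HTTPERRORDATE = r"[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)? \d{4}"
IPORHOST = r"[0-9A-Za-z][0-9A-Za-z.-]*"

# Same field names as the APACHEERRORLOG pattern in the pattern file.
APACHEERRORLOG = re.compile(
    r"\[(?P<timestamp>" + HTTPERRORDATE + r")\] "
    r"\[(?P<severity>\w+)\] "
    r"\[client (?P<clientip>" + IPORHOST + r")\] "
    r"(?P<message_remainder>.*)"
)

def parse_error_line(line):
    """Return the extracted fields, or None where the pattern does not match."""
    m = APACHEERRORLOG.search(line)  # unanchored search, like grok
    return m.groupdict() if m else None

# Constructed sample lines (documentation addresses), not from a real server.
SAMPLES = [
    # request error with a client: matches
    "[Tue Mar 10 14:02:11 2015] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico",
    # server notice without "[client ...]": no match
    "[Tue Mar 10 14:05:40 2015] [notice] caught SIGTERM, shutting down",
    # Apache 2.4-style line ("module:level", pid field, client port): no match
    "[Tue Mar 10 14:07:02.123456 2015] [core:error] [pid 4211] [client 192.0.2.10:51234] Invalid URI in request",
]

def summarize(lines):
    """Split lines into (parsed events, unmatched lines) so gaps are visible."""
    parsed, failed = [], []
    for line in lines:
        fields = parse_error_line(line)
        (parsed if fields else failed).append(fields or line)
    return parsed, failed

if __name__ == "__main__":
    parsed, failed = summarize(SAMPLES)
    for ev in parsed:
        print("clientip=%s severity=%s" % (ev["clientip"], ev["severity"]))
    for line in failed:
        print("no match:", line)
```

In Logstash, lines that the grok filter cannot match are tagged _grokparsefailure, so filtering on that tag in the dashboard shows how many error_log events still lack a clientip.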