今天重新調整了下配置文件,之前的apache_errorlog未匹配到clientip。
1.首先修改shipper.conf
input {
file {
type => "apache-accesslog"
path => "/var/log/httpd/access_log"
}
file {
type => "apache-errorlog"
path => "/var/log/httpd/error_log"
}
}
filter {
if [type] == "apache-accesslog" {
grok {
type => "apache-accesslog"
pattern => "%{COMBINEDAPACHELOG}"
patterns_dir => "/opt/logstash/patterns"
}
}
else if [type] == "apache-errorlog" {
grok {
type => "apache-errorlog"
match => { "message" => "%{APACHEERRORLOG}" }
patterns_dir => [ "/opt/logstash/lib/logstash/grok" ]
#pattern => "%{LOGLEVEL}"
#patterns_dir => "/usr/local/src/logstash-1.4.2/patterns"
}
}
}
output {
redis {
host => '192.168.1.101'
data_type => 'list'
key => 'logstash'
}
}apache-errorlog匹配的patterns寫入一個文件中,也可以直接在後面寫。我這裏寫入文件中,文件內容如下:
HTTPERRORDATE %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}
APACHEERRORLOG \[%{HTTPERRORDATE:timestamp}\] \[%{WORD:severity}\] \[client %{IPORHOST:clientip}\] %{GREEDYDATA:message_remainder}2.下面是indexer.conf
input {
redis {
host => "localhost"
data_type =>"list"
port => "6379"
key => "logstash"
type => "apache-(access|error)log"
codec => "json"
}
}
output {
elasticsearch {
host => "localhost"
}
}3.重啓服務
# /bin/logstash -f conf/shipper.conf & # /bin/logstash -f conf/indexer.conf &
4.查看圖形,訪問日誌跟錯誤日誌都能顯示客戶端IP
