logstash得grok可以對收集得數據進行過濾,geoip可以對過濾後得數據字段再進行細分,然後根據內建得geoip庫來得知訪問得ip來自於哪個城市了。官方文檔詳解地址https://www.elastic.co/guide/en/logstash/current/logstash-config-for-filebeat-modules.html#parsing-nginx
首先我們需要去下載地址庫,可以自行選擇城市還是國家。https://dev.maxmind.com/geoip/geoip2/geolite2/
這個數據庫因該放在logstash主機上,能夠被過濾器插件訪問和使用。
首先將數據庫下載至logstash目錄並解壓
wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
tar -xvf GeoLite2-City.tar.gz
將GeoLite2-City.mmdb移動到目錄下,然後將目錄刪了即可
然後我們修改logstash的配置文件
vim /etc/logstash/conf.d/ceshi.conf
input {
redis {
key => "filebeat"
data_type => "list"
password => "lvqing"
}
}
filter {
grok {
match => { "message" => ["%{IPORHOST:[nginx][access][remote_ip]} - %{DATA:[nginx][access][user_name]} \[%{HTTPDATE:[nginx][access][time]}\] \"%{WORD:[nginx][access][method]} %{DATA:[nginx][access][url]} HTTP/%{NUMBER:[nginx][access][http_version]}\" %{NUMBER:[nginx][access][response_code]} %{NUMBER:[nginx][access][body_sent][bytes]} \"%{DATA:[nginx][access][referrer]}\" \"%{DATA:[nginx][access][agent]}\""] }
remove_field => "message"
}
mutate {
add_field => { "read_timestamp" => "%{@timestamp}" }
}
date {
match => [ "[nginx][access][time]", "dd/MMM/YYYY:H:m:s Z" ]
remove_field => "[nginx][access][time]"
}
useragent {
source => "[nginx][access][agent]"
target => "geoip"
remove_field => "[nginx][access][agent]"
}
geoip {
source => "[nginx][access][remote_ip]"
target => "[nginx][access][geoip]"
database => "/etc/logstash/GeoLite2-City.mmdb"
}
}
output {
elasticsearch {
hosts => ["192.168.31.200:9200", "192.168.31.201:9200", "192.168.31.203:9200"]
index => "logstatsh-ngxaccesslog-%{+YYYY.MM.dd}"
}
}
注意:
1、輸出的日誌文件名必須以“logstash-”開頭,方可將geoip.location的type自動設定爲"geo_point";
2、target => "geoip"
可以看到日誌已經被成功分切了
image.png
既然geoip可以基於remoteip來分析訪問的客戶端來自於哪個城市,接下來我們測試一下這個場景
用echo命令將自己編寫的日誌信息追加到日誌文件中
echo '136.11.65.68 - - [17/Jan/2019:11:19:46 +0800] "GET / HTTP/1.1" 404 3650 "-" "curl/7.29.0" "121.1.17.2"' >> /var/log/nginx/access.log
image.png
然後可以用geoip插件展示地圖熱力圖
https://elasticsearch.cn/article/494
image.png