
logstash geoip 库测试

作者: awker | 来源:发表于2018-06-01 23:22 被阅读3次

    1. nginx access log 测试文件

    # cat /usr/share/logstash/nginx_access_geoip_test.log
    33.55.69.101 - - [24/May/2018:01:50:26 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"
    222.174.69.101 - - [24/May/2018:01:52:11 +0800] "GET /abc HTTP/1.1" 404 3652 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"
    
    

    2. logstash 配置

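    input {
        file {
            # Sample nginx access log (combined format) used for this test.
            path => "/usr/share/logstash/nginx_access_geoip_test.log"
            type => "nginx_access"
            # Read from the top of the file on first start. NOTE: the file input
            # remembers its read position in a sincedb, so a second run of this
            # test will emit nothing unless that state is reset (for a throwaway
            # test, sincedb_path => "/dev/null" is the usual trick).
            start_position => "beginning"
        }
    }

    filter {
        grok {
            # Split the combined-format line into fields. The pattern is anchored
            # with ^ so the regex engine fails fast on lines that do not start
            # with an address instead of retrying at every offset; log lines are
            # untrusted input and an unanchored pattern backtracks far harder on
            # junk. $ is deliberately omitted so a log_format with extra trailing
            # fields still parses.
            match => {
                "message" => '^%{IPORHOST:remote_ip} - %{DATA:user_name} \[%{HTTPDATE:time}\] "%{WORD:method} %{DATA:uri} HTTP/%{NUMBER:http_version}" %{NUMBER:response_code} %{NUMBER:bytes} "%{DATA:referrer}" "%{DATA:agent}"'
            }
        }

        # Everything below depends on the grok fields. Lines grok could not parse
        # are tagged _grokparsefailure and kept as-is; skipping them here avoids
        # piling on spurious _geoip_lookup_failure / _dateparsefailure tags.
        if "_grokparsefailure" not in [tags] {
            mutate {
                # Store numeric fields as integers so they can be aggregated
                # (sum of bytes) and range-queried (response_code >= 500) instead
                # of being compared as strings.
                convert => {
                    "bytes"         => "integer"
                    "response_code" => "integer"
                }
            }

            date {
                # Parse the nginx timestamp into @timestamp. The +0800 offset in
                # the log is honoured, so @timestamp is the same instant in UTC
                # (01:50:26 +0800 becomes 17:50:26Z on the previous day); the
                # original string is left in the "time" field.
                match => [ "time", "dd/MMM/YYYY:HH:mm:ss Z" ]
                locale => en
            }

            geoip {
                # Look up the client address in the GeoLite2-City database bundled
                # with the plugin. Caveats before using these fields in detections
                # or access rules:
                # - remote_ip is the first column of the nginx log, normally the
                #   TCP peer ($remote_addr). Behind a proxy/CDN that is the proxy's
                #   address; an X-Forwarded-For value is client-controlled and must
                #   not be fed here unless reduced to the trusted hop.
                # - Private/reserved addresses have no record; the event is tagged
                #   _geoip_lookup_failure rather than dropped.
                # - A record without city_name is country-level only, and its
                #   lat/lon is a generic country-centroid, not a real location.
                # - The bundled database is only as fresh as the plugin release;
                #   treat results as advisory, not authoritative.
                source => "remote_ip"
                target => "geoip"
            }

            useragent {
                # Parse the User-Agent string. The header is attacker-supplied
                # free text, so the derived os/name/device fields are hints, not
                # facts about the client.
                source => "agent"
                target => "user_agent"
            }
        }
    }

    output {
        # Print each event for inspection; swap for an elasticsearch output in real use.
        stdout { codec => "rubydebug" }
    }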
    
    
    

    3. 测试结果

    # /usr/share/logstash/bin/logstash -f /usr/share/logstash/geoip.conf
    WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
    Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
    [INFO ] 2018-06-01 23:17:06.036 [main] scaffold - Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
    [INFO ] 2018-06-01 23:17:06.044 [main] scaffold - Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
    [WARN ] 2018-06-01 23:17:06.529 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
    [INFO ] 2018-06-01 23:17:06.814 [LogStash::Runner] runner - Starting Logstash {"logstash.version"=>"6.2.3"}
    [INFO ] 2018-06-01 23:17:07.111 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9601}
    [INFO ] 2018-06-01 23:17:09.025 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] pipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
    [INFO ] 2018-06-01 23:17:09.134 [[main]-pipeline-manager] geoip - Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-City.mmdb"}
    [INFO ] 2018-06-01 23:17:10.125 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] pipeline - Pipeline started succesfully {:pipeline_id=>"main", :thread=>"#<Thread:0x2610db05@/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:246 sleep>"}
    [INFO ] 2018-06-01 23:17:10.180 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] agent - Pipelines running {:count=>1, :pipelines=>["main"]}
    {
                  "uri" => "/",
                "bytes" => 0,
             "@version" => "1",
               "method" => "GET",
                 "host" => "devops-01",
                "geoip" => {
                        "ip" => "33.55.69.101",
             "country_code3" => "US",
                  "latitude" => 37.751,
             "country_code2" => "US",
                 "longitude" => -97.822,
            "continent_code" => "NA",
                  "location" => {
                "lon" => -97.822,
                "lat" => 37.751
            },
              "country_name" => "United States"
        },
         "http_version" => "1.1",
                 "time" => "24/May/2018:01:50:26 +0800",
              "message" => "33.55.69.101 - - [24/May/2018:01:50:26 +0800] \"GET / HTTP/1.1\" 304 0 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36\"",
           "@timestamp" => 2018-05-23T17:50:26.000Z,
            "remote_ip" => "33.55.69.101",
        "response_code" => "304",
            "user_name" => "-",
                "agent" => "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36",
                 "type" => "nginx_access",
                 "path" => "/usr/share/logstash/nginx_access_geoip_test.log",
             "referrer" => "-",
           "user_agent" => {
             "device" => "Other",
            "os_name" => "Windows 10",
              "major" => "64",
              "patch" => "3282",
              "build" => "",
               "name" => "Chrome",
              "minor" => "0",
                 "os" => "Windows 10"
        }
    }
    {
                  "uri" => "/abc",
                "bytes" => 3652,
             "@version" => "1",
               "method" => "GET",
                 "host" => "devops-01",
                "geoip" => {
                        "ip" => "222.174.69.101",
                 "city_name" => "Jinan",
                  "location" => {
                "lon" => 116.9972,
                "lat" => 36.6683
            },
              "country_name" => "China",
             "country_code3" => "CN",
               "region_name" => "Shandong",
                  "latitude" => 36.6683,
             "country_code2" => "CN",
                 "longitude" => 116.9972,
                  "timezone" => "Asia/Shanghai",
            "continent_code" => "AS",
               "region_code" => "37"
        },
         "http_version" => "1.1",
                 "time" => "24/May/2018:01:52:11 +0800",
              "message" => "222.174.69.101 - - [24/May/2018:01:52:11 +0800] \"GET /abc HTTP/1.1\" 404 3652 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36\"",
           "@timestamp" => 2018-05-23T17:52:11.000Z,
            "remote_ip" => "222.174.69.101",
        "response_code" => "404",
            "user_name" => "-",
                "agent" => "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36",
                 "type" => "nginx_access",
                 "path" => "/usr/share/logstash/nginx_access_geoip_test.log",
             "referrer" => "-",
           "user_agent" => {
             "device" => "Other",
            "os_name" => "Windows 10",
              "major" => "64",
              "patch" => "3282",
              "build" => "",
               "name" => "Chrome",
              "minor" => "0",
                 "os" => "Windows 10"
        }
    }
    
    
