Logstash过滤插件

Logstash过滤插件

作者: 小李飞刀_lql | 来源:发表于2022-01-15 11:00 被阅读0次

过滤插件

json

输入配置

[root@es2 conf.d]# vi test.conf 
input {
  # Tail every *.log under /var/log/test except error.log. tags, type and
  # add_field are stamped onto each event before it reaches the filter stage.
  file {
    path => "/var/log/test/*.log"
    exclude => "error.log"
    # A repeated setting is merged; the output below shows tags => ["web", "nginx"].
    tags => "web"
    tags => "nginx"
    type => "access"
    add_field => {
      "project" => "microservice"
      "app" => "product"
    }
  }
}
filter {
  # Parse the raw line held in "message" as JSON. The parsed keys are merged into
  # the event root (compare remote_addr/url/status in the output below) and
  # "message" itself is kept. A line that is not valid JSON is tagged
  # _jsonparsefailure instead.
  # NOTE(review): because keys land at the root, a log line that carries its own
  # "type", "tags" or "host" key would shadow the values set by the input; the
  # filter's `target` option namespaces the parsed fields instead — verify against
  # what the producers can emit.
  json {
    source => "message"
  }
}
output {
  # Demo sink: append each event as JSON to a fixed file.
  # NOTE(review): /tmp is shared and the path is predictable; beyond a local test,
  # write under a directory only the logstash user can write to.
  file {
    path => "/tmp/test.log"
  }
}


-------------
模拟数据:
{"remote_addr": "192.168.1.10","url":"/index","status":"200"}

输出结果

{
    "host": "es2",
    "@version": "1",
    "path": "/var/log/test/1.log",
    "project": "microservice",
    "type": "access",
    "app": "product",
    "status": "200",
    "remote_addr": "192.168.1.10",
    "tags": [
        "web",
        "nginx"
    ],
    "message": "{\"remote_addr\": \"192.168.1.10\",\"url\":\"/index\",\"status\":\"200\"}",
    "@timestamp": "2021-11-04T14:15:49.388Z",
    "url": "/index"
}

输出至ES

input {
  # Same source as the file-output example: every *.log under /var/log/test
  # except error.log, with tags/type/project/app stamped onto each event.
  file {
    path => "/var/log/test/*.log"
    exclude => "error.log"
    tags => "web"
    tags => "nginx"
    type => "access"
    add_field => {
      "project" => "microservice"
      "app" => "product"
    }
  }
}
filter {
  # Parse "message" as JSON and merge the keys into the event root; a line that
  # is not valid JSON is tagged _jsonparsefailure.
  json {
    source => "message"
  }
}
output {
  # Ship to a single Elasticsearch node; the index name rolls daily through the
  # %{+YYYY.MM.dd} sprintf date.
  # NOTE(review): hosts is plain host:port with no `user`/`password` and no `ssl`
  # settings, so events travel unencrypted and the cluster must accept
  # unauthenticated writes — fine on a lab network, set them where the cluster
  # requires auth/TLS.
  elasticsearch {
    hosts => ["192.168.153.25:9200"]
    index => "test-%{+YYYY.MM.dd}"
  }
}

kibana显示

1636036166459.png 1636036254563.png 1636036576720.png

KV

输入配置

input {
  # Same source as the JSON examples: every *.log under /var/log/test except
  # error.log, with tags/type/project/app stamped onto each event.
  file {
    path => "/var/log/test/*.log"
    exclude => "error.log"
    tags => "web"
    tags => "nginx"
    type => "access"
    add_field => {
      "project" => "microservice"
      "app" => "product"
    }
  }
}
filter {
  # Split "message" on '&' or '?' (every character in field_split is a separator)
  # and each piece on '=' (the default value_split) into key/value fields; in the
  # sample below id, name and age become fields.
  # NOTE(review): field names are taken verbatim from the input, so an untrusted
  # query string can create arbitrary fields and grow the Elasticsearch mapping
  # without bound (index.mapping.total_fields.limit, default 1000, then rejects
  # documents). Constrain the keys with `include_keys` and/or put the result under
  # `target` so stray keys cannot overwrite existing event fields.
  kv {
    field_split => "&?"
  }
}
output {
  # Single Elasticsearch node over plain HTTP, daily index; no auth/TLS settings.
  elasticsearch {
    hosts => ["192.168.153.25:9200"]
    index => "test-%{+YYYY.MM.dd}"
  }
}

-----------------------------------------------------------------------------
模拟数据:
www.ctnrs.com?id=1&name=aliang&age=30

kibana显示

1636036923256.png

Grok

正则表达式

1636082254273.png

Grok Debugger

1636077090199.png

正则匹配模式

#样例数据
192.168.1.10 GET /index.html 15824 0.043

#Grok 模式
%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}

#结构化数据
{
  "duration": "0.043",
  "request": "/index.html",
  "method": "GET",
  "bytes": "15824",
  "client": "192.168.1.10"
}
#样例数据
192.168.1.10 GET /index.html 15824 0.043

#Grok 模式
(?<ip>\d+\.\d+\.\d+\.\d+) (?<method>\w+) (?<request>/.*) (?<bytes>\d+) (?<duration>\d+\.\d+) 

#结构化数据
{
  "duration": "0.043",
  "request": "/index.html",
  "method": "GET",
  "bytes": "15824",
  "ip": "192.168.1.10"
}

自定义模式

#样例数据
192.168.1.10 GET /index.html 15824 0.043 123456

#Grok 模式
%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} %{CID:cid}

#自定义模式
CID [0-9]{5,6}

#结构化数据
{
  "duration": "0.043",
  "request": "/index.html",
  "method": "GET",
  "bytes": "15824",
  "client": "192.168.1.10",
  "cid": "123456"
}

配置文件(自定义)

input {
  # Same source as the earlier examples: every *.log under /var/log/test except
  # error.log, with tags/type/project/app stamped onto each event.
  file {
    path => "/var/log/test/*.log"
    exclude => "error.log"
    tags => "web"
    tags => "nginx"
    type => "access"
    add_field => {
      "project" => "microservice"
      "app" => "product"
    }
  }
}
filter {
  # Extract client/method/request/bytes/duration/cid from the access line. CID is
  # the custom pattern defined in /opt/patterns (every file in patterns_dir is
  # loaded). A line that does not match is tagged _grokparsefailure and passes
  # through unparsed.
  # NOTE(review): the pattern is not anchored, so grok searches the whole line;
  # prefixing it with ^ stops matches starting mid-line on unexpected input and
  # limits backtracking on long lines.
  grok {
    patterns_dir =>"/opt/patterns"
    match => {
      "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} %{CID:cid}"
    }
  }
}
output {
  # Single Elasticsearch node over plain HTTP, daily index; no auth/TLS settings.
  elasticsearch {
    hosts => ["192.168.153.25:9200"]
    index => "test-%{+YYYY.MM.dd}"
  }
}

---------------------------------------------------------------------------
[root@localhost conf.d]# vi /opt/patterns
CID [0-9]{5,6}

--------------------------------------------------------------------------------

模拟数据:
192.168.1.10 GET /index.html 15824 0.043 123456

配置文件(多格式匹配)

input {
  # Same source as the earlier examples: every *.log under /var/log/test except
  # error.log, with tags/type/project/app stamped onto each event.
  file {
    path => "/var/log/test/*.log"
    exclude => "error.log"
    tags => "web"
    tags => "nginx"
    type => "access"
    add_field => {
      "project" => "microservice"
      "app" => "product"
    }
  }
}
filter {
  # Two candidate layouts for the same field. Patterns are tried in order and the
  # first one that matches wins (break_on_match is on by default): CID accepts
  # only digits, so the "abcdef xyz" sample below falls through to the EID/TAG
  # pattern. CID, EID and TAG come from /opt/patterns.
  # NOTE(review): neither pattern is anchored with ^; see the single-pattern
  # example for why that matters with unexpected input.
  grok {
    patterns_dir =>"/opt/patterns"
    match => [
         "message", "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} %{CID:cid}",
         "message", "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} %{EID:eid} %{TAG:tag}"
        ]
  }
}
output {
  # Single Elasticsearch node over plain HTTP, daily index; no auth/TLS settings.
  elasticsearch {
    hosts => ["192.168.153.25:9200"]
    index => "test-%{+YYYY.MM.dd}"
  }
}

-------------------------------------------------------------------
[root@localhost conf.d]# vi /opt/patterns
CID [0-9]{5,6}
EID [a-z]{5,6}
TAG \w+

--------------------------------------------------------------------
#192.168.1.10 GET /index.html 15824 0.053 123456
#192.168.1.10 GET /index.html 15824 0.043 abcdef xyz
#两条都能匹配和接收

GeoIP

配置文件

input {
  # Same source as the earlier examples: every *.log under /var/log/test except
  # error.log, with tags/type/project/app stamped onto each event.
  file {
    path => "/var/log/test/*.log"
    exclude => "error.log"
    tags => "web"
    tags => "nginx"
    type => "access"
    add_field => {
      "project" => "microservice"
      "app" => "product"
    }
  }
}
filter {
  # Same two-layout grok as the multi-pattern example; "client" is the IP field
  # the geoip filter below reads.
  grok {
    patterns_dir =>"/opt/patterns"
    match => [
         "message", "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} %{CID:cid}",
         "message", "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} %{EID:eid} %{TAG:tag}"
        ]
  }
  # Look the extracted client address up in a local GeoLite2 City database.
  # Private/reserved addresses such as 192.168.1.10 have no entry (the event is
  # tagged _geoip_lookup_failure), which is why the test line below uses 8.8.8.8.
  # Runs after grok because it depends on the "client" field grok creates.
  geoip {
    source => "client"
    database => "/opt/GeoLite2-City.mmdb"
  }
}
output {
  # Single Elasticsearch node over plain HTTP, daily index; no auth/TLS settings.
  elasticsearch {
    hosts => ["192.168.153.25:9200"]
    index => "test-%{+YYYY.MM.dd}"
  }
}

--------------------------------------------------------------------------
source => "client" 中的 client 就是 grok 提取出来的 IP 字段（%{IP:client}）

测试数据:
8.8.8.8 GET /index.html 15824 0.043 abcdef xyz

kibana显示

1636081310192.png

条件判断

配置文件

input {
  # Two watched files; each event is stamped with the log_type that selects its
  # target index in the filter stage.
  file {
    path => "/var/log/test/test.log"
    add_field => { "log_type" => "test" }
  }
  file {
    path => "/var/log/test/prod.log"
    add_field => { "log_type" => "prod" }
  }
}

filter {
  # Parse the raw line as JSON into the event root.
  # NOTE(review): a JSON line carrying its own "log_type" key would overwrite the
  # value set by the input and change its routing — confirm producers cannot
  # emit that key, or namespace the parsed fields with `target`.
  json {
    source => "message"
  }

  # Route by log_type: test/dev share a monthly index, prod gets a daily one and
  # anything else lands in a yearly catch-all. The choice is stored under
  # @metadata so it is available to the output without being indexed itself.
  if [log_type] in ["test", "dev"] {
    mutate { add_field => { "[@metadata][target_index]" => "test-%{+YYYY.MM}" } }
  } else if [log_type] == "prod" {
    mutate { add_field => { "[@metadata][target_index]" => "prod-%{+YYYY.MM.dd}" } }
  } else {
    mutate { add_field => { "[@metadata][target_index]" => "unknown-%{+YYYY}" } }
  }
}

output {
  # Single Elasticsearch node over plain HTTP, index taken from the metadata
  # field set above; no auth/TLS settings.
  elasticsearch {
    hosts => ["192.168.153.25:9200"]
    index => "%{[@metadata][target_index]}"
  }
}



-------------
模拟数据:
{"remote_addr": "192.168.1.10","url":"/index","status":"789"}

kibana显示

1636098769558.png
