logstash配置filebeat日志

logstash配置filebeat日志

作者: 挨踢的懒猫 | 来源:发表于2018-06-12 13:43 被阅读55次
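    # Logstash pipeline: accept events from Filebeat over TLS, parse nginx
    # access/error logs and the syslog "messages" file, and write each event
    # type to its own daily Elasticsearch index.
    input {
      beats {
        host => "10.10.51.166"
        port => 5000
        # Only applied to events that arrive without a type; the branches
        # below rely on Filebeat already stamping "nginx-access",
        # "nginx-error" or "sys-messages" on each event.
        type => "logs"
        ssl => true
        ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
        ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
        # SECURITY: this only authenticates the server to the shipper. The
        # beats input does not verify client certificates by default, so any
        # host that can reach TCP/5000 can inject arbitrary log events.
        # Once a CA that signs the Filebeat client certs exists, enable
        # mutual TLS (Logstash 8.x spells this ssl_client_authentication):
        #   ssl_verify_mode => "force_peer"
        #   ssl_certificate_authorities => ["<CA bundle that signs the Filebeat client certs>"]
      }
    }
    
    filter {
      if [type] == "nginx-access" {
        grok {
          patterns_dir => "/usr/share/logstash/patterns"
          # NGINX_ACCESSLOG is a site-local pattern from patterns_dir; it is
          # expected to yield at least "clientip" and "timestamp" for the
          # geoip and date filters below.
          match => { "message" => "%{NGINX_ACCESSLOG}" }
          # NOTE(review): with Filebeat >= 6.3 "host" is an object, so
          # %{host} renders as a hash; "%{[host][name]}" may be intended.
          add_field => {
            "received_at"   => "%{@timestamp}"
            "received_from" => "%{host}"
          }
        }
        # Decodes every string field in place, so the original (encoded)
        # request is not retained; keep that in mind when hunting for
        # encoded payloads in the indexed documents.
        urldecode {
          all_fields => true
        }
        geoip {
          source => "clientip"
        }
        # nginx access lines carry no PRI header; this filter then falls back
        # to its default priority and only adds the default facility/severity
        # fields. Left in place to keep the indexed document shape unchanged.
        syslog_pri {}
        date {
          match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
        }
      } else if [type] == "nginx-error" {
        grok {
          patterns_dir => "/usr/share/logstash/patterns"
          # NOTE(review): this reuses the *access* log pattern for the error
          # log, which looks like a copy-paste from the branch above. nginx
          # error lines use a different layout (yyyy/MM/dd HH:mm:ss [level]
          # pid#tid: ...), so this match, the geoip lookup and the date
          # pattern below likely fail for every event (_grokparsefailure).
          # Fix requires an error-log pattern in patterns_dir plus a matching
          # date format; left unchanged here because neither is visible.
          match => { "message" => "%{NGINX_ACCESSLOG}" }
          add_field => {
            "received_at"   => "%{@timestamp}"
            "received_from" => "%{host}"
          }
        }
        geoip {
          source => "clientip"
        }
        syslog_pri {}
        date {
          match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
        }
      } else if [type] == "sys-messages" {
        grok {
          match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
          add_field => {
            "received_at"   => "%{@timestamp}"
            "received_from" => "%{host}"
          }
        }
        # The syslog pattern above produces no "clientip" field, so this
        # lookup has nothing to act on; kept so the event shape is unchanged.
        geoip {
          source => "clientip"
        }
        syslog_pri {}
        # Classic syslog timestamps carry neither year nor zone; Logstash
        # fills in the current year and the host's local timezone.
        date {
          match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
        }
      }
    
    }
    
    output {
      # SECURITY: all three outputs talk plain HTTP to 9200 with no
      # credentials; if the cluster has security enabled add user/password
      # (or api_key) and ssl => true with a cacert here.
      if [type] == "nginx-access" {
        elasticsearch {
          hosts => ["10.10.51.166:9200"]
          manage_template => true
          index => "logstash-nginx-access-%{+YYYY-MM-dd}"
        }
      } else if [type] == "nginx-error" {
        # Was "nginx-access" again, which made this branch unreachable and
        # silently dropped every nginx-error event from Elasticsearch.
        elasticsearch {
          hosts => ["10.10.51.166:9200"]
          manage_template => true
          index => "logstash-nginx-error-%{+YYYY-MM-dd}"
        }
      } else if [type] == "sys-messages" {
        elasticsearch {
          hosts => ["10.10.51.166:9200"]
          manage_template => true
          index => "logstash-sys-messages-%{+YYYY-MM-dd}"
        }
      }
    
      # Echoes every event (including request URIs and syslog bodies) to the
      # Logstash process log; useful while debugging, noisy and potentially
      # sensitive in production.
      stdout { codec => rubydebug }
    }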
    
    


