
# dmidecode|grep "System Information" -A9|egrep "Manufacturer|Product"
Manufacturer: Dell Inc.
Product Name: PowerEdge R630
# uname -a
Linux linux-node2 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
# java -version
openjdk version "1.8.0_171"
OpenJDK Runtime Environment (build 1.8.0_171-b10)
OpenJDK 64-Bit Server VM (build 25.171-b10, mixed mode)
# echo $JAVA_HOME
2.2 Import the Elastic package signing key, then install Logstash from the yum repository:
# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
curl: (6) Could not resolve host: packages.elastic.co; Unknown error
error: https://packages.elastic.co/GPG-KEY-elasticsearch: import read failed(2).
(The second import, against the older packages.elastic.co host name, fails to resolve; the key imported from artifacts.elastic.co is the one yum verifies the packages against.)
# vi /etc/yum.repos.d/logstash.repo
[logstash-6.x]
name=Elastic repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
(Only the name= line survives on the page; the remaining lines are the standard Elastic 6.x repository definition, with gpgcheck=1 so that every downloaded package is verified against the key imported above.)
# yum install logstash
Loaded plugins: fastestmirror
base | 3.6 kB 00:00:00
centos-ceph-luminous | 2.9 kB 00:00:00
centos-openstack-queens | 2.9 kB 00:00:00
centos-qemu-ev | 2.9 kB 00:00:00
docker-ce-stable | 2.9 kB 00:00:00
elasticsearch-6.x | 1.3 kB 00:00:00
extras | 3.4 kB 00:00:00
logstash-6.x | 1.3 kB 00:00:00
updates | 3.4 kB 00:00:00
(1/4): logstash-6.x/primary | 67 kB 00:00:04
(2/4): centos-ceph-luminous/7/x86_64/primary_db | 115 kB 00:00:04
centos-qemu-ev/7/x86_64/primar FAILED ============================= ] 48 kB/s | 701 kB 00:00:08 ETA
http://mirror.centos.org/centos/7/virt/x86_64/kvm-common/repodata/2dcd3ba7c05dfc6ae2e1da196d1fa38e6f417b3818f3911edf22ddabf779f273-primary.sqlite.bz2: [Errno 14] curl#7 - "Failed to connect to 2605:9000:401:102::2: Network is unreachable"
Trying other mirror.
(3/4): centos-openstack-queens/x86_64/primary_db | 902 kB 00:00:25
(4/4): centos-qemu-ev/7/x86_64/primary_db | 44 kB 00:00:03
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
logstash-6.x 180/180
Resolving Dependencies
--> Running transaction check
---> Package logstash.noarch 1:6.2.4-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
Package Arch Version Repository Size
logstash noarch 1:6.2.4-1 elasticsearch-6.x 141 M
Transaction Summary
Install 1 Package
Total download size: 141 M
Installed size: 237 M
Is this ok [y/d/N]: y
Downloading packages:
logstash-6.2.4.rpm | 141 MB 00:10:34
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 1:logstash-6.2.4-1.noarch 1/1
Using provided startup.options file: /etc/logstash/startup.options
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
Successfully created system startup script for Logstash
Verifying : 1:logstash-6.2.4-1.noarch 1/1
logstash.noarch 1:6.2.4-1
# systemctl start logstash.service
# systemctl enable logstash.service
#ln -s /usr/share/logstash/bin/logstash /bin/logstash
2.3 Test Logstash. A Logstash pipeline has two required elements, input and output, and one optional element, the filter. Input plugins consume data from a source, filter plugins modify the data as you specify, and output plugins write the data to a destination.
#/usr/share/logstash/bin/logstash -e 'input { stdin { } } output { stdout {} }'
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2018-05-25 11:30:32.586 [main] scaffold - Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
[INFO ] 2018-05-25 11:30:32.617 [main] scaffold - Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
[INFO ] 2018-05-25 11:30:32.746 [main] writabledirectory - Creating directory {:setting=>"path.queue", :path=>"/usr/share/logstash/data/queue"}
[INFO ] 2018-05-25 11:30:32.782 [main] writabledirectory - Creating directory {:setting=>"path.dead_letter_queue", :path=>"/usr/share/logstash/data/dead_letter_queue"}
[WARN ] 2018-05-25 11:30:33.954 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2018-05-25 11:30:34.057 [LogStash::Runner] agent - No persistent UUID file found. Generating new UUID {:uuid=>"935e91a7-5807-460e-9b52-ea8687f18356", :path=>"/usr/share/logstash/data/uuid"}
[INFO ] 2018-05-25 11:30:34.530 [LogStash::Runner] runner - Starting Logstash {"logstash.version"=>"6.2.4"}
[INFO ] 2018-05-25 11:30:34.862 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2018-05-25 11:30:36.620 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] pipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>1, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
The stdin plugin is now waiting for input:
[INFO ] 2018-05-25 11:30:36.788 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] pipeline - Pipeline started successfully {:pipeline_id=>"main", :thread=>"#"}
[INFO ] 2018-05-25 11:30:36.828 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] agent - Pipelines running {:count=>1, :pipelines=>["main"]}
{
    "message" => "helloworld",
    "host" => "linux-node1",
    "@version" => "1",
    "@timestamp" => 2018-05-25T03:31:08.872Z
}
[INFO ] 2018-05-25 11:32:45.550 [[main]-pipeline-manager] pipeline - Pipeline has terminated {:pipeline_id=>"main", :thread=>"#"}
2.4 Collect the Apache web log with Filebeat as the input and configure Logstash to parse it. Logstash already has Filebeat installed by default.
Download the sample log file: https://download.elastic.co/demos/logstash/gettingstarted/logstash-tutorial.log.gz
If you need to ship events that span multiple lines, configure that with the configuration options available in Filebeat rather than with the Multiline codec plugin; using the codec makes Logstash fail at startup (for example, multi-line Java stack trace messages).
# /usr/share/logstash/bin/logstash-plugin list shows the plugins installed by default; if one you need is missing, install it manually:
/usr/share/logstash/bin/logstash-plugin install logstash-input-beats
Logstash plugin reference: https://www.elastic.co/support/matrix#matrix_logstash_plugins
# yum install filebeat -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
Resolving Dependencies
--> Running transaction check
---> Package filebeat.x86_64 0:6.2.4-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
Package Arch Version Repository Size
filebeat x86_64 6.2.4-1 elasticsearch-6.x 12 M
Transaction Summary
Install 1 Package
Total download size: 12 M
Installed size: 49 M
Downloading packages:
filebeat-6.2.4-x86_64.rpm | 12 MB 00:00:53
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : filebeat-6.2.4-1.x86_64 1/1
Verifying : filebeat-6.2.4-1.x86_64 1/1
filebeat.x86_64 0:6.2.4-1
2.5 Configure the Filebeat yml:
#vim /etc/filebeat/filebeat.yml
filebeat.prospectors:
- type: log
  enabled: true
  paths:
    - /opt/logstash-tutorial.log   # the downloaded Apache sample log
output.logstash:
  hosts: [""]   # host:port of the Logstash beats input; the pipeline below listens on 5044
(The page shows only the type, path and hosts lines; the surrounding keys are the Filebeat 6.x defaults. Leave the default output.elasticsearch section commented out so that only one output is active.)
/usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -d "publish" (leave this running)
Next, create a Logstash config pipeline that uses the Beats input plugin to receive events from Beats.
cat /etc/logstash/first-pipeline.conf
# The # character at the beginning of a line indicates a comment. Use
# comments to describe your configuration.
input {
    beats {
        port => "5044"
    }
}
output {
    stdout { codec => rubydebug }
}
#/bin/logstash -f /etc/logstash/first-pipeline.conf --config.test_and_exit
#/bin/logstash -f /etc/logstash/first-pipeline.conf --config.reload.automatic
--config.reload.automatic enables automatic configuration reloading, so you do not have to stop and restart Logstash every time you edit the configuration file.
When Logstash starts you will see many warnings about pipelines.yml; that file is used to define multiple pipelines in a single Logstash instance, and it is ignored when a pipeline is given on the command line with -f.
/bin/logstash -f /etc/logstash/first-pipeline.conf --config.reload.automatic
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2018-05-25 17:08:15.239 [main] scaffold - Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
[INFO ] 2018-05-25 17:08:15.256 [main] scaffold - Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
[WARN ] 2018-05-25 17:08:16.532 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2018-05-25 17:08:17.162 [LogStash::Runner] runner - Starting Logstash {"logstash.version"=>"6.2.4"}
[INFO ] 2018-05-25 17:08:17.593 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2018-05-25 17:08:19.537 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] pipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>1, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[INFO ] 2018-05-25 17:08:21.015 [[main]-pipeline-manager] beats - Beats inputs: Starting input listener {:address=>""}
[INFO ] 2018-05-25 17:08:21.267 [[main]
[INFO ] 2018-05-25 17:08:21.308 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] pipeline - Pipeline started successfully {:pipeline_id=>"main", :thread=>"#"}
[INFO ] 2018-05-25 17:08:21.599 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] agent - Pipelines running {:count=>1, :pipelines=>["main"]}
{
    "source" => "/opt/logstash-tutorial.log",
    "beat" => {
        "version" => "6.2.4",
        "name" => "linux-node1",
        "hostname" => "linux-node1"
    },
    "message" => " - - [04/Jan/2015:05:13:42 +0000] \"GET /presentations/logstash-monitorama-2013/images/kibana-search.png HTTP/1.1\" 200 203023 \"http://semicomplete.com/presentations/logstash-monitorama-2013/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\"",
    "host" => "linux-node1",
    "@timestamp" => 2018-05-25T09:12:06.731Z,
    "@version" => "1",
    "prospector" => {
        "type" => "log"
    },
    "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
    "offset" => 325
}
# /usr/share/logstash/bin/logstash-plugin install logstash-filter-grok
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
Validating logstash-filter-grok
Installing logstash-filter-grok
Installation successful
# vi first-pipeline.conf
input {
    beats {
        port => "5044"
    }
}
filter {
    grok {
        match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
}
output {
    stdout { codec => rubydebug }
}
{
    "agent" => "\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\"",
    "verb" => "GET",
    "auth" => "-",
    "offset" => 325,
    "@timestamp" => 2018-05-25T09:53:58.555Z,
    "beat" => {
        "name" => "linux-node1",
        "hostname" => "linux-node1",
        "version" => "6.2.4"
    },
    "clientip" => "",
    "response" => "200",
    "host" => "linux-node1",
    "message" => " - - [04/Jan/2015:05:13:42 +0000] \"GET /presentations/logstash-monitorama-2013/images/kibana-search.png HTTP/1.1\" 200 203023 \"http://semicomplete.com/presentations/logstash-monitorama-2013/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\"",
    "bytes" => "203023",
    "@version" => "1",
    "source" => "/opt/logstash-tutorial.log",
    "ident" => "-",
    "timestamp" => "04/Jan/2015:05:13:42 +0000",
    "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
    "httpversion" => "1.1",
    "prospector" => {
        "type" => "log"
    },
    "request" => "/presentations/logstash-monitorama-2013/images/kibana-search.png",
    "referrer" => "\"http://semicomplete.com/presentations/logstash-monitorama-2013/\""
}
# /usr/share/logstash/bin/logstash-plugin install logstash-filter-geoip    # separate the arguments with a single space; with extra spaces the command will not run
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
Validating logstash-filter-geoip
Installing logstash-filter-geoip
Installation successful
# vi first-pipeline.conf
input {
    beats {
        port => "5044"
    }
}
filter {
    grok {
        match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    geoip {
        source => "clientip"
    }
}
output {
    stdout { codec => rubydebug }
}
{
    "agent" => "\"Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/24.0 Iceweasel/24.3.0\"",
    "verb" => "GET",
    "geoip" => {
        "continent_code" => "EU",
        "city_name" => "Balham",
        "country_code2" => "GB",
        "region_code" => "LBH",
        "latitude" => 51.4434,
        "country_code3" => "GB",
        "region_name" => "Lambeth",
        "postal_code" => "SW12",
        "location" => {
            "lat" => 51.4434,
            "lon" => -0.1468
        },
        "ip" => "",
        "timezone" => "Europe/London",
        "country_name" => "United Kingdom",
        "longitude" => -0.1468
    },
    "auth" => "-",
    "offset" => 24464,
    "@timestamp" => 2018-05-25T10:13:03.049Z,
    "beat" => {
        "name" => "linux-node1",
        "hostname" => "linux-node1",
        "version" => "6.2.4"
    },
    "clientip" => "",
    "response" => "200",
    "host" => "linux-node1",
    "message" => " - - [04/Jan/2015:05:30:37 +0000] \"GET /style2.css HTTP/1.1\" 200 4877 \"http://www.semicomplete.com/projects/xdotool/\" \"Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/24.0 Iceweasel/24.3.0\"",
    "bytes" => "4877",
    "source" => "/opt/logstash-tutorial.log",
    "@version" => "1",
    "ident" => "-",
    "timestamp" => "04/Jan/2015:05:30:37 +0000",
    "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
    "httpversion" => "1.1",
    "prospector" => {
        "type" => "log"
    },
    "request" => "/style2.css",
    "referrer" => "\"http://www.semicomplete.com/projects/xdotool/\""
}
In the tests above we completed the manual testing and obtained the data format we want; next, add an index in Elasticsearch. Now that the web log is broken into specific fields, the Logstash pipeline can index the data into an Elasticsearch cluster.
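To make concrete what the grok and geoip filters above do to each event, and what they do when they cannot, here is an added example in Python; it is not code from this page, from Logstash or from either plugin. The grok stage applies a regular expression equivalent to %{COMBINEDAPACHELOG} with the field names shown in the output above (referrer and agent keep their quotes, as grok's %{QS} does), and tags a non-matching event with _grokparsefailure instead of fields. The geoip stage adds the nested geoip field from clientip, or tags the event with the filter's default _geoip_lookup_failure when the field is missing, malformed, or has no database entry. The lookup table is a constructed stand-in for the GeoLite2 City database using documentation-range networks, and the client addresses in the sample lines are constructed too, since the page does not show them; everything else in the sample lines comes from the page's own events.

```python
import ipaddress
import re
from collections import Counter

# Python re equivalent of grok's %{COMBINEDAPACHELOG}, with the field names the
# page's output shows. As with grok's %{QS}, referrer and agent keep their quotes.
COMBINED_APACHE_LOG = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?:(?P<verb>[A-Z]+) (?P<request>\S+)(?: HTTP/(?P<httpversion>\d+(?:\.\d+)?))?'
    r'|(?P<rawrequest>[^"]*))" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) '
    r'(?P<referrer>"[^"]*") (?P<agent>"[^"]*")$'
)
GROK_FAILURE_TAG = "_grokparsefailure"        # grok's default tag_on_failure
GEOIP_FAILURE_TAG = "_geoip_lookup_failure"   # geoip's default tag_on_failure

# Constructed stand-in for the GeoLite2 City database: documentation-range
# networks mapped to records shaped like the page's geoip output (assumption:
# real database entries differ).
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"),
     {"continent_code": "EU", "country_code2": "GB", "country_name": "United Kingdom",
      "city_name": "Balham", "timezone": "Europe/London", "latitude": 51.4434, "longitude": -0.1468}),
    (ipaddress.ip_network("198.51.100.0/24"),
     {"continent_code": "EU", "country_code2": "RU", "country_name": "Russia",
      "city_name": "Moscow", "timezone": "Europe/Moscow", "latitude": 55.7485, "longitude": 37.6184}),
]


def grok_filter(event):
    """grok { match => { "message" => "%{COMBINEDAPACHELOG}" } }: add the captured
    fields, or tag the event when the message does not match. A "-" byte count is
    dropped, as grok's (?:%{NUMBER:bytes}|-) does."""
    match = COMBINED_APACHE_LOG.match(event.get("message", ""))
    if match is None:
        event.setdefault("tags", []).append(GROK_FAILURE_TAG)
        return event
    for name, value in match.groupdict().items():
        if value is not None and not (name == "bytes" and value == "-"):
            event[name] = value
    return event


def geoip_filter(event, source="clientip", target="geoip"):
    """geoip { source => "clientip" }: add the nested target field, or tag the
    event when the source is missing, malformed, or has no database entry
    (RFC 1918 and loopback addresses never have one, so a log that records a
    reverse proxy's internal address instead of the client always fails here)."""
    try:
        ip = ipaddress.ip_address(event.get(source))
    except (TypeError, ValueError):
        event.setdefault("tags", []).append(GEOIP_FAILURE_TAG)
        return event
    for network, record in GEO_TABLE:
        if ip in network:
            event[target] = dict(record, ip=str(ip),
                                 location={"lat": record["latitude"], "lon": record["longitude"]})
            return event
    event.setdefault("tags", []).append(GEOIP_FAILURE_TAG)
    return event


def run_pipeline(lines):
    """The page's filter chain over one event per line: grok, then geoip."""
    return [geoip_filter(grok_filter({"message": line})) for line in lines]


def failures(events):
    """Count of events carrying each failure tag: worth alerting on, because a
    line the pattern does not match silently loses every field."""
    return Counter(tag for e in events for tag in e.get("tags", ()))


def requests_by_country(events):
    """One of the aggregations the geographic fields exist for."""
    return Counter(e["geoip"]["country_code2"] for e in events if "geoip" in e)


# Constructed sample lines: the page's own events with documentation-range client
# addresses filled in (the page does not show them), plus two edge cases.
SAMPLE_LINES = [
    '203.0.113.7 - - [04/Jan/2015:05:13:42 +0000] "GET /presentations/logstash-monitorama-2013/images/kibana-search.png HTTP/1.1" 200 203023 "http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"',
    '198.51.100.23 - - [04/Jan/2015:05:17:39 +0000] "GET /reset.css HTTP/1.1" 200 1015 "-" "-"',
    '10.0.0.5 - - [04/Jan/2015:05:17:40 +0000] "HEAD /reset.css HTTP/1.1" 304 - "-" "curl/7.29.0"',
    'May 25 10:33:05 linux-node1 sshd[1234]: not an Apache access-log line',
]

if __name__ == "__main__":
    for event in run_pipeline(SAMPLE_LINES):
        print(event)
```

The two failure tags are the signal to watch once this runs in production: a rising _grokparsefailure count means the log format changed (or a line broke the pattern) and those events are being indexed without fields, and a steady _geoip_lookup_failure count on every event usually means the web server is logging a load balancer's private address rather than the client's.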
# vi first-pipeline.conf
# Two output sections: every event goes both to stdout (for inspection) and to Elasticsearch (for indexing).
output {
    stdout { codec => rubydebug }
}
input {
    beats {
        port => "5044"
    }
}
filter {
    grok {
        match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    geoip {
        source => "clientip"
    }
}
output {
    elasticsearch {
        hosts => [ "" ]
    }
}
With this configuration, Logstash connects to Elasticsearch over HTTP. The example above assumes Logstash and Elasticsearch run on the same instance; to use a remote Elasticsearch instance, set the hosts option to that host and port, something like hosts => [ "" ].
Test run: first press CTRL+C to stop the running /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -d "publish", then delete /usr/share/filebeat/bin/data/registry so that Filebeat forgets its read offset and resends the whole sample log when it is started again.
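Why deleting the registry forces a resend: Filebeat records, per harvested file, the byte offset it has shipped, and starts any file without an entry from offset 0. The following Python, an added example rather than Filebeat's own code, reads a constructed registry in the Filebeat 6.x layout (the field set is an assumption; the offset 24464 is the last event offset shown above) and derives the two checks a log-collection owner wants from it: how much of a file is still unshipped, and whether a file has shrunk below its recorded offset.

```python
import json

# Constructed sample in the layout of a Filebeat 6.x registry file: one state per
# harvested file with the byte offset Filebeat has shipped so far. Assumption:
# the field set matches what Filebeat 6.2 writes; inode/device values are made up.
SAMPLE_REGISTRY = json.dumps([
    {
        "source": "/opt/logstash-tutorial.log",
        "offset": 24464,
        "timestamp": "2018-05-25T18:13:03.049+08:00",
        "ttl": -1,
        "type": "log",
        "FileStateOS": {"inode": 1052711, "device": 64769},
    }
])


def registry_offsets(registry_text):
    """Map each harvested file to the byte offset Filebeat has acknowledged."""
    return {state["source"]: state["offset"] for state in json.loads(registry_text)}


def unshipped_bytes(offsets, path, current_size):
    """Bytes of `path` not yet shipped, given its current size on disk.
    A file absent from the registry counts in full: that is exactly why deleting
    the registry makes Filebeat resend everything from offset 0."""
    return max(current_size - offsets.get(path, 0), 0)


def truncated_files(offsets, sizes):
    """Files whose on-disk size is now below the recorded offset, i.e. truncated
    since the last shipment. Filebeat restarts such a file from offset 0; a log
    that shrinks while being collected is itself worth noticing."""
    return sorted(path for path, offset in offsets.items() if sizes.get(path, 0) < offset)


if __name__ == "__main__":
    offsets = registry_offsets(SAMPLE_REGISTRY)
    print(offsets)
    print(unshipped_bytes(offsets, "/opt/logstash-tutorial.log", 25000))
```

When Filebeat is started by the RPM's systemd unit rather than by hand from /usr/share/filebeat/bin, its data path is /var/lib/filebeat, so the registry to inspect or remove lives there instead.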
# curl -XGET ''
{
  "took" : 2510,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 40,
    "max_score" : 0.09844007,
    "hits" : [
      {
        "_index" : "logstash-2018.05.25",
        "_type" : "doc",
        "_id" : "yD_clmMB7ZRkVSxzBppH",
        "_score" : 0.09844007,
        "_source" : {
          "agent" : "\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\"",
          "verb" : "GET",
          "geoip" : {
            "continent_code" : "EU",
            "city_name" : "Moscow",
            "country_code2" : "RU",
            "region_code" : "MOW",
            "latitude" : 55.7485,
            "country_code3" : "RU",
            "region_name" : "Moscow",
            "postal_code" : "101194",
            "location" : {
              "lat" : 55.7485,
              "lon" : 37.6184
            },
            "ip" : "",
            "timezone" : "Europe/Moscow",
            "country_name" : "Russia",
            "longitude" : 37.6184
          },
          "auth" : "-",
          "offset" : 3584,
          "@timestamp" : "2018-05-25T10:33:05.147Z",
          "beat" : {
            "name" : "linux-node1",
            "hostname" : "linux-node1",
            "version" : "6.2.4"
          },
          "clientip" : "",
          "response" : "200",
          "host" : "linux-node1",
          "message" : " - - [04/Jan/2015:05:13:46 +0000] \"GET /presentations/logstash-monitorama-2013/images/Dreamhost_logo.svg HTTP/1.1\" 200 2126 \"http://semicomplete.com/presentations/logstash-monitorama-2013/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\"",
          "bytes" : "2126",
          "@version" : "1",
          "source" : "/opt/logstash-tutorial.log",
          "ident" : "-",
          "timestamp" : "04/Jan/2015:05:13:46 +0000",
          "tags" : [
            "beats_input_codec_plain_applied"
          ],
          "httpversion" : "1.1",
          "prospector" : {
            "type" : "log"
          },
          "request" : "/presentations/logstash-monitorama-2013/images/Dreamhost_logo.svg",
          "referrer" : "\"http://semicomplete.com/presentations/logstash-monitorama-2013/\""
        }
      },
      {
        "_index" : "logstash-2018.05.25",
        "_type" : "doc",
        "_id" : "yj_clmMB7ZRkVSxzBppH",
        "_score" : 0.09844007,
        "_source" : {
          "agent" : "\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\"",
          "verb" : "GET",
          "geoip" : {
            "continent_code" : "EU",
            "city_name" : "Moscow",
            "country_code2" : "RU",
            "region_code" : "MOW",
            "latitude" : 55.7485,
            "country_code3" : "RU",
            "region_name" : "Moscow",
            "postal_code" : "101194",
            "location" : {
              "lat" : 55.7485,
              "lon" : 37.6184
            },
            "ip" : "",
            "timezone" : "Europe/Moscow",
            "country_name" : "Russia",
            "longitude" : 37.6184
          },
          "auth" : "-",
          "offset" : 4234,
          "@timestamp" : "2018-05-25T10:33:05.148Z",
          "beat" : {
            "name" : "linux-node1",
            "hostname" : "linux-node1",
            "version" : "6.2.4"
          },
          "clientip" : "",
          "response" : "200",
          "host" : "linux-node1",
          "message" : " - - [04/Jan/2015:05:13:46 +0000] \"GET /presentations/logstash-monitorama-2013/images/apache-icon.gif HTTP/1.1\" 200 8095 \"http://semicomplete.com/presentations/logstash-monitorama-2013/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\"",
          "bytes" : "8095",
          "@version" : "1",
          "source" : "/opt/logstash-tutorial.log",
          "ident" : "-",
          "timestamp" : "04/Jan/2015:05:13:46 +0000",
          "tags" : [
            "beats_input_codec_plain_applied"
          ],
          "httpversion" : "1.1",
          "prospector" : {
            "type" : "log"
          },
          "request" : "/presentations/logstash-monitorama-2013/images/apache-icon.gif",
          "referrer" : "\"http://semicomplete.com/presentations/logstash-monitorama-2013/\""
        }
      },
      {
        "_index" : "logstash-2018.05.25",
        "_type" : "doc",
        "_id" : "0D_clmMB7ZRkVSxzBppH",
        "_score" : 0.09844007,
        "_source" : {
          "agent" : "\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\"",
          "verb" : "GET",
          "geoip" : {
            "continent_code" : "EU",
            "city_name" : "Moscow",
            "country_code2" : "RU",
            "region_code" : "MOW",
            "latitude" : 55.7485,
            "country_code3" : "RU",
            "region_name" : "Moscow",
            "postal_code" : "101194",
            "location" : {
              "lat" : 55.7485,
              "lon" : 37.6184
            },
            "ip" : "",
            "timezone" : "Europe/Moscow",
            "country_name" : "Russia",
            "longitude" : 37.6184
          },
          "auth" : "-",
          "offset" : 6167,
          "@timestamp" : "2018-05-25T10:33:05.162Z",
          "beat" : {
            "name" : "linux-node1",
            "hostname" : "linux-node1",
            "version" : "6.2.4"
          },
          "clientip" : "",
          "response" : "200",
          "host" : "linux-node1",
          "message" : " - - [04/Jan/2015:05:13:47 +0000] \"GET /presentations/logstash-monitorama-2013/css/print/paper.css HTTP/1.1\" 200 4254 \"http://semicomplete.com/presentations/logstash-monitorama-2013/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\"",
          "bytes" : "4254",
          "@version" : "1",
          "source" : "/opt/logstash-tutorial.log",
          "ident" : "-",
          "timestamp" : "04/Jan/2015:05:13:47 +0000",
          "tags" : [
            "beats_input_codec_plain_applied"
          ],
          "httpversion" : "1.1",
          "prospector" : {
            "type" : "log"
          },
          "request" : "/presentations/logstash-monitorama-2013/css/print/paper.css",
          "referrer" : "\"http://semicomplete.com/presentations/logstash-monitorama-2013/\""
        }
      },
      {
        "_index" : "logstash-2018.05.25",
        "_type" : "doc",
        "_id" : "0T_clmMB7ZRkVSxzBppH",
        "_score" : 0.09844007,
        "_source" : {
          "agent" : "\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\"",
          "verb" : "GET",
          "geoip" : {
            "continent_code" : "EU",
            "city_name" : "Moscow",
            "country_code2" : "RU",
            "region_code" : "MOW",
            "latitude" : 55.7485,
            "country_code3" : "RU",
            "region_name" : "Moscow",
            "postal_code" : "101194",
            "location" : {
              "lat" : 55.7485,
              "lon" : 37.6184
            },
            "ip" : "",
            "timezone" : "Europe/Moscow",
            "country_name" : "Russia",
            "longitude" : 37.6184
          },
          "auth" : "-",
          "offset" : 6510,
          "@timestamp" : "2018-05-25T10:33:05.162Z",
          "beat" : {
            "name" : "linux-node1",
            "hostname" : "linux-node1",
            "version" : "6.2.4"
          },
          "clientip" : "",
          "response" : "200",
          "host" : "linux-node1",
          "message" : " - - [04/Jan/2015:05:13:47 +0000] \"GET /presentations/logstash-monitorama-2013/images/1983_delorean_dmc-12-pic-38289.jpeg HTTP/1.1\" 200 220562 \"http://semicomplete.com/presentations/logstash-monitorama-2013/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\"",
          "bytes" : "220562",
          "@version" : "1",
          "source" : "/opt/logstash-tutorial.log",
          "ident" : "-",
          "timestamp" : "04/Jan/2015:05:13:47 +0000",
          "tags" : [
            "beats_input_codec_plain_applied"
          ],
          "httpversion" : "1.1",
          "prospector" : {
            "type" : "log"
          },
          "request" : "/presentations/logstash-monitorama-2013/images/1983_delorean_dmc-12-pic-38289.jpeg",
          "referrer" : "\"http://semicomplete.com/presentations/logstash-monitorama-2013/\""
        }
      },
      {
        "_index" : "logstash-2018.05.25",
        "_type" : "doc",
        "_id" : "3D_clmMB7ZRkVSxzBppI",
        "_score" : 0.09844007,
        "_source" : {
          "agent" : "\"Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\"",
          "verb" : "GET",
          "geoip" : {
            "continent_code" : "NA",
            "city_name" : "Leander",
            "country_code2" : "US",
            "region_code" : "TX",
            "latitude" : 30.5423,
            "country_code3" : "US",
            "region_name" : "Texas",
            "postal_code" : "78641",
            "location" : {
              "lat" : 30.5423,
              "lon" : -97.9176
            },
            "ip" : "",
            "timezone" : "America/Chicago",
            "country_name" : "United States",
            "dma_code" : 635,
            "longitude" : -97.9176
          },
          "auth" : "-",
          "offset" : 9295,
          "@timestamp" : "2018-05-25T10:33:05.179Z",
          "beat" : {
            "name" : "linux-node1",
            "hostname" : "linux-node1",
            "version" : "6.2.4"
          },
          "clientip" : "",
          "response" : "200",
          "host" : "linux-node1",
          "message" : " - - [04/Jan/2015:05:15:03 +0000] \"GET /blog/tags/ipv6 HTTP/1.1\" 200 12251 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\"",
          "bytes" : "12251",
          "@version" : "1",
          "source" : "/opt/logstash-tutorial.log",
          "ident" : "-",
          "timestamp" : "04/Jan/2015:05:15:03 +0000",
          "tags" : [
            "beats_input_codec_plain_applied"
          ],
          "httpversion" : "1.1",
          "prospector" : {
            "type" : "log"
          },
          "request" : "/blog/tags/ipv6",
          "referrer" : "\"-\""
        }
      },
      {
        "_index" : "logstash-2018.05.25",
        "_type" : "doc",
        "_id" : "4z_clmMB7ZRkVSxzBppI",
        "_score" : 0.09844007,
        "_source" : {
          "agent" : "\"Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0\"",
          "verb" : "GET",
          "geoip" : {
            "continent_code" : "AS",
            "city_name" : "Kudus",
            "country_code2" : "ID",
            "region_code" : "JT",
            "latitude" : -6.8048,
            "country_code3" : "ID",
            "region_name" : "Central Java",
            "location" : {
              "lat" : -6.8048,
              "lon" : 110.8405
            },
            "ip" : "",
            "timezone" : "Asia/Jakarta",
            "country_name" : "Indonesia",
            "longitude" : 110.8405
          },
          "auth" : "-",
          "offset" : 10803,
          "@timestamp" : "2018-05-25T10:33:05.180Z",
          "beat" : {
            "name" : "linux-node1",
            "hostname" : "linux-node1",
            "version" : "6.2.4"
          },
          "clientip" : "",
          "response" : "200",
          "host" : "linux-node1",
          "message" : " - - [04/Jan/2015:05:16:22 +0000] \"GET /favicon.ico HTTP/1.1\" 200 3638 \"-\" \"Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0\"",
          "bytes" : "3638",
          "@version" : "1",
          "source" : "/opt/logstash-tutorial.log",
          "ident" : "-",
          "timestamp" : "04/Jan/2015:05:16:22 +0000",
          "tags" : [
            "beats_input_codec_plain_applied"
          ],
          "httpversion" : "1.1",
          "prospector" : {
            "type" : "log"
          },
          "request" : "/favicon.ico",
          "referrer" : "\"-\""
        }
      },
      {
        "_index" : "logstash-2018.05.25",
        "_type" : "doc",
        "_id" : "5D_clmMB7ZRkVSxzBppI",
        "_score" : 0.09844007,
        "_source" : {
          "agent" : "\"Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0\"",
          "verb" : "GET",
          "geoip" : {
            "continent_code" : "AS",
            "city_name" : "Kudus",
            "country_code2" : "ID",
            "region_code" : "JT",
            "latitude" : -6.8048,
            "country_code3" : "ID",
            "region_name" : "Central Java",
            "location" : {
              "lat" : -6.8048,
              "lon" : 110.8405
            },
            "ip" : "",
            "timezone" : "Asia/Jakarta",
            "country_name" : "Indonesia",
            "longitude" : 110.8405
          },
          "auth" : "-",
          "offset" : 11021,
          "@timestamp" : "2018-05-25T10:33:05.180Z",
          "beat" : {
            "name" : "linux-node1",
            "hostname" : "linux-node1",
            "version" : "6.2.4"
          },
          "clientip" : "",
          "response" : "200",
          "host" : "linux-node1",
          "message" : " - - [04/Jan/2015:05:16:22 +0000] \"GET /images/jordan-80.png HTTP/1.1\" 200 6146 \"http://www.semicomplete.com/projects/xdotool/\" \"Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0\"",
          "bytes" : "6146",
          "source" : "/opt/logstash-tutorial.log",
          "@version" : "1",
          "ident" : "-",
          "timestamp" : "04/Jan/2015:05:16:22 +0000",
          "tags" : [
            "beats_input_codec_plain_applied"
          ],
          "httpversion" : "1.1",
          "prospector" : {
            "type" : "log"
          },
          "request" : "/images/jordan-80.png",
          "referrer" : "\"http://www.semicomplete.com/projects/xdotool/\""
        }
      },
      {
        "_index" : "logstash-2018.05.25",
        "_type" : "doc",
        "_id" : "6T_clmMB7ZRkVSxzBppI",
        "_score" : 0.09844007,
        "_source" : {
          "agent" : "\"-\"",
          "verb" : "GET",
          "geoip" : {
            "continent_code" : "NA",
            "country_code2" : "GT",
            "region_code" : "HU",
            "latitude" : 15.4731,
            "country_code3" : "GT",
            "region_name" : "Departamento de Huehuetenango",
            "location" : {
              "lat" : 15.4731,
              "lon" : -91.3497
            },
            "ip" : "",
            "timezone" : "America/Guatemala",
            "country_name" : "Guatemala",
            "longitude" : -91.3497
          },
          "auth" : "-",
          "offset" : 12114,
          "@timestamp" : "2018-05-25T10:33:05.181Z",
          "beat" : {
            "name" : "linux-node1",
            "hostname" : "linux-node1",
            "version" : "6.2.4"
          },
          "clientip" : "",
          "response" : "200",
          "host" : "linux-node1",
          "message" : " - - [04/Jan/2015:05:17:39 +0000] \"GET /reset.css HTTP/1.1\" 200 1015 \"-\" \"-\"",
          "bytes" : "1015",
          "@version" : "1",
          "source" : "/opt/logstash-tutorial.log",
          "ident" : "-",
          "timestamp" : "04/Jan/2015:05:17:39 +0000",
          "tags" : [
            "beats_input_codec_plain_applied"
          ],
          "httpversion" : "1.1",
          "prospector" : {
            "type" : "log"
          },
          "request" : "/reset.css",
          "referrer" : "\"-\""
        }
      },
      {
        "_index" : "logstash-2018.05.25",
        "_type" : "doc",
        "_id" : "Az_clmMB7ZRkVSxzBptI",
        "_score" : 0.09844007,
        "_source" : {
          "agent" : "\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.73.11 (KHTML, like Gecko) Version/7.0.1 Safari/537.73.11\"",
          "verb" : "GET",
          "geoip" : {
            "continent_code" : "EU",
            "city_name" : "Paris",
            "country_code2" : "FR",
            "region_code" : "75",
            "latitude" : 48.8574,
            "country_code3" : "FR",
            "region_name" : "Paris",
            "postal_code" : "75011",
            "location" : {
              "lat" : 48.8574,
              "lon" : 2.3795
            },
            "ip" : "",
            "timezone" : "Europe/Paris",
            "country_name" : "France",
            "longitude" : 2.3795
          },
          "auth" : "-",
          "offset" : 17730,
          "@timestamp" : "2018-05-25T10:33:05.194Z",
          "beat" : {
            "name" : "linux-node1",
            "hostname" : "linux-node1",
            "version" : "6.2.4"
          },
          "clientip" : "",
          "response" : "200",
          "host" : "linux-node1",
          "message" : " - - [04/Jan/2015:05:24:57 +0000] \"GET /reset.css HTTP/1.1\" 200 1015 \"http://www.semicomplete.com/blog/geekery/ssl-latency.html\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.73.11 (KHTML, like Gecko) Version/7.0.1 Safari/537.73.11\"",
          "bytes" : "1015",
          "@version" : "1",
          "source" : "/opt/logstash-tutorial.log",
          "ident" : "-",
          "timestamp" : "04/Jan/2015:05:24:57 +0000",
          "tags" : [
            "beats_input_codec_plain_applied"
          ],
          "httpversion" : "1.1",
          "prospector" : {
            "type" : "log"
          },
          "request" : "/reset.css",
          "referrer" : "\"http://www.semicomplete.com/blog/geekery/ssl-latency.html\""
        }
      },
      {
        "_index" : "logstash-2018.05.25",
        "_type" : "doc",
        "_id" : "Dz_clmMB7ZRkVSxzBptI",
        "_score" : 0.09844007,
        "_source" : {
          "agent" : "\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36\"",
          "verb" : "GET",
          "geoip" : {
            "continent_code" : "NA",
            "city_name" : "Denver",
            "country_code2" : "US",
            "region_code" : "CO",
            "latitude" : 39.7313,
            "country_code3" : "US",
            "region_name" : "Colorado",
            "postal_code" : "80218",
            "location" : {
              "lat" : 39.7313,
              "lon" : -104.9692
            },
            "ip" : "",
            "timezone" : "America/Denver",
            "country_name" : "United States",
            "dma_code" : 751,
            "longitude" : -104.9692
          },
          "auth" : "-",
          "offset" : 20410,
          "@timestamp" : "2018-05-25T10:33:05.202Z",
          "beat" : {
            "name" : "linux-node1",
            "hostname" : "linux-node1",
            "version" : "6.2.4"
          },
          "clientip" : "",
          "response" : "200",
          "host" : "linux-node1",
          "message" : " - - [04/Jan/2015:05:27:34 +0000] \"GET /reset.css HTTP/1.1\" 200 1015 \"http://www.semicomplete.com/projects/xdotool/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36\"",
          "bytes" : "1015",
          "@version" : "1",
          "source" : "/opt/logstash-tutorial.log",
          "ident" : "-",
          "timestamp" : "04/Jan/2015:05:27:34 +0000",
          "tags" : [
            "beats_input_codec_plain_applied"
          ],
          "httpversion" : "1.1",
          "prospector" : {
            "type" : "log"
          },
          "request" : "/reset.css",
          "referrer" : "\"http://www.semicomplete.com/projects/xdotool/\""
        }
      }
    ]
  }
}
# curl ''
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open logstash-2018.05.25 Pn0ftjJmTBy4139Os72OuA 5 1 100 0 245.3kb 245.3kb

