Logstash Geoip 插件使用

GeoIP 库可以根据 IP 地址提供对应的大洲，国家，省市，经纬度等地域信息。

配置文件

input {
    stdin {
    }
}

filter {
    geoip {
            source => "message"
    }
}

output {
    stdout {
        codec => rubydebug
    }
}

运行结果

启动 logstash 后我们输入 183.60.92.253，得到信息如下，geoip 下的就是地区信息。

{
       "message" => "183.60.92.253",
         "geoip" => {
        "continent_code" => "AS",
             "longitude" => 113.25,
             "city_name" => "Guangzhou",
              "timezone" => "Asia/Shanghai",
                    "ip" => "183.60.92.253",
          "country_name" => "China",
         "country_code3" => "CN",
           "region_name" => "Guangdong",
              "location" => {
            "lon" => 113.25,
            "lat" => 23.1167
        },
         "country_code2" => "CN",
           "region_code" => "44",
              "latitude" => 23.1167
    },
      "@version" => "1",
    "@timestamp" => 2018-11-26T02:00:07.753Z,
          "host" => "localhost.localdomain"
}

其他操作

如果觉得信息太多，可以通过 fileds 选项选择自己需要的信息

filter {
    geoip {
        fields => ["city_name", "continent_code", "country_code2", "country_code3", "country_name", "dma_code", "ip", "latitude", "longitude", "postal_code", "region_name", "timezone"]
    }
}

修改配置为

input {
    stdin {
    }
}

filter {
    geoip {
        source => "message"
        # 指定需要的字段
        fields => ["country_name", "continent_code", "region_name", "city_name", "latitude", "longitude"]
    }
}

output {
    stdout {
        codec => rubydebug
    }
}

启动 logstash，输入 183.60.92.253 返回的结果

{
       "message" => "183.60.92.253",
      "@version" => "1",
    "@timestamp" => 2018-11-26T02:26:37.333Z,
          "host" => "localhost.localdomain",
         "geoip" => {
             "longitude" => 113.25,
        "continent_code" => "AS",
              "latitude" => 23.1167,
             "city_name" => "Guangzhou",
          "country_name" => "China",
           "region_name" => "Guangdong"
    }
}

还可以通过 remove_field 删除字段

filter {
    geoip {
        source => "message"
        # 删除经纬度信息
        remove_field => ["[geoip][latitude]", "[geoip][longitude]"
    }
}

重命名 geoip 字段

filter {
    geoip {
        source => "message"
        fields => ["country_name", "continent_code", "region_name", "city_name", "latitude", "longitude"]
        target => "location"
    }
}

重命名后结果：

183.60.92.253
{
      "location" => {
        "continent_code" => "AS",
              "latitude" => 23.1167,
          "country_name" => "China",
           "region_name" => "Guangdong",
             "city_name" => "Guangzhou",
             "longitude" => 113.25
    },
    "@timestamp" => 2018-11-26T02:51:35.604Z,
      "@version" => "1",
          "host" => "localhost.localdomain",
       "message" => "183.60.92.253"
}

提示

source 可以是任意处理后的字段，需要注意的是 IP 必须是公网 IP，否者 logstash 返回空的信息，像这样

127.0.0.1
{
       "message" => "127.0.0.1",
    "@timestamp" => 2018-11-26T02:30:53.190Z,
          "host" => "localhost.localdomain",
         "geoip" => {},
      "@version" => "1",
          "tags" => [
        [0] "_geoip_lookup_failure"
    ]
}

Logstash Geoip 插件使用

配置文件

运行结果

其他操作

提示

你可能感兴趣的:(Logstash Geoip 插件使用)