过滤插件
json
输入配置
[root@es2 conf.d]# vi test.conf
input {
file {
path => "/var/log/test/*.log"
exclude => "error.log"
tags => "web"
tags => "nginx"
type => "access"
add_field => {
"project" => "microservice"
"app" => "product"
}
}
}
filter {
json {
source => "message"
}
}
output {
file {
path => "/tmp/test.log"
}
}
-------------
模拟数据:
{"remote_addr": "192.168.1.10","url":"/index","status":"200"}
输出结果
{
"host": "es2",
"@version": "1",
"path": "/var/log/test/1.log",
"project": "microservice",
"type": "access",
"app": "product",
"status": "200",
"remote_addr": "192.168.1.10",
"tags": [
"web",
"nginx"
],
"message": "{\"remote_addr\": \"192.168.1.10\",
\"url\":\"/index\",
\"status\":\"200\"}",
"@timestamp": "2021-11-04T14:15:49.388Z",
"url": "/index"
}
输出至ES
input {
file {
path => "/var/log/test/*.log"
exclude => "error.log"
tags => "web"
tags => "nginx"
type => "access"
add_field => {
"project" => "microservice"
"app" => "product"
}
}
}
filter {
json {
source => "message"
}
}
output {
elasticsearch {
hosts => ["192.168.153.25:9200"]
index => "test-%{+YYYY.MM.dd}"
}
}
kibana显示
KV
输入配置
input {
file {
path => "/var/log/test/*.log"
exclude => "error.log"
tags => "web"
tags => "nginx"
type => "access"
add_field => {
"project" => "microservice"
"app" => "product"
}
}
}
filter {
kv {
field_split => "&?"
}
}
output {
elasticsearch {
hosts => ["192.168.153.25:9200"]
index => "test-%{+YYYY.MM.dd}"
}
}
-----------------------------------------------------------------------------
模拟数据:
www.ctnrs.com?id=1&name=aliang&age=30
kibana显示
Grok
正则表达式
Grok Debugger
正则匹配模式
#样例数据
192.168.1.10 GET /index.html 15824 0.043
#Grok 模式
%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}
#结构化数据
{
"duration": "0.043",
"request": "/index.html",
"method": "GET",
"bytes": "15824",
"client": "192.168.1.10"
}
#样例数据
192.168.1.10 GET /index.html 15824 0.043
#Grok 模式
(?\d+\.\d+\.\d+\.\d+) (?\w+) (?/.*) (?\d+) (?\d+\.\d+)
#结构化数据
{
"duration": "0.043",
"request": "/index.html",
"method": "GET",
"bytes": "15824",
"client": "192.168.1.10"
}
自定义模式
#样例数据
192.168.1.10 GET /index.html 15824 0.043 123456
#Grok 模式
%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} %{CID:cid}
#自定义模式
CID [0-9]{5,6}
#结构化数据
{
"duration": "0.043",
"request": "/index.html",
"method": "GET",
"bytes": "15824",
"client": "192.168.1.10",
"cid": "123456"
}
配置文件(自定义)
input {
file {
path => "/var/log/test/*.log"
exclude => "error.log"
tags => "web"
tags => "nginx"
type => "access"
add_field => {
"project" => "microservice"
"app" => "product"
}
}
}
filter {
grok {
patterns_dir =>"/opt/patterns"
match => {
"message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} %{CID:cid}"
}
}
}
output {
elasticsearch {
hosts => ["192.168.153.25:9200"]
index => "test-%{+YYYY.MM.dd}"
}
}
---------------------------------------------------------------------------
[root@localhost conf.d]# vi /opt/patterns
CID [0-9]{5,6}
--------------------------------------------------------------------------------
模拟数据:
192.168.1.10 GET /index.html 15824 0.043 123456
配置文件(多格式匹配)
input {
file {
path => "/var/log/test/*.log"
exclude => "error.log"
tags => "web"
tags => "nginx"
type => "access"
add_field => {
"project" => "microservice"
"app" => "product"
}
}
}
filter {
grok {
patterns_dir =>"/opt/patterns"
match => [
"message", "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} %{CID:cid}",
"message", "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} %{EID:eid} %{TAG:tag}"
]
}
}
output {
elasticsearch {
hosts => ["192.168.153.25:9200"]
index => "test-%{+YYYY.MM.dd}"
}
}
-------------------------------------------------------------------
[root@localhost conf.d]# vi /opt/patterns
CID [0-9]{5,6}
EID [a-z]{5,6}
TAG \w+
--------------------------------------------------------------------
#192.168.1.10 GET /index.html 15824 0.053 123456
#192.168.1.10 GET /index.html 15824 0.043 abcdef xyz
#两条都能匹配和接收
GeoIP
配置文件
input {
file {
path => "/var/log/test/*.log"
exclude => "error.log"
tags => "web"
tags => "nginx"
type => "access"
add_field => {
"project" => "microservice"
"app" => "product"
}
}
}
filter {
grok {
patterns_dir =>"/opt/patterns"
match => [
"message", "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} %{CID:cid}",
"message", "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} %{EID:eid} %{TAG:tag}"
]
}
geoip {
source => "client"
database => "/opt/GeoLite2-City.mmdb"
}
}
output {
elasticsearch {
hosts => ["192.168.153.25:9200"]
index => "test-%{+YYYY.MM.dd}"
}
}
--------------------------------------------------------------------------
source => "client" client是ip字段(%{IP:client})
测试数据:
8.8.8.8 GET /index.html 15824 0.043 abcdef xyz
kibana显示
条件判断
配置文件
input {
file {
path => "/var/log/test/test.log"
add_field => {
"log_type" => "test"
}
}
file {
path => "/var/log/test/prod.log"
add_field => {
"log_type" => "prod"
}
}
}
filter {
json {
source => "message"
}
if [log_type] in ["test","dev"] {
mutate {
add_field => {
"[@metadata][target_index]" => "test-%{+YYYY.MM}"
}
}
} else if [log_type] == "prod" {
mutate {
add_field => {
"[@metadata][target_index]" => "prod-%{+YYYY.MM.dd}"
}
}
} else {
mutate {
add_field => {
"[@metadata][target_index]" => "unknown-%{+YYYY}"
}
}
}
}
output {
elasticsearch {
hosts => "192.168.153.25:9200"
index => "%{[@metadata][target_index]}"
}
}
-------------
模拟数据:
{"remote_addr": "192.168.1.10","url":"/index","status":"789"}
kibana显示