#nginx_log.conf


# Tail the nginx access log.  Every event read here is typed "nginx_log",
# which is the key the filter section routes on.
input {
  file {
    path => "/opt/nginx/logs/access.log"
    type => "nginx_log"
  }
}
   
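# Parse, de-noise and geo-enrich nginx access-log events.
filter {
  if [type] == "nginx_log" {
    # Noise filter, applied before grok so dropped lines cost no parsing.
    # The original "^*launcher*|^*favicon*" was a shell glob written as a
    # regex; Ruby's regex engine rejects a quantifier applied to the "^"
    # anchor, so the intended substring alternation is written plainly.
    # NOTE(review): this tests the raw line, so any client can keep its own
    # request out of the index by placing "favicon" in the URI, referer or
    # user agent.  Matching the parsed request path that NGINXACCESS yields,
    # anchored at the start of the path, is the safer form once that field
    # name is confirmed.
    if [message] =~ "launcher|favicon" {
      drop {}
    }
    # Split the access-log line into fields.  NGINXACCESS is a site pattern
    # not shown here; a line it does not match is tagged _grokparsefailure
    # and still flows through the stages below.
    grok {
      match => { "message" => "%{NGINXACCESS}" }
    }
    # Geo-locate the client address.  The two add_field entries that share a
    # key follow the Logstash 1.x geoip docs idiom for building a
    # [longitude, latitude] pair; the original lines lacked the comma between
    # key and value, which the config grammar requires.
    geoip {
      source => "remote_addr"
      target => "geoip"
      database => "/opt/logstash-1.4.2/conf/GeoLiteCity.dat"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    # Numeric conversions for the map and byte-count visualisations.  The
    # original list was missing the separators between pairs.
    # NOTE(review): "body_bytes_sent.raw" is an Elasticsearch sub-field name,
    # not a Logstash event field, so that entry is expected to be a no-op;
    # kept as written — confirm before removing.
    mutate {
      convert => [ "[geoip][coordinates]", "float",
                   "body_bytes_sent", "float",
                   "body_bytes_sent.raw", "float" ]
    }
  }
}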
# Deliver the events: a console echo for tuning, plus one Elasticsearch
# index per day.
output {
  # rubydebug prints every event in full; useful while tuning the grok
  # patterns, costly once the pipeline carries production volume.
  stdout { codec => rubydebug }
  # NOTE(review): no transport security or credentials are configured on this
  # connection; confirm port 9200 on that host is reachable only from the
  # Logstash node.
  elasticsearch {
    index => "ngxlog-%{+YYYY.MM.dd}"
    host => "192.168.0.100:9200"
  }
}


#syslog.conf

# Three file inputs, each tagged with the type the filter section keys on:
# general syslog, the authentication log, and nginx's error log.
input {
  file {
    path => "/var/log/messages"
    type => "syslog"
  }
  file {
    path => "/var/log/secure"
    type => "seclog"
  }
  file {
    path => "/opt/nginx/logs/error.log"
    type => "nginx_error_log"
  }
}
  
  
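# Parse the three syslog-family inputs and tag SSH login outcomes.
filter {
  # Plain syslog lines; nginx's error log shares the same layout.
  if [type] == "syslog" or [type] == "nginx_error_log" {
    grok {
      match => { "message" => "%{SYSLOGBASE2}" }
    }
  }

  # /var/log/secure.  In the original this branch, together with the geoip
  # and status tagging below, was nested inside the syslog/nginx_error_log
  # condition above, so it could never run and no event was ever tagged
  # Success or Failed.  It is now a sibling branch; geoip and the tags move
  # with it because the IP and status fields they read come from SECURELOG.
  if [type] == "seclog" {
    # Try the PAM session layout first, then the sshd authentication line.
    # A single match with a pattern list is the explicit form of the
    # original's two "match =>" keys.
    grok {
      match => { "message" => [ "%{SYSLOGPAMSESSION}", "%{SECURELOG}" ] }
    }
    # Only lines that matched SECURELOG carry an IP field; geoip skips the
    # rest.
    geoip {
      source => "IP"
      fields => ["city_name"]
      database => "/opt/logstash-2.0.0/conf/GeoLiteCity.dat"
    }
    # SECURELOG captures the sshd outcome word as "status".  A line the
    # pattern does not parse gets neither tag and carries _grokparsefailure
    # instead; watch that tag on the dashboard too, otherwise an attempt
    # whose login string breaks the pattern never shows up.
    if [status] == "Accepted" {
      mutate {
        add_tag => ["Success"]
      }
    } else if [status] == "Failed" {
      mutate {
        add_tag => ["Failed"]
      }
    }
  }

  # Drop noisy nginx error-log lines.  The original "^*temp*" was a glob
  # written as a regex (rejected by Ruby's engine); a substring match is what
  # was meant.
  # NOTE(review): the page does not say which error-log lines "temp" targets;
  # confirm against the log before relying on this filter.
  if [type] == "nginx_error_log" {
    if [message] =~ "temp" {
      drop {}
    }
  }
}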
  
# Deliver the events: a console echo for tuning, plus one Elasticsearch
# index per month.
output {
  # rubydebug prints every event in full; drop it once tuning is done.
  stdout { codec => rubydebug }
  # NOTE(review): no transport security or credentials are configured on this
  # connection; confirm port 9200 on that host is reachable only from the
  # Logstash node.
  elasticsearch {
    index => "syslog-%{+YYYY.MM}"
    host => "192.168.0.100:9200"
  }
}


#SECURELOG 定义，可写在 patterns/linux-syslog 文件里

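# sshd authentication outcome line, e.g. (constructed example)
#   sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
# Fields: program, pid, status (Accepted|Failed), method (password, publickey, ...),
# USER, IP, port.  The original only matched "password" lines and captured the
# user name with WORD, so publickey logins and attempts whose user name contains
# '.', '-' or spaces silently failed to parse and never reached the Failed tag;
# DATA stops at the literal " from ", so such names are kept.  IPORHOST also
# accepts a hostname when sshd is resolving names — geoip needs a bare address,
# so keep UseDNS off on the server or expect city_name to be missing.
SECURELOG %{WORD:program}\[%{POSINT:pid}\]: %{WORD:status} %{WORD:method} for (?:invalid user )?%{DATA:USER} from %{IPORHOST:IP} port %{POSINT:port}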

可获取到 SSH 登录用户名、IP、登录状态、IP 地区


Kibana SSH 登录监控 - 图形展示