logstash 配置文件

# nginx_log.conf


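input {
  # One event per line of the nginx access log.
  file {
    type => "nginx_log"
    path => "/opt/nginx/logs/access.log"
  }
}

filter {
  if [type] == "nginx_log" {
    # Discard noise before the comparatively expensive grok parse.
    # The original expression "^*launcher*|^*favicon*" is not a valid
    # regex (a quantifier directly after an anchor), so the pipeline
    # would refuse to load; a plain substring alternation is what was meant.
    if [message] =~ "launcher|favicon" {
      drop {}
    }

    # NGINXACCESS is a custom pattern loaded from the patterns directory
    # (see the patterns/nginx file).
    grok {
      match => { "message" => "%{NGINXACCESS}" }
    }

    # Lines grok could not parse carry no remote_addr; skip enrichment for
    # them rather than producing a lookup failure per unparsed line.
    if "_grokparsefailure" not in [tags] {
      geoip {
        source => "remote_addr"
        target => "geoip"
        database => "/opt/logstash-2.0.0/conf/GeoLiteCity.dat"
        # Two add_field calls on the same key build the [lon, lat] array
        # used as a geo_point in Elasticsearch.
        add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
        add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
      }
      mutate {
        # Numeric types so Kibana can aggregate on these fields.
        # Note: "body_bytes_sent.raw" looks like an Elasticsearch multi-field
        # name rather than a Logstash event field, so that convert is
        # presumably a no-op here — verify against the index mapping.
        # (The original had a stray "\" line continuation inside this array,
        # which the config parser does not accept.)
        convert => [
          "[geoip][coordinates]", "float",
          "body_bytes_sent", "float",
          "body_bytes_sent.raw", "float"
        ]
      }
    }
  }
}

output {
  stdout { codec => rubydebug }
  elasticsearch {
    # Plain-HTTP endpoint; no credentials or TLS are configured in this file.
    hosts => "192.168.0.100:9200"
    index => "ngx_log-%{+YYYY.MM}"
  }
}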


NGINXACCESS 的定义，可写在 patterns/nginx 文件里

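# Characters allowed in nginx $remote_user (the HTTP basic-auth user name).
NGUSERNAME [a-zA-Z\.\@\-\+_%]+
NGUSER %{NGUSERNAME}
# nginx "combined" log format:
#   $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
# The original pattern hard-coded the $remote_user column as "-", so every
# request with an authenticated user failed to parse and left NGUSER unused.
# NGUSER also matches "-", so unauthenticated lines parse exactly as before.
NGINXACCESS %{IPORHOST:remote_addr} - %{NGUSER:remote_user} \[%{HTTPDATE:time_local}\] "%{WORD:method} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{INT:status} %{INT:body_bytes_sent} %{QS:http_referer} %{QS:http_user_agent}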

 

kibana 图形展示