GeoIP / Elasticsearch のセットアップは、前のステップ「ELK 構築」の続きとして行う。
GeoIP
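# Fetch the legacy GeoLiteCity database into logstash's etc directory.
# -f makes curl fail on an HTTP error instead of saving the error page as the
# .gz file, -L follows redirects, and && stops before gunzip if any step failed
# (the original ran gunzip unconditionally, which then fails on a non-gzip file).
cd /usr/local/logstash/etc && \
curl -fL -O "http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz" && \
gunzip GeoLiteCity.dat.gz
# NOTE(review): this is a plain-http download with no checksum or signature
# check; verify the file against a hash published by the vendor before pointing
# the geoip filter at it. MaxMind has since retired these legacy GeoLite
# downloads in favour of GeoLite2 (licence key required) — confirm the URL
# still serves the file.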
gunzip がない場合: `yum -y install gzip gunzip` (CentOS) / `apt-get install gzip gunzip` (apt 系)
# geoip filter: enrich each event with location data looked up from an IP field.
filter {
geoip {
source => "cientIp" # field that holds the IP to look up — spelled differently from the "client_ip" the text below refers to; confirm which name the events actually carry
target => "geoip" # field under which the lookup result is stored
database => "/usr/local/logstash-2.3.2/etc/GeoLiteCity.dat" # IP database file; note this directory differs from the /usr/local/logstash/etc the download step cd'd into — presumably one is a symlink to the other, confirm
}
}
geoip の `source` には IP アドレスを持つフィールド名 (例: `client_ip`) を指定する。そのフィールドが存在しない、または値が IP アドレスでない場合、geoip の参照結果は null となり、logstash は geoip フィールドを追加しない (geoip lookup failure)。
# Pipeline: tail an access log, geo-locate the "ip" field, index into Elasticsearch.
input{
file {
path => "/usr/local/logs/access.log" # log file to tail
start_position => beginning # read the file from its start rather than only new lines
ignore_older => 0 # presumably set so an old access.log is not skipped by the age cut-off — confirm the meaning of 0 for this file-input version
}
}
filter{
geoip{
source=>"ip" # assumes each event already carries an "ip" field; nothing in this pipeline creates one
}
}
output{
elasticsearch{
hosts=>"localhost" # plain connection to a local node; no TLS or credentials are configured
index=>"domain"
document_id => "%{id}" # _id is taken from the event's "id" field, i.e. from log content; presumably events sharing an id overwrite each other, and an event without "id" gets the literal "%{id}" — confirm
}
}
{
"mappings": {
"my_type": {
"properties": {
"id": {
"type": "string"
},
"ip": {
"type": "string"
}
}
}
}
}
1
# Pipeline: tail access.log lines of the form "id,ip", split them into fields, geo-locate the ip.
input{
file {
path => "/usr/local/logs/access.log" # log file to tail
start_position => beginning # read the file from its start rather than only new lines
ignore_older => 0 # presumably set so an old access.log is not skipped by the age cut-off — confirm the meaning of 0 for this file-input version
}
}
filter{
mutate{
gsub=>["message","\r",""] # strip carriage returns so a CRLF line does not leave "\r" glued to the last column
}
mutate{
split=>["message",","] # "message" becomes an array of the comma-separated columns
}
mutate{
add_field=>{
"id"=>"%{[message][0]}" # first column
"ip"=>"%{[message][1]}" # second column; a line with fewer than two columns presumably leaves the literal "%{[message][1]}" here — confirm
}
}
mutate{
# NOTE(review): the conventional spelling is remove_field => ["message","host","path"]; confirm that repeating the key merges rather than overrides on this Logstash version
remove_field=>"message"
remove_field=>"host"
remove_field=>"path"
}
geoip{
source=>"ip" # looks up the value extracted above; it comes straight from the log line and is not validated as an IP before the lookup
}
}
output{
elasticsearch{
hosts=>"localhost" # plain connection to a local node; no TLS or credentials are configured
index=>"domain" # no document_id is set here, so Elasticsearch assigns ids and every line becomes a new document
}
}
// Create the test log with `echo '50,121.xx.xx.6' > access.log`, then append further lines with `echo '50,121.xx.xx.6' >> access.log`
2 logstash
# Pipeline: read "id,ip" lines from stdin, split them into fields, geo-locate the ip.
input{
stdin{} # each line typed on logstash's stdin becomes one event
}
filter{
mutate{
gsub=>["message","\r",""] # strip carriage returns so a CRLF line does not leave "\r" glued to the last column
}
mutate{
split=>["message",","] # "message" becomes an array of the comma-separated columns
}
mutate{
add_field=>{
"id"=>"%{[message][0]}" # first column is the id
"ip"=>"%{[message][1]}" # second column is the ip
# NOTE(review): the sample input shown after this config is "121.xx.xx.xx,10", which puts the IP first;
# with this mapping "id" would receive the IP and "ip" would receive "10". The earlier file example uses id,ip order — confirm which is intended
}
}
mutate{
# NOTE(review): the conventional spelling is remove_field => ["message","host","path"]; confirm that repeating the key merges rather than overrides on this Logstash version
remove_field=>"message"
remove_field=>"host"
remove_field=>"path"
}
geoip{
source=>"ip" # looks up the value extracted above; it is not validated as an IP before the lookup
}
}
output{
elasticsearch{
hosts=>"localhost" # plain connection to a local node; no TLS or credentials are configured
index=>"domain2" # separate index from the file-input example; no document_id, so Elasticsearch assigns ids
}
}
// ./bin/logstash
121.xx.xx.xx,10 (entered on logstash's stdin)