[elk@www1-n02 bin]$
cat
agent.conf
input {
file
{
type
=>
"www1_access"
path => [
"/data/logs/www1.mangocity.com-access_log"
]
}
file
{
type
=>
"flight1_access"
path => [
"/data/logs/flight1-access_log"
]
}
}
filter {
ruby {
init =>
"@kname = ['http_clientip','http_x_forwarded_for','time_local','request','status','body_bytes_sent','request_body','content_length','http_referer','http_user_agent','http_cookie','remote_addr','hostname','upstream_addr','upstream_response_time','request_time']"
code => "new_event = LogStash::Event.new(Hash[@kname.zip(event.get(
'message'
).
split
(
'|'
))])
new_event.remove(
'@timestamp'
)
event.append(new_event)"
}
if
[request] {
ruby {
init =>
"@kname = ['method','uri','verb']"
code => "new_event = LogStash::Event.new(Hash[@kname.zip(event.get(
'request'
).
split
(
' '
))])
new_event.remove(
'@timestamp'
)
event.append(new_event)
"
}
if
[uri] {
ruby {
init =>
"@kname = ['url_path','url_args']"
code => "new_event = LogStash::Event.new(Hash[@kname.zip(event.get(
'uri'
).
split
(
'?'
))])
new_event.remove(
'@timestamp'
)
event.append(new_event)
"
}
kv {
prefix =>
"url_"
source
=>
"url_args"
field_split =>
"& "
remove_field => [
"url_args"
,
"uri"
,
"request"
]
}
}
}
mutate {
convert => [
"body_bytes_sent"
,
"integer"
,
"content_length"
,
"integer"
,
"upstream_response_time"
,
"float"
,
"request_time"
,
"float"
]
}
date
{
match => [
"time_local"
,
"dd/MMM/yyyy:hh:mm:ss Z"
]
locale =>
"en"
}
grok {
match => {
"message"
=>
"%{IP:clientip}"
}
}
geoip
{
source
=>
"clientip"
}
}
output {
redis {
host =>
"10.10.45.200"
data_type =>
"list"
key =>
"elk_frontend_access:redis"
port=>
"5379"
}
}
