• logstash 对 urlencode 编码的日志内容进行解码


    [elk@yyjk conf]$ cat viewcode.conf 
    input {
        file {
                    type => "viewcode-10.5.100.232"
                    path => ["/home/admin/tools/logs/gaccess.log"]
                    start_position=>"end"
            }
        
    }
     filter {
          multiline {  
       pattern => "^[0-9]"
      negate=>true  
      what=>"previous"  
     }  
    
    
    }
    
    output {
         elasticsearch {
                    hosts => "10.5.100.232:9200"
                    index => "logstash-viewlog-%{+YYYY.MM.dd}"
            }
       stdout {
       codec=>rubydebug{}
     }
    }
    
    [elk@yyjk conf]$ logstash -f viewcode.conf 
    Settings: Default pipeline workers: 2
    Defaulting pipeline worker threads to 1 because there are some filters that might not work with multiple worker threads {:count_was=>2, :filters=>["multiline"], :level=>:warn}
    Pipeline main started
    
    {
           "message" => "10.5.100.80 - - [07/Sep/2018:15:52:52 +0800] "GET /?phone=17605860662&message=%E8%BF%90%E7%BB%B4%E5%A0%A1%E5%9E%92%E6%9C%BA%E8%AE%BF%E9%97%AE%E6%8E%88%E6%9D%83%E7%94%B3%E8%AF%B7%0A%E6%8E%88%E6%9D%83%E7%A0%81%EF%BC%9A336160%0A%E7%94%B3%E8%AF%B7%E4%BA%BA%EF%BC%9A%E8%B5%B5%E6%9D%A8%E5%81%A5%EF%BC%88015208%EF%BC%89%0A%E8%AE%BF%E9%97%AE%E8%AE%BE%E5%A4%87%EF%BC%9AJJ_ESBAPP_229.101%EF%BC%8810.2.229.101%EF%BC%89%0A%E8%AE%BF%E9%97%AE%E6%9C%8D%E5%8A%A1%EF%BC%9Assh%0A%E7%B3%BB%E7%BB%9F%E8%B4%A6%E5%8F%B7%EF%BC%9Aesb%0A%E7%94%B3%E8%AF%B7%E5%8E%9F%E5%9B%A0%EF%BC%9A%E9%97%AE%E9%A2%98%E6%8E%92%E6%9F%A5 HTTP/1.0" 200 47 "-" "Python-urllib/1.17"",
          "@version" => "1",
        "@timestamp" => "2018-09-07T07:52:53.065Z",
              "path" => "/home/admin/tools/logs/gaccess.log",
              "host" => "yyjk",
              "type" => "viewcode-10.5.100.232"
    }
    {
           "message" => "10.5.100.80 - - [07/Sep/2018:15:53:45 +0800] "GET /?phone=17605861150&message=%E8%BF%90%E7%BB%B4%E5%A0%A1%E5%9E%92%E6%9C%BA%E8%AE%BF%E9%97%AE%E6%8E%88%E6%9D%83%E7%94%B3%E8%AF%B7%0A%E6%8E%88%E6%9D%83%E7%A0%81%EF%BC%9A635367%0A%E7%94%B3%E8%AF%B7%E4%BA%BA%EF%BC%9A%E8%94%A1%E5%88%A9%E6%9D%B0%EF%BC%88006737%EF%BC%89%0A%E8%AE%BF%E9%97%AE%E8%AE%BE%E5%A4%87%EF%BC%9AJJ_ZHDQZDB_120.91%EF%BC%8810.2.120.91%EF%BC%89%0A%E8%AE%BF%E9%97%AE%E6%9C%8D%E5%8A%A1%EF%BC%9Assh%0A%E7%B3%BB%E7%BB%9F%E8%B4%A6%E5%8F%B7%EF%BC%9Aelink%0A%E7%94%B3%E8%AF%B7%E5%8E%9F%E5%9B%A0%EF%BC%9A%E9%97%AE%E9%A2%98%E6%8E%92%E6%9F%A5 HTTP/1.0" 200 47 "-" "Python-urllib/1.17"",
          "@version" => "1",
        "@timestamp" => "2018-09-07T07:53:46.113Z",
              "path" => "/home/admin/tools/logs/gaccess.log",
              "host" => "yyjk",
              "type" => "viewcode-10.5.100.232"
    }
    
    
    
    message 字段中的请求参数是 URL 编码的，需要在 filter 阶段做 URL 解码；解码后的明文（包括日志中的授权码、申请人等信息）会原样写入 Elasticsearch 索引并打印到 stdout。
    
    安装 urldecode 过滤插件（logstash-filter-urldecode）：
    [root@node01 bin]# ./logstash-plugin install logstash-filter-urldecode
    Ignoring ffi-1.9.13 because its extensions are not built.  Try: gem pristine ffi --version 1.9.13
    Validating logstash-filter-urldecode
    Installing logstash-filter-urldecode
    Installation successful
    [root@node01 bin]# 
    
    
    [elk@yyjk conf]$ cat viewcode.conf 
    input {
        file {
                    type => "viewcode-10.5.100.232"
                    path => ["/home/admin/tools/logs/gaccess.log"]
                    start_position=>"end"
            }
        
    }
    filter {
      multiline {  
      pattern => "^[0-9]"
      negate=>true  
      what=>"previous"  
     }  
     urldecode{
     field =>message
     }
    }
    
    output {
         elasticsearch {
                    hosts => "10.5.100.232:9200"
                    index => "logstash-viewlog-%{+YYYY.MM.dd}"
            }
       stdout {
       codec=>rubydebug{}
     }
    }
    
    
    [elk@yyjk conf]$ logstash -f viewcode.conf 
    Settings: Default pipeline workers: 2
    Defaulting pipeline worker threads to 1 because there are some filters that might not work with multiple worker threads {:count_was=>2, :filters=>["multiline"], :level=>:warn}
    Pipeline main started
    {
           "message" => "10.5.100.80 - - [07/Sep/2018:17:06:38 +0800] "GET /?phone=17605860662&message=运维堡垒机访问授权申请
    授权码:995523
    申请人:赵杨健(015208)
    访问设备:JJ_ESBAPP_229.101(10.2.229.101)
    访问服务:ssh
    系统账号:esb
    申请原因:问题排查 HTTP/1.0" 200 47 "-" "Python-urllib/1.17"",
          "@version" => "1",
        "@timestamp" => "2018-09-07T09:06:39.428Z",
              "path" => "/home/admin/tools/logs/gaccess.log",
              "host" => "yyjk",
  • 原文地址:https://www.cnblogs.com/hzcya1995/p/13349077.html