[elk@node01 conf]$ cat elk.conf
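# Demo pipeline: read lines from stdin, extract a timestamp and a client
# address, enrich the event with GeoIP data, and pretty-print the result.
input {
  stdin {}
}

filter {
  # Expected line shape: "<HTTPDATE> <client address>".
  # The separator must be written \s+ (one or more whitespace characters);
  # a bare "s+" matches only the letter "s", so the sample line would not parse.
  # Lines that do not match are tagged _grokparsefailure by default and carry
  # no clientip field, so they pass through without GeoIP enrichment.
  # IPORHOST also accepts hostnames; use %{IP:clientip} if only addresses
  # should be accepted.
  grok {
    match => ["message", "%{HTTPDATE:logdate}\s+%{IPORHOST:clientip}"]
  }

  # Parse the log's own timestamp into @timestamp (stored as UTC), so the
  # event is dated by when it was logged, not when it was ingested.
  date {
    match => ["logdate", "dd/MMM/yyyy:HH:mm:ss Z"]
  }

  # Keep the original timestamp text under a different field name.
  mutate {
    rename => { "logdate" => "curdate" }
  }

  # Look up clientip in the local GeoLite City database and store the result
  # under [geoip]. add_field is applied only when the lookup succeeds; the two
  # entries with the same key build a [longitude, latitude] array.
  # NOTE(review): the result describes the address found in the log line, which
  # may be a proxy or NAT gateway rather than the real client, and is only as
  # current as the .dat file.
  geoip {
    source    => "clientip"
    target    => "geoip"
    database  => "/usr/local/logstash-2.3.4/etc/GeoLiteCity.dat"
    add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
  }
}

output {
  # rubydebug prints every field of the event, which is useful for checking the filters.
  stdout {
    codec => rubydebug
  }
}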
[elk@node01 conf]$ logstash -f elk.conf
Settings: Default pipeline workers: 4
Pipeline main started
12/Sep/2016:21:32:33 +0800 202.101.172.35
{
"message" => "12/Sep/2016:21:32:33 +0800 202.101.172.35",
"@version" => "1",
"@timestamp" => "2016-09-12T13:32:33.000Z",
"host" => "node01",
"clientip" => "202.101.172.35",
"curdate" => "12/Sep/2016:21:32:33 +0800",
"geoip" => {
"ip" => "202.101.172.35",
"country_code2" => "CN",
"country_code3" => "CHN",
"country_name" => "China",
"continent_code" => "AS",
"region_name" => "02",
"city_name" => "Hangzhou",
"latitude" => 30.293599999999998,
"longitude" => 120.16140000000001,
"timezone" => "Asia/Shanghai",
"real_region_name" => "Zhejiang",
"location" => [
[0] 120.16140000000001,
[1] 30.293599999999998
],
"coordinates" => [
[0] 120.16140000000001,
[1] 30.293599999999998
]
}
}
[elk@node01 conf]$ cat elk.conf
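# Demo pipeline: read lines from stdin, extract a timestamp and a client
# address, enrich the event with GeoIP data, copy one GeoIP value to a
# top-level field, and pretty-print the result.
input {
  stdin {}
}

filter {
  # Expected line shape: "<HTTPDATE> <client address>".
  # The separator must be written \s+ (one or more whitespace characters);
  # a bare "s+" matches only the letter "s", so the sample line would not parse.
  # Lines that do not match are tagged _grokparsefailure by default and carry
  # no clientip field, so they pass through without GeoIP enrichment.
  grok {
    match => ["message", "%{HTTPDATE:logdate}\s+%{IPORHOST:clientip}"]
  }

  # Parse the log's own timestamp into @timestamp (stored as UTC).
  date {
    match => ["logdate", "dd/MMM/yyyy:HH:mm:ss Z"]
  }

  # Keep the original timestamp text under a different field name.
  mutate {
    rename => { "logdate" => "curdate" }
  }

  # Look up clientip in the local GeoLite City database and store the result
  # under [geoip]. add_field is applied only when the lookup succeeds.
  # NOTE(review): the result describes the address found in the log line, which
  # may be a proxy or NAT gateway rather than the real client.
  geoip {
    source    => "clientip"
    target    => "geoip"
    database  => "/usr/local/logstash-2.3.4/etc/GeoLiteCity.dat"
    # Two entries with the same key build a [longitude, latitude] array.
    add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    # Nested array elements are addressed by index: [geoip][location][0] is the
    # first element of the location array (the longitude in this lookup).
    add_field => [ "xxipyy", "%{[geoip][location][0]}" ]
  }
}

output {
  # rubydebug prints every field of the event, which is useful for checking the filters.
  stdout {
    codec => rubydebug
  }
}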
[elk@node01 conf]$ logstash -f elk.conf
Settings: Default pipeline workers: 4
Pipeline main started
12/Sep/2016:21:32:33 +0800 202.101.172.35
{
"message" => "12/Sep/2016:21:32:33 +0800 202.101.172.35",
"@version" => "1",
"@timestamp" => "2016-09-12T13:32:33.000Z",
"host" => "node01",
"clientip" => "202.101.172.35",
"curdate" => "12/Sep/2016:21:32:33 +0800",
"geoip" => {
"ip" => "202.101.172.35",
"country_code2" => "CN",
"country_code3" => "CHN",
"country_name" => "China",
"continent_code" => "AS",
"region_name" => "02",
"city_name" => "Hangzhou",
"latitude" => 30.293599999999998,
"longitude" => 120.16140000000001,
"timezone" => "Asia/Shanghai",
"real_region_name" => "Zhejiang",
"location" => [
[0] 120.16140000000001,
[1] 30.293599999999998
],
"coordinates" => [
[0] 120.16140000000001,
[1] 30.293599999999998
]
},
"xxipyy" => 120.16140000000001
}