  • 安装GeoIP数据库

    1.安装GeoIP数据库
    
    # Download the legacy GeoLite City database next to the Logstash config and unpack it.
    cd /usr/local/logstash/etc
    # NOTE(review): this is fetched over plain HTTP and no checksum or signature is
    # verified afterwards, so the file can be altered in transit. Prefer an HTTPS
    # source and compare the download against a publisher-provided checksum before use.
    # NOTE(review): MaxMind has retired the legacy GeoLite .dat downloads, and newer
    # Logstash geoip filter versions expect the GeoLite2 .mmdb format. Confirm what
    # your Logstash version supports.
    curl -O "http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz"
    gunzip GeoLiteCity.dat.gz
    2.配置logstash使用GeoIP
    
    只需要在原来的logstash.conf中添加filter即可
    
    vim /usr/local/logstash/etc/logstash.conf
    # Tail the nginx access log and decode each line as a JSON event of type "nginx-access".
    input {
            file {
                    path => "/data/nginx/logs/access_java.log"
                    type => "nginx-access"
                    # Read the file from its start the first time it is seen, not only new lines.
                    start_position => "beginning"
                    # Read offsets are persisted here so a restart resumes instead of re-reading.
                    sincedb_path => "/usr/local/logstash/sincedb"
                    # Requires nginx to write this log as one JSON object per line.
                    # NOTE(review): request-derived fields in an access log (URI, referer,
                    # user agent) come from clients; treat them as untrusted downstream.
                    codec => "json"
            }
    }
    # Enrich nginx-access events with a GeoIP lookup on the client address.
    filter {
            if [type] == "nginx-access" {
                    geoip {
                            # Field holding the address to look up. It is taken from the JSON log
                            # line, so it is only trustworthy if nginx logs the connection peer
                            # address there. TODO confirm against the nginx log_format.
                            source => "clientip"
                            # Lookup results are stored under the [geoip] field.
                            target => "geoip"
                            database => "/usr/local/logstash/etc/GeoLiteCity.dat"
                            # Both entries target the same key; intended to build a
                            # [longitude, latitude] pair in that order.
                            add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
                            add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
                    }
                    mutate {
                            # add_field stores interpolated strings; convert them to floats.
                            convert => [ "[geoip][coordinates]", "float"]
                    }
            }
    }
    # Ship nginx-access events to Elasticsearch, one index per month.
    output {
            if [type] == "nginx-access" {
                    elasticsearch {
                            # NOTE(review): no user/password or TLS options are set here, so events
                            # are presumably sent unauthenticated over plain HTTP. Confirm the
                            # cluster is reachable only from a trusted network, or enable
                            # authentication and TLS on both sides.
                            hosts => ["10.10.20.16:9200"]
                            manage_template => true
                            # NOTE(review): the default Logstash index template is believed to match
                            # only "logstash-*" indices, so the geoip mapping may not apply to this
                            # index name. Verify the mapping in Elasticsearch.
                            index => "nginx-access-%{+YYYY-MM}"
                    }
            }
    
    }
    
    注意:如果nginx前面有haproxy作为代理,nginx看到的对端地址是haproxy的地址,真实客户端IP要从X-Forwarded-For中取,filter需要修改为:
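    # Variant for nginx behind haproxy: parse the raw access-log line with grok and
    # geolocate the address from the X-Forwarded-For field instead of clientip.
    # NOTE(review): this variant parses plain-text lines from "message", so the input's
    # json codec presumably has to change as well. Confirm against the nginx log_format.
    filter {
            grok {
                    match => {
                            # Literal [ ] and " characters in the log line are backslash-escaped;
                            # \S and \s are the regex non-whitespace / whitespace classes.
                            # The last group accepts exactly one address or "-". A comma-separated
                            # X-Forwarded-For list will not match, and the event is then tagged
                            # _grokparsefailure.
                            "message" => "%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\" - %{NUMBER:http_status_code} %{NUMBER:bytes} \"(?<http_referer>\S+)\" \"(?<http_user_agent>(\S+\s+)*\S+)\" (%{BASE16FLOAT:request_time}) (%{IPORHOST:http_x_forwarded_for}|-)"
                    }
            }
            geoip {
                    # NOTE(review): X-Forwarded-For is a request header. Unless haproxy
                    # overwrites it rather than appending to a client-supplied value, this
                    # address is client-controlled and the derived location can be spoofed.
                    # Confirm the proxy configuration before relying on it for alerting or
                    # access decisions.
                    source => "http_x_forwarded_for"
                    target => "geoip"
                    database => "/usr/local/logstash/etc/GeoLiteCity.dat"
                    # Both entries target the same key; intended to build a
                    # [longitude, latitude] pair in that order.
                    add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
                    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
            }
            mutate {
                    # add_field stores interpolated strings; convert them to floats.
                    convert => [ "[geoip][coordinates]", "float"]
            }
    }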
    
    
    
    
    3.重启logstash即可。

  • 原文地址:https://www.cnblogs.com/hzcya1995/p/13350308.html