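# nginx access-log format that produces the lines parsed by the Logstash pipeline below.
# NOTE(review): $request_body writes request bodies (form fields, possibly passwords or
# tokens) into the access log, and from there into rsyslog and every downstream consumer.
# Drop or mask it unless there is a specific need, and restrict access to the log files.
log_format main '$remote_addr [$time_local] "$request" '
                '$request_body $status $body_bytes_sent "$http_referer" "$http_user_agent" '
                '$request_time $upstream_response_time';

zjtest7-frontend:/usr/local/logstash-2.3.4/config# cat loguat.cof
# Reads the nginx access logs collected under /rsyslog and tags each event with a type.
input {
  file {
    type => "uat_nginx_access"
    path => ["/rsyslog/data/nginx/uat/nginx_access0*_log.*"]
  }
}

filter {
  grok {
    # Regex escapes (\[ \] \" \S \s) are restored here; without them "[...]" is a character
    # class and "S+" matches literal S characters, so the sample line would not match.
    #
    # The literal "-" after the request line is the $request_body slot: nginx logs "-" for
    # an empty variable, so only requests without a body match. Requests that carry a body
    # are tagged _grokparsefailure and stay unparsed; alert on that tag so they are not
    # silently missing from searches and dashboards.
    #
    # The trailing ".*" discards $request_time and $upstream_response_time.
    match => {
      "message" => " %{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\" - %{NUMBER:http_status_code} %{NUMBER:bytes} \"(?<http_referer>\S+)\" \"(?<http_user_agent>(\S+\s+)*\S+)\".*"
    }
  }
  # NOTE(review): there is no date filter, so @timestamp is the ingestion time and the
  # request time only lives in the string field "time" (compare both in the sample event).
  # Use the date filter on "time" if events are used for incident timelines.
}

output {
  # NOTE(review): no credentials or TLS options are set in this block, so events travel to
  # Elasticsearch over plain HTTP and the cluster must accept unauthenticated writes.
  # Keep port 9200 unreachable from untrusted networks, and consider the plugin's
  # user/password and ssl/cacert settings.
  elasticsearch {
    hosts => "192.168.32.80:9200"
    index => "logstash-uat-test"
  }
  # Debug output: prints every event (including the raw message) to stdout.
  stdout {
    codec => rubydebug
  }
}

# Sample event as printed by the rubydebug codec:
{
             "message" => " 121.40.205.143 [29/Aug/2016:17:35:30 +0800] "GET /wechat/hold_history.html HTTP/1.1" - 200 2567 "https://uatest.winfae.com/wechat/account_hold.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13F69 MicroMessenger/6.3.16 NetType/WIFI Language/zh_CN" 0.000 -",
            "@version" => "1",
          "@timestamp" => "2016-08-29T09:38:14.182Z",
                "path" => "/rsyslog/data/nginx/uat/nginx_access01_log.2016-08-29",
                "host" => "0.0.0.0",
                "type" => "uat_nginx_access",
            "clientip" => "121.40.205.143",
                "time" => "29/Aug/2016:17:35:30 +0800",
                "verb" => "GET",
             "request" => "/wechat/hold_history.html",
         "httpversion" => "1.1",
    "http_status_code" => "200",
               "bytes" => "2567",
        "http_referer" => "https://uatest.winfae.com/wechat/account_hold.html",
     "http_user_agent" => "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13F69 MicroMessenger/6.3.16 NetType/WIFI Language/zh_CN"
}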