
為什么logstash日志中某個字段設定了geo_point的type不生效?

架構很簡單:

  1. filebeat收集nginx日志,output到logstash
  2. logstash格式化后再output到elasticsearch

filebeat的配置沒啥可說的,就是用nginx模塊直接把nginx的access.log發給logstash(事件帶有[fileset][module]="nginx"、[fileset][name]="access"字段,下面的filter靠這兩個字段分支)。

logstash的配置文件如下

# Pipeline: Filebeat (nginx module) -> Logstash -> Elasticsearch.
# The target field names ([nginx][access][...], [nginx][error][...]) deliberately mirror the
# Filebeat template shown further down, so that e.g. [nginx][access][geoip][location] can be
# mapped as geo_point -- but only if that template actually matches the index created by the output.
input {
  # Beats listener on every interface, port 5044. No `ssl` / client-verification options are set,
  # so any host that can reach 5044 can submit arbitrary events that will be indexed as nginx logs.
  # NOTE(review): restrict network reachability, or enable ssl with client certificate verification,
  # before exposing this outside a trusted segment.
  beats {
    port => 5044
    host => "0.0.0.0"
  }
}
filter {
  # Only events that Filebeat's nginx module tagged via [fileset][module] / [fileset][name] are
  # parsed; everything else passes through unchanged.
  if [fileset][module] == "nginx" {
    if [fileset][name] == "access" {
      # Split the access-log line into [nginx][access][*] fields and drop the raw `message`.
      # url, referrer and agent are client-controlled input and are stored as captured
      # (they are not sanitized here; downstream consumers should treat them as untrusted).
      grok {
        match => { "message" => ["%{IPORHOST:[nginx][access][remote_ip]} - %{DATA:[nginx][access][user_name]} \[%{HTTPDATE:[nginx][access][time]}\] \"%{WORD:[nginx][access][method]} %{DATA:[nginx][access][url]} HTTP/%{NUMBER:[nginx][access][http_version]}\" %{NUMBER:[nginx][access][response_code]} %{NUMBER:[nginx][access][body_sent][bytes]} \"%{DATA:[nginx][access][referrer]}\" \"%{DATA:[nginx][access][agent]}\""] }
        remove_field => "message"
      }
      # Preserve the ingestion time as read_timestamp; the `date` filter below overwrites
      # @timestamp (its default target) with the request time taken from the log line.
      mutate {
        add_field => { "read_timestamp" => "%{@timestamp}" }
      }
      # Promote the nginx request time to @timestamp and drop the now-redundant source field.
      date {
        match => [ "[nginx][access][time]", "dd/MMM/YYYY:H:m:s Z" ]
        remove_field => "[nginx][access][time]"
      }
      # Expand the raw User-Agent string into structured [nginx][access][user_agent] fields,
      # then remove the raw string.
      useragent {
        source => "[nginx][access][agent]"
        target => "[nginx][access][user_agent]"
        remove_field => "[nginx][access][agent]"
      }
      # Enrich the client IP with GeoIP data under [nginx][access][geoip].
      # NOTE(review): `database` is a relative path, resolved against Logstash's working
      # directory, which differs between running from bin/ and running as a service;
      # an absolute path is more robust. [nginx][access][geoip][location] only becomes a
      # geo_point if the index template declaring it matches the index name built in `output`.
      geoip {
        source => "[nginx][access][remote_ip]"
        database => "../GeoLite2-City.mmdb"
        target => "[nginx][access][geoip]"
      }
    }
    else if [fileset][name] == "error" {
      # Parse the error-log line into [nginx][error][*] fields and drop the raw `message`.
      grok {
        match => { "message" => ["%{DATA:[nginx][error][time]} \[%{DATA:[nginx][error][level]}\] %{NUMBER:[nginx][error][pid]}#%{NUMBER:[nginx][error][tid]}: (\*%{NUMBER:[nginx][error][connection_id]} )?%{GREEDYDATA:[nginx][error][message]}"] }
        remove_field => "message"
      }
      # Here @timestamp is renamed rather than copied (the access branch uses add_field);
      # the `date` filter below recreates @timestamp from the parsed error time.
      mutate {
        rename => { "@timestamp" => "read_timestamp" }
      }
      date {
        match => [ "[nginx][error][time]", "YYYY/MM/dd H:m:s" ]
        remove_field => "[nginx][error][time]"
      }
    }
  }
}
output {
  # Index name is <beat>-<beat version>-<date>, e.g. filebeat-6.2.2-2017.03.13, with the version
  # taken from the sending Beat. A template whose index_patterns is pinned to one version
  # (filebeat-6.2.2-*) will silently stop matching as soon as Filebeat is upgraded, and the
  # new index then falls back to dynamic mapping (no geo_point).
  # manage_template => false: Logstash installs no template itself; the Filebeat template has to
  # be loaded separately before the first index is created.
  # No credentials / TLS are configured for the ES connection -- acceptable only while ES is
  # bound to loopback as here.
  elasticsearch {
    hosts => ['127.0.0.1:9200']
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
  # Debug echo of every event (including client IPs and user agents) to stdout;
  # remove once the pipeline is verified.
  stdout { codec => rubydebug }
}

elasticsearch的索引模板如下

"filebeat-6.2.2": {
    "order": 1,
    "index_patterns": [
        "filebeat-6.2.2-*"
    ],
    "settings": {
        "index": {
            "number_of_routing_shards": "30",
            "mapping": {
                "total_fields": {
                    "limit": "10000"
                }
            },
            "refresh_interval": "5s"
        }
    },
    "mappings": {
        "doc": {
            "properties": {
                "auditd": {
                    "properties": {
                        "log": {
                            "properties": {
                                "new_ses": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "pid": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "a0": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "record_type": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "old_auid": {
                                    "ignore_above": 1024,
                                    "type": "keyword"
                                },
                                "new_auid": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "old_ses": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "acct": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "ppid": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "items": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "geoip": {
                                    "properties": {
                                        "continent_name": {
                                            "type": "keyword",
                                            "ignore_above": 1024
                                        },
                                        "city_name": {
                                            "type": "keyword",
                                            "ignore_above": 1024
                                        },
                                        "region_name": {
                                            "type": "keyword",
                                            "ignore_above": 1024
                                        },
                                        "country_iso_code": {
                                            "type": "keyword",
                                            "ignore_above": 1024
                                        },
                                        "location": {
                                            "type": "geo_point"
                                        }
                                    }
                                },
                                "sequence": {
                                    "type": "long"
                                },
                                "item": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "res": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                }
                            }
                        }
                    }
                },
                "osquery": {
                    "properties": {
                        "result": {
                            "properties": {
                                "action": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "host_identifier": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "unix_time": {
                                    "type": "long"
                                },
                                "calendar_time": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "name": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                }
                            }
                        }
                    }
                },
                "redis": {
                    "properties": {
                        "slowlog": {
                            "properties": {
                                "args": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "cmd": {
                                    "ignore_above": 1024,
                                    "type": "keyword"
                                },
                                "duration": {
                                    "properties": {
                                        "us": {
                                            "type": "long"
                                        }
                                    }
                                },
                                "id": {
                                    "type": "long"
                                },
                                "key": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                }
                            }
                        },
                        "log": {
                            "properties": {
                                "pid": {
                                    "type": "long"
                                },
                                "role": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "level": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "message": {
                                    "type": "text",
                                    "norms": false
                                }
                            }
                        }
                    }
                },
                "beat": {
                    "properties": {
                        "hostname": {
                            "type": "keyword",
                            "ignore_above": 1024
                        },
                        "timezone": {
                            "type": "keyword",
                            "ignore_above": 1024
                        },
                        "version": {
                            "ignore_above": 1024,
                            "type": "keyword"
                        },
                        "name": {
                            "type": "keyword",
                            "ignore_above": 1024
                        }
                    }
                },
                "@timestamp": {
                    "type": "date"
                },
                "tags": {
                    "type": "keyword",
                    "ignore_above": 1024
                },
                "prospector": {
                    "properties": {
                        "type": {
                            "ignore_above": 1024,
                            "type": "keyword"
                        }
                    }
                },
                "icinga": {
                    "properties": {
                        "debug": {
                            "properties": {
                                "facility": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "severity": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "message": {
                                    "type": "text",
                                    "norms": false
                                }
                            }
                        },
                        "main": {
                            "properties": {
                                "facility": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "severity": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "message": {
                                    "type": "text",
                                    "norms": false
                                }
                            }
                        },
                        "startup": {
                            "properties": {
                                "severity": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "message": {
                                    "type": "text",
                                    "norms": false
                                },
                                "facility": {
                                    "ignore_above": 1024,
                                    "type": "keyword"
                                }
                            }
                        }
                    }
                },
                "nginx": {
                    "properties": {
                        "access": {
                            "properties": {
                                "url": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "response_code": {
                                    "type": "long"
                                },
                                "body_sent": {
                                    "properties": {
                                        "bytes": {
                                            "type": "long"
                                        }
                                    }
                                },
                                "referrer": {
                                    "ignore_above": 1024,
                                    "type": "keyword"
                                },
                                "agent": {
                                    "type": "text",
                                    "norms": false
                                },
                                "user_agent": {
                                    "properties": {
                                        "name": {
                                            "type": "keyword",
                                            "ignore_above": 1024
                                        },
                                        "os_minor": {
                                            "type": "long"
                                        },
                                        "patch": {
                                            "type": "keyword",
                                            "ignore_above": 1024
                                        },
                                        "os": {
                                            "ignore_above": 1024,
                                            "type": "keyword"
                                        },
                                        "os_major": {
                                            "type": "long"
                                        },
                                        "os_name": {
                                            "type": "keyword",
                                            "ignore_above": 1024
                                        },
                                        "device": {
                                            "type": "keyword",
                                            "ignore_above": 1024
                                        },
                                        "major": {
                                            "type": "long"
                                        },
                                        "minor": {
                                            "type": "long"
                                        }
                                    }
                                },
                                "geoip": {
                                    "properties": {
                                        "continent_name": {
                                            "type": "keyword",
                                            "ignore_above": 1024
                                        },
                                        "country_iso_code": {
                                            "type": "keyword",
                                            "ignore_above": 1024
                                        },
                                        "location": {
                                            "type": "geo_point"
                                        },
                                        "region_name": {
                                            "type": "keyword",
                                            "ignore_above": 1024
                                        },
                                        "city_name": {
                                            "ignore_above": 1024,
                                            "type": "keyword"
                                        }
                                    }
                                },
                                "remote_ip": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "user_name": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "method": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "http_version": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                }
                            }
                        },
                        "error": {
                            "properties": {
                                "level": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "pid": {
                                    "type": "long"
                                },
                                "tid": {
                                    "type": "long"
                                },
                                "connection_id": {
                                    "type": "long"
                                },
                                "message": {
                                    "type": "text",
                                    "norms": false
                                }
                            }
                        }
                    }
                },
                "error": {
                    "properties": {
                        "message": {
                            "type": "text",
                            "norms": false
                        },
                        "code": {
                            "type": "long"
                        },
                        "type": {
                            "type": "keyword",
                            "ignore_above": 1024
                        }
                    }
                },
                "meta": {
                    "properties": {
                        "cloud": {
                            "properties": {
                                "provider": {
                                    "ignore_above": 1024,
                                    "type": "keyword"
                                },
                                "instance_id": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "instance_name": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "machine_type": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "availability_zone": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "project_id": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "region": {
                                    "ignore_above": 1024,
                                    "type": "keyword"
                                }
                            }
                        }
                    }
                },
                "message": {
                    "type": "text",
                    "norms": false
                },
                "mysql": {
                    "properties": {
                        "error": {
                            "properties": {
                                "timestamp": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "thread_id": {
                                    "type": "long"
                                },
                                "level": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "message": {
                                    "type": "text",
                                    "norms": false
                                }
                            }
                        },
                        "slowlog": {
                            "properties": {
                                "user": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "query_time": {
                                    "properties": {
                                        "sec": {
                                            "type": "float"
                                        }
                                    }
                                },
                                "rows_examined": {
                                    "type": "long"
                                },
                                "timestamp": {
                                    "type": "long"
                                },
                                "id": {
                                    "type": "long"
                                },
                                "host": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "ip": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "lock_time": {
                                    "properties": {
                                        "sec": {
                                            "type": "float"
                                        }
                                    }
                                },
                                "rows_sent": {
                                    "type": "long"
                                },
                                "query": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                }
                            }
                        }
                    }
                },
                "traefik": {
                    "properties": {
                        "access": {
                            "properties": {
                                "user_agent": {
                                    "properties": {
                                        "patch": {
                                            "type": "keyword",
                                            "ignore_above": 1024
                                        },
                                        "name": {
                                            "type": "keyword",
                                            "ignore_above": 1024
                                        },
                                        "os_minor": {
                                            "type": "long"
                                        },
                                        "os_name": {
                                            "type": "keyword",
                                            "ignore_above": 1024
                                        },
                                        "device": {
                                            "type": "keyword",
                                            "ignore_above": 1024
                                        },
                                        "minor": {
                                            "type": "long"
                                        },
                                        "os_major": {
                                            "type": "long"
                                        },
                                        "major": {
                                            "type": "long"
                                        },
                                        "os": {
                                            "type": "keyword",
                                            "ignore_above": 1024
                                        }
                                    }
                                },
                                "request_count": {
                                    "type": "long"
                                },
                                "response_code": {
                                    "type": "long"
                                },
                                "body_sent": {
                                    "properties": {
                                        "bytes": {
                                            "type": "long"
                                        }
                                    }
                                },
                                "frontend_name": {
                                    "type": "text",
                                    "norms": false
                                },
                                "backend_url": {
                                    "type": "text",
                                    "norms": false
                                },
                                "remote_ip": {
                                    "ignore_above": 1024,
                                    "type": "keyword"
                                },
                                "method": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "url": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "referrer": {
                                    "ignore_above": 1024,
                                    "type": "keyword"
                                },
                                "user_name": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "http_version": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "agent": {
                                    "type": "text",
                                    "norms": false
                                },
                                "geoip": {
                                    "properties": {
                                        "continent_name": {
                                            "type": "keyword",
                                            "ignore_above": 1024
                                        },
                                        "country_iso_code": {
                                            "type": "keyword",
                                            "ignore_above": 1024
                                        },
                                        "location": {
                                            "type": "geo_point"
                                        },
                                        "region_name": {
                                            "ignore_above": 1024,
                                            "type": "keyword"
                                        },
                                        "city_name": {
                                            "type": "keyword",
                                            "ignore_above": 1024
                                        }
                                    }
                                }
                            }
                        }
                    }
                },
                "fields": {
                    "type": "object"
                },
                "logstash": {
                    "properties": {
                        "log": {
                            "properties": {
                                "thread": {
                                    "type": "text",
                                    "norms": false
                                },
                                "log_event": {
                                    "type": "object"
                                },
                                "message": {
                                    "type": "text",
                                    "norms": false
                                },
                                "level": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "module": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                }
                            }
                        },
                        "slowlog": {
                            "properties": {
                                "message": {
                                    "type": "text",
                                    "norms": false
                                },
                                "level": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "event": {
                                    "type": "text",
                                    "norms": false
                                },
                                "plugin_type": {
                                    "type": "keyword",
                                    "ignore_above": 1024
                                },
                                "took_in_millis": {
                                    "type": "long"
                                },
                                "took_in_nanos": {
                                    "type": "long"
                                },
                                "plugin_params_object": {
                                    "type": "object"
                                },
                                "module": {
                               
回答
離夢

清空了數據,刪除了索引模板重新導入,又好了……詭異(索引模板只在新建索引時生效,已經按動態映射建好的索引不會被後來導入的模板改掉,所以必須刪掉舊索引重建。)

找到原因了,filebeat的版本號不一樣導致的:logstash output 里的索引名是 `%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}`,而模板的 index_patterns 只匹配 `filebeat-6.2.2-*`,filebeat 版本一旦不是 6.2.2,新建的索引就匹配不到模板,location 只能按動態映射處理而不是 geo_point。把索引模板的 index_patterns 改成 filebeat-* 就ok了(logstash 里 manage_template => false,模板需要自己加載;改完後只對之後新建的索引生效)。

2017年3月13日 12:48