You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
61 lines
1.6 KiB
61 lines
1.6 KiB
3 years ago
|
input {
|
||
|
|
# 来源beats
|
||
|
|
beats {
|
||
|
|
# 端口
|
||
|
|
port => "5044"
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
#input {
|
||
|
|
# 来源文件
|
||
|
|
# file {
|
||
|
|
# path => ["/var/log/logstash/nginx.log"]
|
||
|
|
# start_position => "beginning"
|
||
|
|
# sincedb_path => "nul"
|
||
|
|
# type => "nginx"
|
||
|
|
# codec => "json"
|
||
|
|
# }
|
||
|
|
#}
|
||
|
|
|
||
|
|
# 分析、过滤插件,可以多个
|
||
|
|
filter {
|
||
|
|
if[fields][log_source] == "nginx" {
|
||
|
|
#grok{
|
||
|
|
#match => { "message" => "%{IPORHOST:http_host} %{IPORHOST:clientip} - %{USERNAME:remote_user} \[%{HTTPDATE:timestamp}\]\"(?:%{WORD:http_verb} %{NOTSPACE:http_request}(?: HTTP/%{NUMBER:http_version})?|%{DATA:raw_http_request})\" %{NUMBER:response} (?:%{NUMBER:bytes_read}|-) %{QS:referrer} %{QS:agent} %{QS:xforwardedfor} %{NUMBER:request_time:float}"}
|
||
|
|
#}
|
||
|
|
json {
|
||
|
|
source => "message"
|
||
|
|
remove_field => "message"
|
||
|
|
}
|
||
|
|
}
|
||
|
|
if[fields][log_source] == "laravel" {
|
||
|
|
grok {
|
||
|
|
match => [ "message","\[%{TIMESTAMP_ISO8601:logtime}\] %{WORD:env}\.%{LOGLEVEL:level}\: %{GREEDYDATA:msg}" ]
|
||
|
|
}
|
||
|
|
}
|
||
|
|
geoip {
|
||
|
|
source => "clientip"
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
output {
|
||
|
|
if[fields][log_source] == "nginx" {
|
||
|
|
# 输出选择elasticsearch
|
||
|
|
elasticsearch {
|
||
|
|
hosts => ["http://es-master:9200"]
|
||
|
|
index => "nginx-%{+YYYY.MM.dd}"
|
||
|
|
user => "elastic"
|
||
|
|
password => "123456"
|
||
|
|
}
|
||
|
|
}
|
||
|
|
if[fields][log_source] == "laravel" {
|
||
|
|
#if [level] == "ERROR" {
|
||
|
|
elasticsearch {
|
||
|
|
hosts => ["http://es-master:9200"]
|
||
|
|
index => "laravel-%{+YYYY.MM.dd}"
|
||
|
|
user => "elastic"
|
||
|
|
password => "123456"
|
||
|
|
}
|
||
|
|
#}
|
||
|
|
}
|
||
|
|
}
|