Logstash基础操作-Filter
admin
2023-02-28 10:02:15
0次
Grok配置案例:
##启动文件配置:
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
stdin{}
}
filter {
grok {
match => ["message","%{IP:clientip}\ \[%{HTTPDATE:timestamp}\]\
%{QS:referrer}\ %{NUMBER:response}\ %{NUMBER:bytes}"]
}
}
output {
stdout{
codec => "rubydebug"
}
}
##输出文件内容
172.16.213.132 [07/Feb/2018:16:24:19 +0800] "GET / HTTP/1.1" 403 5039
##显示内容
{
"@version" => "1",
"@timestamp" => 2019-11-10T06:02:42.865Z,
"host" => "localhost.localdomain",
"message" => "172.16.213.132 [07/Feb/2018:16:24:19 +0800] \"GET / HTTP/1.1\" 403 5039",
"timestamp" => "07/Feb/2018:16:24:19 +0800",
"bytes" => "5039",
"response" => "403",
"clientip" => "172.16.213.132",
"referrer" => "\"GET / HTTP/1.1\""
}Grok 过滤重复字段
## 配置文件
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
stdin{
}
}
filter {
grok {
match => ["message","%{IP:clientip}\ \[%{HTTPDATE:timestamp}\]\
%{QS:referrer}\ %{NUMBER:response}\ %{NUMBER:bytes}"]
remove_field => ["message"]
}
}
output {
stdout{
codec => "rubydebug"
}
}Grok搭配Date时间插件配置
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
stdin{
}
}
filter {
grok {
match => ["message","%{IP:clientip}\ \[%{HTTPDATE:timestamp}\]\
%{QS:referrer}\ %{NUMBER:response}\ %{NUMBER:bytes}"]
remove_field => ["message"]
}
date {
match => ["timestamp", "dd/MMMM/yyyy:HH:mm:ss Z"]
}
}
output {
stdout{
codec => "rubydebug"
}
}Date 过滤重复得字段配置
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
stdin{
}
}
filter {
grok {
match => ["message","%{IP:clientip}\ \[%{HTTPDATE:timestamp}\]\
%{QS:referrer}\ %{NUMBER:response}\ %{NUMBER:bytes}"]
remove_field => ["message"]
}
date {
match => ["timestamp", "dd/MMMM/yyyy:HH:mm:ss Z"]
}
mutate {
remove_field => [ "timestamp" ]
}
}
output {
stdout{
codec => "rubydebug"
}
}综合练习配置参数
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
stdin{
}
}
filter {
grok {
match => ["message","%{IP:clientip}\ \[%{HTTPDATE:timestamp}\]\
%{QS:referrer}\ %{NUMBER:response}\ %{NUMBER:bytes}"]
remove_field => ["message"]
}
date {
match => ["timestamp", "dd/MMMM/yyyy:HH:mm:ss Z"]
}
mutate{
rename => {"response" => "response_new"}
gsub => ["referrer", "\"", ""]
remove_field => [ "timestamp" ]
split => ["clientip", "."]
}
}
output {
stdout{
codec => "rubydebug"
}
}Geoip 地理位置插件操作方式
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
stdin{
}
}
filter {
grok {
match => ["message","%{IP:clientip}\ \[%{HTTPDATE:timestamp}\]\
%{QS:referrer}\ %{NUMBER:response}\ %{NUMBER:bytes}"]
remove_field => ["message"]
}
date {
match => ["timestamp", "dd/MMMM/yyyy:HH:mm:ss Z"]
}
mutate{
remove_field => [ "timestamp" ]
}
geoip {
source => "clientip"
database => "/usr/local/include/GeoLite2-ASN_20191105/GeoLite2-ASN.mmdb"
}
}
output {
stdout{
codec => "rubydebug"
}
}Geoip输出指定属性值
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
stdin{
}
}
filter {
grok {
match => ["message","%{IP:clientip}\ \[%{HTTPDATE:timestamp}\]\
%{QS:referrer}\ %{NUMBER:response}\ %{NUMBER:bytes}"]
remove_field => ["message"]
}
date {
match => ["timestamp", "dd/MMMM/yyyy:HH:mm:ss Z"]
}
mutate{
remove_field => [ "timestamp" ]
}
geoip {
source => "clientip"
#database => "/usr/local/include/GeoLite2-Country_20191015/GeoLite2-Country.mmdb"
database => "/usr/local/include/GeoLite2-City_20191105/GeoLite2-City.mmdb"
fields => ["city_name", "region_name", "country_name", "ip", "latitude", "longitude", "timezone"]
}
}
output {
stdout{
codec => "rubydebug"
}
}
模拟数据:
36.7.152.182 [07/Feb/2018:16:24:19 +0800] "GET / HTTP/1.1" 403 5039综合实战
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
stdin{}
}
filter{
grok{
match => {"message" => "%{TIMESTAMP_ISO8601:localtime}\|\~\|%{IP:clientip}
\|\~\|%{GREEDYDATA:http_user_agent}\|\~\|%{GREEDYDATA:url}
\|\~\|%{GREEDYDATA:mediaid}\|\~\|%{GREEDYDATA:osid}"}
remove_field => [ "message" ]
}
date {
match => ["localtime", "yyyy-MM-dd'T'HH:mm:ssZZ"]
target => "@timestamp"
}
mutate {
remove_field => ["localtime"]
}
geoip {
source => "clientip"
#database => "/usr/local/include/GeoLite2-Country_20191015/GeoLite2-Country.mmdb"
database => "/usr/local/include/GeoLite2-City_20191105/GeoLite2-City.mmdb"
fields => ["city_name", "region_name", "country_name", "ip", "latitude", "longitude", "timezone"]
}
}
output {
stdout {
codec => "rubydebug"
}
}
示例:2018-02-09T10:57:42+08:00|~|123.87.240.97|~|Mozilla/5.0
(iPhone;CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 Version/11.0 Mobile/15C202 Safari/604.1
|~|http://m.sina.cn/cm/ads_ck_wap.html
|~|12434785489009|~|DF45566587855P下一篇:Linux sudo实现灵活授权
相关内容
热门资讯
沈伯洋彻底没戏?深绿智库民调:...
岛内深绿智库“新台湾正常智库”7日公布的最新民调显示,在台北市长选战中,力拼连任的国民党籍台北市长蒋...
白象“多半袋”、今麦郎“手打”...
印有“手打”“手擀”字样的挂面,其实全部来自流水线;印有“多半袋”“多半桶”字样的方便面,其实只多出...
陕西一镇被曝垃圾堆满山腰,当地...
5月6日,一则关于陕西省山阳县南宽坪镇垃圾填埋问题的视频引发关注。一名视频博主反映,该镇后坡半山腰处...
中国第一台高能加速器:北京正负...
感谢IT之家网友 的线索投递! 5 月 7 日消息,中国科学院高能物理研究所今日官宣,2026 年...
最强计算组合刷新大分子模拟纪录
量子计算机最具前景的应用方向之一,就是模拟蛋白质,助力新药研发。但眼下这类设备误差率仍然偏高。据英国...
贵州高校借力“中国天眼”勇攀科...
“中国天眼”(FAST)。 新华社记者 欧东衢 摄 4月8日,遵义师范学院青年教师吴庆东以第一作者身...
Claude牵手马斯克,调用限...
智东西 作者 | 程茜 编辑 | 李水青 智东西5月7日报道,今日凌晨,Anthropic在开发者大...
男子称爷爷30年前向天津美院捐...
5月6日,天津康先生反映,1996年他爷爷捐赠40件书画到天津美术学院,如今部分书画去向不明。
寒武纪股价再成A股最贵,半导体...
一方面,受益于AI产业发展,不少半导体公司业绩上涨;另一方面,美股半导体的上涨也带动了A股行情 文|...
OpenAI两大劲敌联手!马斯...
AIPress.com.cn报道 奥特曼今晚能安然入睡吗? 就在刚刚,OpenAI的两大死对头美美牵...