Logstash基础操作-Filter
admin
2023-02-28 10:02:15
0次
Grok配置案例:
##启动文件配置:
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
stdin{}
}
filter {
grok {
match => ["message","%{IP:clientip}\ \[%{HTTPDATE:timestamp}\]\
%{QS:referrer}\ %{NUMBER:response}\ %{NUMBER:bytes}"]
}
}
output {
stdout{
codec => "rubydebug"
}
}
##输出文件内容
172.16.213.132 [07/Feb/2018:16:24:19 +0800] "GET / HTTP/1.1" 403 5039
##显示内容
{
"@version" => "1",
"@timestamp" => 2019-11-10T06:02:42.865Z,
"host" => "localhost.localdomain",
"message" => "172.16.213.132 [07/Feb/2018:16:24:19 +0800] \"GET / HTTP/1.1\" 403 5039",
"timestamp" => "07/Feb/2018:16:24:19 +0800",
"bytes" => "5039",
"response" => "403",
"clientip" => "172.16.213.132",
"referrer" => "\"GET / HTTP/1.1\""
}Grok 过滤重复字段
## 配置文件
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
stdin{
}
}
filter {
grok {
match => ["message","%{IP:clientip}\ \[%{HTTPDATE:timestamp}\]\
%{QS:referrer}\ %{NUMBER:response}\ %{NUMBER:bytes}"]
remove_field => ["message"]
}
}
output {
stdout{
codec => "rubydebug"
}
}Grok搭配Date时间插件配置
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
stdin{
}
}
filter {
grok {
match => ["message","%{IP:clientip}\ \[%{HTTPDATE:timestamp}\]\
%{QS:referrer}\ %{NUMBER:response}\ %{NUMBER:bytes}"]
remove_field => ["message"]
}
date {
match => ["timestamp", "dd/MMMM/yyyy:HH:mm:ss Z"]
}
}
output {
stdout{
codec => "rubydebug"
}
}Date 过滤重复得字段配置
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
stdin{
}
}
filter {
grok {
match => ["message","%{IP:clientip}\ \[%{HTTPDATE:timestamp}\]\
%{QS:referrer}\ %{NUMBER:response}\ %{NUMBER:bytes}"]
remove_field => ["message"]
}
date {
match => ["timestamp", "dd/MMMM/yyyy:HH:mm:ss Z"]
}
mutate {
remove_field => [ "timestamp" ]
}
}
output {
stdout{
codec => "rubydebug"
}
}综合练习配置参数
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
stdin{
}
}
filter {
grok {
match => ["message","%{IP:clientip}\ \[%{HTTPDATE:timestamp}\]\
%{QS:referrer}\ %{NUMBER:response}\ %{NUMBER:bytes}"]
remove_field => ["message"]
}
date {
match => ["timestamp", "dd/MMMM/yyyy:HH:mm:ss Z"]
}
mutate{
rename => {"response" => "response_new"}
gsub => ["referrer", "\"", ""]
remove_field => [ "timestamp" ]
split => ["clientip", "."]
}
}
output {
stdout{
codec => "rubydebug"
}
}Geoip 地理位置插件操作方式
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
stdin{
}
}
filter {
grok {
match => ["message","%{IP:clientip}\ \[%{HTTPDATE:timestamp}\]\
%{QS:referrer}\ %{NUMBER:response}\ %{NUMBER:bytes}"]
remove_field => ["message"]
}
date {
match => ["timestamp", "dd/MMMM/yyyy:HH:mm:ss Z"]
}
mutate{
remove_field => [ "timestamp" ]
}
geoip {
source => "clientip"
database => "/usr/local/include/GeoLite2-ASN_20191105/GeoLite2-ASN.mmdb"
}
}
output {
stdout{
codec => "rubydebug"
}
}Geoip输出指定属性值
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
stdin{
}
}
filter {
grok {
match => ["message","%{IP:clientip}\ \[%{HTTPDATE:timestamp}\]\
%{QS:referrer}\ %{NUMBER:response}\ %{NUMBER:bytes}"]
remove_field => ["message"]
}
date {
match => ["timestamp", "dd/MMMM/yyyy:HH:mm:ss Z"]
}
mutate{
remove_field => [ "timestamp" ]
}
geoip {
source => "clientip"
#database => "/usr/local/include/GeoLite2-Country_20191015/GeoLite2-Country.mmdb"
database => "/usr/local/include/GeoLite2-City_20191105/GeoLite2-City.mmdb"
fields => ["city_name", "region_name", "country_name", "ip", "latitude", "longitude", "timezone"]
}
}
output {
stdout{
codec => "rubydebug"
}
}
模拟数据:
36.7.152.182 [07/Feb/2018:16:24:19 +0800] "GET / HTTP/1.1" 403 5039综合实战
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
stdin{}
}
filter{
grok{
match => {"message" => "%{TIMESTAMP_ISO8601:localtime}\|\~\|%{IP:clientip}
\|\~\|%{GREEDYDATA:http_user_agent}\|\~\|%{GREEDYDATA:url}
\|\~\|%{GREEDYDATA:mediaid}\|\~\|%{GREEDYDATA:osid}"}
remove_field => [ "message" ]
}
date {
match => ["localtime", "yyyy-MM-dd'T'HH:mm:ssZZ"]
target => "@timestamp"
}
mutate {
remove_field => ["localtime"]
}
geoip {
source => "clientip"
#database => "/usr/local/include/GeoLite2-Country_20191015/GeoLite2-Country.mmdb"
database => "/usr/local/include/GeoLite2-City_20191105/GeoLite2-City.mmdb"
fields => ["city_name", "region_name", "country_name", "ip", "latitude", "longitude", "timezone"]
}
}
output {
stdout {
codec => "rubydebug"
}
}
示例:2018-02-09T10:57:42+08:00|~|123.87.240.97|~|Mozilla/5.0
(iPhone;CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 Version/11.0 Mobile/15C202 Safari/604.1
|~|http://m.sina.cn/cm/ads_ck_wap.html
|~|12434785489009|~|DF45566587855P下一篇:Linux sudo实现灵活授权
相关内容
热门资讯
最新引进“十胡卡.真的有挂吗?...
最新引进“十胡卡.真的有挂吗?”确实真的有挂您好,十胡卡这个游戏其实有挂的,确实是有挂的,需要了解加...
终于懂了“同城游跑胡子.怎么开...
网上科普关于“同城游跑胡子有没有挂”话题很是火热,小编也是针对同城游跑胡子作*弊开挂的方法以及开挂对...
【第一消息】“微乐海南麻将.辅...
家人们!今天小编来为大家解答微乐海南麻将透视挂怎么安装这个问题咨询软件客服徽9784099的挂在哪里...
降低家庭养育成本,中国拟对托育...
12月22日,托育服务法草案提请十四届全国人大常委会第十九次会议首次审议。草案共8章76条,包括总则...
我来教教您“哪吒重生.开挂器?...
有 亲,根据资深记者爆料哪吒重生是可以开挂的,确实有挂(咨询软件无需打开...
俄称普京愿与马克龙展开对话,法...
【环球网报道】据美国政治新闻网站(Politico)等外媒报道,俄总统新闻秘书、克宫发言人佩斯科夫当...
【第一资讯】“丽水都莱.怎么开...
您好:丽水都莱这款游戏可以开挂,确实是有挂的,需要了解加客服微信【9752949】很多玩家在这款游戏...
【第一资讯】“人海牛牛.可以开...
网上科普关于“人海牛牛有没有挂”话题很是火热,小编也是针对人海牛牛作*弊开挂的方法以及开挂对应的知识...
终于懂了“乐暴延边麻将.开挂器...
家人们!今天小编来为大家解答乐暴延边麻将透视挂怎么安装这个问题咨询软件客服徽4282891的挂在哪里...
今日重大发现“白金岛红拐弯.开...
您好:白金岛红拐弯这款游戏可以开挂,确实是有挂的,需要了解加客服微信【9752949】很多玩家在这款...