Today I reworked the configuration files, because the previous apache_errorlog setup was not matching clientip.
1. First, modify shipper.conf
input {
  file {
    type => "apache-accesslog"
    path => "/var/log/httpd/access_log"
  }
  file {
    type => "apache-errorlog"
    path => "/var/log/httpd/error_log"
  }
}
filter {
  # The conditionals select events by type, so the deprecated per-filter
  # "type" option is not needed inside grok.
  if [type] == "apache-accesslog" {
    grok {
      # "match" replaces the deprecated "pattern" option
      match => { "message" => "%{COMBINEDAPACHELOG}" }
      patterns_dir => "/opt/logstash/patterns"
    }
  }
  else if [type] == "apache-errorlog" {
    grok {
      # APACHEERRORLOG is the custom pattern that captures clientip
      match => { "message" => "%{APACHEERRORLOG}" }
      patterns_dir => [ "/opt/logstash/lib/logstash/grok" ]
      #pattern => "%{LOGLEVEL}"
      #patterns_dir => "/usr/local/src/logstash-1.4.2/patterns"
    }
  }
}
output {
  # Ship parsed events to the Redis list that the indexer reads from
  redis {
    host => '192.168.1.101'
    data_type => 'list'
    key => 'logstash'
  }
}
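The patterns used to match apache-errorlog go into a pattern file; they could also be written inline in the grok filter. Here I put them in a file, with the following contents: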
HTTPERRORDATE %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}
APACHEERRORLOG \[%{HTTPERRORDATE:timestamp}\] \[%{WORD:severity}\] \[client %{IPORHOST:clientip}\] %{GREEDYDATA:message_remainder}
2. Next is indexer.conf
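input {
  redis {
    host => "localhost"
    data_type => "list"
    port => "6379"
    key => "logstash"
    # "type" is a literal string, not a regex; it is only applied to events
    # that arrive without a type, so the shipper's type values are kept.
    type => "apache-(access|error)log"
    codec => "json"
  }
}
output {
  elasticsearch {
    host => "localhost"
  }
}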
3. Restart the services
# /bin/logstash -f conf/shipper.conf &
# /bin/logstash -f conf/indexer.conf &
4. Check the graphs: both the access log and the error log now show the client IP
Reposted from: https://blog.51cto.com/charlie928/1551624