[elk@yyjk conf]$ cat viewcode.conf
# Pipeline: tail gaccess.log, glue continuation lines onto the preceding
# event, and ship every event to Elasticsearch (and, for debugging, stdout).
input {
file {
type => "viewcode-10.5.100.232"
path => ["/home/admin/tools/logs/gaccess.log"]
# "end" (the file-input default, per its docs): only lines appended after
# startup are read; existing content is not replayed.
start_position=>"end"
}
}
filter {
# negate=>true + what=>"previous": any line NOT starting with a digit is
# appended to the previous event. This filter pins the pipeline to one worker
# thread (see the "Defaulting pipeline worker threads to 1" warning printed at
# startup); the multiline codec on the file input avoids that restriction.
multiline {
pattern => "^[0-9]"
negate=>true
what=>"previous"
}
}
output {
# Plain HTTP to the cluster with no ssl/user/password configured here. The
# request query strings in these events carry phone numbers and one-time
# authorization codes, so the 9200 endpoint and the target index need
# access control.
elasticsearch {
hosts => "10.5.100.232:9200"
index => "logstash-viewlog-%{+YYYY.MM.dd}"
}
# rubydebug prints every full event (including those query strings) to the
# console; keep it only while debugging, and restrict who can read that output.
stdout {
codec=>rubydebug{}
}
}
[elk@yyjk conf]$ logstash -f viewcode.conf
Settings: Default pipeline workers: 2
Defaulting pipeline worker threads to 1 because there are some filters that might not work with multiple worker threads {:count_was=>2, :filters=>["multiline"], :level=>:warn}
Pipeline main started
{
"message" => "10.5.100.80 - - [07/Sep/2018:15:52:52 +0800] "GET /?phone=17605860662&message=%E8%BF%90%E7%BB%B4%E5%A0%A1%E5%9E%92%E6%9C%BA%E8%AE%BF%E9%97%AE%E6%8E%88%E6%9D%83%E7%94%B3%E8%AF%B7%0A%E6%8E%88%E6%9D%83%E7%A0%81%EF%BC%9A336160%0A%E7%94%B3%E8%AF%B7%E4%BA%BA%EF%BC%9A%E8%B5%B5%E6%9D%A8%E5%81%A5%EF%BC%88015208%EF%BC%89%0A%E8%AE%BF%E9%97%AE%E8%AE%BE%E5%A4%87%EF%BC%9AJJ_ESBAPP_229.101%EF%BC%8810.2.229.101%EF%BC%89%0A%E8%AE%BF%E9%97%AE%E6%9C%8D%E5%8A%A1%EF%BC%9Assh%0A%E7%B3%BB%E7%BB%9F%E8%B4%A6%E5%8F%B7%EF%BC%9Aesb%0A%E7%94%B3%E8%AF%B7%E5%8E%9F%E5%9B%A0%EF%BC%9A%E9%97%AE%E9%A2%98%E6%8E%92%E6%9F%A5 HTTP/1.0" 200 47 "-" "Python-urllib/1.17"",
"@version" => "1",
"@timestamp" => "2018-09-07T07:52:53.065Z",
"path" => "/home/admin/tools/logs/gaccess.log",
"host" => "yyjk",
"type" => "viewcode-10.5.100.232"
}
{
"message" => "10.5.100.80 - - [07/Sep/2018:15:53:45 +0800] "GET /?phone=17605861150&message=%E8%BF%90%E7%BB%B4%E5%A0%A1%E5%9E%92%E6%9C%BA%E8%AE%BF%E9%97%AE%E6%8E%88%E6%9D%83%E7%94%B3%E8%AF%B7%0A%E6%8E%88%E6%9D%83%E7%A0%81%EF%BC%9A635367%0A%E7%94%B3%E8%AF%B7%E4%BA%BA%EF%BC%9A%E8%94%A1%E5%88%A9%E6%9D%B0%EF%BC%88006737%EF%BC%89%0A%E8%AE%BF%E9%97%AE%E8%AE%BE%E5%A4%87%EF%BC%9AJJ_ZHDQZDB_120.91%EF%BC%8810.2.120.91%EF%BC%89%0A%E8%AE%BF%E9%97%AE%E6%9C%8D%E5%8A%A1%EF%BC%9Assh%0A%E7%B3%BB%E7%BB%9F%E8%B4%A6%E5%8F%B7%EF%BC%9Aelink%0A%E7%94%B3%E8%AF%B7%E5%8E%9F%E5%9B%A0%EF%BC%9A%E9%97%AE%E9%A2%98%E6%8E%92%E6%9F%A5 HTTP/1.0" 200 47 "-" "Python-urllib/1.17"",
"@version" => "1",
"@timestamp" => "2018-09-07T07:53:46.113Z",
"path" => "/home/admin/tools/logs/gaccess.log",
"host" => "yyjk",
"type" => "viewcode-10.5.100.232"
}
需要进行urldecode解码;
安装urldecode插件
[root@node01 bin]# ./logstash-plugin install logstash-filter-urldecode
Ignoring ffi-1.9.13 because its extensions are not built. Try: gem pristine ffi --version 1.9.13
Validating logstash-filter-urldecode
Installing logstash-filter-urldecode
Installation successful
[root@node01 bin]#
[elk@yyjk conf]$ cat viewcode.conf
# Pipeline: tail gaccess.log, glue continuation lines onto the preceding
# event, URL-decode the message, and ship every event to Elasticsearch
# (and, for debugging, stdout).
input {
file {
type => "viewcode-10.5.100.232"
path => ["/home/admin/tools/logs/gaccess.log"]
# "end" (the file-input default, per its docs): only lines appended after
# startup are read; existing content is not replayed.
start_position=>"end"
}
}
filter {
# negate=>true + what=>"previous": any line NOT starting with a digit is
# appended to the previous event. This filter pins the pipeline to one worker
# thread (see the "Defaulting pipeline worker threads to 1" warning printed at
# startup); the multiline codec on the file input avoids that restriction.
multiline {
pattern => "^[0-9]"
negate=>true
what=>"previous"
}
# Filters run in order, so this decodes the already-assembled event; the
# newlines produced from %0A are not re-split by multiline. Only the message
# field is decoded, and the decoded text still contains the phone number and
# authorization code from the request (see the rubydebug output below).
urldecode{
field =>message
}
}
output {
# Plain HTTP to the cluster with no ssl/user/password configured here. The
# decoded messages carry phone numbers and one-time authorization codes, so
# the 9200 endpoint and the target index need access control.
elasticsearch {
hosts => "10.5.100.232:9200"
index => "logstash-viewlog-%{+YYYY.MM.dd}"
}
# rubydebug prints every full decoded event to the console; keep it only
# while debugging, and restrict who can read that output.
stdout {
codec=>rubydebug{}
}
}
[elk@yyjk conf]$ logstash -f viewcode.conf
Settings: Default pipeline workers: 2
Defaulting pipeline worker threads to 1 because there are some filters that might not work with multiple worker threads {:count_was=>2, :filters=>["multiline"], :level=>:warn}
Pipeline main started
{
"message" => "10.5.100.80 - - [07/Sep/2018:17:06:38 +0800] "GET /?phone=17605860662&message=运维堡垒机访问授权申请
授权码:995523
申请人:赵杨健(015208)
访问设备:JJ_ESBAPP_229.101(10.2.229.101)
访问服务:ssh
系统账号:esb
申请原因:问题排查 HTTP/1.0" 200 47 "-" "Python-urllib/1.17"",
"@version" => "1",
"@timestamp" => "2018-09-07T09:06:39.428Z",
"path" => "/home/admin/tools/logs/gaccess.log",
"host" => "yyjk",