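## 1. 安装 GeoIP 数据库

```shell
cd /usr/local/logstash/etc
# NOTE(review): plain-HTTP download with no checksum or signature check — the database is
# trusted input to the pipeline, so fetch it over https and verify the file before using it.
# NOTE(review): MaxMind has retired the free GeoLite Legacy (.dat) feed, so this URL may no
# longer serve the file; confirm the source before relying on this step.
curl -O "http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz"
gunzip GeoLiteCity.dat.gz
```

## 2. 配置 logstash 使用 GeoIP

只需要在原来的 logstash.conf 中添加 filter 即可：

```shell
vim /usr/local/logstash/etc/logstash.conf
```

```
input {
  file {
    path           => "/data/nginx/logs/access_java.log"
    type           => "nginx-access"
    start_position => "beginning"
    sincedb_path   => "/usr/local/logstash/sincedb"
    codec          => "json"
  }
}

filter {
  if [type] == "nginx-access" {
    geoip {
      # Look up the client address and write the result under [geoip].
      source   => "clientip"
      target   => "geoip"
      database => "/usr/local/logstash/etc/GeoLiteCity.dat"
      # Two add_field calls on the same key: longitude first, then latitude
      # (the second call appends, producing a [lon, lat] array — the order
      # Elasticsearch expects for geo_point).
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    mutate {
      # Coordinates are interpolated as strings; cast them before indexing.
      convert => [ "[geoip][coordinates]", "float" ]
    }
  }
}

output {
  if [type] == "nginx-access" {
    # NOTE(review): the Elasticsearch endpoint is addressed without TLS or credentials;
    # log data (client IPs, requests) leaves this host in the clear and the cluster
    # accepts unauthenticated writes from anything that can reach port 9200.
    elasticsearch {
      hosts           => ["10.10.20.16:9200"]
      manage_template => true
      index           => "nginx-access-%{+YYYY-MM}"
    }
  }
}
```

注意：如果是 haproxy 作为代理，nginx 的 filter 需要修改为：

```
filter {
  grok {
    # Backslashes in the published pattern had been stripped; the escapes for the
    # literal brackets and quotes and for \S / \s are restored here. The parentheses
    # around request_time and x_forwarded_for are kept as the author wrote them —
    # whether the nginx log_format emits literal "(" ")" is not visible here; confirm.
    match => { "message" => "%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\" - %{NUMBER:http_status_code} %{NUMBER:bytes} \"(?<http_referer>\S+)\" \"(?<http_user_agent>(\S+\s+)*\S+)\" (%{BASE16FLOAT:request_time}) (%{IPORHOST:http_x_forwarded_for}|-)" }
  }
  geoip {
    # NOTE(review): X-Forwarded-For is set by the client unless the proxy overwrites
    # it; geolocating this field is only meaningful if haproxy is configured to
    # replace (not append to) the header. It also captures a single address, so a
    # multi-hop "a, b, c" value will fail this grok pattern — confirm the format.
    source   => "http_x_forwarded_for"
    target   => "geoip"
    database => "/usr/local/logstash/etc/GeoLiteCity.dat"
    add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
  }
  mutate {
    convert => [ "[geoip][coordinates]", "float" ]
  }
}
```

## 3. 重启 logstash 即可。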