Logstash 在处理 nginx 日志时,对内网 IP 不做 geoip 位置信息解析,并将内网与外网的请求分别存储到不同的 index 中,便于分别分析内外网的用户请求。
# logstash配置文件如下
input {
  # Read nginx access-log events from the Redis list "nginx-log" in database 0
  # on 10.57.1.203, and label every event with type "nginx-log".
  # NOTE(review): no Redis password is configured here, so anything that can
  # reach this Redis instance and push to the list can inject log events —
  # confirm the instance is reachable only from trusted shippers.
  redis {
    host      => "10.57.1.203"
    db        => 0
    data_type => "list"
    key       => "nginx-log"
    type      => "nginx-log"
  }
}
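filter {
  # The event's "message" field carries the nginx log line as JSON: expand it
  # into top-level fields and drop the raw string once parsing succeeds.
  json {
    source => "message"
    remove_field => "message"
  }

  # Skip the GeoIP lookup when the client address is internal
  # (10.57.1.0/24 or 192.168.0.0/16).
  # The patterns are anchored to the start of the address with escaped dots.
  # A plain substring test such as `"10.57.1." not in [remote_addr]` also
  # matches public addresses that merely contain the text (constructed
  # examples: 110.57.1.9, 8.192.168.4), leaving them without location data.
  # NOTE(review): if nginx populates remote_addr from a client-supplied header
  # such as X-Forwarded-For, the value is client-controlled — confirm it is the
  # real peer address before relying on it for this classification.
  if [remote_addr] !~ /^10\.57\.1\./ and [remote_addr] !~ /^192\.168\./ {
    geoip {
      source => "remote_addr"
      target => "geoip"
      database => "/etc/logstash/geoip/GeoLite2-City.mmdb"
    }
  }

  # Disabled: split the query string in "request" into url_args_* fields.
  # kv {
  # source => "request"
  # field_split => "&"
  # value_split => "="
  # prefix => "url_args_"
  # remove_field => "url_args_imsi"
  # }
}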
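output {
  # Route events from internal clients to the "lan" index and everything else
  # to the "wan" index.
  # The ranges (10.57.1.0/24, 192.168.0.0/16) are the same ones the filter
  # section exempts from GeoIP, and the match is anchored with escaped dots.
  # The earlier substring test (`"10.57.1" in ...`, `"192.168.1" in ...`) also
  # sent 10.57.10.x / 10.57.100.x and any public address containing that text
  # to the LAN index, hiding external requests from WAN analysis, while
  # 192.168.2.x traffic landed in the WAN index without GeoIP data.
  # NOTE(review): LAN events go to 10.57.1.201 and WAN events to 10.57.1.203 —
  # confirm that two different Elasticsearch hosts are intended.
  # NOTE(review): no authentication or TLS settings appear on these outputs;
  # confirm the cluster accepts writes only from trusted hosts.
  if [remote_addr] =~ /^10\.57\.1\./ or [remote_addr] =~ /^192\.168\./ {
    elasticsearch {
      hosts => "10.57.1.201"
      index => "logstash-nginx-lan-%{+YYYY.MM.dd}"
    }
  } else {
    elasticsearch {
      hosts => "10.57.1.203"
      index => "logstash-nginx-wan-%{+YYYY.MM.dd}"
    }
  }
}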
# logstash配置文件如下
input {
  # Read nginx access-log events from the Redis list "nginx-log" in database 0
  # on 10.57.1.203, and label every event with type "nginx-log".
  # NOTE(review): no Redis password is configured here, so anything that can
  # reach this Redis instance and push to the list can inject log events —
  # confirm the instance is reachable only from trusted shippers.
  redis {
    host      => "10.57.1.203"
    db        => 0
    data_type => "list"
    key       => "nginx-log"
    type      => "nginx-log"
  }
}
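filter {
  # The event's "message" field carries the nginx log line as JSON: expand it
  # into top-level fields and drop the raw string once parsing succeeds.
  json {
    source => "message"
    remove_field => "message"
  }

  # Skip the GeoIP lookup when the client address is internal
  # (10.57.1.0/24 or 192.168.0.0/16).
  # The patterns are anchored to the start of the address with escaped dots.
  # A plain substring test such as `"10.57.1." not in [remote_addr]` also
  # matches public addresses that merely contain the text (constructed
  # examples: 110.57.1.9, 8.192.168.4), leaving them without location data.
  # NOTE(review): if nginx populates remote_addr from a client-supplied header
  # such as X-Forwarded-For, the value is client-controlled — confirm it is the
  # real peer address before relying on it for this classification.
  if [remote_addr] !~ /^10\.57\.1\./ and [remote_addr] !~ /^192\.168\./ {
    geoip {
      source => "remote_addr"
      target => "geoip"
      database => "/etc/logstash/geoip/GeoLite2-City.mmdb"
    }
  }

  # Disabled: split the query string in "request" into url_args_* fields.
  # kv {
  # source => "request"
  # field_split => "&"
  # value_split => "="
  # prefix => "url_args_"
  # remove_field => "url_args_imsi"
  # }
}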
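output {
  # Route events from internal clients to the "lan" index and everything else
  # to the "wan" index.
  # The ranges (10.57.1.0/24, 192.168.0.0/16) are the same ones the filter
  # section exempts from GeoIP, and the match is anchored with escaped dots.
  # The earlier substring test (`"10.57.1" in ...`, `"192.168.1" in ...`) also
  # sent 10.57.10.x / 10.57.100.x and any public address containing that text
  # to the LAN index, hiding external requests from WAN analysis, while
  # 192.168.2.x traffic landed in the WAN index without GeoIP data.
  # NOTE(review): LAN events go to 10.57.1.201 and WAN events to 10.57.1.203 —
  # confirm that two different Elasticsearch hosts are intended.
  # NOTE(review): no authentication or TLS settings appear on these outputs;
  # confirm the cluster accepts writes only from trusted hosts.
  if [remote_addr] =~ /^10\.57\.1\./ or [remote_addr] =~ /^192\.168\./ {
    elasticsearch {
      hosts => "10.57.1.201"
      index => "logstash-nginx-lan-%{+YYYY.MM.dd}"
    }
  } else {
    elasticsearch {
      hosts => "10.57.1.203"
      index => "logstash-nginx-wan-%{+YYYY.MM.dd}"
    }
  }
}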