Logstash configuration for IIS logs (ini)
Preface: this article was compiled by the editors of cha138.com and presents a Logstash configuration for IIS logs, offered as reference material.
input {
  file {
    type => "IISLog"
    path => "C:/inetpub/logs/LogFiles/W3SVC*/*.log"
    # only affects files Logstash has not seen before (no sincedb entry yet)
    start_position => "beginning"
  }
}
filter {
  # ignore log comments (#Software, #Version, #Date, #Fields ...)
  if [message] =~ "^#" {
    drop {}
  }
  # check that fields match your IIS log settings (the #Fields line in the log);
  # this pattern assumes the default W3C field set:
  # date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
  # cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
  # Field names: response = sc-status, subresponse = sc-substatus, scstatus = sc-win32-status.
  # IIS writes "-" for an empty referer, which %{URI} does not match and would cause a
  # _grokparsefailure on every request without a referer, so NOTSPACE is used instead.
  grok {
    match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} %{NOTSPACE:referer} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:time_taken}"]
  }
  # set the event timestamp from the log; IIS W3C logs are written in UTC
  # https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html
  date {
    match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
    timezone => "Etc/UCT"
  }
  # matches the big, long nasty useragent string to the actual browser name, version, etc
  # https://www.elastic.co/guide/en/logstash/current/plugins-filters-useragent.html
  useragent {
    source => "useragent"
    prefix => "browser_"
  }
  # @timestamp now carries the value, so the raw string is redundant
  mutate {
    remove_field => [ "log_timestamp" ]
  }
}
# output logs to console and to elasticsearch
output {
  stdout { codec => rubydebug }
  elasticsearch { hosts => ["localhost:9200"] }
}
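The grok pattern only works when the columns in the log match the pattern by hand. As an added example (not part of the original gist or page), the following Python parser reads the same W3C format but takes the column layout from the log's own #Fields directive, drops comment lines as the drop {} filter does, tags lines whose column count disagrees with the header the way grok tags a parse failure, and handles the "-" placeholder for a missing referer. The sample log text and the FIELD_MAP names are constructed here to match the field names used in the config above.

```python
from datetime import datetime, timezone

# Constructed sample (not from the original page): an IIS W3C log excerpt with the
# default field set, one request with a referer and one with "-" (no referer).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-05-01 12:00:01 10.0.0.5 GET /index.html - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) https://example.test/ 200 0 0 15
2023-05-01 12:00:02 10.0.0.5 GET /missing.aspx id=1 443 - 198.51.100.7 curl/8.0 - 404 0 2 3
"""

# W3C field name -> field name produced by the grok pattern in the config above.
FIELD_MAP = {
    "s-ip": "site", "cs-method": "method", "cs-uri-stem": "page",
    "cs-uri-query": "querystring", "s-port": "port", "cs-username": "username",
    "c-ip": "clienthost", "cs(User-Agent)": "useragent", "cs(Referer)": "referer",
    "sc-status": "response", "sc-substatus": "subresponse",
    "sc-win32-status": "scstatus", "time-taken": "time_taken",
}
INT_FIELDS = {"port", "response", "subresponse", "scstatus", "time_taken"}


def parse_iis_log(text):
    """Parse W3C IIS log text into event dicts, taking the layout from #Fields.
    Comment lines are dropped (the config's `drop {}`); a data line whose column
    count disagrees with the header is tagged, as grok would tag it."""
    fields, events = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]      # layout comes from the log itself
            continue
        values = line.split(" ")               # IIS encodes spaces inside values as '+'
        if fields is None or len(values) != len(fields):
            events.append({"message": line, "tags": ["_parsefailure"]})
            continue
        raw = dict(zip(fields, values))
        event = {FIELD_MAP.get(k, k): v for k, v in raw.items() if k not in ("date", "time")}
        # IIS writes W3C timestamps in UTC, which is what the date filter relies on.
        event["@timestamp"] = datetime.strptime(
            raw["date"] + " " + raw["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        for k in INT_FIELDS.intersection(event):
            event[k] = int(event[k])
        # "-" marks an absent value; a bare %{URI} pattern would not match it.
        if event.get("referer") == "-":
            event["referer"] = None
        events.append(event)
    return events
```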