ini Logstash手表码头日志

Posted 2021-05-24

input {
  file {
    codec => json
    path => '/var/lib/docker/containers/*/*-json.log'
  }
}
filter {
  ruby {
    code => "Thread.current[event['path']] ||= JSON.parse(Pathname(event['path']).dirname.join('config.json').read)"
  }
  ruby {
    code => "event['container_name'] = Thread.current[event['path']].fetch('Name', '<missing>')"
  }
  ruby {
    code => "event['container_image'] = Thread.current[event['path']]['Config'].fetch('Image', '<missing>')"
  }
}
output {
  stdout {
    codec => rubydebug
  }
}

ini IIS日志的Logstash配置。

input {
	file {
		type => "IISLog"
		path => "C:/inetpub/logs/LogFiles/W3SVC*/*.log"
		start_position => "beginning"
	}
}

filter {

	# ignore log comments
	if [message] =~ "^#" {
		drop {}
	}
 
 	# check that fields match your IIS log settings
	grok {
        match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} (%{URI:referer})? %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:time_taken}"]
	}
  
	# set the event timestamp from the log
	# https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html
	date {
		match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
		timezone => "Etc/UCT"
	}
	
	# matches the big, long nasty useragent string to the actual browser name, version, etc
	# https://www.elastic.co/guide/en/logstash/current/plugins-filters-useragent.html
	useragent {
		source=> "useragent"
		prefix=> "browser_"
	}
	
	mutate {
		remove_field => [ "log_timestamp"]
	}
}

# output logs to console and to elasticsearch
output {
    stdout { codec => rubydebug }
	elasticsearch { hosts => ["localhost:9200"] }
}