Logstash Basics: Filter
Published: 2025-12-03 (last updated 2025-12-03). Author: 千家信息网 editor.
Grok configuration example:

## Startup file configuration:

```conf
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
  stdin {}
}
filter {
  grok {
    # The escaped spaces ("\ ") are literal spaces; the space before %{QS:referrer}
    # is required, otherwise the quoted request string is never captured.
    match => ["message", "%{IP:clientip}\ \[%{HTTPDATE:timestamp}\]\ %{QS:referrer}\ %{NUMBER:response}\ %{NUMBER:bytes}"]
  }
}
output {
  stdout { codec => "rubydebug" }
}
```

## File content (the line fed to stdin):

```
172.16.213.132 [07/Feb/2018:16:24:19 +0800] "GET / HTTP/1.1" 403 5039
```

## Displayed output:

```
{
      "@version" => "1",
    "@timestamp" => 2019-11-10T06:02:42.865Z,
          "host" => "localhost.localdomain",
       "message" => "172.16.213.132 [07/Feb/2018:16:24:19 +0800] \"GET / HTTP/1.1\" 403 5039",
     "timestamp" => "07/Feb/2018:16:24:19 +0800",
         "bytes" => "5039",
      "response" => "403",
      "clientip" => "172.16.213.132",
      "referrer" => "\"GET / HTTP/1.1\""
}
```

Grok: dropping the redundant field
## Configuration file

```conf
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
  stdin { }
}
filter {
  grok {
    match => ["message", "%{IP:clientip}\ \[%{HTTPDATE:timestamp}\]\ %{QS:referrer}\ %{NUMBER:response}\ %{NUMBER:bytes}"]
    # The raw line is fully represented by the parsed fields, so drop it
    # (remove_field only runs when the match succeeds).
    remove_field => ["message"]
  }
}
output {
  stdout { codec => "rubydebug" }
}
```

Grok combined with the Date plugin
```conf
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
  stdin { }
}
filter {
  grok {
    match => ["message", "%{IP:clientip}\ \[%{HTTPDATE:timestamp}\]\ %{QS:referrer}\ %{NUMBER:response}\ %{NUMBER:bytes}"]
    remove_field => ["message"]
  }
  date {
    # Joda-style format for "07/Feb/2018:16:24:19 +0800"; parsed value goes to @timestamp.
    match => ["timestamp", "dd/MMMM/yyyy:HH:mm:ss Z"]
  }
}
output {
  stdout { codec => "rubydebug" }
}
```

Date: dropping the redundant field
```conf
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
  stdin { }
}
filter {
  grok {
    match => ["message", "%{IP:clientip}\ \[%{HTTPDATE:timestamp}\]\ %{QS:referrer}\ %{NUMBER:response}\ %{NUMBER:bytes}"]
    remove_field => ["message"]
  }
  date {
    match => ["timestamp", "dd/MMMM/yyyy:HH:mm:ss Z"]
  }
  mutate {
    # Once @timestamp has been set, the string copy is redundant.
    remove_field => [ "timestamp" ]
  }
}
output {
  stdout { codec => "rubydebug" }
}
```

Combined exercise: configuration parameters
```conf
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
  stdin { }
}
filter {
  grok {
    match => ["message", "%{IP:clientip}\ \[%{HTTPDATE:timestamp}\]\ %{QS:referrer}\ %{NUMBER:response}\ %{NUMBER:bytes}"]
    remove_field => ["message"]
  }
  date {
    match => ["timestamp", "dd/MMMM/yyyy:HH:mm:ss Z"]
  }
  mutate {
    rename => {"response" => "response_new"}   # response -> response_new
    gsub => ["referrer", "\"", ""]             # strip the surrounding double quotes
    remove_field => [ "timestamp" ]
    split => ["clientip", "."]                 # "172.16.213.132" -> ["172","16","213","132"]
  }
}
output {
  stdout { codec => "rubydebug" }
}
```

Geoip geolocation plugin usage
```conf
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
  stdin { }
}
filter {
  grok {
    match => ["message", "%{IP:clientip}\ \[%{HTTPDATE:timestamp}\]\ %{QS:referrer}\ %{NUMBER:response}\ %{NUMBER:bytes}"]
    remove_field => ["message"]
  }
  date {
    match => ["timestamp", "dd/MMMM/yyyy:HH:mm:ss Z"]
  }
  mutate {
    remove_field => [ "timestamp" ]
  }
  geoip {
    source => "clientip"
    # ASN database: enriches the event with the network operator of clientip.
    database => "/usr/local/include/GeoLite2-ASN_20191105/GeoLite2-ASN.mmdb"
  }
}
output {
  stdout { codec => "rubydebug" }
}
```

Geoip: outputting selected attributes
```conf
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
  stdin { }
}
filter {
  grok {
    match => ["message", "%{IP:clientip}\ \[%{HTTPDATE:timestamp}\]\ %{QS:referrer}\ %{NUMBER:response}\ %{NUMBER:bytes}"]
    remove_field => ["message"]
  }
  date {
    match => ["timestamp", "dd/MMMM/yyyy:HH:mm:ss Z"]
  }
  mutate {
    remove_field => [ "timestamp" ]
  }
  geoip {
    source => "clientip"
    #database => "/usr/local/include/GeoLite2-Country_20191015/GeoLite2-Country.mmdb"
    database => "/usr/local/include/GeoLite2-City_20191105/GeoLite2-City.mmdb"
    # Only keep these attributes of the lookup instead of the full geoip object.
    fields => ["city_name", "region_name", "country_name", "ip", "latitude", "longitude", "timezone"]
  }
}
output {
  stdout { codec => "rubydebug" }
}
```

Sample data:

```
36.7.152.182 [07/Feb/2018:16:24:19 +0800] "GET / HTTP/1.1" 403 5039
```

Comprehensive practical example
```conf
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
  stdin {}
}
filter {
  grok {
    # Fields are separated by the literal "|~|" with no surrounding spaces
    # (a space before "\|\~\|" would make the pattern fail on the example line).
    match => {
      "message" => "%{TIMESTAMP_ISO8601:localtime}\|\~\|%{IP:clientip}\|\~\|%{GREEDYDATA:http_user_agent}\|\~\|%{GREEDYDATA:url}\|\~\|%{GREEDYDATA:mediaid}\|\~\|%{GREEDYDATA:osid}"
    }
    remove_field => [ "message" ]
  }
  date {
    # ISO 8601 with a "+08:00" style offset; "ZZ" is the colon-separated offset.
    match => ["localtime", "yyyy-MM-dd'T'HH:mm:ssZZ"]
    target => "@timestamp"
  }
  mutate {
    remove_field => ["localtime"]
  }
  geoip {
    source => "clientip"
    #database => "/usr/local/include/GeoLite2-Country_20191015/GeoLite2-Country.mmdb"
    database => "/usr/local/include/GeoLite2-City_20191105/GeoLite2-City.mmdb"
    fields => ["city_name", "region_name", "country_name", "ip", "latitude", "longitude", "timezone"]
  }
}
output {
  stdout { codec => "rubydebug" }
}
```

Example:

```
2018-02-09T10:57:42+08:00|~|123.87.240.97|~|Mozilla/5.0(iPhone;CPU iPhone OS 11_2_2 like Mac OS X)AppleWebKit/604.4.7 Version/11.0 Mobile/15C202 Safari/604.1|~|http://m.sina.cn/cm/ads_ck_wap.html|~|12434785489009|~|DF45566587855P
```
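To check what these filter chains do to a line without starting Logstash, here is an added Python emulation (not part of the original post and not Logstash's own code) of both the combined-exercise chain above and this "|~|"-delimited chain: grok with the page's two match expressions, date, and mutate (rename, gsub, remove_field, split). The entries in GROK_PATTERNS are simplified stand-ins for the library's pattern definitions, the geoip step is left out because it needs the MaxMind database, and the function names are this example's own. It also shows the failure path that matters when you rely on these fields for detection: a line the pattern does not match keeps its message and is tagged `_grokparsefailure`, which is the tag to alert on so that unparsed log lines do not silently disappear.

```python
import re
from datetime import datetime, timezone

# Approximations of the Logstash grok patterns used on this page (constructed here;
# the real definitions live in logstash-patterns-core and are more permissive).
GROK_PATTERNS = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "HTTPDATE": r"\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "QS": r'"(?:[^"\\]|\\.)*"',
    "NUMBER": r"[+-]?(?:\d+\.?\d*|\.\d+)",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})",
    "GREEDYDATA": r".*",
}

# The two match expressions from the page's configs, unchanged.
ACCESS_PATTERN = r"%{IP:clientip}\ \[%{HTTPDATE:timestamp}\]\ %{QS:referrer}\ %{NUMBER:response}\ %{NUMBER:bytes}"
PIPE_PATTERN = (r"%{TIMESTAMP_ISO8601:localtime}\|\~\|%{IP:clientip}\|\~\|%{GREEDYDATA:http_user_agent}"
                r"\|\~\|%{GREEDYDATA:url}\|\~\|%{GREEDYDATA:mediaid}\|\~\|%{GREEDYDATA:osid}")

# Sample lines taken from the page.
ACCESS_LOG_LINE = '172.16.213.132 [07/Feb/2018:16:24:19 +0800] "GET / HTTP/1.1" 403 5039'
PIPE_LOG_LINE = ("2018-02-09T10:57:42+08:00|~|123.87.240.97|~|Mozilla/5.0(iPhone;CPU iPhone OS 11_2_2 like Mac OS X)"
                 "AppleWebKit/604.4.7 Version/11.0 Mobile/15C202 Safari/604.1|~|http://m.sina.cn/cm/ads_ck_wap.html"
                 "|~|12434785489009|~|DF45566587855P")


def compile_grok(pattern):
    """Expand every %{NAME:field} into a Python named group; the rest is plain regex."""
    expanded = re.sub(r"%\{(\w+):(\w+)\}",
                      lambda m: f"(?P<{m.group(2)}>{GROK_PATTERNS[m.group(1)]})", pattern)
    return re.compile(expanded)


def grok(event, pattern, remove_field=()):
    """Like the grok filter: add captured fields on success, tag _grokparsefailure otherwise.
    remove_field only runs after a successful match, so unparsed lines keep their message."""
    m = compile_grok(pattern).search(event["message"])
    if m is None:
        event.setdefault("tags", []).append("_grokparsefailure")
        return event
    event.update(m.groupdict())
    for f in remove_field:
        event.pop(f, None)
    return event


def date_filter(event, field, fmt, target="@timestamp"):
    """Like the date filter: parse `field` with a strptime format (the Joda formats on the
    page map onto these) and store it in UTC; tag _dateparsefailure if it does not parse."""
    raw = event.get(field)
    if raw is None:
        return event
    try:
        dt = datetime.strptime(raw, fmt)
    except ValueError:
        event.setdefault("tags", []).append("_dateparsefailure")
        return event
    event[target] = dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return event


def mutate(event, rename=None, gsub=(), remove_field=(), split=()):
    """Like the mutate filter. Logstash applies mutate operations in a fixed order
    (rename, then gsub, then remove_field, then split) regardless of the order in
    the config block; that order is mirrored here."""
    for old, new in (rename or {}).items():
        if old in event:
            event[new] = event.pop(old)
    for field, regex, replacement in gsub:
        if field in event:
            event[field] = re.sub(regex, replacement, event[field])
    for f in remove_field:
        event.pop(f, None)
    for field, sep in split:
        if field in event:
            event[field] = event[field].split(sep)
    return event


def access_log_pipeline(line):
    """The page's combined-exercise chain (grok -> date -> mutate), geoip omitted."""
    event = {"message": line}
    grok(event, ACCESS_PATTERN, remove_field=["message"])
    date_filter(event, "timestamp", "%d/%b/%Y:%H:%M:%S %z")   # dd/MMMM/yyyy:HH:mm:ss Z
    mutate(event, rename={"response": "response_new"}, gsub=[("referrer", '"', "")],
           remove_field=["timestamp"], split=[("clientip", ".")])
    return event


def pipe_log_pipeline(line):
    """The page's "|~|"-delimited chain (grok -> date -> mutate), geoip omitted."""
    event = {"message": line}
    grok(event, PIPE_PATTERN, remove_field=["message"])
    date_filter(event, "localtime", "%Y-%m-%dT%H:%M:%S%z")    # yyyy-MM-dd'T'HH:mm:ssZZ
    mutate(event, remove_field=["localtime"])
    return event


if __name__ == "__main__":
    for ev in (access_log_pipeline(ACCESS_LOG_LINE), pipe_log_pipeline(PIPE_LOG_LINE),
               access_log_pipeline("not an access log line")):
        print(ev)
```

Running the module prints the three resulting events; the third one is the unmatched line, which comes back with its message intact and `tags: ["_grokparsefailure"]`, the same tag a real Logstash pipeline attaches.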