간단한 로그스태시 파이프라인 설정.
input {
file {
path => "D:/Edu/Multicam/elastic/log/iis_sample.log"
start_position => "beginning"
sincedb_path => "nul"
}
}
output {
elasticsearch {
hosts => "192.168.56.1"
}
}실행 결과는 이렇다.
[2020-11-08T12:51:11,023][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2020-11-08T12:51:11,065][INFO ][logstash.outputs.elasticsearch][main] Creating rollover alias <logstash-{now/d}-000001>
{
"path" => "D:/Edu/Multicam/elastic/log/iis_sample.log",
"host" => "MHKANG",
"@timestamp" => 2020-11-08T03:51:11.018Z,
"@version" => "1",
"message" => "2011-01-10 03:00:56 W3SVC1 192.168.48.11 GET /view.asp cate_id=2&vod_id=614 80 - 192.168.90.226 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+InfoPath.2;+MS-RTC+EA+2;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 200 0 0\r"
}filter {
mutate { remove_field => [ "@timestamp", "@version", "path", "host" ] }
}이제 필터 수정에 따른 message의 변화에만 집중하면 된다.
[2020-11-08T12:54:06,099][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
{
"message" => "2011-01-10 03:00:56 W3SVC1 192.168.48.11 GET /view.asp cate_id=2&vod_id=614 80 - 192.168.90.226 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+InfoPath.2;+MS-RTC+EA+2;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 200 0 0\r"
}output {
elasticsearch {
hosts => "192.168.56.1"
index => "iis-%{+yyyy}"
}
}[2020-11-08T12:55:05,143][INFO ][o.e.c.m.MetadataCreateIndexService] [MHKANG] [iis-] creating index, cause [auto(bulk api)], templates [], shards [1]/[1]
[2020-11-08T12:55:05,269][INFO ][o.e.c.m.MetadataMappingService] [MHKANG] [iis-/vG5ua_xbREWFi6YIrlxD8A] create_mapping [_doc]filter {
mutate { remove_field => [ "@version", "path", "host" ] }
}
[2020-11-08T12:57:45,030][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
{
"@timestamp" => 2020-11-08T03:57:45.035Z,
"message" => "2011-01-10 03:00:56 W3SVC1 192.168.48.11 GET /view.asp cate_id=2&vod_id=614 80 - 192.168.90.226 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+InfoPath.2;+MS-RTC+EA+2;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 200 0 0\r"
}[2020-11-08T12:57:45,162][INFO ][o.e.c.m.MetadataCreateIndexService] [MHKANG] [iis-2020] creating index, cause [auto(bulk api)], templates [], shards [1]/[1]
[2020-11-08T12:57:45,288][INFO ][o.e.c.m.MetadataMappingService] [MHKANG] [iis-2020/EN4Mku1CTzGRdnIPq8j4Pw] create_mapping [_doc]filter {
mutate { remove_field => [ "@version", "path", "host" ] }
dissect { mapping => { "message" => "%{timestamp} %{+timestamp} %{}" } }
date { match => [ "timestamp", "yyyy-MM-dd HH:mm:ss" ] }
}[2020-11-08T12:59:51,086][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
{
"timestamp" => "2011-01-10 03:00:56",
"@timestamp" => 2011-01-09T18:00:56.000Z,
"message" => "2011-01-10 03:00:56 W3SVC1 192.168.48.11 GET /view.asp cate_id=2&vod_id=614 80 - 192.168.90.226 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+InfoPath.2;+MS-RTC+EA+2;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 200 0 0\r"
}
[2020-11-08T12:59:51,228][INFO ][o.e.c.m.MetadataCreateIndexService] [MHKANG] [iis-2011] creating index, cause [auto(bulk api)], templates [], shards [1]/[1]
[2020-11-08T12:59:51,346][INFO ][o.e.c.m.MetadataMappingService] [MHKANG] [iis-2011/IpdvLVZoSv677yCdvh_xCg] create_mapping [_doc]
댓글 없음:
댓글 쓰기