
Logstash 按标签过滤不同网站

问题:我在单个 IIS 服务器中有多个网站。我想为发送到 logstash 的每个日志文件添加一个“标签”

这是我的 logstash 转发器配置

每个日志文件代表一个不同的网站。所以我想为这些日志中的每一个添加标签,并能够通过这个特定的标签进行过滤。

"logs\\svr05\\ex*",

{
  "network": {
    "servers": [ "logsvr1.logs.local:5000", "logsvr2.logs.local:5000" ],
    "timeout": 15,
    "ssl ca": "logstash-forwarder-new.crt"
  },
  "files": [
    {
      "paths": [
         "logs\\svr08\\ex*",
         "logs\\svr05\\ex*",
         "logs\\svr04\\ex*",
         "logs\\svr03\\ex*"
       ],
      "fields": { "type": "iis" },
      "dead time": "24h" 
        }
   ]
}

这是我为 IIS 日志编写的 logstash 过滤器配置:

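filter {
    # Applies only to events the forwarder tagged with fields.type = "iis".
    if [type] == "iis" {
        # IIS W3C log files begin with "#..." header/comment lines; discard them.
        if [message] =~ "^#" {
            drop {}
        }
        grok {
            break_on_match => false
            # Column order must match the "#Fields" header of the shipped log files.
            # NOTE(review): this pattern captures sc-substatus but no sc-status column;
            # verify the capture list against the actual "#Fields" line before relying on
            # the status-code fields.
            match => [
                "message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:s-sitename} %{IPORHOST:s-ip} %{URIPROTO:cs-method} %{URIPATH:cs-uri-stem} (?:%{NOTSPACE:cs_query}|-) %{NUMBER:src_port} %{NOTSPACE:cs_username} %{IP:clientip} %{NOTSPACE:useragent} %{NUMBER:sc-substatus} %{NUMBER:sc_win32_status} %{NUMBER:sc-bytes} %{NUMBER:cs-bytes} %{NUMBER:timetaken}"
            ]
        }

        date {
            locale => "en"
            match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
            target => "@timestamp"
            # NOTE(review): IIS W3C logging writes timestamps in UTC by default; if that is
            # the case here, this should be "UTC", otherwise @timestamp is offset by +05:00.
            timezone => "Indian/Maldives"
        }
        useragent {
            source => "useragent"
            prefix => "browser"
        }
        geoip {
            source => "clientip"
            target => "geoip"
            # Adding the same field twice turns it into a two-element array
            # [longitude, latitude]; the mutate below converts both entries to float.
            add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
            add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
        }

        mutate {
            add_field => [ "src_ip", "%{clientip}" ]
            convert => [ "[geoip][coordinates]", "float" ]
            replace => [ "@source_host", "%{clientip}" ]
            replace => [ "@message", "%{message}" ]
            # rename sources must use the exact grok capture names above (hyphenated);
            # renaming a field that does not exist is silently skipped.
            rename => [ "cs-method", "method" ]
            rename => [ "cs-uri-stem", "request" ]
            rename => [ "useragent", "agent" ]
            rename => [ "cs_username", "username" ]
            # NOTE(review): no "sc_status" field is captured by the grok pattern above, so
            # this rename is a no-op until the pattern captures the HTTP status column.
            rename => [ "sc_status", "response" ]
            rename => [ "timetaken", "time_request" ]
        }
    }
}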
filter {
    # Second pass for IIS events: drop fields that are redundant after the first
    # filter (clientip was copied into src_ip) or are not wanted in the index.
    if [type] == "iis" {
        mutate {
            remove_field => [
                "clientip",
                "host",
                "hostname",
                "logtime"
            ]
        }
    }
}

假设我想为不同的应用程序发送日志:

app1.egov.mv app2.egov.mv

如何为这些不同的 IIS 应用程序添加标签?并在发现模块中过滤它们以使用标签为特定网站制作图表?:|

问候,

伊斯梅尔




您已经知道如何添加 type 字段,因此只需用同样的方法再添加一个包含主机名的字段:

{
  ...,
  "files": [
    {
      "paths": [
         "logs\\svr08\\ex*",
         "logs\\svr05\\ex*",
         "logs\\svr04\\ex*",
         "logs\\svr03\\ex*"
      ],
      "fields": {
        "type": "iis",
        "virtualhost": "app1.egov.mv"
      },
      "dead time": "24h" 
    }
  ]
}

显然,如果您的不同日志文件模式适用于不同的服务器,您将不得不拆分配置:

{
  ...,
  "files": [
    {
      "paths": [
         "logs\\svr08\\ex*"
      ],
      "fields": {
        "type": "iis",
        "virtualhost": "app1.egov.mv"
      },
      "dead time": "24h" 
    },
    {
      "paths": [
         "logs\\svr05\\ex*"
      ],
      "fields": {
        "type": "iis",
        "virtualhost": "app2.egov.mv"
      },
      "dead time": "24h" 
    },
    ...
  ]
}

另一种选择(我更喜欢)是让 Web 服务器本身在每个日志条目中包含主机名。

于 2015-06-03T06:13:24.680 回答