使用Filebeat Modules配置示例

本节中的示例展示了如何构建用于解析Filebeat模块收集的数据的Logstash管道：

Apache 2日志

本例中的Logstash管道配置展示了如何运送和解析apache2 Filebeat模块收集的访问和错误日志。

input {beats {port => 5044host => "0.0.0.0"}
}
filter {if [fileset][module] == "apache2" {if [fileset][name] == "access" {grok {match => { "message" => ["%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \[%{HTTPDATE:[apache2][access][time]}\] \"%{WORD:[apache2][access][method]} %{DATA:[apache2][access][url]} HTTP/%{NUMBER:[apache2][access][http_version]}\" %{NUMBER:[apache2][access][response_code]} %{NUMBER:[apache2][access][body_sent][bytes]}( \"%{DATA:[apache2][access][referrer]}\")?( \"%{DATA:[apache2][access][agent]}\")?","%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \\[%{HTTPDATE:[apache2][access][time]}\\] \"-\" %{NUMBER:[apache2][access][response_code]} -" ] }remove_field => "message"}mutate {add_field => { "read_timestamp" => "%{@timestamp}" }}date {match => [ "[apache2][access][time]", "dd/MMM/YYYY:H:m:s Z" ]remove_field => "[apache2][access][time]"}useragent {source => "[apache2][access][agent]"target => "[apache2][access][user_agent]"remove_field => "[apache2][access][agent]"}geoip {source => "[apache2][access][remote_ip]"target => "[apache2][access][geoip]"}}else if [fileset][name] == "error" {grok {match => { "message" => ["\[%{APACHE_TIME:[apache2][error][timestamp]}\] \[%{LOGLEVEL:[apache2][error][level]}\]( \[client %{IPORHOST:[apache2][error][client]}\])? %{GREEDYDATA:[apache2][error][message]}","\[%{APACHE_TIME:[apache2][error][timestamp]}\] \[%{DATA:[apache2][error][module]}:%{LOGLEVEL:[apache2][error][level]}\] \[pid %{NUMBER:[apache2][error][pid]}(:tid %{NUMBER:[apache2][error][tid]})?\]( \[client %{IPORHOST:[apache2][error][client]}\])? %{GREEDYDATA:[apache2][error][message1]}" ] }pattern_definitions => {"APACHE_TIME" => "%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}"}remove_field => "message"}mutate {rename => { "[apache2][error][message1]" => "[apache2][error][message]" }}date {match => [ "[apache2][error][timestamp]", "EEE MMM dd H:m:s YYYY", "EEE MMM dd H:m:s.SSSSSS YYYY" ]remove_field => "[apache2][error][timestamp]"}}}
}
output {elasticsearch {hosts => localhostmanage_template => falseindex => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"}
}

MySQL日志

本例中的Logstash管道配置展示了如何运送和解析mysql Filebeat模块收集的错误和慢日志日志。

input {beats {port => 5044host => "0.0.0.0"}
}
filter {if [fileset][module] == "mysql" {if [fileset][name] == "error" {grok {match => { "message" => ["%{LOCALDATETIME:[mysql][error][timestamp]} (\[%{DATA:[mysql][error][level]}\] )?%{GREEDYDATA:[mysql][error][message]}","%{TIMESTAMP_ISO8601:[mysql][error][timestamp]} %{NUMBER:[mysql][error][thread_id]} \[%{DATA:[mysql][error][level]}\] %{GREEDYDATA:[mysql][error][message1]}","%{GREEDYDATA:[mysql][error][message2]}"] }pattern_definitions => {"LOCALDATETIME" => "[0-9]+ %{TIME}"}remove_field => "message"}mutate {rename => { "[mysql][error][message1]" => "[mysql][error][message]" }}mutate {rename => { "[mysql][error][message2]" => "[mysql][error][message]" }}date {match => [ "[mysql][error][timestamp]", "ISO8601", "YYMMdd H:m:s" ]remove_field => "[mysql][error][time]"}}else if [fileset][name] == "slowlog" {grok {match => { "message" => ["^# User@Host: %{USER:[mysql][slowlog][user]}(\[[^\]]+\])? @ %{HOSTNAME:[mysql][slowlog][host]} \[(IP:[mysql][slowlog][ip])?\](\s*Id:\s* %{NUMBER:[mysql][slowlog][id]})?\n# Query_time: %{NUMBER:[mysql][slowlog][query_time][sec]}\s* Lock_time: %{NUMBER:[mysql][slowlog][lock_time][sec]}\s* Rows_sent: %{NUMBER:[mysql][slowlog][rows_sent]}\s* Rows_examined: %{NUMBER:[mysql][slowlog][rows_examined]}\n(SET timestamp=%{NUMBER:[mysql][slowlog][timestamp]};\n)?%{GREEDYMULTILINE:[mysql][slowlog][query]}"] }pattern_definitions => {"GREEDYMULTILINE" => "(.|\n)*"}remove_field => "message"}date {match => [ "[mysql][slowlog][timestamp]", "UNIX" ]}mutate {gsub => ["[mysql][slowlog][query]", "\n# Time: [0-9]+ [0-9][0-9]:[0-9][0-9]:[0-9][0-9](\\.[0-9]+)?$", ""]}}}
}
output {elasticsearch {hosts => localhostmanage_template => falseindex => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"}
}

Nginx日志

本例中的Logstash管道配置展示了如何运送和解析nginx Filebeat模块收集的访问和错误日志。

input {beats {port => 5044host => "0.0.0.0"}
}
filter {if [fileset][module] == "nginx" {if [fileset][name] == "access" {grok {match => { "message" => ["%{IPORHOST:[nginx][access][remote_ip]} - %{DATA:[nginx][access][user_name]} \[%{HTTPDATE:[nginx][access][time]}\] \"%{WORD:[nginx][access][method]} %{DATA:[nginx][access][url]} HTTP/%{NUMBER:[nginx][access][http_version]}\" %{NUMBER:[nginx][access][response_code]} %{NUMBER:[nginx][access][body_sent][bytes]} \"%{DATA:[nginx][access][referrer]}\" \"%{DATA:[nginx][access][agent]}\""] }remove_field => "message"}mutate {add_field => { "read_timestamp" => "%{@timestamp}" }}date {match => [ "[nginx][access][time]", "dd/MMM/YYYY:H:m:s Z" ]remove_field => "[nginx][access][time]"}useragent {source => "[nginx][access][agent]"target => "[nginx][access][user_agent]"remove_field => "[nginx][access][agent]"}geoip {source => "[nginx][access][remote_ip]"target => "[nginx][access][geoip]"}}else if [fileset][name] == "error" {grok {match => { "message" => ["%{DATA:[nginx][error][time]} \[%{DATA:[nginx][error][level]}\] %{NUMBER:[nginx][error][pid]}#%{NUMBER:[nginx][error][tid]}: (\*%{NUMBER:[nginx][error][connection_id]} )?%{GREEDYDATA:[nginx][error][message]}"] }remove_field => "message"}mutate {rename => { "@timestamp" => "read_timestamp" }}date {match => [ "[nginx][error][time]", "YYYY/MM/dd H:m:s" ]remove_field => "[nginx][error][time]"}}}
}
output {elasticsearch {hosts => localhostmanage_template => falseindex => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"}
}

System日志

本例中的Logstash管道配置展示了如何运送和解析system Filebeat模块收集的系统日志。

input {beats {port => 5044host => "0.0.0.0"}
}
filter {if [fileset][module] == "system" {if [fileset][name] == "auth" {grok {match => { "message" => ["%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} %{DATA:[system][auth][ssh][method]} for (invalid user )?%{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]} port %{NUMBER:[system][auth][ssh][port]} ssh2(: %{GREEDYDATA:[system][auth][ssh][signature]})?","%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} user %{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]}","%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: Did not receive identification string from %{IPORHOST:[system][auth][ssh][dropped_ip]}","%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sudo(?:\[%{POSINT:[system][auth][pid]}\])?: \s*%{DATA:[system][auth][user]} :( %{DATA:[system][auth][sudo][error]} ;)? TTY=%{DATA:[system][auth][sudo][tty]} ; PWD=%{DATA:[system][auth][sudo][pwd]} ; USER=%{DATA:[system][auth][sudo][user]} ; COMMAND=%{GREEDYDATA:[system][auth][sudo][command]}","%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} groupadd(?:\[%{POSINT:[system][auth][pid]}\])?: new group: name=%{DATA:system.auth.groupadd.name}, GID=%{NUMBER:system.auth.groupadd.gid}","%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} useradd(?:\[%{POSINT:[system][auth][pid]}\])?: new user: name=%{DATA:[system][auth][user][add][name]}, UID=%{NUMBER:[system][auth][user][add][uid]}, GID=%{NUMBER:[system][auth][user][add][gid]}, home=%{DATA:[system][auth][user][add][home]}, shell=%{DATA:[system][auth][user][add][shell]}$","%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} %{DATA:[system][auth][program]}(?:\[%{POSINT:[system][auth][pid]}\])?: %{GREEDYMULTILINE:[system][auth][message]}"] }pattern_definitions => {"GREEDYMULTILINE"=> "(.|\n)*"}remove_field => "message"}date {match => [ "[system][auth][timestamp]", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]}geoip {source => "[system][auth][ssh][ip]"target => "[system][auth][ssh][geoip]"}}else if [fileset][name] == "syslog" {grok {match => { "message" => ["%{SYSLOGTIMESTAMP:[system][syslog][timestamp]} %{SYSLOGHOST:[system][syslog][hostname]} %{DATA:[system][syslog][program]}(?:\[%{POSINT:[system][syslog][pid]}\])?: %{GREEDYMULTILINE:[system][syslog][message]}"] }pattern_definitions => { "GREEDYMULTILINE" => "(.|\n)*" }remove_field => "message"}date {match => [ "[system][syslog][timestamp]", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]}}}
}
output {elasticsearch {hosts => localhostmanage_template => falseindex => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"}
}

Logstash 参考指南（使用Filebeat Modules配置示例）相关推荐

Logstash 6.2 参考指南（开始使用Logstash）
Logstash 6.2 参考指南(开始使用Logstash) https://segmentfault.com/a/1190000015237808#articleHeader3 Logstash官 ...
MRTG教程（五）：MRTG的配置参考指南
mrtg的配置参考指南内容 NAME OVERVIEW SYNTAX GLOBAL KEYWORDS OPTIONAL GLOBAL KEYWORDS EXAMPLES NAME mrtg-refe ...
[译] Cilium：BPF 和 XDP 参考指南（2021）
Cilium:BPF和XDP参考指南_RToax-CSDN博客Table of ContentsBPF体系结构指令系统辅助功能地图对象固定尾叫BPF到BPF呼叫准时制硬化减负工具链开发环境虚拟机本文档 ...
metricbeat mysql_Metricbeat 参考指南（目录）
Metricbeat 参考指南版本:v6.4 更新日期:2018-10-15 概述 Metricbeat是一个轻量级的托运工,你可以在服务器上安装它,定期从操作系统和服务器上运行的服务收集指标,Me ...
Spring Boot参考指南
Spring Boot参考指南作者菲利普·韦伯,戴夫 Syer,约什长,斯特凡尼科尔,罗布绞车,安迪·威尔金森,马塞尔 Overdijk,基督教杜普伊斯,塞巴斯蒂安·德勒兹,迈克尔·西蒙斯 ...
《SAFe 4.0参考指南：精益软件与系统工程的规模化敏捷框架》一 3.13　故事
本节书摘来自华章出版社<SAFe 4.0参考指南:精益软件与系统工程的规模化敏捷框架>一书中的第3章,第3.13节作者［美］迪恩·莱芬(DeanLeffingwell),更多章节内容可以 ...
Cilium：BPF和XDP参考指南
Table of Contents BPF体系结构指令系统辅助功能地图对象固定尾叫 BPF到BPF呼叫准时制硬化减负工具链开发环境虚拟机本文档部分针对希望深入了解BPF和XDP ...
[翻译]Reactor Netty参考指南 - 8.UDP客户端
Reactor Netty参考指南目录原文地址 Reactor Netty提供了易于使用.易于配置的UdpClient.它隐藏了创建UDP客户端所需的大部分Netty的功能,并增加了Reactive ...
Oracle 11G 11.2.0.4 RAC部署参考指南
Oracle 11G 11.2.0.4 RAC部署参考指南一.Oracle 11g RAC部署二.集群规划三.主机网络规划四.操作系统配置部分五.Grid集群软件安装部分六.Oracle ...

Logstash 参考指南（使用Filebeat Modules配置示例）