삽질 1. timezone 부분

logstash, elasticsearch(plugins 등), kibana 각각의 시간대 설정을 맞추기가 골치 아프니 모두 UTC로 바꾸니 편함...ㅡㅡ; (단, 표시 시간대를 UTC로 맞추는 것과 @timestamp 값 자체가 올바른 시각으로 저장되는 것은 별개의 문제)


[logstash]

dd/MMM/yyyy:HH:mm:ss Z 로 했었는데 처리가 안돼서.. 아래와 같이 했더니 해결...

         -> https://discuss.elastic.co/t/how-to-set-timestamp-timezone/28401/10

[kibana]

Settings -> Advanced -> dateFormat:tz -> UTC 선택 (화면에 표시하는 시간대만 바꾸는 설정이므로, 저장된 @timestamp 자체가 맞아야 의미가 있음)




[logconf/apache.conf]

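# Quick parse check: paste one access-log line on stdin and the parsed event
# comes back as JSON on stdout.
input {
  stdin { }
}

filter {
  grok {
    patterns_dir => ["./patterns"]
    # Adjust to your own log format. COMMONAPACHELOG captures the bracketed
    # time into "timestamp". ALL_STR (".*" from patterns/custom.conf) is
    # unanchored and greedy; two of them back to back make grok backtrack
    # heavily on lines that do not fit, and the request line / user-agent in
    # these logs is client-controlled, so tighten them to NOTSPACE/QS once the
    # real field shape is known and watch for events tagged "_grokparsefailure".
    match => { "message" => "%{COMMONAPACHELOG} %{NUMBER:responseTime} %{ALL_STR:qq1} %{ALL_STR:qq2} %{QS:referrer} %{QS:agent}" }
  }
  date {
    # "+0900" is matched as literal text, so the parsed wall-clock time carries
    # no zone of its own and "timezone" supplies it. With "UTC" here,
    # 21:08:51 +0900 was stored as 21:08:51Z, nine hours ahead of the real
    # instant. Declaring the zone the web servers actually log in stores the
    # correct instant (12:08:51Z), which is what makes these events
    # correlatable with other log sources.
    match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss +0900" ]
    timezone => "Asia/Seoul"
  }
}

output {
  stdout { codec => json }
}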


[logconf/apache.conf]

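# File-tail variant: read the dumped SSL access logs and ship them to Elasticsearch.
input {
  file {
    path => "/usr/local/tomcat/logstash/dump_logs/ssl/*"
    # Only honoured for files Logstash has not seen before (no sincedb entry);
    # a rerun over the same files resumes from the recorded offset.
    start_position => "beginning"
  }
}

filter {
  grok {
    patterns_dir => ["./patterns"]
    # Adjust to your own log format. ALL_STR (".*", patterns/custom.conf) is
    # unanchored and greedy; two in a row backtrack badly on lines that do not
    # match, so tighten them to NOTSPACE/QS once the field shape is known and
    # keep an eye on events tagged "_grokparsefailure" instead of dropping them.
    match => { "message" => "%{COMMONAPACHELOG} %{ALL_STR:qq1} %{ALL_STR:qq2} %{QS:referrer} %{QS:agent}" }
  }
  date {
    # "+0900" is matched literally, so the parsed wall-clock time has no zone
    # and "timezone" supplies it. "UTC" here stored 21:08:51 +0900 as
    # 21:08:51Z (nine hours ahead of the real instant) and, because the index
    # name below is derived from @timestamp, could also file events under the
    # wrong day. Use the zone the web servers actually log in.
    match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss +0900" ]
    timezone => "Asia/Seoul"
  }
}

output {
  # Plain HTTP to a local node with no credentials: acceptable for a
  # single-host lab, not for a shared cluster (put TLS/auth in front first).
  elasticsearch { hosts => ["localhost:9200"]
                  # Daily index; the date part is taken from @timestamp.
                  index => "apache-access-log-%{+YYYY-MM-dd}"
                  # Mapping type. The manual mapping example further down
                  # declares "web01" on an index named log_httpd, so it does not
                  # apply to this index pattern unless re-targeted or turned
                  # into an index template.
                  document_type => "web01"
                }
  #stdout { codec => rubydebug }
}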

[haproxy]

# Two haproxy log files, tagged by "type"; the type selects both the grok
# pattern and the destination document_type below.
input {
  #stdin { }
  file {
    type => "searchWas"
    # The trailing "*" also picks up rotated copies (.1, .gz ...). If rotation
    # produces compressed files, confirm this plugin version can read them or
    # narrow the glob.
    path => "/usr/local/tomcat/logstash/dump_logs/haproxy/haproxy-searchWas.log*"
    start_position => "beginning"
  }
  file {
    type => "aqmp"
    path => "/usr/local/tomcat/logstash/dump_logs/haproxy/haproxy-aqmp.log*"
    start_position => "beginning"
  }
}

  
filter {
  if [type] == "searchWas" {
    grok {
      patterns_dir => ["./patterns"]
    # Adjust to your own log format (HAPROXYHTTP ships with logstash).
      match => { "message" => "%{HAPROXYHTTP}" }
    }
    date {
      # accept_date carries no UTC offset, so the zone the haproxy hosts write
      # in has to be declared here. "UTC" is only correct if those hosts keep
      # their clocks on UTC; otherwise name their zone (e.g. "Asia/Seoul") or
      # every @timestamp is shifted by the offset.
      match => [ "accept_date", "dd/MMM/YYYY:HH:mm:ss.SSS" ]
      timezone => "UTC"
    }
  } else if [type] == "aqmp" {
    grok {
      patterns_dir => ["./patterns"]
      match => { "message" => "%{HAPROXYTCP}" }
    }
    date {
      # Same caveat as above: "UTC" assumes the haproxy hosts log in UTC.
      match => [ "accept_date", "dd/MMM/YYYY:HH:mm:ss.SSS" ]
      timezone => "UTC"
    }
  }
}

output {
  #stdout { codec => json }
  
  # Both branches write to the same daily index over plain HTTP with no
  # credentials and differ only in document_type. Fine for a local lab; a
  # shared cluster needs TLS/auth in front of port 9200.
  if [type] == "searchWas" {
    elasticsearch {  
      hosts => ["localhost:9200"]
      index => "haproxy-access-log-%{+YYYY-MM-dd}"
      document_type => "searchWas"
    }
  } else if [type] == "aqmp" {
    elasticsearch {  
      hosts => ["localhost:9200"]
      index => "haproxy-access-log-%{+YYYY-MM-dd}"
      document_type => "aqmp"
    }
  }
}

[logconf/test-db.conf] db -> elasticsearch 케이스 (input 부분만 발췌)

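input {
        jdbc {
                jdbc_driver_library => "/usr/local/tomcat/logstash/lib/mysql-connector-java-5.1.38.jar"
                jdbc_driver_class => "com.mysql.jdbc.Driver"
                # Plain TCP to the database. If the server supports it, require
                # TLS (this connector takes e.g. ?useSSL=true&requireSSL=true)
                # so the credential below does not cross the network in clear.
                jdbc_connection_string => "jdbc:mysql://mariadb-dev:3306/log"
                # Use a read-only account scoped to the log tables only.
                jdbc_user => "log"
                # Never put the literal password in this file: it ends up in
                # version control and in every copy of the config. Logstash
                # expands ${VAR} from the environment at startup
                # (export LOGSTASH_DB_PASSWORD='...' before launching); confirm
                # your release supports ${VAR} substitution, newer ones also
                # offer a keystore for secrets.
                jdbc_password => "${LOGSTASH_DB_PASSWORD}"
                # Without "schedule" this statement runs once at startup and the
                # input then stays idle; uncomment to poll every minute. Paging
                # slices the query into LIMIT/OFFSET pages whose order is not
                # guaranteed, so add an ORDER BY on a stable key (the primary
                # key) or pages may overlap or skip rows.
                statement => "SELECT * FROM ez_apache_access_log_201602"
                #schedule => "* * * * *"
                jdbc_paging_enabled => "true"
                jdbc_page_size => "50000"

        }
}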

[patterns/custom.conf]

# Catch-all used for the free-form fields in the apache match strings.
# ".*" is unanchored and greedy; two of them back to back make grok backtrack
# heavily on lines that do not fit the pattern, and the request line /
# user-agent that lands in these fields is client-controlled. Prefer a bounded
# pattern (NOTSPACE, QS) once the real field shape is known.
ALL_STR .*

test exec (stdin 버전 apache.conf로 실행한 뒤 아래 access log 한 줄을 붙여넣으면 파싱 결과가 JSON으로 출력됨)

$ bin/logstash -f logconf/apache.conf 
192.168.1.100 - - [17/Jul/2016:21:08:51 +0900] "GET /test/list HTTP/1.1" 200 17194 5657 -/- (-%) "http://ddakker.test.com/test/add?test=1" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"

mappings -> 수동 index/document mapping 생성 예제 (인증 없는 localhost:9200에 `string` + `not_analyzed` 형식으로 PUT; 이 문법은 ES 2.x 기준이며 5.x 이상에서는 `keyword` 타입으로 바꿔야 함. 또한 index 이름이 `log_httpd`이므로 위 logstash output이 쓰는 `apache-access-log-*` index에는 적용되지 않음 -> 해당 index명으로 넣거나 index template으로 등록할 것)

$ curl -XPUT http://localhost:9200/log_httpd -d '
{
  "mappings": {
    "web01": {
      "properties": {
        "req_query_string": {
          "type": "string",
          "fields": {
            "raw": {
              "type": "string",
              "index": "not_analyzed"
            }
          }
        },
        "req_dt": {
          "type": "string"
        },
        "referrer_query_string": {
          "type": "string",
          "fields": {
            "raw": {
              "type": "string",
              "index": "not_analyzed"
            }
          }
        },
        "referrer_domain": {
          "type": "string",
          "fields": {
            "raw": {
              "type": "string",
              "index": "not_analyzed"
            }
          }
        },
        "req_ext": {
          "type": "string"
        },
        "referrer_ext": {
          "type": "string"
        },
        "res_status": {
          "type": "string"
        },
        "req_mall_type": {
          "type": "string"
        },
        "@version": {
          "type": "string"
        },
        "ip": {
          "type": "string"
        },
        "req_uri": {
          "type": "string",
          "fields": {
            "raw": {
              "type": "string",
              "index": "not_analyzed"
            }
          }
        },
        "@timestamp": {
          "format": "strict_date_optional_time||epoch_millis",
          "type": "date"
        },
        "referrer_mall_type": {
          "type": "string",
          "fields": {
            "raw": {
              "type": "string",
              "index": "not_analyzed"
            }
          }
        },
        "method": {
          "type": "string"
        },
        "referrer_uri": {
          "type": "string",
          "fields": {
            "raw": {
              "type": "string",
              "index": "not_analyzed"
            }
          }
        }
      }
    }
  }
}'

