1.安装geoip
ElasticSearch 可以使用 ingest-geoip 插件可以在 Kibana 上对 IP 进行地理位置分析,
这个插件需要 Maxmind 的 GeoLite2 City,GeoLite2 国家和 GeoLite2 ASN geoip2 数据库。有关更多详细信息,请参见
http://dev.maxmind.com/geoip/geoip2/geolite2/,现在需要注册才能下载!
2.配置
####配置时需要注意,索引名称必须是 "logstash-*" 才可以使用 GeoIP ,生成坐标图####
[root@web01 logstash]# cat conf.d/geoip.conf
input {
file {
path => "/var/log/nginx/access.log"
type => "nginx_access_log"
start_position => "end"
codec => "json"
}
}
filter {
json {
source => "message"
remove_field => ["message"]
}
geoip {
source => "clientip"
target => "geoip"
database => "/etc/logstash/config/GeoLite2-City.mmdb"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float"]
}
}
output {
elasticsearch {
hosts => ["10.0.0.51:9200"]
index => "logstash-%{type}-%{+YYYY.MM.dd}"
}
}
3.启动
[root@web01 logstash]# logstash -f conf.d/geoip.conf
4.模拟生成数据(多 Client IP)
# 下载测试日志
[root@blog ELK]# wget https://www.linuxyz.top/download/software/test_log/access_test.log
[root@blog ELK]# cat access_test.log >> /var/log/nginx/access.log