[elk@dr-mysql01 api-access]$ date
Wed Nov 30 19:21:35 CST 2016
[elk@dr-mysql01 api-access]$
[elk@dr-mysql01 config]$ ../bin/logstash -f stdin02.conf
Settings: Default pipeline workers: 8
Pipeline main started
12/Sep/2016:21:32:33 +0800
{
       "message" => "12/Sep/2016:21:32:33 +0800",
      "@version" => "1",
    "@timestamp" => "2016-11-30T11:21:57.442Z",    ## @timestamp here is the current system time, not the logdate value
          "host" => "dr-mysql01.zjcap.com",
       "logdate" => "12/Sep/2016:21:32:33 +0800"
}
[elk@dr-mysql01 config]$ ../bin/logstash -f stdin02.conf
Settings: Default pipeline workers: 8
Pipeline main started
12/Sep/2016:21:32:33 +0800
{
          "message" => "12/Sep/2016:21:32:33 +0800",
         "@version" => "1",
       "@timestamp" => "2016-09-12T13:32:33.000Z",
             "host" => "dr-mysql01.zjcap.com",
          "logdate" => "12/Sep/2016:21:32:33 +0800",
    "response_time" => "12/Sep/2016:21:32:33 +0800"
}
[elk@dr-mysql01 config]$ cat stdin02.conf
input {
  stdin { }
}
filter {
  grok {
    match => ["message", "%{HTTPDATE:logdate}"]
  }
  date {
    match => ["logdate", "dd/MMM/yyyy:HH:mm:ss Z"]
    add_field => ["response_time","%{logdate}"]
  }
}
output {
  stdout { codec=>rubydebug{} }
}
/**************** iss (IIS) log
2016-11-30 06:33:33 192.168.5.116 GET /Hotel/HotelDisplay/cncqcqb230 - 80 - 192.168.9.2 Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X+10.9;+en-US;+rv:1.9pre)+Gecko - 200 0 0 45
[elk@dr-mysql01 config]$ cat iss.conf
input {
  stdin { }
}
filter {
  grok {
    match => [ "message" ,"\s*(?<time>([0-9]{4}-[0-9]{2}-[0-9]{2}\s+[0-9]{2}:[0-9]{2}:[0-9]{2}))\s+%{IPORHOST:clientip}\s+%{WORD:verb}\s+%{URIPATHPARAM:request}\s+-\s+(?<port>([0-9]{2}.*?))\s+-\s+%{IPORHOST:sourceip}\s+(?<http_user_agent>(\S+\s+).*?).*" ]
  }
  date {
    match => ["time", "yyyy-MM-dd HH:mm:ss"]
  }
}
output {
  stdout { codec => rubydebug }
}
[elk@dr-mysql01 config]$ ../bin/logstash -f iss.conf
Settings: Default pipeline workers: 8
Pipeline main started
2016-11-30 06:33:33 192.168.5.116 GET /Hotel/HotelDisplay/cncqcqb230 - 80 - 192.168.9.2 Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X+10.9;+en-US;+rv:1.9pre)+Gecko - 200 0 0 45
{
            "message" => "2016-11-30 06:33:33 192.168.5.116 GET /Hotel/HotelDisplay/cncqcqb230 - 80 - 192.168.9.2 Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X+10.9;+en-US;+rv:1.9pre)+Gecko - 200 0 0 45",
           "@version" => "1",
         "@timestamp" => "2016-11-29T22:33:33.000Z",
               "host" => "dr-mysql01.zjcap.com",
               "time" => "2016-11-30 06:33:33",
           "clientip" => "192.168.5.116",
               "verb" => "GET",
            "request" => "/Hotel/HotelDisplay/cncqcqb230",
               "port" => "80",
           "sourceip" => "192.168.9.2",
    "http_user_agent" => "Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X+10.9;+en-US;+rv:1.9pre)+Gecko "
}
[elk@dr-mysql01 config]$ cat iss.conf
input {
  stdin { }
}
filter {
  grok {
    match => [ "message" ,"\s*(?<time>([0-9]{4}-[0-9]{2}-[0-9]{2}\s+[0-9]{2}:[0-9]{2}:[0-9]{2}))\s+%{IPORHOST:clientip}\s+%{WORD:verb}\s+%{URIPATHPARAM:request}\s+-\s+(?<port>([0-9]{2}.*?))\s+-\s+%{IPORHOST:sourceip}\s+(?<http_user_agent>(\S+\s+).*?).*" ]
  }
  date {
    match => ["time", "yyyy-MM-dd HH:mm:ss Z"]
  }
}
output {
  stdout { codec => rubydebug }
}
[elk@dr-mysql01 config]$ ../bin/logstash -f iss.conf
Settings: Default pipeline workers: 8
Pipeline main started
2016-11-30 06:33:33 192.168.5.116 GET /Hotel/HotelDisplay/cncqcqb230 - 80 - 192.168.9.2 Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X+10.9;+en-US;+rv:1.9pre)+Gecko - 200 0 0 45
Failed parsing date from field {:field=>"time", :value=>"2016-11-30 06:33:33", :exception=>"Invalid format: \"2016-11-30 06:33:33\" is too short", :config_parsers=>"yyyy-MM-dd HH:mm:ss Z", :config_locale=>"default=en_US", :level=>:warn}
{
            "message" => "2016-11-30 06:33:33 192.168.5.116 GET /Hotel/HotelDisplay/cncqcqb230 - 80 - 192.168.9.2 Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X+10.9;+en-US;+rv:1.9pre)+Gecko - 200 0 0 45",
           "@version" => "1",
         "@timestamp" => "2016-11-30T11:28:32.972Z",
               "host" => "dr-mysql01.zjcap.com",
               "time" => "2016-11-30 06:33:33",
           "clientip" => "192.168.5.116",
               "verb" => "GET",
            "request" => "/Hotel/HotelDisplay/cncqcqb230",
               "port" => "80",
           "sourceip" => "192.168.9.2",
    "http_user_agent" => "Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X+10.9;+en-US;+rv:1.9pre)+Gecko ",
               "tags" => [
        [0] "_dateparsefailure"
    ]
}
## The "Z" in the second iss.conf pattern expects a timezone offset that the "time" field does not carry, so the date filter fails, the event is tagged "_dateparsefailure", and "@timestamp" falls back to the ingest time (2016-11-30T11:28:32Z) instead of the log time; in the first run, with no "Z", the same value was parsed in the host's local zone (+0800) and gave 2016-11-29T22:33:33Z.