Kibana深入结合Logstash画地图

Kibana深入结合Logstash画地图

地址库

在ELK中,我们可以使用地址库对访问IP进行分析,进而对日志进行分析。在ELK Stack中只有Logstash能做这件事,但出图是由Kibana完成的,所以我们首先需要下载地址库数据文件,然后对Logstash进行配置,使用geoip模块对日志中的访问IP进行分析后,再以中国地图或世界地图的形式展现在Kibana中。

下载地址库

官网:https://dev.maxmind.com/

# Shell transcript: fetch the GeoLite2 City database and open the pipeline
# config. Prompts are shown as recorded; only the command after "# " is run.

# 1. Enter the Logstash configuration directory
[root@elkstack04 logstash]# cd /etc/logstash

# 2. Download the address (GeoIP) database
# NOTE(review): this fetches the database from a third-party mirror over plain
# HTTP rather than from MaxMind, and nothing below verifies a checksum or
# signature. The geoip filter derives every event's location fields from this
# file, so a tampered or stale copy silently skews the map. Prefer the official
# GeoLite2 download (free MaxMind account + license key) and compare the
# published SHA-256 before extracting.
# The prompt shows "~" here but "/etc/logstash" for the next step; the archive
# has to end up in /etc/logstash (or be passed by full path) for step 3 to
# find it — confirm the working directory.
[root@elkstack04 ~]# wget http://test.driverzeng.com/other/GeoLite2-City_20211102.tar.gz

# 3. Extract
# "tar xf" writes whatever paths the archive contains; list them first with
# "tar tf" when the archive comes from an unverified source.
[root@elkstack04 logstash]# tar xf GeoLite2-City_20211102.tar.gz 

# 4. Edit the Logstash pipeline configuration (contents follow below)
[root@elkstack04 logstash]# vim /etc/logstash/conf.d/ngx_redis_es.conf 
# Pipeline: Redis list (nginx JSON access log) -> geoip enrichment -> Elasticsearch.
input{
	# Events are pulled from a Redis list; the json codec turns each list entry
	# into event fields, so whatever a producer pushes to this list becomes
	# event data (including the "type" field used for the index name below).
	redis{
		data_type => "list"
		key => "nginx_log"
		host => "10.0.0.52"
		port => "6379"
		db => "6"
		codec => "json"
		# NOTE(review): no password or TLS is configured, so the broker is
		# reached unauthenticated over plaintext. The redis input accepts a
		# "password" option when the server has requirepass set.
	}
}

filter{
	# The shipped record carries the nginx JSON log line in "message"; it is
	# expanded into top-level fields and the raw string is dropped.
	json{
		source => "message"
		remove_field => ["message"]
	}
	# Look up the direct client address ("ipaddr" in the nginx JSON log).
	# The log also has "xff" (X-Forwarded-For), but that header is
	# client-supplied, so it is deliberately not used for the lookup.
	geoip {
                source => "ipaddr"
                target => "geoip"
                # Path of the database extracted in step 3. Every event's
                # location fields come from this file, so its provenance
                # and integrity matter (see the download step).
                database => "/etc/logstash/GeoLite2-City_20211102/GeoLite2-City.mmdb"
                # Repeating add_field for the same key builds a list
                # [longitude, latitude]; the order matters for a geo_point
                # (confirm the merge behaviour on the Logstash version in use).
                add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
                add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
        }
	# add_field values are strings; convert them to float so the pair can be
	# indexed as coordinates.
	mutate {
		convert => [ "[geoip][coordinates]", "float"]
		}
}

output{
	elasticsearch{
		# NOTE(review): plain HTTP, no user/password. Acceptable only on an
		# isolated network; otherwise set ssl/cacert and user/password.
		hosts => ["10.0.0.82:9200"]
		# One index per day, named from the event's "type" field. If "type"
		# is missing the literal "%{type}-..." becomes the index name, and
		# because the name does not start with "logstash-" the output's
		# default template is unlikely to apply — [geoip][coordinates]
		# then needs its own geo_point mapping for Kibana's map. TODO confirm
		# the index template.
		index => "%{type}-%{+yyyy.MM.dd}"
	}
}

# Start Logstash in the foreground with this single pipeline file.
# "logstash -t -f <file>" (--config.test_and_exit) validates the syntax
# without starting the pipeline. The prompt shows root; a packaged install
# runs as the logstash service user, which must be able to read the
# database file referenced in the config — confirm.
[root@elkstack04 logstash]# logstash -f /etc/logstash/conf.d/ngx_redis_es.conf 



182.140.199.13

# Sample access-log records for exercising the pipeline. Each one is a single
# nginx JSON log line appended to the log the shipper tails; "ipaddr" is the
# field the geoip filter on this page looks up.
printf '%s\n' '{"@timestamp":"2022-09-08T15:29:21+08:00","host":"10.0.0.83","ipaddr":"182.140.199.13","login_user":"-","size":555,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"10.0.0.83","url":"/favicon.ico","domain":"10.0.0.83","xff":"-","referer":"http://10.0.0.83:8090/","status":"404"}' >> '/var/log/nginx/www.zls.com_access_json.log'

printf '%s\n' '{"@timestamp":"2022-09-08T15:40:00+08:00","host":"10.0.0.83","ipaddr":"1.50.83.255","login_user":"-","size":555,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"10.0.0.83","url":"/favicon.ico","domain":"10.0.0.83","xff":"-","referer":"http://10.0.0.83:8090/","status":"200"}' >> '/var/log/nginx/www.zls.com_access_json.log'

# NOTE(review): this record names the client field "clientip" and goes to a
# different log file; the geoip filter above reads "ipaddr", so this event
# would not be enriched unless another pipeline handles that log — confirm
# which field name is intended.
printf '%s\n' '{"@timestamp":"2022-09-08T20:48:00+08:00","host":"10.0.0.83","clientip":"1.50.83.255","size":0,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"10.0.0.83","url":"/index.html","domain":"10.0.0.83","xff":"-","referer":"-","status":"304"}' >> '/var/log/nginx/www.access.log'
