input {
file {
type => "zj_frontend_access"
path => ["/data01/applog_backup/zjzc_log/zj-frontend0*access*"]
}
file {
type => "wj_frontend_access"
path => ["/data01/applog_backup/winfae_log/wj-frontend0*access*"]
}
}
filter {
grok {
match =>[
"message","%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request}\?.* HTTP/%{NUMBER:httpversion}\" \- %{NUMBER:http_status_code} %{NUMBER:bytes} \"(?<http_referer>\S+)\" \"(?<http_user_agent>(\S+\s+)*\S+)\" (%{BASE16FLOAT:request_time}) (%{IPORHOST:http_x_forwarded_for}|-)",
"message" , "%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\" \- %{NUMBER:http_status_code} %{NUMBER:bytes} \"(?<http_referer>\S+)\" \"(?<http_user_agent>(\S+\s+)*\S+)\" (%{BASE16FLOAT:request_time}) (%{IPORHOST:http_x_forwarded_for}|-)"
]
}
geoip {
source => "http_x_forwarded_for"
target => "geoip"
database => "/usr/local/logstash-2.3.4/etc/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float"]
convert => [ "request_time", "float"]
add_field =>["response_time","%{request_time}"]
convert => [ "response_time", "float"]
remove_field =>["request_time"]
add_field => [ "[@metadata][zabbix_key]" , "logstash-api-access" ]
add_field => [ "[@metadata][zabbix_host]" , "dr-mysql01" ]
}
date {
match => ["time", "dd/MMM/yyyy:HH:mm:ss Z"]
}
}
output {
if [response_time] >= 5 {
zabbix {
zabbix_host => "[@metadata][zabbix_host]"
zabbix_key => "[@metadata][zabbix_key]"
zabbix_server_host => "192.168.32.55"
zabbix_server_port => "10051"
zabbix_value => "message"
}
}
if [type] == "zj_frontend_access" {
redis {
host => "192.168.32.67"
data_type => "list"
key => "zj_frontend_access:redis"
port=>"6379"
password => "1234567"
}
}
else if [type] == "wj_frontend_access"{
redis {
host => "192.168.32.67"
data_type => "list"
key => "wj_frontend_access:redis"
port=>"6379"
password => "1234567"
}
}
}
