Logstash
Apache
# Logstash pipeline: read an Apache access log, parse it with grok, enrich
# with GeoIP and ship the events to Elasticsearch.
input{
# file { "path" => "/data/teufelsmuehle/access_log" # "/data/apache2/other_vhosts_access_all.log"
file { "path" => "/root/apfelreich_access.log" # "/data/apache2/other_vhosts_access_all.log"
"tags" => "apfelreich"
# start_position => beginning together with sincedb_path => /dev/null: no
# read position is persisted, so the whole file is re-read on every restart
# (events are ingested again). Suitable for a one-off import, not for a
# continuously running instance.
"start_position" => "beginning"
"sincedb_path" => "/dev/null"
}
#stdin {}
}
filter{
# Parse the raw line into the standard Apache fields (clientip, timestamp,
# request, response, bytes, referrer, agent, ...).
grok {
match => [ "message", "%{COMBINEDAPACHELOG}" ]
# Sample line from the log:
# www.apfelreich.net:80 127.0.0.1 - - [31/May/2015:06:27:28 +0200] "GET /index.html HTTP/1.1" 200 454 "-" "monit/5.4"
# NOTE(review): the sample starts with a "vhost:port" prefix, which
# COMBINEDAPACHELOG does not expect; confirm the pattern actually matches
# these lines, otherwise every event is tagged _grokparsefailure and the
# filters below operate on missing fields.
}
# The two gsub steps below turn "?" and "&" in the referrer into spaces so
# that the kv filter further down splits on them (kv splits on whitespace
# by default).
mutate {
gsub => [
# remove ? from referrer
"referrer", "\?", " "]
}
mutate {
gsub => [
# remove & from referrer
"referrer", "\&", " "]
}
# key-value-match in referrer: every "key=value" pair in the referrer URL
# becomes a top-level event field.
# NOTE(review): the referrer is client-controlled, so the *field names*
# created here are chosen by the remote client. Unbounded distinct keys
# grow the Elasticsearch mapping without limit; consider restricting the
# extracted keys (e.g. kv's include_keys option) or writing them under a
# dedicated target field.
kv{ source => "referrer"}
# Use the log line's own timestamp as the event time (@timestamp) instead
# of the time Logstash read the line.
date { locale => "en" match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] }
# grok yields strings; store the response size as a number.
mutate {
convert => { "bytes" => "integer" }
}
# GeoIP lookup on the client address from the log.
# NOTE(review): if the web server sits behind a proxy/load balancer,
# clientip is the proxy's address and the lookup is meaningless — confirm
# for this deployment.
geoip{
source => "clientip"
}
# The next three mutate blocks build a [longitude, latitude] float array in
# 'coords' for Elasticsearch. Each is guarded with tags => [ "geoip" ];
# presumably the legacy per-filter tags condition (apply only to events
# carrying that tag) — verify it is honoured by the Logstash version in use,
# otherwise the blocks run on every event, including ones without geoip data.
mutate {
tags => [ "geoip" ]
# 'coords' will be kept, 'tmplat' is temporary.
# Both of these new fields are strings.
add_field => [ "coords", "%{geoip.longitude}",
"tmplat", "%{geoip.latitude}" ]
}
mutate {
tags => [ "geoip" ]
# Merge 'tmplat' into 'coords'
merge => [ "coords", "tmplat" ]
}
mutate {
tags => [ "geoip" ]
# Convert our new array of strings back to float
convert => [ "coords", "float" ]
# Delete our temporary latitude field
remove => [ "tmplat" ]
}
}
output{
# Debug output: print each event to the console instead of/next to ES.
#stdout { codec => rubydebug }
# No credentials or transport-security options are set on this output;
# NOTE(review): this assumes "labor05" is reachable only on a trusted
# network — confirm.
elasticsearch { host => "labor05" }
}