AKAI TSUKI

System development or Technical something

Configuration Logstash(filter:grok) 2

Logstash

設定ファイルの/etc/logstash/conf.d/nginx-access_log.confにて filter設定を試してみました。

pattern 1

設定内容

filter {
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
}

Logstashで出力された内容

{
    "message":"127.0.0.1 - - [02/Jul/2016:08:57:36 +0000] \"GET / HTTP/1.0\" 200 612 \"-\" \"ApacheBench/2.3\" \"-\"",
    "@version":"1",
    "@timestamp":"2016-07-20T08:57:37.213Z",
    "path":"/var/log/nginx/access.log",
    "host":"e0b8c7a1e2cb",
    "clientip":"127.0.0.1",
    "ident":"-",
    "auth":"-",
    "timestamp":"02/Jul/2016:08:57:36 +0000",
    "verb":"GET",
    "request":"/",
    "httpversion":"1.0",
    "response":"200",
    "bytes":"612",
    "referrer":"\"-\"",
    "agent":"\"ApacheBench/2.3\""
}

pattern 2

設定内容

filter {
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
    overwrite => [ "message" ]
  }

  date {
    match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
    remove_field => [ "timestamp" ]
  }
}

Logstashで出力された内容

{
    "message":"127.0.0.1 - - [02/Jul/2016:09:08:45 +0000] \"GET / HTTP/1.0\" 200 612 \"-\" \"ApacheBench/2.3\" \"-\"",
    "@version":"1",
    "@timestamp":"2016-07-02T09:08:45.000Z",
    "path":"/var/log/nginx/access.log",
    "host":"e0b8c7a1e2cb",
    "clientip":"127.0.0.1",
    "ident":"-","auth":"-",
    "verb":"GET",
    "request":"/",
    "httpversion":"1.0",
    "response":"200",
    "bytes":"612",
    "referrer":"\"-\"",
    "agent":"\"ApacheBench/2.3\""
}

timestampフィールドがなくなっていますね。
messageフィールドに対するoverwriteの影響はよくわからない。。。