I tried out some filter settings in the config file /etc/logstash/conf.d/nginx-access_log.conf.
Pattern 1
Configuration
filter {
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
}
Output from Logstash
{ "message":"127.0.0.1 - - [02/Jul/2016:08:57:36 +0000] \"GET / HTTP/1.0\" 200 612 \"-\" \"ApacheBench/2.3\" \"-\"", "@version":"1", "@timestamp":"2016-07-20T08:57:37.213Z", "path":"/var/log/nginx/access.log", "host":"e0b8c7a1e2cb", "clientip":"127.0.0.1", "ident":"-", "auth":"-", "timestamp":"02/Jul/2016:08:57:36 +0000", "verb":"GET", "request":"/", "httpversion":"1.0", "response":"200", "bytes":"612", "referrer":"\"-\"", "agent":"\"ApacheBench/2.3\"" }
Pattern 2
Configuration
filter {
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
    overwrite => [ "message" ]
  }
  date {
    match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
    remove_field => [ "timestamp" ]
  }
}
Output from Logstash
{ "message":"127.0.0.1 - - [02/Jul/2016:09:08:45 +0000] \"GET / HTTP/1.0\" 200 612 \"-\" \"ApacheBench/2.3\" \"-\"", "@version":"1", "@timestamp":"2016-07-02T09:08:45.000Z", "path":"/var/log/nginx/access.log", "host":"e0b8c7a1e2cb", "clientip":"127.0.0.1", "ident":"-","auth":"-", "verb":"GET", "request":"/", "httpversion":"1.0", "response":"200", "bytes":"612", "referrer":"\"-\"", "agent":"\"ApacheBench/2.3\"" }
The timestamp field is gone.
I don't really understand what effect overwrite has on the message field...
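To make the two outputs above reproducible offline, here is an added example (not part of the original post, and not Logstash's own code) that mimics the three behaviours the post exercises: the field extraction done by COMBINEDAPACHELOG, the date filter rewriting @timestamp from ingest time to request time, and the grok overwrite rule. The regex is a hand-translation of the grok pattern (an assumption, not the library's definition), the sample log line is constructed to match the post, and the "nginx: " prefixed pattern at the end is hypothetical, added only to show a case where a capture actually lands on the existing message field.

```python
import re
from datetime import datetime, timezone

# Hand-translated Python equivalent of the COMBINEDAPACHELOG grok pattern
# (assumption: written here, not taken from the Logstash pattern library).
# Group names mirror the grok field names; QS keeps its surrounding quotes,
# which is why referrer/agent appear as "\"-\"" in the post's output.
COMBINEDAPACHELOG = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?:(?P<verb>\S+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?|(?P<rawrequest>[^"]*))" '
    r'(?P<response>\d+) (?:(?P<bytes>\d+)|-) (?P<referrer>"[^"]*") (?P<agent>"[^"]*")'
)


def grok(event, pattern, overwrite=()):
    """Mimic the grok filter's merge rule: a capture into a field that already
    exists is appended (the field becomes a list) unless that field is listed
    in `overwrite`, in which case the capture replaces the old value."""
    m = pattern.search(event["message"])
    if not m:
        event.setdefault("tags", []).append("_grokparsefailure")
        return event
    for name, value in m.groupdict().items():
        if value is None:          # unmatched alternative, e.g. rawrequest
            continue
        if name in event and name not in overwrite:
            old = event[name]
            event[name] = (old if isinstance(old, list) else [old]) + [value]
        else:
            event[name] = value
    return event


def date_filter(event, field="timestamp", remove=True):
    """Mimic `date { match => [field, "dd/MMM/YYYY:HH:mm:ss Z"] }`:
    parse the request time and write it to @timestamp in UTC, then drop
    the source field as remove_field does."""
    ts = datetime.strptime(event[field], "%d/%b/%Y:%H:%M:%S %z")
    utc = ts.astimezone(timezone.utc)
    event["@timestamp"] = utc.strftime("%Y-%m-%dT%H:%M:%S.") + f"{utc.microsecond // 1000:03d}Z"
    if remove:
        del event[field]
    return event


# Constructed sample line, same shape as the one in the post.
SAMPLE = '127.0.0.1 - - [02/Jul/2016:09:08:45 +0000] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3" "-"'
INGEST_TIME = "2016-07-20T08:57:37.213Z"  # constructed: when Logstash read the line


def pattern1(line=SAMPLE):
    """Pattern 1: grok only; @timestamp stays at ingest time, timestamp field remains."""
    return grok({"message": line, "@timestamp": INGEST_TIME}, COMBINEDAPACHELOG)


def pattern2(line=SAMPLE):
    """Pattern 2: grok with overwrite, then the date filter."""
    event = {"message": line, "@timestamp": INGEST_TIME}
    grok(event, COMBINEDAPACHELOG, overwrite=["message"])
    return date_filter(event)


# Hypothetical pattern that DOES capture into "message" (stripping a prefix),
# to show the one situation where overwrite => ["message"] changes the result.
PREFIXED = re.compile(r'^nginx: (?P<message>.*)$')


def overwrite_demo(line="nginx: " + SAMPLE):
    """Return (message without overwrite, message with overwrite)."""
    without = grok({"message": line}, PREFIXED)
    with_ow = grok({"message": line}, PREFIXED, overwrite=["message"])
    return without["message"], with_ow["message"]


if __name__ == "__main__":
    import json
    print(json.dumps(pattern1(), indent=1))
    print(json.dumps(pattern2(), indent=1))
    print(overwrite_demo())
```

Running it shows why pattern 2's output looks the way it does: @timestamp becomes 2016-07-02T09:08:45.000Z (the request time from the log line, converted to UTC) instead of the July 20 ingest time, and the timestamp field is removed. It also shows that overwrite => ["message"] is a no-op for COMBINEDAPACHELOG, because that pattern never captures into message; the option only matters when a pattern writes to a field that already exists, as the prefixed demo illustrates (without overwrite the field becomes a two-element list, with overwrite it is replaced).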