今天重新调整了下配置文件,之前的apache_errorlog未匹配到clientip。

1.首先修改shipper.conf

input {
    file {
      type => "apache-accesslog" 
      path => "/var/log/httpd/access_log"
    }
    file {
      type => "apache-errorlog"
      path => "/var/log/httpd/error_log" 
    }
} 
 

filter {
  if [type] == "apache-accesslog" {
    grok {
      type => "apache-accesslog"
      pattern => "%{COMBINEDAPACHELOG}"  
      patterns_dir => "/opt/logstash/patterns"
    }
  }
  else if [type] == "apache-errorlog" {
    grok {
      type => "apache-errorlog"
      match => { "message" => "%{APACHEERRORLOG}" }
      patterns_dir => [ "/opt/logstash/lib/logstash/grok" ]
      #pattern => "%{LOGLEVEL}"
      #patterns_dir => "/usr/local/src/logstash-1.4.2/patterns"
    }
  }
}

output {
      redis {
      host => '192.168.1.101'
      data_type => 'list'
      key => 'logstash'
      }
}

apache-errorlog匹配的patterns写入一个文件中,也可以直接在后面写。我这里写入文件中,文件内容如下:

HTTPERRORDATE %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}
APACHEERRORLOG \[%{HTTPERRORDATE:timestamp}\] \[%{WORD:severity}\] \[client %{IPORHOST:clientip}\] %{GREEDYDATA:message_remainder}

2.下面是indexer.conf

input {
    redis {
    host => "localhost"
    data_type =>"list"
    port => "6379"
    key => "logstash"
    type => "apache-(access|error)log"
    codec => "json"
    }
}
 
output {
  elasticsearch {
  host => "localhost"
  }
}

3.重启服务

# /bin/logstash -f conf/shipper.conf &
# /bin/logstash -f conf/indexer.conf &

4.查看图形,访问日志跟错误日志都能显示客户端IP

wKioL1QSrfzjEDinAAD2cMjP8u8295.jpg