环境:mongodb 3.2.17 logstash 6
MongoDB 日志示例(文件路径为 /root/mongodb.log;以下示例在排版时被折行,实际日志中每条记录占一行):
2018-03-06T03:11:51.338+0800 I COMMAND [conn1978967] command top_fba.$cmd command: createIndexes { createIndexes: "top_amazon_fba_inventory_data_2018-03-06", indexes: [ { key: { sellerId: 1, sku: 1, updateTime: 1 }, name: "sellerId_1_sku_1_updateTime_1" } ] } keyUpdates:0 writeConflicts:0 numYields:0 reslen:113 locks:{ Global: { acquireCount: { r: 3, w: 3 } }, Database: { acquir eCount: { w: 2, W: 1 } }, Collection: { acquireCount: { w: 1 } }, Metadata: { acquireCount: { w: 2 } }, oplog: { acquireCount: { w: 2 } } } protocol:op_query 5751ms 2018-03-07T10:06:09.834+0800 I COMMAND [conn2020085] command top.top_order_list command: aggregate { aggregate: "top_order_list", pipeline: [ { $match: { stock_id: { $ne: 75 }, date_day: { $ gte: "2018-01-01", $lt: "2018-02-01" } } }, { $group: { _id: 1, order_id: { $addToSet: "$order_id" } } }, { $project: { _id: 1, order_id: { $size: "$order_id" } } } ] } keyUpdates:0 writeConf licts:0 numYields:13924 reslen:103 locks:{ Global: { acquireCount: { r: 27942 } }, Database: { acquireCount: { r: 13971 } }, Collection: { acquireCount: { r: 13971 } } } protocol:op_query 118 899ms 2018-03-07T10:09:03.590+0800 I COMMAND [conn6175621] getmore top.top_product_flat query: { catagory_id: { $in: [ 176, 170, 3447, 3448, 3449, 3450, 3451, 3452, 3453, 3454, 3455, 3456, 3457, 3 458, 3459, 3460, 3461, 3462, 3463, 3464, 3783, 183, 3465, 3466, 3467, 3468, 3469, 3470, 3471, 3472, 3473, 3474, 3475, 3476, 3477, 184, 3446, 3479, 3480, 3481, 3482, 3483, 3484, 3485, 3486, 34 87, 3488, 3489, 8186, 8187, 283, 3490, 3491, 3492, 3493, 3494, 3495, 3496, 3497, 3498, 3499, 3500, 3501, 3502, 3503, 3504, 284, 3505, 3506, 3507, 3509, 3510, 3511, 285, 3523, 3524, 3525, 3526 , 3527, 3528, 286, 3512, 3513, 3514, 3515, 3516, 3522, 3569, 287, 3517, 3518, 8642, 288, 289, 3784, 3785, 3794 ] } } cursorid:590981628130 ntoreturn:0 cursorExhausted:1 keyUpdates:0 writeConf licts:0 numYields:533 nreturned:68330 reslen:2839556 locks:{ Global: { acquireCount: { r: 1068 }, 
acquireWaitCount: { r: 202 }, timeAcquiringMicros: { r: 130039 } }, Database: { acquireCount: { r: 534 } }, Collection: { acquireCount: { r: 534 } } } 530ms 2018-03-07T10:09:03.639+0800 I COMMAND [conn6184021] query top.top_purchase_product_price_nagotiation query: { $query: { nagotiation_date: { $gt: "2018-01-26 14:32:21", $lt: "2018-02-25 14:3 2:21" }, product_id: 1239714 }, $orderby: { nagotiation_date: 1 } } planSummary: COLLSCAN ntoreturn:0 ntoskip:0 keysExamined:0 docsExamined:242611 hasSortStage:1 cursorExhausted:1 keyUpdates: 0 writeConflicts:0 numYields:1895 nreturned:0 reslen:20 locks:{ Global: { acquireCount: { r: 3792 }, acquireWaitCount: { r: 85 }, timeAcquiringMicros: { r: 94774 } }, Database: { acquireCount : { r: 1896 } }, Collection: { acquireCount: { r: 1896 } } } 221ms 2018-03-07T10:22:01.340+0800 I ACCESS [conn2020395] Unauthorized: not authorized on admin to execute command { replSetGetStatus: 1.0, forShell: 1.0 } 2018-03-07T10:22:01.344+0800 I NETWORK [conn2020395] end connection 192.168.1.100:52188 (268 connections now open) 2018-03-07T10:19:45.897+0800 I NETWORK [initandlisten] connection accepted from 192.168.1.100:51817 #2020374 (268 connections now open)
logstash 配置文件 /root/logstash_mongodb.conf:
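# Logstash pipeline: read a MongoDB text log, split each line into
# timestamp / severity / component / context / body, pull the duration out of
# slow-operation lines, and index the result into Elasticsearch.
#
# Fields produced: severity, MONGO_ACTION (log component), SOCK_ACTION
# (bracketed context such as connNNN or initandlisten), body, and for lines
# ending in "<n>ms": command_action, dbname, collname, command_content,
# time_spend.

input {
  file {
    # NOTE(review): a path under /root is normally readable only by root, which
    # implies Logstash runs as root here. Prefer pointing at mongod's real log
    # file and running Logstash as an unprivileged user that has read access.
    path => "/root/mongodb.log"
    type => "mongodblog"
    start_position => "beginning"
  }
}

filter {
  if [type] == "mongodblog" {
    grok {
      # Line layout: <timestamp> <severity> <component> [<context>] <message>.
      # The severity letter is captured instead of hard-coding "I", so warning
      # and error lines (W/E/F) are parsed too rather than failing the match.
      # NOTSPACE for the component and [^\]]+ for the context also accept values
      # that are not plain \w+ words (e.g. a "-" component or a hyphenated
      # thread name).
      match => ["message", "%{TIMESTAMP_ISO8601:timestamp}\s+%{WORD:severity}\s+%{NOTSPACE:MONGO_ACTION}\s+\[(?<SOCK_ACTION>[^\]]+)\]\s+%{GREEDYDATA:body}"]
      # Applied only when the match succeeds; the raw line is then redundant.
      remove_field => [ "message" ]
    }

    # Operation lines end with the elapsed time, e.g. "... protocol:op_query 5751ms".
    # ACCESS and NETWORK lines do not, and keep their text in `body` only.
    if [body] =~ "ms$" {
      grok {
        # "\.\$?" covers both "db.collection" and "db.$cmd" namespaces.
        # time_spend is stored as a string; appending ":int" to the capture
        # would make it numeric, but that changes the index mapping.
        match => ["body", "%{WORD:command_action}\s+%{WORD:dbname}\.\$?%{WORD:collname}\s+%{GREEDYDATA:command_content}\s+%{NUMBER:time_spend}ms"]
      }
    }

    date {
      # The sample lines use ISO8601 with a numeric offset; the other two
      # formats are tried first and simply do not match.
      match => [ "timestamp", "UNIX", "YYYY-MM-dd HH:mm:ss", "ISO8601" ]
      remove_field => [ "timestamp" ]
    }

    # `message` is deliberately NOT removed unconditionally here. Lines that
    # fail the first grok (tagged _grokparsefailure) would otherwise be indexed
    # with no content at all, hiding exactly the entries that need a manual look.
  }
}

output {
  elasticsearch {
    # NOTE(review): events go over plain HTTP with no credentials. They carry
    # full query text, client addresses and authorization failures. If the
    # cluster has security enabled, set this plugin's `user`, `password`, `ssl`
    # and `cacert` options (values are deployment-specific) and restrict who can
    # read the mongodb-* indices.
    hosts => ["192.168.220.100:9200"]
    index => "mongodb-%{+YYYY.MM.dd}"
  }
}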
最后执行 logstash -f /root/logstash_mongodb.conf 即可(可先用 logstash -f /root/logstash_mongodb.conf --config.test_and_exit 检查配置语法)。