elasticsearch,Logstash,Kibana,Aws Load Balancer" />
elasticsearch,logstash,kibana,aws-load-balancer,Amazon Web Services,Amazon web services ELK Stack-AWS LoadBalancer访问日志用户代理
我最近集成了ELK堆栈,该堆栈具有来自存储在S3中的AWS ELB(类型:应用程序)访问日志的输入数据。我的目标是对用户代理进行可视化。 但我有一个小问题;用户代理(userAgent)不包含有效值;它只包含“-” 有什么想法/可能的解决方法吗?谢谢 我有下面的日志存储配置Amazon web services ELK Stack-AWS LoadBalancer访问日志用户代理,amazon-web-services,
elasticsearch,logstash,kibana,aws-load-balancer,Amazon Web Services,
input {
s3 {
bucket => "xxxxxxxx-elb-logs"
prefix => "AWSLogs/xxxxxxxxxxxx/elasticloadbalancing/xx-west-x"
region => "xx-west-x"
type => "elblogs"
codec => plain
}
}
filter {
if [type] == "elblogs" {
grok {
match => ["message", "%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:elb_name} %{IP:elb_client_ip}:%{INT:elb_client_port:int} (?:%{IP:elb_backend_ip}:%{NUMBER:elb_backend_port:int}|-) %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} (?:%{INT:elb_status_code:int}|-) (?:%{INT:backend_status_code:int}|-) %{INT:elb_received_bytes:int} %{INT:elb_sent_bytes:int} \"(?:%{GREEDYDATA:elb_request}|-)\" \"(?:%{GREEDYDATA:userAgent}|-)\" %{NOTSPACE:elb_sslcipher} %{NOTSPACE:elb_sslprotocol}"]
match => ["message", "%{GREEDYDATA:event_name} for ELB: %{NOTSPACE:elb_name} at %{TIMESTAMP_ISO8601:timestamp}"]
}
if [elb_request] =~ /.+/ {
grok {
match => ["elb_request", "(?:%{WORD:http_method}) (?:%{DATA:http_path})? (?:% {DATA:http_type}/%{NUMBER:http_version:float})?|%{GREEDYDATA:rawrequest}"]
}
}
if [http_path] =~ /.+/ {
grok {
match => ["http_path", "(?:%{WORD:http_path_protocol}://)?(% . {NOTSPACE:http_path_site}:)?(?:%{NUMBER:http_path_port:int})?(?:%{GREEDYDATA:http_path_url})?"]
}
}
geoip {
source => "elb_client_ip"
}
}
date {
match => [ "timestamp", "ISO8601" ]
}
}
output {
stdout { codec => rubydebug }
elasticsearch {
hosts => ["xxx.xxx.xxx.xxx:9200"]
index => "logstash-xx-xxx-xxx-index"
}
}
通过增强grok过滤器解决。