Reference docs: http://blog.51cto.com/ls40905250/1915280
https://blog.csdn.net/zsjwish/article/details/79792212
https://blog.csdn.net/yanggd1987/article/details/50469113
Install the geoip plugin for logstash so that logstash can obtain country and city information:
yum install GeoIP-data -y
Modify the original logstash configuration file:
    input {
      redis {
        host => "192.168.56.11"
        port => "6379"
        password => "123456"
        db => "3"
        data_type => "list"
        key => "system-log-5611"
      }
      redis {
        host => "192.168.56.11"
        port => "6379"
        password => "123456"
        db => "4"
        data_type => "list"
        key => "nginx-log"
      }
    }
    filter {
      if "nginx-log" in [tags] {
        json {
          source => "message"
        }
        if [user_ua] != "-" {
          useragent {
            target => "agent"    # put the parsed user-agent information into a separate "agent" field
            source => "user_ua"  # which field of the message to analyse
          }
        }
        if [user_ip] != "-" {
          geoip {
            source => "user_ip"
            target => "geoip"
            # database => "/usr/share/GeoIP/GeoIPCity.dat"
            add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
            add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
          }
          mutate {
            convert => [ "[geoip][coordinates]", "float" ]
          }
        }
      }
    }
    output {
      if "nginx-log" in [tags] {
        elasticsearch {
          hosts => ["192.168.56.11:9200"]
          index => "logstash-nginx-log-%{+YYYY.MM}"
        }
        stdout {
          codec => rubydebug
        }
      }
      if "system-log-5611" in [tags] {
        elasticsearch {
          hosts => ["192.168.56.11:9200"]
          index => "system-log-5611-%{+YYYY.MM}"
        }
      }
    }
PS: in the filter, if the log is an nginx log and user_ip is not empty, the geoip plugin is called.
The nginx index name must be prefixed with logstash, otherwise Kibana will not recognise it.
The information obtained from the IP is as follows:
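The enrichment above, as an added offline model (not code from the original post): constructed nginx JSON log lines are pushed through the same decisions the filter block makes, with a made-up lookup table standing in for the GeoIP database. It shows what the resulting documents look like and the one case the "-" check does not cover, a private address the database cannot resolve.

```python
import json

# Constructed stand-in for the GeoIP city database (documentation-range IPs,
# made-up coordinates); the real filter reads the MaxMind database instead.
FAKE_GEOIP = {
    "203.0.113.7": ("Example Country", "Example City", 118.7778, 32.0617),
    "198.51.100.23": ("Another Country", "Another City", -122.0574, 37.4192),
}

def geoip_lookup(ip):
    """Mimic the geoip filter: return the geoip hash, or None on a miss."""
    hit = FAKE_GEOIP.get(ip)
    if hit is None:
        return None
    country, city, lon, lat = hit
    return {"ip": ip, "country_name": country, "city_name": city,
            "longitude": lon, "latitude": lat}

def enrich(line, tags=("nginx-log",)):
    """Apply the same decisions as the Logstash filter block: parse the JSON
    message, skip "-" placeholders, build [geoip][coordinates] as
    [longitude, latitude] floats (the order a geo_point array expects)."""
    event = {"message": line, "tags": list(tags)}
    if "nginx-log" not in event["tags"]:
        return event
    event.update(json.loads(event["message"]))      # json { source => "message" }
    if event.get("user_ua", "-") != "-":
        event["agent"] = {"raw": event["user_ua"]}   # stand-in for useragent target => "agent"
    if event.get("user_ip", "-") != "-":
        geo = geoip_lookup(event["user_ip"])
        if geo is None:
            # Private/unknown addresses pass the "-" check but miss in the DB; tag them like the geoip filter does.
            event["tags"].append("_geoip_lookup_failure")
        else:
            geo["coordinates"] = [float(geo["longitude"]), float(geo["latitude"])]
            event["geoip"] = geo
    return event

# Constructed nginx access-log lines in the JSON shape the pipeline expects.
SAMPLE_LINES = [
    '{"user_ip":"203.0.113.7","user_ua":"curl/7.61.0","status":200,"url":"/"}',
    '{"user_ip":"-","user_ua":"-","status":499,"url":"/health"}',
    '{"user_ip":"10.0.0.5","user_ua":"Mozilla/5.0","status":403,"url":"/admin"}',
]

def run(lines=SAMPLE_LINES):
    return [enrich(line) for line in lines]

if __name__ == "__main__":
    print(json.dumps(run(), indent=2, ensure_ascii=False))
```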

The built-in map is an English map. To switch to a Chinese map, edit the configuration file /etc/kibana/kibana.yml and append the following at the end:
tilemap.url: 'http://webrd02.is.autonavi.com/appmaptile?lang=zh_cn&size=1&scale=1&style=7&x={x}&y={y}&z={z}'
tilemap.options.minZoom: "1"
tilemap.options.maxZoom: "10"
Restart kibana, then configure it in the web interface.

Final result (screenshot):