Map User Location With Geoip And ELK Through Nginx Access Log

ELK Server Environment

# ELK host inventory; command output is shown inline under each command.
# OS release of the ELK server.
$ cat /etc/issue
Ubuntu 14.04.4 LTS
# Address the server listens on (Filebeat on the client host ships to it).
$ ifconfig eth0 | grep inet
inet addr:192.168.0.110
# Number of CPU cores.
$ cat /proc/cpuinfo | grep processor
processor : 0
processor : 1
processor : 2
processor : 3
# Installed RAM.
$ cat /proc/meminfo | grep MemTotal
MemTotal: 8125540 kB

Filebeat Client Server Environment

# Filebeat client host inventory; output is shown inline under each command.
# OS release of the client.
$ cat /etc/issue
Ubuntu 14.04.5 LTS
# Address of the client that will send the nginx access log to the ELK server.
$ ifconfig eth0 | grep inet
inet addr:192.168.0.120

Dependent Software Versions

Elasticsearch 2.2.1
Logstash 2.2.1
Kibana 4.4.1
Filebeat 1.3.1
Java 1.8
# Create the pipeline definition that Logstash loads from conf.d; its contents follow.
$ vim /etc/logstash/conf.d/10-filebeat-input.conf
# Pipeline: Filebeat -> grok / mutate / geoip / date / useragent / urldecode -> Elasticsearch.
input {
# Beats listener on TCP 5044. No `host` is given, so it binds on every interface, and no
# `ssl` settings are present, so Filebeat (192.168.0.120 in this setup) ships the access
# log in clear text and any host that can reach port 5044 can submit events into the index.
# For a listener exposed on the network set `host`, enable `ssl => true` with
# `ssl_certificate` / `ssl_key`, and use `ssl_certificate_authorities` + `ssl_verify_mode`
# if Filebeat should authenticate with a client certificate (with matching TLS settings on
# the Filebeat side).
beats {
port => 5044
}
}
filter {
# Parse the nginx combined-format line; whatever follows it is captured as `extra_fields`.
# Lines that do not match keep their raw `message` and get the default `_grokparsefailure`
# tag; nothing below checks that tag, so unparsed events still reach Elasticsearch.
# NOTE(review): the `+` after %{COMBINEDAPACHELOG} reads as a regex quantifier on the whole
# pattern -- confirm it is intended rather than carried over from elsewhere.
grok {
match => [ "message" , "%{COMBINEDAPACHELOG}+%{GREEDYDATA:extra_fields}"]
overwrite => [ "message" ]
}
# Field clean-up. COMBINEDAPACHELOG stores the agent string in `agent` (which the useragent
# filter below reads), so the gsub on `user_agent` presumably targets a field that is not
# present -- TODO confirm which field carries the quoted agent string.
# The converts on body_bytes_sent / bytes_sent / upstream_* / request_time / responsetime /
# port only take effect when those fields exist on the event; mutate skips convert on a
# missing field.
mutate {
gsub => ["user_agent","[\"]",""]
convert => [ "response", "integer"]
convert => [ "bytes", "integer"]
convert => [ "body_bytes_sent","integer" ]
convert => [ "bytes_sent","integer" ]
convert => [ "upstream_response_time","float" ]
convert => [ "upstream_status","integer" ]
convert => [ "request_time","float" ]
convert => [ "responsetime", "float"]
convert => [ "port","integer" ]
}
# Enrich from the client address using the legacy GeoLiteCity.dat under /etc/logstash/geoip.
# The post does not show how that file is obtained; fetch it from the vendor over HTTPS and
# keep it updated. The flat latitude/longitude are dropped; presumably `[geoip][location]`
# is kept for a geo_point mapping in the template referenced in the output -- TODO confirm.
geoip {
source => "clientip"
target => "geoip"
database => "/etc/logstash/geoip/GeoLiteCity.dat"
add_tag => [ "nginx-geoip" ]
remove_field => ["[geoip][latitude]", "[geoip][longitude]"]
}
# Set @timestamp from the access-log time; the text copy is removed only once parsing succeeds.
date {
match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
remove_field => [ "timestamp" ]
}
# Expand the raw agent string into browser / OS fields.
useragent {
source => "agent"
}
# Percent-decode every field, including `request` and `message`. The decoded values are
# client-supplied text; treat them as data only and never reuse them in commands or queries.
urldecode {
all_fields => true
}
}

output {
# Elasticsearch on loopback. The request carries no credentials, so keep 9200 bound to
# localhost. Events go to a monthly index; the template is (re)applied on every pipeline
# start because template_overwrite is set.
elasticsearch {
hosts => ["http://127.0.0.1:9200"]
index => "helloup-%{+YYYY.MM}"
document_type => "helloup-access"
template_overwrite => true
template => "/etc/logstash/template/home-nginx-access.json"
}
}
# Directory the geoip filter reads GeoLiteCity.dat from. The post does not show the
# download step; obtain the database from the vendor over HTTPS before starting Logstash.
$ cd /etc/logstash/geoip

Check the Logstash config

# -t parses the config and exits without starting the pipeline; run it before (re)starting Logstash.
$ /opt/logstash/bin/logstash -t -f /etc/logstash/conf.d/10-filebeat-input.conf

Thank you for reading.
This post is copyrighted by Liyuliang’s Blog.
If reproduced, please indicate the source: Liyuliang’s Blog
This blog is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

