# Read the nginx access logs of both sites.
input {
  file {
    path => [
      "/var/log/nginx/example.com_access.log",
      "/var/log/nginx/example.org_access.log"
    ]
  }
}
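# Parse nginx access-log lines into fields, classify the browser and
# normalise the request timestamp.
filter {
  # Main line parser. Captures: client (IP), reqtimestamp, request (path),
  # response (status), useragent and geocf. Every other column is matched
  # but not captured.
  grok {
    match => [ "message", '%{IP:client} - \S+ \[%{HTTPDATE:reqtimestamp}\] "(?:\S+ %{NOTSPACE:request} HTTP/\S+)" %{NUMBER:response} \S+ "\S+" "%{DATA:useragent}" ".*" ".*" "\S+/%{DATA:geocf}" "\S+" "\S+" "\S+" "\S*"$' ]
  }

  # Tracking-pixel requests carry partner/cha/said in the query string.
  # The dot is escaped so that only a literal "px.png" matches.
  if [request] =~ /px\.png/ {
    grok {
      match => [ "request", '/img/px\.png\?s=%{DATA:partner}&cha=%{NUMBER:cha}&sa=%{DATA:said}&' ]
    }
  }

  # Coarse browser label. The User-Agent header is supplied by the client,
  # so ua_parsed is a reporting convenience and not a trustworthy signal.
  # Order matters: Chrome user agents also contain "Safari", so Chrome is
  # tested first.
  if [useragent] =~ /Chrome/ {
    mutate {
      add_field => { "ua_parsed" => "Chrome" }
    }
  } else if [useragent] =~ /Safari/ {
    mutate {
      add_field => { "ua_parsed" => "Safari" }
    }
  } else if [useragent] =~ /Firefox/ {
    mutate {
      add_field => { "ua_parsed" => "Firefox" }
    }
  } else if [useragent] =~ /Opera/ {
    mutate {
      add_field => { "ua_parsed" => "Opera" }
    }
  } else if [useragent] =~ /Trident.*rv:11\.0/ {
    # Dot escaped so that only a literal "rv:11.0" matches.
    mutate {
      add_field => { "ua_parsed" => "IE_11" }
    }
  } else if [useragent] =~ /MSIE/ {
    grok {
      match => ["useragent", "MSIE %{NUMBER:ieversion}.*" ]
    }
    # NOTE(review): if the grok above does not match (an "MSIE" token with
    # no version number), ieversion is unset and the label below keeps the
    # unresolved reference instead of a version.
    mutate {
      add_field => { "ua_parsed" => "IE_%{ieversion}" }
      #remove_field => [ "ieversion" ]
    }
  } else {
    mutate {
      add_field => { "ua_parsed" => "other" }
    }
  }

  # NOTE(review): http_host is hard-coded, so events read from the
  # example.org log are labelled "example.com" as well. Confirm that this
  # is intended.
  mutate {
    remove_field => [ "answersize", "httpversion", "cachehit", "referer", "verb", "nginxgeoip", "cfgeoip" ]
    add_field => { "http_host" => "example.com" }
    add_tag => [ "cdn_nginx_request" ]
  }

  # Drop the raw line only when every grok matched. A line that failed to
  # parse keeps its original text, so malformed or unexpected requests can
  # still be inspected later instead of being reduced to a bare failure tag.
  if "_grokparsefailure" not in [tags] {
    mutate {
      remove_field => [ "message" ]
    }
  }

  # Parse the nginx timestamp into newtimestamp; @timestamp is left as is.
  date {
    match => [ "reqtimestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    target => "newtimestamp"
    locale => "en"
  }
}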
# Ship parsed events to Elasticsearch in batches.
output {
  # NOTE(review): events (client IPs, user agents, request paths) leave this
  # host over plain HTTP, and no credentials are set in this block. Unless the
  # link is protected by other means, enable TLS and authentication on the
  # Elasticsearch endpoint and in this output.
  elasticsearch {
    protocol   => "http"
    host       => "es.example.com"
    port       => 9222
    flush_size => 1000
    workers    => 4
  }
}