Issue with logstash configuration

Hi All

New to the ELK Stack, I am wanting to use it to parse my nginx access logs.

Having two issues: removing the client IP field breaks geoip,
and overwriting the message doesn't work; it just gives the full message.

My config is below; can anyone see where I'm going wrong?

filter {
  grok {
    # Captures only "method" and "request" from the line.
    match => { "message" => "%{WORD:method} %{URIPATHPARAM:request}" }
    overwrite => [ "message" ]
  }
  mutate {
    convert => ["response", "integer"]
    convert => ["bytes", "integer"]
    convert => ["responsetime", "float"]
  }
  geoip {
    # Looks up "clientip" and stores the result under "geoip".
    source => "clientip"
    target => "geoip"
    add_tag => [ "nginx-geoip" ]
    remove_field => [ "clientip" ]
  }
  date {
    # Parses the nginx timestamp into @timestamp, then drops the raw field.
    match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
    remove_field => [ "timestamp" ]
  }
  useragent {
    source => "agent"
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "weblogs-%{+YYYY.MM.dd}"
    document_type => "nginx_logs"
  }
  stdout { codec => rubydebug }
}
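For comparison, here is a filter section that gives both `overwrite` and `geoip` a field to act on. It is an added example, not part of the original post, and it assumes nginx's default "combined" log format, legacy (non-ECS) field names from the bundled COMBINEDAPACHELOG pattern, and the same index as above; grok's `overwrite` only replaces a field the pattern itself captures, and `geoip` needs its `source` field to exist before the lookup.

```conf
filter {
  # Assumes nginx's default "combined" format, which COMBINEDAPACHELOG parses
  # into clientip, ident, auth, timestamp, verb, request, httpversion,
  # response, bytes, referrer and agent (legacy field names, ECS disabled).
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
    # Unparseable lines are tagged instead of producing half-filled events.
    tag_on_failure => [ "_grokparsefailure" ]
  }

  # Only touch events grok actually parsed; everything else keeps its raw message.
  if "_grokparsefailure" not in [tags] {
    mutate {
      # The pattern captures no "message" field, so grok's overwrite option
      # has nothing to replace it with; set it explicitly from the parts.
      replace => { "message" => "%{verb} %{request}" }
      convert => {
        "response" => "integer"
        "bytes"    => "integer"
      }
    }

    geoip {
      # clientip exists now because the pattern captured it. remove_field
      # is applied only after a successful lookup, so the raw address is
      # dropped once geoip has used it, not before.
      source => "clientip"
      target => "geoip"
      add_tag => [ "nginx-geoip" ]
      remove_field => [ "clientip" ]
    }

    date {
      match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
      remove_field => [ "timestamp" ]
    }

    useragent {
      source => "agent"
    }
  }
}
```

Events that still carry `_grokparsefailure` or `_geoip_lookup_failure` after this filter are the ones to inspect in the `rubydebug` output, since they show which line or field the pipeline could not handle.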
