Hi All
I'm new to the ELK Stack and want to use it to parse my nginx access logs.
I'm having two issues: removing the client IP field breaks geoip,
and overwriting the message doesn't work; it just gives the full message.
My config is below; can anyone see where I'm going wrong?
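# Logstash filter stage for nginx access logs.
#
# NOTE(review): the field names referenced below (clientip, response,
# bytes, responsetime, timestamp, agent) are NOT produced by the grok
# pattern in this block; they are assumed to already exist on the event
# (for example, set by the input or its codec) — confirm against the
# input configuration, which is not shown here.
filter {
  grok {
    # `overwrite` only replaces a field that the pattern itself captures
    # (same idiom as the grok docs: "... %{DATA:message}" with
    # overwrite => ["message"]). The original pattern captured only
    # `method` and `request`, so `message` was never touched and kept
    # the full log line. Wrapping the match in a capture named `message`
    # makes the field hold just the matched "<method> <request>" text.
    # The pattern is unanchored, so it matches that pair anywhere in
    # the line; non-matching events are tagged `_grokparsefailure`.
    match => { "message" => "(?<message>%{WORD:method} %{URIPATHPARAM:request})" }
    overwrite => [ "message" ]
  }
  mutate {
    # Numeric coercion so Elasticsearch indexes these as numbers rather
    # than strings; a field that is absent is simply skipped.
    convert => ["response", "integer"]
    convert => ["bytes", "integer"]
    convert => ["responsetime", "float"]
  }
  geoip {
    source => "clientip"
    target => "geoip"
    add_tag => [ "nginx-geoip" ]
    # remove_field (like add_tag) is a common filter option and runs only
    # when this filter succeeds. Events whose address cannot be resolved
    # (typically private/RFC 1918 or malformed values, which get
    # `_geoip_lookup_failure`) keep `clientip`, while resolved events lose
    # it — so the source address is dropped inconsistently, and for the
    # resolved events the raw IP is no longer available for later
    # investigation (only the derived fields under `geoip` remain). If the
    # IP must be dropped, consider doing it in a separate mutate after
    # all lookups instead of here.
    remove_field => [ "clientip" ]
  }
  date {
    # Joda pattern for the default nginx/Apache $time_local format,
    # e.g. 10/Oct/2000:13:55:36 -0700; sets @timestamp on success.
    match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
    # Removed only when parsing succeeded; a failed parse keeps the
    # original string and tags the event `_dateparsefailure`.
    remove_field => [ "timestamp" ]
  }
  useragent {
    # Parses the User-Agent string into structured fields; `agent` must
    # already be populated upstream (see note at top).
    source => "agent"
  }
}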
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "weblogs-%{+YYYY.MM.dd}"
document_type => "nginx_logs"
}
stdout { codec => rubydebug }