I don't think I changed it.
Logstash config (same configuration for all nginx log indices):
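input {
  beats {
    port => 5052
  }
}

filter {
  # Parse one nginx access line shipped by beats. The square brackets around
  # the timestamp are literal characters in the log line, so they must be
  # escaped: an unescaped "[" opens a regex character class, the pattern no
  # longer matches, and every event would only carry "_grokparsefailure"
  # with none of the fields below populated.
  grok {
    match => { "message" => '%{IPORHOST:lbip} %{NGUSER:ident} %{NGUSER:auth} \[%{HTTPDATE:logdate}\] %{NUMBER:response} "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" (?:%{NUMBER:bytes}|-) (?:"(?:%{URI:referrer}|-)"|%{QS:referrer}) %{QS:agent} "%{GREEDYDATA:clientIPs}"' }
  }

  # Set @timestamp from the nginx timestamp. Joda "yyyy" is the calendar
  # year; "YYYY" is the week-based year, which puts events logged in the
  # last/first days of a year into the wrong year (and thus the wrong index).
  date {
    locale => "en"
    match => [ "logdate", "dd/MMM/yyyy:HH:mm:ss Z" ]
    remove_field => [ "logdate" ]
  }

  # Expand the quoted User-Agent string into structured fields under "useragent".
  useragent {
    source => "agent"
    target => "useragent"
    remove_field => [ "agent" ]
  }

  # Separate client IP from reverse proxy IP. The comma-separated list in
  # clientIPs looks like a forwarded-for style header (client first, then
  # proxy) — confirm against the nginx log_format. If it is, the first entry
  # is whatever the requester sent and is only as trustworthy as the proxy
  # that rewrote it; lbip is the address nginx actually saw on the socket.
  csv {
    columns => [ "clientip", "rp_ip" ]
    source => "clientIPs"
    separator => ","
  }

  # Geo-locate clientip. A value that is not an IP tags the event with
  # "_geoip_lookup_failure" rather than dropping it.
  geoip {
    source => "clientip"
  }
}

output {
  # Daily index; "%{+YYYY.MM.dd}" is the Logstash naming convention and is
  # kept so existing indices and the "logstash-*" template still line up.
  elasticsearch {
    hosts => ["10.8.154.31:9200","10.8.154.33:9200"]
    index => "logstash-rostr-prod-web-access-logs-%{+YYYY.MM.dd}"
  }
}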
Here is the definition of my logstash template:
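# Quote the URL so the shell cannot glob-expand "logstash*" against files in
# the current directory before curl sees it.
curl -XGET '10.8.154.30:9200/_template/logstash*'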
{"logstash":{"order":0,"template":"logstash-","settings":{"index":{"refresh_interval":"5s"}},"mappings":{"default":{"dynamic_templates":[{"message_field":{"mapping":{"index":"analyzed","omit_norms":true,"fielddata":{"format":"disabled"},"type":"string"},"match_mapping_type":"string","match":"message"}},{"string_fields":{"mapping":{"index":"analyzed","omit_norms":true,"fielddata":{"format":"disabled"},"type":"string","fields":{"raw":{"index":"not_analyzed","ignore_above":256,"type":"string"}}},"match_mapping_type":"string","match":""}}],"properties":{"@timestamp":{"type":"date"},"geoip":{"dynamic":true,"properties":{"location":{"type":"geo_point"},"longitude":{"type":"float"},"latitude":{"type":"float"},"ip":{"type":"ip"}}},"@version":{"index":"not_analyzed","type":"string"}},"_all":{"enabled":true,"omit_norms":true}}},"aliases":{}}}