ELK IIS 日誌-->logstash-->ElasticSearch

NXLOG 配置 json

   

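# Location of the NXLOG install. %ROOT% is expanded in the path directives below,
# so the define must end at the directory name: the stray words that were appended
# to these lines in the original (e.g. "tcp" after "nxlog") would otherwise become
# part of ROOT and every derived path.
#
# 64-bit install (kept for reference, commented out as in the original):
#define ROOT C:\Program Files\nxlog
# 32-bit NXLOG on 64-bit Windows:
define ROOT C:\Program Files (x86)\nxlog

# Module binaries, position cache, pid file, spool and NXLOG's own log.
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log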

   

   

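# CSV definition for the IIS W3C extended log format, used by w3c->parse_csv() in
# the IIS_Logs input. Parsing is positional: the Fields list and FieldTypes must
# match the site's "#Fields:" header line in the same order, or values land in the
# wrong fields. The stray tokens appended to the first two lines in the original
# ("it", "io") have been removed; they are not part of the directive syntax.
# $csUser-Agent presumably stands for IIS's cs(User-Agent) column (parentheses are
# not usable in a field name) -- confirm against the site's header.
<Extension w3c>
    Module xm_csv
    Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes string, string, string, string, string, string, integer, string, string, string, integer, integer, integer, integer
    # IIS W3C logs are space separated.
    Delimiter ' '
</Extension>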

   

# Provides to_json(), which the IIS_out output calls to serialise each event.
<Extension json>

Module xm_json

</Extension>

   

# Loaded but not referenced by any Exec in this config; harmless, and can be
# dropped if syslog formatting is never needed.
<Extension syslog>

Module xm_syslog

</Extension>

   

   

# Tail the W3C logs of one IIS site (W3SVC18) and turn each request line into a
# structured event using the w3c CSV definition.
<Input IIS_Logs>
    Module im_file
    # The wildcard covers the daily u_ex*.log rollover files.
    File "C:\inetpub\logs\LogFiles\W3SVC18\u_ex*.log"
    # Persist the read offset so a restart does not re-send already shipped lines.
    SavePos TRUE

    # W3C header/comment lines begin with '#': drop them. Everything else is a
    # request record: split it into the w3c fields, build $EventTime from the
    # date and time columns (the trailing "Z" treats them as UTC, which is what
    # IIS writes in W3C format) and tag the event with its source.
    Exec if $raw_event =~ /^#/ drop();                              \
         else                                                       \
         {                                                          \
             w3c->parse_csv();                                      \
             $EventTime = parsedate($date + "T" + $time + "Z");     \
             $SourceName = "IIS";                                   \
         }
</Input>

   

# Ship each event as one JSON document over plain TCP to the Logstash tcp input
# on the same machine. om_tcp is unencrypted and unauthenticated; it is acceptable
# only because Host is loopback -- if the collector moves to another machine,
# switch to om_ssl (TLS) rather than pointing om_tcp at a remote address.
<Output IIS_out>

Module om_tcp

Host 127.0.0.1

Port 5545

# to_json() comes from the xm_json extension; it serialises all event fields,
# including $EventTime and $SourceName set in the input.
Exec to_json();

</Output>

   

# Wire the IIS file input to the TCP output; no processor sits in between.
<Route 2>

Path IIS_Logs => IIS_out

</Route>

   

Logstash 配置

   

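input {
  # Receives the JSON lines sent by the NXLOG IIS_out (om_tcp) output.
  tcp {
    # The NXLOG side targets 127.0.0.1, so bind to loopback as well. The tcp
    # input's default bind address is 0.0.0.0, which would let any host that can
    # reach port 5545 inject arbitrary events tagged as "iis-input" with no
    # authentication. If remote shippers are ever needed, bind wider and enable
    # TLS (ssl_enable => true with ssl_cert/ssl_key) instead of reverting to
    # an open plaintext listener.
    host => "127.0.0.1"
    port => 5545
    # Every event from this listener is typed so the output filter below can
    # match it.
    type => "iis-input"
    # One JSON object per line, as produced by NXLOG's to_json().
    codec => "json"
  }
}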

   

output {

# Only events that came through the iis-input listener are indexed.
if [type]=="iis-input" {

elasticsearch {

# Local, unauthenticated HTTP connection to Elasticsearch; if ES is exposed
# beyond this host, add credentials/TLS on this output.
hosts => ["localhost:9200"]

# One daily index per event type, e.g. logstash-iis-input-YYYY.MM.dd.
index=>"logstash-%{type}-%{+YYYY.MM.dd}"

# NOTE(review): document_type relies on Elasticsearch mapping types, which
# newer Elasticsearch releases no longer support -- confirm against the
# target ES version before reusing this config.
document_type=>"%{type}"

}

}

}
