GeoIP is the most widely used free IP-address geolocation database, and a paid edition can also be purchased. Given an IP address, the GeoIP database returns location information such as country, province/city, and latitude/longitude, which is very useful for map visualizations and per-region statistics.
First, download the database:
[root@monitor src]# curl -O http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
Unzip it and move it to the target directory:
[root@monitor src]# gunzip GeoLiteCity.dat.gz
[root@monitor src]# mv GeoLiteCity.dat /opt/logstash/vendor/geoip/
Edit the Logstash configuration file and change the filter section to the following (note that the quotes must be plain ASCII double quotes, not typographic ones):
  if [type] == "nginx" {
    grok {
      match => { "message" => "%{NGINXACCESS}" }
    }
    geoip {
      source => "remote_addr"
      target => "geoip"
      database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
      # Adding the same field twice builds a two-element array [longitude, latitude]
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
      remove_field => [ "[geoip][latitude]", "[geoip][longitude]" ]
    }
    mutate {
      # The interpolated values are strings; convert them to numbers for geo_point use
      convert => [ "[geoip][coordinates]", "float" ]
    }
  }
Restart the logstash service:
[root@monitor geoip]# /etc/init.d/logstash restart
Killing logstash (pid 29959) with SIGTERM
Waiting logstash (pid 29959) to die…
Waiting logstash (pid 29959) to die…
logstash stopped.
logstash started.
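Before building a map, it is worth verifying that the enrichment produced what the visualization needs. The following Python script is an added example and not part of the original post: it reads Logstash output events as JSON lines (the sample events below are constructed, not real traffic) and checks that geoip.coordinates is a two-element [longitude, latitude] array of floats, and that events without coordinates belong to non-public addresses, which GeoLiteCity cannot resolve.

```python
import ipaddress
import json

# Constructed sample of enriched Logstash events (JSON lines); not real log data.
SAMPLE_EVENTS = """\
{"type":"nginx","remote_addr":"8.8.8.8","geoip":{"coordinates":[-122.0838,37.386]}}
{"type":"nginx","remote_addr":"10.0.0.5","geoip":{}}
{"type":"nginx","remote_addr":"1.1.1.1","geoip":{"coordinates":["-0.1","51.5"]}}
"""


def check_event(event):
    """Return a list of problems found in one enriched event (empty list means OK)."""
    problems = []
    addr = event.get("remote_addr")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return ["remote_addr is not an IP address: %r" % (addr,)]
    geoip = event.get("geoip") or {}
    coords = geoip.get("coordinates")
    if coords is None:
        # Private, loopback and reserved ranges are never in the database, so a
        # missing lookup there is expected; for a public address it is suspicious.
        if ip.is_private or ip.is_loopback or ip.is_reserved:
            problems.append("no coordinates for non-public address %s (expected)" % ip)
        else:
            problems.append("no coordinates for public address %s" % ip)
        return problems
    if not (isinstance(coords, list) and len(coords) == 2):
        return ["coordinates must be a [lon, lat] array, got %r" % (coords,)]
    if not all(isinstance(v, float) for v in coords):
        # Strings here mean the mutate/convert step did not run.
        problems.append("coordinates not converted to float: %r" % (coords,))
    try:
        lon, lat = (float(v) for v in coords)
        if not (-180.0 <= lon <= 180.0 and -90.0 <= lat <= 90.0):
            problems.append("coordinates out of range (check [lon, lat] order): %r" % (coords,))
    except (TypeError, ValueError):
        problems.append("coordinates are not numeric: %r" % (coords,))
    return problems


def check_events(jsonl):
    """Map each remote_addr to the problems found in its event."""
    report = {}
    for line in jsonl.splitlines():
        if line.strip():
            event = json.loads(line)
            report[event["remote_addr"]] = check_event(event)
    return report
```

Running `check_events(SAMPLE_EVENTS)` flags the private address as an expected miss and the string coordinates as a missing convert step.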
Open a browser and check the newly added geoip fields on the log events.

Create a visualization
