# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
###logstash输入:从/var/log/messages输入,类型为system,起始位
input {
    # One file input per log family. The "type" set here selects the filter
    # branch below and is interpolated into the Elasticsearch index name in
    # the output section.
    file {
        # SQL statement log written by the application. The "***" is the
        # author's redaction of the install path, not a glob.
        path => "D:/***/blog/storage/logs/sql/*.log"
        type => "sql-log"
    }
    file {
        # Request/query log (Laravel-style lines with a JSON context object).
        # "*" does not cross directory boundaries, so this glob does not
        # also pick up the sql/ subdirectory read above.
        path => "D:/***/blog/storage/logs/*.log"
        type => "query-log"
    }
}
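filter {
    # SQL log lines are shipped verbatim. The statement text includes the
    # literal bound values (the sql-log sample below this pipeline shows an
    # insert with a password column), so those values end up indexed in
    # Elasticsearch; redact or drop such statements upstream if the index's
    # audience should not see them.
    if [type] == "sql-log" {
        # Keep only lines that start with a "[" timestamp; the "-----"
        # separator rows in the sample are dropped.
        if [message] =~ /^\[/ {
            mutate {
                remove_field => ["@version", "event", "log"]
            }
        } else {
            drop {}
        }
    }

    if [type] == "query-log" {
        # Discard lines that do not start with "[" before running grok on
        # them; the original checked this after the grok with the same
        # outcome, this just avoids the wasted match.
        if [message] !~ /^\[/ {
            drop {}
        }
        grok {
            # Capture the JSON context object: from the first "{" up to the
            # first "} " (brace followed by a space). A bare "}" would stop
            # at the end of the first nested object, hence the trailing
            # space in the anchor -- this presumes the log line has a space
            # after the context object; TODO confirm against the real log
            # format, the samples below are trimmed at line end.
            match => {
                "message" => "(?<temMsg>(\{).*?(\} ))"
            }
        }
        # Only parse when the capture actually exists. The original fed the
        # whole raw line to the json filter when grok found no "{...} "
        # span, producing a _jsonparsefailure event with the raw line held
        # twice (in "message" and "@message"); now such lines pass through
        # with just the _grokparsefailure tag.
        if [temMsg] {
            json {
                # Parsing straight from the capture replaces the original
                # rename -> add_field "@message" -> json chain; the result
                # is the same parsed document at the event root.
                source => "temMsg"
                # No target is set, so the parsed keys land at the root:
                # params, header, method, url, ip, port, source in the
                # sample. "header" is a nested object holding the request
                # headers, so removing it drops all of them; the individual
                # header names are kept from the original list in case they
                # ever appear at the root. params/url/ip are client-supplied
                # request data and are indexed as-is. The empty-string
                # entries in the original list were no-ops and are gone.
                remove_field => [
                    "temMsg", "message", "@version", "event", "log",
                    "header", "accept-encoding", "accept", "user-agent",
                    "upgrade-insecure-requests", "cache-control",
                    "connection", "content-length", "host"
                ]
            }
        }
    }
}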
# Logstash output: ship events to Elasticsearch (addressed by IP) and echo
# them to the console.
output {
    elasticsearch {
        # Plain HTTP to a loopback node; this sample configures no
        # credentials and no TLS. Anything other than a local development
        # instance needs the user/password (or api_key) and ssl options set
        # here as well.
        hosts => ["127.0.0.1:9200"]
        # One index per event type, e.g. laravel-log-sql-log and
        # laravel-log-query-log.
        index => "laravel-log-%{type}"
    }
    # Console copy of every event, one JSON document per line. Handy while
    # developing the pipeline; in production it is a second copy of the
    # same data on stdout.
    stdout {
        codec => json_lines
    }
}
sql-log监测日志内容,文本内容如下
[2022-06-06 02:57:25]insert into `users` (`name`, `email`, `password`) values ('admin1', 'admin1@qq.com', '123')
----------------------------------------------------------------------------------------------------
[2022-06-06 05:51:26]select * from `users` where `users`.`id` = '1' limit 1
-------------------------------------------------------------------------------------------
query-log监测日志内容,文本内容如下
[2022-06-06 18:30:42] local.INFO: Uri:user/test {"params":{"s":"/user/test","id":"3"},"header":{"accept-language":["zh-CN,zh;q=0.9"],"accept-encoding":["gzip, deflate"],"accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"],"user-agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"],"upgrade-insecure-requests":["1"],"cache-control":["max-age=0"],"connection":["keep-alive"],"host":["blog.com"],"content-length":[""],"content-type":[""]},"method":"GET","url":"http://blog.com/user/test","ip":"127.0.0.1","port":80,"source":"我是第三个参数"}
[2022-06-06 18:35:34] local.INFO: Uri:user/test {"params":{"s":"/user/test","id":"3"},"header":{"accept-language":["zh-CN,zh;q=0.9"],"accept-encoding":["gzip, deflate"],"accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"],"user-agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"],"upgrade-insecure-requests":["1"],"cache-control":["max-age=0"],"connection":["keep-alive"],"host":["blog.com"],"content-length":[""],"content-type":[""]},"method":"GET","url":"http://blog.com/user/test","ip":"127.0.0.1","port":80,"source":"我是第三个参数"}
[2022-06-06 18:36:25] local.INFO: Uri:user/test {"params":{"s":"/user/test","id":"3"},"header":{"accept-language":["zh-CN,zh;q=0.9"],"accept-encoding":["gzip, deflate"],"accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"],"user-agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"],"upgrade-insecure-requests":["1"],"cache-control":["max-age=0"],"connection":["keep-alive"],"host":["blog.com"],"content-length":[""],"content-type":[""]},"method":"GET","url":"http://blog.com/user/test","ip":"127.0.0.1","port":80,"source":"我是第三个参数"}