출처 : http://edbaker.weebly.com/blog/iis-logstash-elasticsearch-nxlog
iis.conf 내용 (Logstash 파이프라인 설정)
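input {
  file {
    type => "IISLog"
    path => "H:/iislog/*.log"
    # read already-existing log files from their first line on the
    # first run (default would be to tail from the end only)
    start_position => "beginning"
  }
}

filter {
  # IIS W3C logs begin with "#Software/#Version/#Date/#Fields" comment
  # lines; drop them so they do not hit the grok pattern below
  if [message] =~ "^#" {
    drop {}
  }

  # Field order must match the "#Fields:" header of the IIS site's
  # W3C logging settings (this pattern assumes the default field set).
  # A line that does not match is still emitted, tagged
  # "_grokparsefailure" by default, with only the raw [message] set --
  # check for that tag before trusting the parsed fields.
  grok {
    match => {"message" => "%{TIMESTAMP_ISO8601:date-time} %{IPORHOST:s-ip} %{WORD:cs-method} %{URIPATH:cs-uri-stem} %{NOTSPACE:cs-uri-query} %{NUMBER:s-port} %{NOTSPACE:cs-username} %{IPORHOST:c-ip} %{NOTSPACE:useragent} %{NUMBER:sc-status} %{NUMBER:sc-substatus} %{NUMBER:win32status} %{NUMBER:sc-bytes} %{NUMBER:cs-bytes} %{NUMBER:timetaken}"}
  }

  # Set @timestamp from the request time in the log line. The grok
  # pattern above captures it as [date-time]; the original config
  # matched on a field named "timeofevent" that nothing populates, so
  # every event silently kept its ingest time instead.
  # NOTE(review): the fixed timezone assumes IIS writes the log in UTC
  # (the W3C default) -- confirm against the site's logging settings.
  # https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html
  date {
    match => [ "date-time", "YYYY-MM-dd HH:mm:ss" ]
    timezone => "Etc/UCT"
  }
}

# Exactly one output section. The original file declared this block
# twice; Logstash runs every output it finds, so each event was indexed
# twice into "iis" and printed twice on the console.
output {
  # Debug aid only: echoes every event -- including [c-ip],
  # [cs-username] and [cs-uri-query] -- to the console/service log.
  # Remove once the pipeline is verified.
  stdout { codec => rubydebug }
  # Plain HTTP to a node with no credentials configured. If Elasticsearch
  # is remote, or port 9200 is reachable from other hosts, add ssl/user/
  # password here: these documents carry client IPs, usernames and raw
  # query strings.
  elasticsearch {
    hosts => ["localhost:9200"]
    # must match the index created with PUT /iis
    index => "iis"
    # must match the mapping type created with PUT /iis/_mapping/main
    document_type => "main"
  }
}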
엘라스틱서치에 인덱스 생성
PUT /iis
맵핑 생성 (타입 이름 `main`은 iis.conf의 `document_type => "main"`과, 인덱스 이름 `iis`는 `index => "iis"`와 일치해야 함; 타입 이름을 포함한 맵핑 API는 Elasticsearch 버전에 따라 지원 여부가 다를 수 있으므로 사용 중인 버전의 문서를 확인할 것)
PUT /iis/_mapping/main
{
"main": {
"properties": {
"date-time": {"type": "date", "format": "yyyy-MM-dd HH:mm:ss"},
"s-ip": {"type": "text"},
"cs-method": {"type": "text"},
"cs-uri-stem": {"type": "text"},
"cs-uri-query": {"type": "text"},
"s-port": {"type": "integer"},
"cs-username": {"type": "text"},
"c-ip": {"type": "text"},
"useragent": {"type": "text"},
"sc-status": {"type": "integer"},
"sc-substatus": {"type": "integer"},
"win32status": {"type": "integer"},
"sc-bytes": {"type": "integer"},
"cs-bytes": {"type": "integer"},
"timetaken": {"type": "integer"}
}
}
}