安装
# Install the locally downloaded Filebeat 5.3.2 RPM without prompting.
# Check the package's signature or checksum against the publisher's before
# installing; the install itself runs as root.
yum -y install filebeat-5.3.2-x86_64.rpm
filebeat 收集单个类型日志并写入 redis
Filebeat 支持将数据直接写入到 redis 服务器,本步骤为写入到 redis 当中的一个 key,另外 filebeat 还支持写入到 elasticsearch、logstash 等服务器。
/etc/filebeat/filebeat.yml
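# Filebeat 5.x prospector: tail the nginx access log and tag every event.
# Nesting is restored here; YAML needs the indentation to parse as intended.
filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/nginx/access.log
  exclude_lines: ["^DBG","^$"]        # lines matching these patterns are not shipped
  #include_lines: ["^ERR", "^WARN"]   # if enabled, only matching lines are shipped
  document_type: system-log-1512      # type label inserted into every event

# Ship events to a Redis list; Logstash later reads the same key and db.
output.redis:
  hosts: ["192.168.37.102:6379"]
  key: "system-log-1512"              # a custom key name makes later processing easier
  db: 1                               # Redis database number to use
  timeout: 5                          # connection timeout (seconds)
  # Sample value only: use a long random password in a real deployment and keep
  # this file readable by root only. No TLS settings are configured here, so the
  # password and the log data cross the network in clear text.
  password: 123456                    # Redis password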
启动 filebeat 服务
# Start the Filebeat unit so it begins shipping the configured log file.
systemctl start filebeat.service
配置 logstash 从 redis 读取上面的日志
/etc/logstash/conf.d/redis-systemlog-es.conf
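# Read the events Filebeat pushed to the Redis list and index them in
# Elasticsearch.
input {
  redis {
    host => "192.168.37.102"
    port => "6379"
    db => "1"
    key => "system-log-1512"
    data_type => "list"
    # The Filebeat output writing to this Redis instance authenticates with a
    # password, so the reader has to present the same one. Sample value only:
    # use a strong secret and restrict read access to this file.
    password => "123456"
  }
}
output {
  # [type] carries the document_type label set in filebeat.yml.
  if [type] == "system-log-1512" {
    elasticsearch {
      hosts => ["192.168.37.101:9200"]
      index => "system-log-1512"
    }
  }
}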
下载geoip
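# Plain-HTTP download with no integrity check: compare the archive against the
# checksum published by MaxMind before using the database.
wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
# wget saves the archive as GeoLite2-City.tar.gz, so extract that file name.
# The geoip filter in the Logstash config reads the database from
# /etc/logstash/GeoLite2-City_20170502/, so extract it in /etc/logstash or move
# the extracted directory there.
tar xf GeoLite2-City.tar.gz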
配置 logstash 使用地址库
/etc/logstash/conf.d/redis-es.conf
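# Pipeline: read two Redis lists, enrich tomcat access events with GeoIP data,
# and index the result in Elasticsearch.
input {
  redis {
    host => "192.168.37.102"
    port => "6379"
    db => "1"
    key => "system-log-1512"
    data_type => "list"
    # Sample value only: use a strong secret and restrict read access to this file.
    password => "123456"
  }
  redis {
    host => "192.168.37.102"
    port => "6379"
    db => "0"
    key => "tomcat-accesslog-1512"
    data_type => "list"
    password => "123456"
    codec => "json"
  }
}
filter {
  if [type] == "tomcat-accesslog-1512" {
    geoip {
      # Field holding the client IP address to look up.
      source => "clientip"
      target => "geoip"
      # Path rejoined onto one line; the pasted listing had wrapped it mid-name.
      database => "/etc/logstash/GeoLite2-City_20170502/GeoLite2-City.mmdb"
      # Two add_field entries with the same key build a [longitude, latitude] array.
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    mutate {
      # The interpolated values are strings; convert them to numbers.
      convert => [ "[geoip][coordinates]", "float"]
    }
  }
}
output {
  # NOTE(review): the filter above and the index name below refer to
  # "tomcat-accesslog-1512", but this condition tests "nginx-accesslog-1512";
  # confirm which type the events actually carry, otherwise nothing is indexed.
  if [type] == "nginx-accesslog-1512" {
    elasticsearch {
      # NOTE(review): the other pipeline on this page uses 192.168.37.101; confirm this host.
      hosts => ["192.168.15.101:9200"]
      # The "logstash-" prefix matches Logstash's default index template, which
      # maps the geoip location as geo_point for Kibana maps.
      index => "logstash-tomcat-accesslog-1512-%{+YYYY.MM.dd}"
    }
    # Disabled JDBC output, rejoined so every line stays commented out. If it is
    # enabled, keep the database password out of the connection string.
    # jdbc {
    #   connection_string => "jdbc:mysql://192.168.37.102/elk?user=elk&password=123456&useUnicode=true&characterEncoding=UTF8"
    #   statement => ["INSERT INTO elklog(host,clientip,status,AgentVersion) VALUES(?,?,?,?)", "host","clientip","status","AgentVersion"]
    # }
  }
}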
重启 logstash 服务并写入日志数据
# Restart Logstash so it loads the new pipeline configuration.
systemctl restart logstash.service
# Append sample lines to the access log to generate events (presumably a file
# that Filebeat is watching; confirm against the prospector paths).
# NOTE(review): "tets.log" may be a typo for "test.log"; confirm the file name.
cat tets.log >>nginx_access_log.2017-05-30.log
验证 kibana 界面是否可以看到地图数据