1. Taking nginx logs as the example: the client IP must first be converted to longitude/latitude. Below is the log parsing pipeline in Logstash:
    input {
      beats {
        port => 6114
      }
    }
    filter {
      grok {
        match => { "message" => [
          "%{IPORHOST:Client_IP} (%{WORD:ident}|-) (%{USERNAME:auth}|-) \[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) \"(?:%{NOTSPACE:referrer}|-)\" %{QS:agentname}",
          "%{IPORHOST:Client_IP} %{DATA:ident} %{DATA:auth} \[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} %{NUMBER:bytes} \"%{DATA:referrer}\" %{QS:agentname}",
          "%{IPORHOST:Client_IP} %{DATA:ident} %{DATA:auth} \[%{HTTPDATE:timestamp}\] \"%{DATA:request}\" %{NUMBER:response} %{NUMBER:bytes}"
        ] }
      }
      date {
        match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ]
      }
      geoip {
        source => "Client_IP"
        # Two add_field calls on the same key build an array: [longitude, latitude],
        # which is the order a geo_point array expects.
        add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
        add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
      }
      mutate {
        convert => [ "[geoip][coordinates]", "float" ]
      }
    }
    output {
      elasticsearch {
        hosts => ["192.168.25.22:9200"]
        index => "logstash-nginx"
        workers => 1
        template_overwrite => true
      }
      stdout { codec => rubydebug }
    }
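As an added illustration (not part of the original post), the following Python script emulates what the grok, date, geoip and mutate filters above do to one constructed nginx access-log line, using the same field names as the first grok pattern. The geoip lookup table is a made-up stand-in for the GeoLite2 database the real filter consults.

```python
import re
from datetime import datetime

# Regex equivalent of the first grok pattern in the Logstash config
# (same field names: Client_IP, ident, auth, timestamp, verb, request, ...).
NGINX_RE = re.compile(
    r'(?P<Client_IP>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+) HTTP/(?P<httpversion>[\d.]+)" '
    r'(?P<response>\d+) (?P<bytes>\d+|-) "(?P<referrer>[^"]*)" "(?P<agentname>[^"]*)"'
)

# Constructed stand-in for the geoip database: IP -> (longitude, latitude).
# These values are made up; the real filter uses the bundled GeoLite2 data.
FAKE_GEOIP = {
    "203.0.113.10": (116.397, 39.909),
}

# Constructed sample access-log line (documentation IP range, made-up request).
SAMPLE_LINE = ('203.0.113.10 - - [10/Oct/2023:13:55:36 +0800] '
               '"GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"')


def parse_nginx_line(line):
    """Emulate grok + date + geoip + mutate from the config; return the event."""
    m = NGINX_RE.match(line)
    if not m:
        # Mirror Logstash: an unmatched line keeps the raw message and is
        # tagged _grokparsefailure instead of being dropped.
        return {"message": line, "tags": ["_grokparsefailure"]}
    event = m.groupdict()
    event["message"] = line
    # date filter pattern "dd/MMM/yyyy:HH:mm:ss Z" -> strptime equivalent
    event["@timestamp"] = datetime.strptime(event["timestamp"],
                                            "%d/%b/%Y:%H:%M:%S %z")
    # geoip lookup, then coordinates as [lon, lat] floats: the order the two
    # add_field lines produce and the order a geo_point array expects.
    geo = FAKE_GEOIP.get(event["Client_IP"])
    if geo:
        lon, lat = geo
        event["geoip"] = {"longitude": lon, "latitude": lat,
                          "coordinates": [float(lon), float(lat)]}
    return event


if __name__ == "__main__":
    print(parse_nginx_line(SAMPLE_LINE))
```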
2. Add a map report in Kibana Maps
Add a layer.
Add an index: select the index from the index patterns.
Once the index is added, green points appear on the map.
By default the base map is loaded from an external (public internet) tile service; the following switches it to Amap (Gaode) tiles:
Edit the Kibana configuration file and append at the end:
    map.tilemap.url: 'http://webrd02.is.autonavi.com/appmaptile?lang=zh_cn&size=1&scale=1&style=7&x={x}&y={y}&z={z}'
The above is the Kibana 7 format; for Kibana 6 it is:
    tilemap.url: 'http://webrd02.is.autonavi.com/appmaptile?lang=zh_cn&size=1&scale=1&style=7&x={x}&y={y}&z={z}'