今天读取ngin的access.log文件到elasticsearch中,日期死活读不出来,配置如下:
grok {
match => {
"message" => ["%{IPORHOST:[nginx][access][remote_ip]} - %{DATA:[nginx][access][user_name]} \[%{HTTPDATE:[nginx][access][time]}\] \"%{WORD:[nginx][access][method]} %{DATA:[nginx][access][url]} HTTP/%{NUMBER:[nginx][access][http_version]}\" %{NUMBER:[nginx][access][response_code]} %{NUMBER:[nginx][access][body_sent][bytes]} \"%{DATA:[nginx][access][referrer]}\" \"%{DATA:[nginx][access][agent]}\""]
}
remove_field => "message"
}
date {
match => [ "timestamp","dd/MMM/YYYY:HH:mm:ss Z" ]
}
useragent {
source => "[nginx][access][agent]"
target => "[nginx][access][user_agent]"
remove_field => "[nginx][access][agent]"
}
geoip {
source => "[nginx][access][remote_ip]"
target => "[nginx][access][geoip]"
}找了半天原因,最后发行问题出在:
date {
match => [ "timestamp","dd/MMM/YYYY:HH:mm:ss Z" ]
}
默认locale是读取系统的。改成
date {
match => [ "timestamp","dd/MMM/YYYY:HH:mm:ss Z" ]
locale => "en_US"
}完美!