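How it works
Configure a geoip pipeline
Associate it with a specific index pattern
When a log entry is written, geoip runs and adds a new field to it
Steps
1 Configure the pipeline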
#!/bin/bash
# Create an ingest pipeline named "geoip" that looks up the address stored in http_x_forwarded_for
curl -X PUT "localhost:9200/_ingest/pipeline/geoip?pretty" -H 'Content-Type: application/json' -d'
{
  "description" : "Add geoip info",
  "processors" : [
    {
      "geoip" : {
        "field" : "http_x_forwarded_for"
      }
    }
  ]
}
'
Replace http_x_forwarded_for with whichever field suits you
2 Configure the nginx pattern
{
  "index": {
    "lifecycle": {
      "name": "nginxdelete"
    },
    "number_of_replicas": "0",
    "default_pipeline": "geoip"
  }
}
3 Verify
{
  "_index": "nginx-2021.08.30",
  "_type": "_doc",
  "_id": "TdzYlnsBf-nChSXeMWI6",
  "_version": 1,
  "_score": null,
  "_source": {
    "scheme": "https",
    "remote_addr": "171.224.237.174",
    "geoip": {
      "continent_name": "Asia",
      "country_iso_code": "VN",
      "location": {
        "lon": 106,
        "lat": 16
      }
    },
    "http_x_forwarded_for": "171.224.237.174"
  }
}
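The pipeline can also be checked before any real log reaches it, using Elasticsearch's `_simulate` endpoint. The script below is an added example, not part of the original post; it assumes the `geoip` pipeline from step 1 on `localhost:9200`, and the sample header values are constructed to cover a single address, a proxy chain and the `-` placeholder nginx writes when the header is absent.

```python
"""Dry-run the stored geoip pipeline with _simulate; nothing is indexed."""
import json
import urllib.request

ES = "http://localhost:9200"      # assumption: same host as in step 1
FIELD = "http_x_forwarded_for"    # field the pipeline reads

# Constructed sample values, not taken from real logs.
SAMPLES = ["171.224.237.174", "171.224.237.174, 10.0.0.5", "-"]


def build_body(field, values):
    """Request body for POST /_ingest/pipeline/<name>/_simulate."""
    return {"docs": [{"_source": {field: v}} for v in values]}


def summarize(values, response):
    """Map each input value to 'geoip', 'no geoip' or 'error: <reason>'."""
    out = {}
    for value, item in zip(values, response["docs"]):
        if "error" in item:
            # The processor rejected the value; indexing such a log would fail too.
            out[value] = "error: " + item["error"].get("reason", "unknown")
        elif "geoip" in item["doc"]["_source"]:
            out[value] = "geoip"
        else:
            # Processor ran but found no match for this address.
            out[value] = "no geoip"
    return out


def simulate(pipeline, values, es=ES, field=FIELD):
    """Send the sample documents through the stored pipeline."""
    req = urllib.request.Request(
        f"{es}/_ingest/pipeline/{pipeline}/_simulate",
        data=json.dumps(build_body(field, values)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return summarize(values, json.load(resp))


if __name__ == "__main__":
    for value, result in simulate("geoip", SAMPLES).items():
        print(f"{value!r:35} -> {result}")
```

Any value reported as `error` would also be rejected at index time once `default_pipeline` is set, so it is worth settling how those values should be handled before step 2.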