Aside:
This IIS server sits behind a hardware load balancer that proxies traffic, so IIS cannot see the external client's IP address directly; the X-Forwarded-For module has to be installed so the real client address can be recovered. See the following article: https://blog.csdn.net/hzfw2008/article/details/105066565/
1. Downloading and installing Logstash on Windows
Download URL: https://www.elastic.co/cn/downloads/logstash
Note: once downloaded and unpacked it can be used directly; no separate Java installation is needed.
2. Configuring the IIS log output format
3. Log content produced by IIS
2021-09-18 00:01:55 10.224.48.91 GET /news_d.aspx 220.181.108.83 3ww.junhua.net 200 35
4. Logstash configuration file for parsing IIS logs
# Note: IIS W3C log files begin with "#Software", "#Version", "#Date" and
# "#Fields" directive lines. Nothing below skips them, so each such line
# fails the grok match and is indexed with the tag _grokparsefailure.
input {
  file {
    path => ["C:/inetpub/logs/wmsvc/W3SVC2/*.log"]
    type => "web-iis"
  }
}
filter {
  grok {
    # Field order must match the "#Fields" line of the IIS log. The sample
    # line above carries a host name (cs-host, "3ww.junhua.net") between the
    # client IP and the status code, so it is matched here as cs_host;
    # without it the pattern never matches a real line.
    # clientip is only the real client if the X-Forwarded-For module
    # (see the aside) rewrites c-ip; otherwise it is the load balancer.
    match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:serverip} %{WORD:method} %{URIPATH:page} %{IPORHOST:clientip} %{IPORHOST:cs_host} %{NUMBER:status} %{NUMBER:response_time}"]
  }
  geoip {
    source => "clientip"
    target => "geoip"
    # Repeated add_field lines are merged by Logstash into one array, giving
    # [geoip][coordinates] = [longitude, latitude] (GeoJSON order).
    add_field => ["[geoip][coordinates]", "%{[geoip][longitude]}"]
    add_field => ["[geoip][coordinates]", "%{[geoip][latitude]}"]
  }
}
output {
  elasticsearch {
    user => "elastic"
    password => "password"
    hosts => ["http://10.224.14.14:9200", "http://10.224.14.15:9200", "http://10.224.14.16:9200"]
    index => "logstash-%{type}-%{+YYYY.MM.dd}"
  }
}
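To check that a grok pattern like the one above actually fits the log layout before pointing Logstash at production, it helps to replay a few lines through an equivalent parser offline. The following Python script is an added example, not code from the original post: it mirrors the grok field list (with the cs-host column that the sample line carries), skips the "#" directive lines that IIS writes at the top of every W3C log, counts lines that would become _grokparsefailure events, and compares the "#Fields" directive with the column order the pattern assumes. The log text, the field names `cs_host` and `response_time`, and the helper names are all constructed for this example.

```python
"""Offline check of an IIS W3C log against a grok-style field layout.

Added example: the sample log below is constructed; the first data line is
the one shown in the post, the others were made up for this illustration.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Regex equivalent of the grok pattern on the page, including the cs-host
# column ("3ww.junhua.net") that sits between the client IP and the status.
IIS_LINE = re.compile(
    r"^(?P<log_timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<serverip>\S+) "
    r"(?P<method>[A-Z]+) "
    r"(?P<page>/\S*) "
    r"(?P<clientip>\S+) "
    r"(?P<cs_host>\S+) "
    r"(?P<status>\d{3}) "
    r"(?P<response_time>\d+)$"
)

# Column order the pattern assumes, in IIS's own W3C field names.
EXPECTED_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem",
                   "c-ip", "cs-host", "sc-status", "time-taken"]

# Constructed sample log: IIS writes "#" directive lines first, then one
# line per request. The last data line is deliberately malformed.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-09-18 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem c-ip cs-host sc-status time-taken
2021-09-18 00:01:55 10.224.48.91 GET /news_d.aspx 220.181.108.83 3ww.junhua.net 200 35
2021-09-18 00:01:56 10.224.48.91 POST /login.aspx 203.0.113.7 3ww.junhua.net 401 120
2021-09-18 00:01:57 10.224.48.91 GET /bad line with too few fields
"""


def declared_fields(text: str) -> Optional[List[str]]:
    """Return the column names from the '#Fields:' directive, if present."""
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            return line.split()[1:]
    return None


def field_order_matches(text: str) -> bool:
    """True when the log's declared columns equal the order the pattern assumes.
    A mismatch here means every data line would fail the grok match."""
    return declared_fields(text) == EXPECTED_FIELDS


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one data line; None means Logstash would tag _grokparsefailure."""
    m = IIS_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    ev: Dict[str, object] = dict(m.groupdict())
    # Numeric fields are typed here so they can be range-queried in ES.
    ev["status"] = int(m.group("status"))
    ev["response_time"] = int(m.group("response_time"))
    # IIS logs in UTC by default, so the timestamp is labelled as UTC.
    ev["@timestamp"] = datetime.strptime(
        m.group("log_timestamp"), "%Y-%m-%d %H:%M:%S"
    ).replace(tzinfo=timezone.utc).isoformat()
    return ev


def parse_log(text: str) -> Tuple[List[Dict[str, object]], int, int]:
    """Walk a whole log. Returns (events, directive_lines, parse_failures)."""
    events: List[Dict[str, object]] = []
    directives = failures = 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            directives += 1          # header line, not a request
            continue
        ev = parse_line(raw)
        if ev is None:
            failures += 1            # would be _grokparsefailure in Logstash
            continue
        events.append(ev)
    return events, directives, failures


if __name__ == "__main__":
    evs, hdrs, bad = parse_log(SAMPLE_LOG)
    print(f"fields ok: {field_order_matches(SAMPLE_LOG)}, "
          f"events: {len(evs)}, directives: {hdrs}, failures: {bad}")
    for e in evs:
        print(e["@timestamp"], e["clientip"], e["cs_host"], e["status"])
```

Run it against a real log file by reading the file into `parse_log`; if `field_order_matches` returns False, adjust the grok pattern to the "#Fields" order IIS is actually configured with rather than editing the log. The failure count is the number of events that would reach Elasticsearch without a client IP, which is also the number of requests the geoip enrichment silently misses.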