updates nginx pipeline w/ less geoip fields

2026-01-09 10:55:46 +00:00 · 2025-11-07 20:08:25 +01:00
parent 871b42855c
commit f41a31ca71
1 changed files with 27 additions and 21 deletions
--- a/roles/elasticsearch/templates/logstash-conf.d/nginx_pipeline.conf.j2
+++ b/roles/elasticsearch/templates/logstash-conf.d/nginx_pipeline.conf.j2
@@ -5,26 +5,33 @@ input {
 }

 filter {
- grok {
-   match => [ "message" , "%{COMBINEDAPACHELOG}+%{GREEDYDATA:extra_fields}"]
-   overwrite => [ "message" ]
- }
- mutate {
-   convert => ["response", "integer"]
-   convert => ["bytes", "integer"]
-   convert => ["responsetime", "float"]
- }
- # geoip {
- #   source => "clientip"
- #   add_tag => [ "nginx-geoip" ]
- # }
- date {
-   match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
-   remove_field => [ "timestamp" ]
- }
- # useragent {
- #   source => "agent"
- # }
+  grok {
+    match => [ "message" , "%{COMBINEDAPACHELOG}+%{GREEDYDATA:extra_fields}"]
+    overwrite => [ "message" ]
+  }
+
+  mutate {
+    rename => { "extra_fields" => "real_ip" }
+    gsub => [ "real_ip", "\"", "" ] # remove qoutes
+    gsub => [ "real_ip", " ", "" ]  # remove whitespace
+
+    # fix
+    convert => ["http.response.status_code", "integer"]
+    convert => ["http.response.body.bytes", "integer"]
+    convert => ["responsetime", "float"]
+    remove_field => ["host.containerized"]
+  }
+
+  geoip {
+    source => "real_ip"
+    target => "geoip"
+    fields => ["city_name", "region_name", "country_name", "region_iso_code", "country_code2", "location"]
+  }
+
+  date {
+    match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
+    remove_field => [ "timestamp" ]
+  }
 }

 output {
@@ -36,4 +43,3 @@ output {
    document_type => "nginx_logs"
  }
 }
-