Heka GeoIpDecoder 配置

时间:2023-03-08 10:43:20

Prepare:

  1. 安装geoip-api-c,确保/usr/include/GeoIP.h存在;
  2. 源码编译安装Heka (容易出现问题);
  3. 下载GeoLiteCity.dat数据库。

配置文件举例:

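# Heka pipeline: tail JSON log files, decode each line, look up GeoIP data for
# the client IP, and send the result to a local Elasticsearch.
# The line-number gutter of the original listing is removed so that the file
# parses as TOML; all keys and values are unchanged.

[accesslogs]
type = "LogstreamerInput"
log_directory = "/home/dill/workspace/test/log/"
file_match = 'json\.log'
decoder = "MultiDecoder"

# Chains the sub-decoders below. JsonDecoder is listed first; GeoIpDecoder
# reads the "clientIP" field, so it depends on the JSON having been decoded.
[MultiDecoder]
subs = ['JsonDecoder', 'GeoIpDecoder']
cascade_strategy = "all"
# Sub-decoder errors are logged. NOTE(review): worth monitoring, since records
# that fail here presumably reach the output without the geoip field - confirm.
log_sub_errors = true

[JsonDecoder]
type = "SandboxDecoder"
filename = "lua_decoders/json.lua"

[JsonDecoder.config]
# Must stay equal to the value tested by message_matcher in
# [ElasticSearchOutput], otherwise nothing is forwarded.
type = "testGeoIP"
# NOTE(review): presumably maps the JSON keys to message fields, which is what
# makes "clientIP" visible to GeoIpDecoder - confirm against json.lua.
map_fields = true
# NOTE(review): presumably false drops the raw log line from the message
# payload; keep the source log files if the original record is needed later
# (e.g. as evidence in an investigation) - confirm.
payload_keep = false

[GeoIpDecoder]
# Path to the database file; only the GeoLiteCity.dat database can be read.
# The lookup is only as current as this file: note its date and treat the
# result as enrichment, not as proof of where a request came from.
db_file = "/usr/local/share/GeoIP/GeoLiteCity.dat"
# Field in the source data that holds the IP address.
# NOTE(review): if the application fills this field from a request header, the
# value is chosen by the client - confirm where "clientIP" comes from.
source_ip_field = "clientIP"
# Field that receives the lookup result.
target_field = "geoip"

[ElasticSearchOutput]
# Plain HTTP with no credentials configured: acceptable only while
# Elasticsearch listens on loopback. Use HTTPS and authentication before
# pointing this at another host.
server = "http://localhost:9200"
message_matcher = "Type == 'testGeoIP'"
encoder = "ESJsonEncoder"
flush_interval = 500
# NOTE(review): flushing after every single message looks like a test setting;
# confirm before using this under real log volume.
flush_count = 1

[ESJsonEncoder]
index = "testGeoIP"
type_name = "ipParse"
# If set, the JSON inside the geoip field is parsed.
#raw_bytes_fields = ["geoip"]
# Without "Fields", the content of the JSON is not mapped into ES.
fields = ["Uuid", "Timestamp", "Type", "Hostname", "Fields"]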