Today I was reading nginx's access.log into elasticsearch, and the date just would not parse. The config was as follows:

    grok {
      match => { "message" => ["%{IPORHOST:[nginx][access][remote_ip]} - %{DATA:[nginx][access][user_name]} \[%{HTTPDATE:[nginx][access][time]}\] \"%{WORD:[nginx][access][method]} %{DATA:[nginx][access][url]} HTTP/%{NUMBER:[nginx][access][http_version]}\" %{NUMBER:[nginx][access][response_code]} %{NUMBER:[nginx][access][body_sent][bytes]} \"%{DATA:[nginx][access][referrer]}\" \"%{DATA:[nginx][access][agent]}\""] }
      remove_field => "message"
    }
    date {
      match => [ "timestamp","dd/MMM/YYYY:HH:mm:ss Z" ]
    }
    useragent {
      source => "[nginx][access][agent]"
      target => "[nginx][access][user_agent]"
      remove_field => "[nginx][access][agent]"
    }
    geoip {
      source => "[nginx][access][remote_ip]"
      target => "[nginx][access][geoip]"
    }

After searching for a long time, I finally found that the problem was here:
date { match => [ "timestamp","dd/MMM/YYYY:HH:mm:ss Z" ] }
The date filter's default locale is taken from the system (JVM) locale, and the MMM month abbreviation in the pattern is locale dependent, so on a non-English host "Oct", "Nov" and friends never match and the event is tagged _dateparsefailure. Pin it to English:

    date { match => [ "timestamp","dd/MMM/YYYY:HH:mm:ss Z" ] locale => "en_US" }

Perfect!
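As an added, self-contained example (not the config from the post above), here is the same pipeline wired to stdin/stdout so the fix can be checked offline before pointing the output at Elasticsearch. Two things are worth verifying in the date block: the locale is pinned, and the `match` names the field the grok on this page actually produces, `[nginx][access][time]`; a date filter pointed at a field that is not on the event (here, `timestamp`) silently does nothing and `@timestamp` keeps the ingest time. The log line in the comment is constructed for the test, and the stdin/stdout plugins and the commented-out elasticsearch output are assumptions for the check, not part of the original setup.

```logstash
# Smoke test:  bin/logstash -f nginx-date.conf
# then paste a constructed combined-format line, e.g.
# 203.0.113.7 - - [10/Oct/2000:13:55:36 +0800] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
# On a host whose default locale is not English, the "before" block below leaves
# tags => ["_dateparsefailure"] on the event; the "after" block yields
# "@timestamp" => 2000-10-10T05:55:36.000Z (the +0800 offset converted to UTC).

input {
  stdin { }
}

filter {
  grok {
    match => { "message" => ["%{IPORHOST:[nginx][access][remote_ip]} - %{DATA:[nginx][access][user_name]} \[%{HTTPDATE:[nginx][access][time]}\] \"%{WORD:[nginx][access][method]} %{DATA:[nginx][access][url]} HTTP/%{NUMBER:[nginx][access][http_version]}\" %{NUMBER:[nginx][access][response_code]} %{NUMBER:[nginx][access][body_sent][bytes]} \"%{DATA:[nginx][access][referrer]}\" \"%{DATA:[nginx][access][agent]}\""] }
    # remove_field only runs when the match succeeds, so a line that does not
    # match keeps its raw message for troubleshooting.
    remove_field => "message"
  }

  # BEFORE (broken on a non-English host): no locale, so MMM is matched against
  # the JVM default locale's month names and "Oct" never parses.
  # date {
  #   match => [ "[nginx][access][time]", "dd/MMM/YYYY:HH:mm:ss Z" ]
  # }

  # AFTER: pin the locale so the English month abbreviations always match,
  # read the field grok populated, and write the result to @timestamp (the
  # default target, spelled out here for clarity).
  date {
    match  => [ "[nginx][access][time]", "dd/MMM/YYYY:HH:mm:ss Z" ]
    locale => "en_US"
    target => "@timestamp"
    # default is ["_dateparsefailure"]; listed explicitly so the tag is easy to
    # search for in Kibana or grep for in the stdout output below.
    tag_on_failure => ["_dateparsefailure"]
  }

  useragent {
    source => "[nginx][access][agent]"
    target => "[nginx][access][user_agent]"
    remove_field => "[nginx][access][agent]"
  }

  geoip {
    source => "[nginx][access][remote_ip]"
    target => "[nginx][access][geoip]"
  }
}

output {
  # Print the full event so @timestamp and tags can be inspected by eye.
  stdout { codec => rubydebug }

  # Once @timestamp is correct, swap in the real destination (host is assumed):
  # elasticsearch {
  #   hosts => ["http://localhost:9200"]
  #   index => "nginx-access-%{+YYYY.MM.dd}"
  # }
}
```

Keeping `locale` pinned is not only a convenience on Chinese-locale servers: any pipeline that parses English month names should set it, because the same config will otherwise behave differently depending on which host it is deployed to.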