
[Logstash] IIS

no500 2022. 2. 11. 20:01

개요

 

설정(centos7)

  1. 다운로드
    https://www.elastic.co/kr/downloads/logstash
  2. 글로벌 설정
    /etc/logstash/logstash.yml
    path.data: /var/lib/logstash
    path.logs: /var/log/logstash
  3. IIS 설정
    /etc/logstash/conf.d/iis.conf
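    input {
      # Receives IIS log lines shipped by beats agents on the web servers.
      beats {
        port => 5044
        # Listens on every interface. Limit this to the address the beats
        # agents actually reach and enable TLS on the listener
        # (ssl / ssl_certificate / ssl_key) unless the link is already
        # protected, so the port and the log data are not exposed in the clear.
        host => "0.0.0.0"
        # 24h idle timeout so beats connections survive quiet periods
        # between IIS log flushes instead of being dropped and re-opened.
        client_inactivity_timeout => 86400
      }
    }

    filter {
      # IIS writes "#..." header/comment lines at the top of each log file;
      # they carry no request data, so drop them before parsing.
      if [message] =~ "^#" {
        drop {}
      }

      # The field order must match the #Fields line of your IIS log settings
      # (default W3C order: date time s-ip cs-method cs-uri-stem cs-uri-query
      # s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
      # sc-substatus sc-win32-status time-taken).
      # Fix: cs(Referer) is logged as "-" when absent, and %{URI} cannot match
      # "-", so the previous "(%{URI:referer})?" left nothing to consume that
      # token and every such line was tagged _grokparsefailure. %{NOTSPACE}
      # accepts both a URL and "-". This assumes cs(Referer) is enabled in
      # IIS logging (it is by default); remove the token if it is not.
      grok {
        match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} %{NOTSPACE:referer} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:time_taken}"]
      }

      # Set @timestamp from the log line rather than from ingest time.
      # IIS W3C logs record date/time in UTC by default, hence the fixed zone.
      # https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html
      date {
        match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
        timezone => "Etc/UCT"
      }

      # Expand the raw user-agent string into browser_name/browser_version/...
      # NOTE(review): IIS replaces spaces in cs(User-Agent) with "+", so the
      # parsed browser fields may be coarser than from a raw UA string — verify
      # against your data.
      # https://www.elastic.co/guide/en/logstash/current/plugins-filters-useragent.html
      useragent {
        source => "useragent"
        prefix => "browser_"
      }

      # The raw timestamp is redundant once @timestamp has been set.
      mutate {
        remove_field => [ "log_timestamp" ]
      }
    }

    output {
      # Debug output only; remove once the pipeline is verified, it doubles
      # the per-event work and fills /var/log/logstash.
      stdout { codec => rubydebug }
      # Plain HTTP to a local node. If Elasticsearch is remote or has security
      # enabled, add credentials and TLS here (user / password / ssl) rather
      # than exposing an unauthenticated endpoint.
      elasticsearch { hosts => ["localhost:9200"] }
    }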
  4. 서비스 시작
    /
    systemctl start logstash