RSS[logstash][geoip] 以public-IP取代priveate-IP
4 月 27
為了統計上的便利, 並取得全面性的資料樣態
需要把內部IP轉化為數據群體的一部分
在 logstash 設定的方法如下,
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | if [clientip] and [clientip] !~ "(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" { geoip { database => "/opt/logstash-2.2.2/GeoLiteCity.dat" source => "clientip" target => "geoip" add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ] add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ] }else { mutate { add_field => [ "lanip" => "real-public-ip-here" ] } geoip { source => "lanip" target => "geoip" add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ] add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ] } mutate { remove_field => [ "lanip" ] } } |
以上設定能將內部IP轉為外部IP