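[logstash][geoip] Replacing a private IP with a public IP
April 27
For statistical convenience, and to get a comprehensive picture of the data,
internal IPs need to be made part of the data set.
The way to configure this in Logstash is as follows: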
# Public client address: look it up directly
if [clientip] and [clientip] !~ "(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
  geoip {
    database => "/opt/logstash-2.2.2/GeoLiteCity.dat"
    source => "clientip"
    target => "geoip"
    add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
  }
} else {
  # Private or missing client address: look up a fixed public IP instead
  mutate {
    add_field => { "lanip" => "real-public-ip-here" }
  }
  geoip {
    source => "lanip"
    target => "geoip"
    add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
  }
  # Drop the temporary field once the lookup is done
  mutate {
    remove_field => [ "lanip" ]
  }
}
The configuration above converts internal IPs to an external IP.
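An added example, not part of the original post: a Python check of which branch of the conditional above a given `clientip` takes, listing values that reach the direct geoip lookup even though they are not globally routable addresses. The function names and sample addresses are constructed for illustration; the pattern is copied from the config.

```python
import ipaddress
import re

# Pattern copied verbatim from the Logstash conditional above.
PRIVATE_RE = re.compile(
    r"(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)"
    r"|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)"
)

def branch(clientip):
    """Return the branch an event takes: 'geoip' (looked up as-is)
    or 'substitute' (replaced by the configured public IP)."""
    if clientip is not None and not PRIVATE_RE.search(clientip):
        return "geoip"
    return "substitute"

def mismatches(values):
    """Values sent to the direct lookup that are not global IP addresses."""
    out = []
    for v in values:
        if branch(v) != "geoip":
            continue
        try:
            if not ipaddress.ip_address(v).is_global:
                out.append(v)
        except ValueError:
            out.append(v)  # not an IP address at all, e.g. "-" in a log
    return out

# Constructed sample values (hypothetical, for illustration only).
SAMPLES = [
    "8.8.8.8", "10.1.2.3", "172.16.0.5", "172.31.255.1", "172.32.0.1",
    "192.168.1.10", "169.254.10.10", "127.0.0.1",
    "127.0.0.2",    # loopback, but the pattern only covers 127.0.0.1*
    "100.64.0.1",   # carrier-grade NAT range (100.64.0.0/10)
    "fd00::1",      # IPv6 unique local address
    "::1",          # IPv6 loopback
    "-",            # placeholder for a missing address
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value:15} -> {branch(value)}")
    print("reach geoip but are not global:", mismatches(SAMPLES))
```

Events with these values get no useful location from the direct lookup, so extend the pattern if such addresses appear in your logs.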