@jarosite
Created May 19, 2015 06:31
# Logstash filter pipeline for nginx logs. Events are routed on [type]:
# types matching /nginx_.*_error/ are handled as nginx error logs, any other
# type starting with "nginx_" as access logs. Filters run top to bottom and
# later blocks read fields the earlier ones create, so block order matters.
filter {
  # Format Nginx Error logs
  if [type] =~ /nginx_.*_error/ {
    # Three patterns, tried in order: prefix with pid/connection ids, prefix
    # with severity only, then timestamp only. Each captures the remainder
    # back into "message" (overwrite), so later filters only see the text
    # after the log prefix.
    grok {
      match => {
        "message" => [
          "%{DATESTAMP:timestamp} \[%{DATA:severity}\] (%{NUMBER:pid:int}#%{NUMBER}: \*%{NUMBER}|\*%{NUMBER}) %{GREEDYDATA:message}",
          "%{DATESTAMP:timestamp} \[%{DATA:severity}\] %{GREEDYDATA:message}",
          "%{DATESTAMP:timestamp} %{GREEDYDATA:message}"
        ]
      }
      overwrite => [ "message" ]
    }
    # Split the leading error text (nginx_error) from the trailing
    # "key: value, key: value" list, which again replaces "message".
    grok {
      match => { "message" => [ "%{DATA:nginx_error}, %{GREEDYDATA:message}"] }
      overwrite => [ "message" ]
    }
    # Turn the remaining "client: ..., server: ..., request: ..." list into
    # fields. "host" is excluded so the event's own host field is not
    # clobbered by the value nginx logs.
    # NOTE(review): the keys are taken from log text that embeds the client's
    # request line and referrer, so a comma or colon inside a request URL can
    # yield unexpected field names; an include_keys allowlist of the nginx
    # keys actually wanted (client, server, request, upstream, referrer)
    # would bound the set of fields this can create.
    kv {
      field_split => ","
      value_split => ":"
      trimkey => " "
      trim => "\""
      exclude_keys => [ "host"]
    }
    # Remove leading/trailing whitespace left on the kv-derived fields.
    mutate {
      strip => ["client", "server", "request", "upstream", "referrer"]
    }
    # Break the "upstream" URL into ip, optional port, path and query
    # string, then drop the raw fields that were parsed. A "port" field is
    # also dropped; where it originates is not visible in this config.
    grok {
      match => { "upstream" => [ "%{URIPROTO}://%{IPORHOST:upstream_ip}(?::%{POSINT:upstream_port})?%{URIPATH:upstream_request}%{URIPARAM:upstream_qs}" ] }
      remove_field => [ "message", "upstream", "port"]
    }
    # Tag ad-ping requests so they can be filtered out downstream.
    if "/ping/ad" in [request] {
      mutate {
        add_tag => [ "ad_ping_drop" ]
      }
    }
    # For ping requests, pull the "h=" query value into qs_host.
    grok {
      match => { "request" => [ "GET /ping/?(ad)?\?h=%{DATA:qs_host}&" ] }
    }
    if [upstream_ip] {
      # Tag upstreams inside 10.0.0.0/8 as EC2-internal.
      cidr {
        add_tag => ["ec2_ip"]
        address => ["%{upstream_ip}"]
        network => [
          "10.0.0.0/8"
        ]
      }
      # upstream_host starts as a copy of the ip; the dns filter below may
      # replace it with a name.
      mutate {
        add_field => { "upstream_host" => "%{upstream_ip}" }
      }
      # Reverse lookup is gated on the ec2_ip tag, so lookups are only
      # issued for 10.0.0.0/8 addresses, not for arbitrary values found in
      # the log line.
      if "ec2_ip" in [tags] {
        dns {
          reverse => ["upstream_host"]
          action => "replace"
        }
      }
      # Rebuild upstream_addr as host[:port] from the (possibly resolved) host.
      if [upstream_port] {
        mutate {
          add_field => { "upstream_addr" => "%{upstream_host}:%{upstream_port}" }
        }
      }
      else {
        mutate {
          add_field => { "upstream_addr" => "%{upstream_host}" }
        }
      }
    }
    # Set @timestamp from the captured timestamp, then drop the raw field.
    # NOTE(review): the "yy/MM/dd" pattern implies the captured timestamp
    # carries a two-digit year; confirm this against the actual nginx
    # error-log date format in use.
    date {
      match => [ "timestamp", "yy/MM/dd HH:mm:ss" ]
      remove_field => [ "timestamp" ]
    }
  }
  # Handle Regular Nginx access logs
  else if [type] =~ /^nginx_/ {
    # Decode the query string, then explode it into qs_<name> fields.
    urldecode {
      field => "query_strings"
    }
    # NOTE(review): parameter names in query_strings are chosen by the
    # client, so every distinct name becomes a new qs_* field; if these
    # events are indexed, that is unbounded field growth driven by request
    # traffic. An include_keys allowlist would cap it.
    kv {
      source => "query_strings"
      prefix => "qs_"
      field_split => "&?"
      remove_field => [ "query_strings" ]
    }
    # nginx logs "-" when no upstream was involved; drop those placeholders.
    if [upstream_status] == "-" {
      mutate {
        remove_field => [ "upstream_status" ]
      }
    }
    if [upstream_response_time] == "-" {
      mutate {
        remove_field => [ "upstream_response_time" ]
      }
    }
    if [upstream_addr] and [upstream_addr] != "-" {
      # Split "ip:port" into a two-element array.
      # NOTE(review): nginx can log several comma-separated addresses in
      # $upstream_addr when more than one upstream was tried, and an IPv6
      # address contains ":" itself; neither case is handled here, so
      # confirm which upstream_addr values this config is expected to see.
      mutate {
        split => [ "upstream_addr", ":" ]
      }
      # NOTE(review): verify that "%{upstream_addr[0]}" resolves to the first
      # array element on this Logstash version; the documented field
      # reference form is [upstream_addr][0].
      cidr {
        add_tag => ["ec2_ip"]
        address => ["%{upstream_addr[0]}"]
        network => [
          "10.0.0.0/8"
        ]
      }
      # Mirror the error-log branch: host (resolvable), ip and port fields.
      mutate {
        add_field => [ "upstream_host" , "%{upstream_addr[0]}" ]
        add_field => [ "upstream_ip" , "%{upstream_addr[0]}" ]
        add_field => [ "upstream_port" , "%{upstream_addr[1]}" ]
      }
      mutate {
        remove_field => [ "upstream_addr" ]
      }
      # Reverse lookup only for 10.0.0.0/8 upstreams, as in the error branch.
      if "ec2_ip" in [tags] {
        dns {
          reverse => ["upstream_host"]
          action => "replace"
        }
      }
      # Recreate upstream_addr as host:port after resolution.
      mutate {
        add_field => { "upstream_addr" => "%{upstream_host}:%{upstream_port}" }
      }
    }
    # Tag clients from private/loopback/link-local ranges so they are
    # skipped by the GeoIP lookup below.
    cidr {
      add_tag => ["private_ip"]
      address => ["%{remote_addr}"]
      network => [
        "10.0.0.0/8",
        "127.0.0.0/8",
        "169.254.0.0/16",
        "172.16.0.0/12",
        "192.168.0.0/16"
      ]
    }
    # Only GeoIP on logs we care about
    if [type] in ["nginx_gator", "nginx_web"] {
      if "private_ip" not in [tags] {
        geoip {
          fields => [ "country_code2", "latitude", "longitude", "location", "region_name", "city_name" ]
          source => "remote_addr"
          database => "/mnt/data/GeoIPCity.dat"
        }
      }
    }
  }
}