# Input: receive events shipped by Beats agents (Filebeat etc.) on TCP 5044.
#
# NOTE(review): this listener is configured without `ssl => true` /
# `ssl_certificate` / `ssl_key` / `ssl_verify_mode`, so log data crosses the
# network in clear text and any host that can reach 5044 can inject events
# (including the `gorlogs` / `normallogs` tags that select the filter and
# output branches below). Restrict the port with a host firewall and enable
# mutual TLS if the shippers are not on the same host.
input {
  beats { port => "5044" }
}
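# Filter stage.
#
# Events tagged `gorlogs` carry a raw HTTP request (as captured by a replay
# tool) in [message]; the ruby filter tokenises it on single spaces and lifts
# a handful of request-line / header values into their own fields, after which
# the raw message and the Beats bookkeeping fields are dropped. Events tagged
# `normallogs` carry a JSON document in [message] and are simply decoded.
#
# Security / robustness notes for the `gorlogs` branch:
#  * Everything parsed here is attacker-controlled request content. The
#    original code indexed `array[index + 1]` unguarded and looped
#    `until array[i + 1].include?('accept')`, so a request whose header is the
#    last token, or whose `user-agent:` header is not followed by a token
#    containing `accept`, raised NoMethodError on nil inside the filter --
#    Logstash reports that as a `_rubyexception` on the event and, depending
#    on the release, can stall the worker. Every lookup is now nil-guarded
#    and the user-agent scan stops at the end of the token list.
#  * [clientip] is taken from an `X-Real-IP:` header. That value is only
#    meaningful when a trusted proxy sets it; a client that reaches the
#    origin directly can supply any address and thereby any geoip result.
#  * Header values containing spaces (Host is fine, but e.g. a multi-word
#    `User-Agent:` with capitalised name) are truncated to their first token;
#    only the lowercase `user-agent:` branch collects multiple tokens. The
#    `accept` sentinel is matched case-sensitively, as in the original.
filter {
  if "gorlogs" in [tags] {
    ruby {
      code => "
        tokens = event.get('message').to_s.split(' ')
        tokens.each_with_index do |item, index|
          nxt = tokens[index + 1]
          case item
          when 'Host:'
            event.set('Host:', nxt) if nxt
          when 'GET', 'POST'
            event.set('Method', item)
            event.set('Url', nxt) if nxt
          when 'User-Agent:'
            event.set('User-Agent', nxt) if nxt
          when 'user-agent:'
            ua = ''
            i = index
            while (tok = tokens[i + 1]) && !tok.include?('accept')
              ua << tok << ' '
              i += 1
            end
            event.set('user-agent', ua)
          when 'X-Real-IP:'
            event.set('clientip', nxt) if nxt
          end
        end
      "
      # The raw request is discarded after parsing; note this also removes
      # the only copy of any headers/body the parser above does not extract.
      remove_field => ['host', '@version', '_version', 'input', 'prospector', 'beat', 'message', 'offset', 'log']
    }
    # Geo-enrich the (untrusted, see above) client address. A missing or
    # unparsable [clientip] yields a `_geoip_lookup_failure` tag, not an error.
    geoip {
      source => "clientip"
      target => "geoip"
      fields => ["country_name", "region_name", "city_name", "location", "ip"]
    }
    # Parse the multi-token user-agent string into [devices]; the filter is a
    # no-op when [user-agent] was not set.
    useragent {
      source => "user-agent"
      target => "devices"
    }
  }
  if "normallogs" in [tags] {
    # Decode JSON from [message]; malformed input is tagged `_jsonparsefailure`.
    json {
      source => "message"
    }
  }
}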
# Output: route each tag family to its own daily Elasticsearch index on the
# local node. An event carrying neither tag is silently dropped; one carrying
# both is written twice.
#
# NOTE(review): the connection is plain HTTP with no `user`/`password` or
# `ssl` settings, which is only acceptable while Elasticsearch is bound to
# the loopback interface of this host.
output {
  if "gorlogs" in [tags] {
    elasticsearch {
      index => "logstash-gor-%{+YYYY.MM.dd}"
      hosts => ["localhost:9200"]
    }
  }
  if "normallogs" in [tags] {
    elasticsearch {
      index => "logstash-%{+YYYY.MM.dd}"
      hosts => ["localhost:9200"]
    }
  }
}