zhuce 发表于 2019-1-29 08:39:32

elasticsearch 日志抓取使用

  # rpm -ivh logstash-2.3.3-1.noarch.rpm
# /opt/logstash/bin/logstash -e 'input {stdin { } } output { stdout { codec => rubydebug } }'
Settings: Default pipeline workers: 1
Pipeline main started
hello #随便写
{
"message" => "hello",
"@version" => "1",
"@timestamp" => "2018-12-08T03:58:53.761Z",
"host" => "server5"
}
redhat
{
"message" => "redhat",
"@version" => "1",
"@timestamp" => "2018-12-08T03:59:05.366Z",
"host" => "server5"
}
^CSIGINT received. Shutting down the agent. {:level=>:warn}
stopping pipeline {:id=>"main"}
  Pipeline main has been shutdown
# /opt/logstash/bin/logstash -e 'input {stdin { } } output { stdout { codec => rubydebug } elasticsearch { hosts => ["172.25.135.5"] index => "logstash-%{+YYYY.MM.dd}"} }'
# cd /etc/logstash/conf.d/
# ls
# vim es.conf
http://i2.运维网.com/images/blog/201812/08/0705f9c83240186ec0746841dfd5e97e.png
# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/es.conf
http://i2.运维网.com/images/blog/201812/08/a3397fef7d0ea5af7a470ceddc8cc917.png
# cat /tmp/testfile
custom format: asdjkl
# chmod 644 /var/log/messages
# logger "hello" #没有日志就先写几条,已有日志则可略过
# logger "hello"
# logger "hello"
# logger "hello"
  # vim es.conf
input {
# Tail the system log. "beginning" only applies to a file Logstash has no
# sincedb record for yet; otherwise it resumes from the offset saved in
# ~/.sincedb_* (shown later on the page as inode, major, minor, position).
# Logstash needs read access to this file. The page grants it with
# `chmod 644 /var/log/messages`, which makes the system log world-readable;
# a group or ACL grant to the Logstash user is the narrower option.
file {
path => "/var/log/messages"
start_position => "beginning"
}
}
  output {

# Pretty-print every event on the console (debug aid, not for production).
stdout {

codec => rubydebug

}

# Ship to Elasticsearch, one index per day. No `ssl`, `user` or `password`
# option is set, so transport and auth are the plugin defaults -- assumed to
# be plain HTTP without authentication; confirm before exposing this host.
    elasticsearch {
hosts => ["172.25.135.5"]
index => "message-%{+YYYY.MM.dd}"
}
# Also append one formatted line per event to a fixed path.
# NOTE(review): /tmp is shared and world-writable; acceptable for this demo,
# but use a Logstash-owned directory for anything persistent.
file {

path => "/tmp/testfile"

codec => line { format => "custom format: %{message}"}

}
  }
# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/es.conf
# cd
# l.
.            .bashrc            .pki
..             .cache             .sincedb_452905a167cf4509fd08acb964fdb20c
.bash_history  .cshrc             .ssh
.bash_logout   .mysql_history   .tcshrc
.bash_profile  .oracle_jre_usage  .viminfo
# cat .sincedb_452905a167cf4509fd08acb964fdb20c
267849 0 64768 517
# ls -i /var/log/messages
267849 /var/log/messages   #两者id一样
http://i2.运维网.com/images/blog/201812/08/aa1587bebe8426a0f3b786ef00799be6.png
http://i2.运维网.com/images/blog/201812/08/fdc9f1c11ccf184456a488f02aa45320.png
# vim /etc/rsyslog.conf
*.* @@172.25.135.5:514   #末尾添加,server7,8同样添加,同样重启以下服务
# /etc/init.d/elasticsearch restart
# /etc/init.d/rsyslog restart   
# vim es.conf
input {

# Tail the system log; "beginning" applies only to a file Logstash has no
# sincedb record for, otherwise it resumes from the saved offset.
# Read access was granted on the page with `chmod 644 /var/log/messages`,
# which makes the system log world-readable; a group/ACL grant to the
# Logstash user is the narrower choice.
file {

path => "/var/log/messages"

start_position => "beginning"

}

# Receive syslog forwarded by the other hosts (their rsyslog rule
# `@@172.25.135.5:514` forwards over TCP; this input listens on TCP and UDP).
# Port 514 is privileged, so the process needs root (or CAP_NET_BIND_SERVICE)
# to bind it, and with no `host` option the plugin binds its default 0.0.0.0.
# Any sender that can reach the port can deliver unauthenticated, cleartext
# events, so restrict the allowed sources with a firewall rule.
   syslog {
port=> 514
}
  }
  output {
# Console dump of every event (debug aid).
stdout {
codec => rubydebug
}
# Daily index. No `ssl`, `user` or `password` option is set, so transport and
# auth are the plugin defaults -- assumed plain HTTP without authentication;
# confirm before exposing this host.
elasticsearch {
hosts => ["172.25.135.5"]
index => "message-%{+YYYY.MM.dd}"
}

# One formatted line per event appended to a fixed path in the shared /tmp
# directory; fine for a demo, use a Logstash-owned directory otherwise.
file {

path => "/tmp/testfile"

codec => line { format => "custom format: %{message}"}

}
  }
  # /opt/logstash/bin/logstash -f /etc/logstash/conf.d/es.conf
#为了方便看:
可以给server7,8加点日志
# logger server2
# logger server2
# logger server2
# logger server3
# logger server3
# logger server3
刷新可以看出:
http://i2.运维网.com/images/blog/201812/08/7df73d92ac6b650fc48b9511075c3272.png
# cd
# l.
.            .bash_profile  .mysql_history                           .ssh
..             .bashrc      .oracle_jre_usage                        .tcshrc
.bash_history  .cache         .pki                                       .viminfo
.bash_logout   .cshrc         .sincedb_452905a167cf4509fd08acb964fdb20c
# rm -fr .sincedb_452905a167cf4509fd08acb964fdb20c
# cd -
/etc/logstash/conf.d
# ls
es.conf
# vim es.conf
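input {
  # Tail the Elasticsearch server log instead of /var/log/messages.
  # "beginning" only takes effect for a file Logstash has no sincedb record
  # for (the page deletes the old ~/.sincedb_* before switching inputs).
  file {
    path => "/var/log/elasticsearch/my-es.log"
    start_position => "beginning"
  }

  # Syslog forwarded by the other hosts (rsyslog `@@host:514` is TCP; this
  # input listens on TCP and UDP). Port 514 is privileged, so the process
  # needs root (or CAP_NET_BIND_SERVICE) to bind it; with no `host` option
  # the plugin binds its default 0.0.0.0 and accepts unauthenticated,
  # cleartext events from any sender, so restrict sources with a firewall rule.
  syslog {
    port => 514
  }
}

# The multiline filter stays disabled, as in the original post. There only
# the `filter {` and closing `}` lines were commented out, which left
# `multiline { ... }` at top level; Logstash accepts only input/filter/output
# sections there, so the whole block is commented out here instead.
# Before enabling it, note:
#  * the posted `pattern => "^["` is an unterminated character class and does
#    not compile as a regex; the literal "[" must be escaped, as shown below;
#  * `type => "eslog"` limits the filter to events carrying that type, and
#    neither input above sets one, so add `type => "eslog"` to the file input
#    or drop the option, otherwise the filter never matches;
#  * the `multiline` codec on the file input is the documented replacement
#    for this filter on this Logstash version.
#filter {
#  multiline {
#    type => "eslog"
#    pattern => "^\["
#    negate => true
#    what => "previous"
#  }
#}

output {
  # Console dump of every event (debug aid).
  stdout {
    codec => rubydebug
  }

  # Daily index for the ES log events. No `ssl`, `user` or `password` option
  # is set, so transport and auth are the plugin defaults -- assumed plain
  # HTTP without authentication; confirm before exposing this host.
  elasticsearch {
    hosts => ["172.25.135.5"]
    index => "es-%{+YYYY.MM.dd}"
  }

  # One formatted line per event appended to a fixed path in the shared /tmp
  # directory; fine for a demo, use a Logstash-owned directory otherwise.
  file {
    path => "/tmp/testfile"
    codec => line { format => "custom format: %{message}"}
  }
}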
  # /opt/logstash/bin/logstash -f /etc/logstash/conf.d/es.conf    #新建eslog
刷新浏览器可以看出:


