3.Logstash 入门教程 -配置案例

aaahd

　　3.Logstash 入门教程 -配置案例
　　介绍一个详细案例，讲述如何配置读取Apache日志，Syslog并根据自定义条件进行过滤和输出。
　　手工输入并解析数据
　　LS中可以通过Filter针对数据进行切片切块等操作，解析，装换，组装等等。。

input { stdin { } } #控制台输入
filter {
grok { #通过GROK来自动解析APACHE日志格式
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
date {#通过Date过滤器来自动识别日期格式。
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}
output {
elasticsearch { host => localhost } #输出到ES中。
stdout { codec => rubydebug } #输出到控制台
}
　　启动LS：bin/logstash -f logstash-filter.conf
　　并在控制台输入：

127.0.0.1 - - [11/Dec/2013:00:01:45 -0800] "GET /xampp/status.php HTTP/1.1" 200 3891 "http://cadenza/xampp/navi.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0"

　　可以看到输出结果为：

{
"message" => "127.0.0.1 - - [11/Dec/2013:00:01:45 -0800] \"GET /xampp/status.php HTTP/1.1\" 200 3891 \"http://cadenza/xampp/navi.php\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\"",
"@timestamp" => "2013-12-11T08:01:45.000Z",
"@version" => "1",
"host" => "cadenza",
"clientip" => "127.0.0.1",
"ident" => "-",
"auth" => "-",
"timestamp" => "11/Dec/2013:00:01:45 -0800",
"verb" => "GET",
"request" => "/xampp/status.php",
"httpversion" => "1.1",
"response" => "200",
"bytes" => "3891",
"referrer" => "\"http://cadenza/xampp/navi.php\"",
"agent" => "\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\""
}
　　看到结果了吧，完成了两个操作
　　1.LS使用grok自动解析了日志格式，
　　2.针对timestamp进行Date格式识别，并复制给了@timestamp字段。
　　再进一步，从文件中输入并解析数据

input {
file { #通过Input配置，从文件中读取数据。
path => "/tmp/access_log"  #日志文件位置
start_position => "beginning"
#是否从头部开始读取。
#Logstash启动后，会在系统中记录一个隐藏文件，记录处理过的行号，
#当进行挂掉，重新启动后，根据该行号记录续读。
#所以start_position只会生效一次。
}
}
filter {
if [path] =~ "access" {#当路径包含access时，才会执行以下处理逻辑
mutate { replace => { "type" => "apache_access" } }
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
}else if [path] =~ "error" { #IF-ElSE 配置方式。
mutate { replace => { type => "apache_error" } }
#使用Mutate 替换type的值为“apache_error”
} else {
mutate { replace => { type => "random_logs" } }
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}
output {
elasticsearch {
host => localhost
}
stdout { codec => rubydebug }
}

　　再来看个案例：

output {
if [type] == "apache" {
if [status] =~ /^5\d\d/ { #如果status状态为5xx，发送给nagios。
nagios { ...  }
} else if [status] =~ /^4\d\d/ {#如果是4xx，发送到elasticSearch
elasticsearch { ... }
}
statsd { increment => "apache.%{status}" } #所有数据给statsd
}
}
　　处理SysLog案例：

处理SysLog案例：
input {
tcp {
port => 5000   #读取TCP端口
type => syslog #数据类型
}
udp {
port => 5000   #读取UDP端口
type => syslog #数据类型
}
}
filter {
if [type] == "syslog" {
grok { #解析日志格式。
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ] #添加字段
add_field => [ "received_from", "%{host}" ]     #添加字段
}
syslog_pri { }
date {  #日期格式处理，这里匹配了两种不同的日期格式。
match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
output { #数据输出。
elasticsearch { host => localhost }
stdout { codec => rubydebug }
}
　　启动服务：
　　bin/logstash -f logstash-syslog.conf
　　发送测试数据：

telnet localhost 5000
Dec 23 12:11:43 louis postfix/smtpd[31499]: connect from unknown[95.75.93.154]
Dec 23 14:42:56 louis named[16000]: client 199.48.164.7#64817: query (cache) 'amsterdamboothuren.com/MX/IN' denied
Dec 23 14:30:01 louis CRON[619]: (www-data) CMD (php /usr/share/cacti/site/poller.php >/dev/null 2>/var/log/cacti/poller-error.log)
Dec 22 18:28:06 louis rsyslogd: [origin software="rsyslogd" swVersion="4.2.0" x-pid="2253" x-info="http://www.rsyslog.com"] rsyslogd was HUPed, type 'lightweight'.

　　查看结果：

{
"message" => "Dec 23 14:30:01 louis CRON[619]: (www-data) CMD (php /usr/share/cacti/site/poller.php >/dev/null 2>/var/log/cacti/poller-error.log)",
"@timestamp" => "2013-12-23T22:30:01.000Z",
"@version" => "1",
"type" => "syslog",
"host" => "0:0:0:0:0:0:0:1:52617",
"syslog_timestamp" => "Dec 23 14:30:01",
"syslog_hostname" => "louis",
"syslog_program" => "CRON",
"syslog_pid" => "619",
"syslog_message" => "(www-data) CMD (php /usr/share/cacti/site/poller.php >/dev/null 2>/var/log/cacti/poller-error.log)",
"received_at" => "2013-12-23 22:49:22 UTC",
"received_from" => "0:0:0:0:0:0:0:1:52617",
"syslog_severity_code" => 5,
"syslog_facility_code" => 1,
"syslog_facility" => "user-level",
"syslog_severity" => "notice"
}

狂奔的初学者

fdsafds

back_to_basics

多谢楼主分享