logstash 配置


输入

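input {
    # Standard input: handy for interactive testing, not for production.
    stdin {
        codec => "plain"
    }

    # HTTP listener. Binding 0.0.0.0 exposes it on every interface, and as
    # written there is no authentication and no TLS, so any client that can
    # reach port 8099 can inject events into the pipeline. Restrict reachability
    # (firewall / bind to a private address) or set `user`/`password` and
    # `ssl => true` with a certificate and key before exposing it.
    http {
        host => "0.0.0.0"
        port => "8099"
    }

    # beats family, e.g. filebeat. Same caveat: without `ssl => true` plus a
    # certificate/key, every host that can reach port 5044 may send events.
    beats {
        port => 5044
        host => "0.0.0.0"
    }

    # Read events from a file.
    file {
        path => ['/var/log/nginx/access.log']  # file(s) to read
        type => 'nginx_access_log'
        start_position => "beginning"
    }
    # path: may be a glob such as /var/log/*.log or /var/log/**/*.log;
    #       a bare directory /var/log is treated as /var/log/*.log
    # type: generic option, used to select events in filters
    # start_position: where Logstash starts reading a file, "beginning" or "end"
    # other common options: discover_interval, exclude, sincedb_path,
    #       sincedb_write_interval -- see the official docs

    # rsyslog: read system log messages from the network as events.
    # The original listed two syslog stanzas on port 514; only one listener
    # can bind a port, so the second one fails at startup. They are merged
    # here. 514 is a privileged port (< 1024), so the Logstash process needs
    # the right to bind it; a port above 1024 avoids that.
    # port: listening port (opens both TCP and UDP on that port)
    # type: generic option, used to select events in filters
    syslog {
        type => "system-syslog"
        port => 514
    }
    # To feed it from rsyslog, add one line to /etc/rsyslog.conf:
    #   *.* @172.17.128.200:514   # send every message to this listener
    # then restart the service:  service rsyslog restart
    # A single @ means plain UDP, which is neither authenticated nor
    # encrypted -- keep the collector on a trusted network segment.

    # kafka: read records from Kafka topics as events.
    kafka {
        bootstrap_servers => "kafka01:9092,kafka02:9092,kafka03:9092"
        topics => ["access_log"]
        #group_id => "logstash-file"
        codec => "json"
    }
    # bootstrap_servers: list of Kafka broker URLs used for the initial
    #       cluster connection
    # topics: list of topics to subscribe to
    # group_id: id of the consumer group this instance belongs to, default
    #       "logstash"; instances sharing a group_id share a topic's partitions
    # codec: generic option, codec used to decode the incoming data
}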

还有很多的input插件类型,可以参考官方文档来配置。

输出

output {
    # Elasticsearch over plain HTTP with no credentials. Acceptable for a
    # local lab; for a shared cluster set `user`/`password` (or `api_key`)
    # and `ssl => true`. Every event, regardless of its input type, lands in
    # the same monthly index -- add an `if [type] == ...` conditional if the
    # nginx and syslog streams should be kept apart.
    elasticsearch {
        hosts => ["elasticsearch:9200"]
        index => "system-syslog-%{+YYYY.MM}"
    }
    # Writes each event's message to a per-host file. %{host} comes from the
    # event, and with the beats/http/syslog inputs that value is supplied by
    # the remote sender, so a crafted host value (path separators, "..")
    # changes where the file is written. Prefer a static path or a field
    # sanitized in a filter (mutate/gsub). Newer versions of the file output
    # reportedly refuse paths that resolve outside the static prefix -- verify
    # for the installed plugin version rather than relying on it.
    # NOTE(review): with beats under ECS, [host] may be an object
    # ([host][name]) rather than a string -- confirm what this renders as.
    file {
       path => "/var/log/nginx/%{host}/save.txt"
       codec => line { format => "%{message}" }
    }
    # No bootstrap_servers given, so this relies on the plugin default
    # (localhost:9092); set it explicitly in a real deployment.
    kafka {
        codec => json
        topic_id => "mytopic"
    }
    # Pretty-prints every event to the console; debugging only.
    stdout { codec => rubydebug}
}

调试

# One-shot pipeline for trying the NGINX_ACCESS grok pattern against a line
# typed on stdin; patterns_dir points at the custom pattern file shown below.
logstash -e 'input { stdin{} } filter { grok { patterns_dir => "/usr/share/logstash/patterns" match => { "message" => "%{NGINX_ACCESS}" } }} output { stdout {} }' 

#接着输入
172.19.0.1 - - [08/Mar/2022:08:20:29 +0000] "GET / HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0" "-"
#响应
{
          "bytes" => "153",
           "host" => "centos8.localdomain",
       "@version" => "1",
           "verb" => "GET",
          "agent" => "\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0\"",
        "request" => "/",
    "httpversion" => "1.1",
     "@timestamp" => 2022-03-18T09:47:04.498Z,
        "message" => "172.19.0.1 - - [08/Mar/2022:08:20:29 +0000] \"GET / HTTP/1.1\" 404 153 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0\" \"-\"",
      "forwarder" => "\"-\"",
       "clientip" => "172.19.0.1",
          "ident" => "-",
      "timestamp" => "08/Mar/2022:08:20:29 +0000",
       "response" => "404",
       "referrer" => "\"-\""
}

#/usr/share/logstash/patterns/nginx
# Custom pattern for an nginx access line with one extra trailing quoted
# field (captured as "forwarder"; presumably X-Forwarded-For -- verify
# against the nginx log_format). In the second token
# `(?:-|(%{WORD}.%{WORD}))` the `.` is unescaped, so it matches any single
# character between the two words; a literal dot would be `\.`.
# Grok runs on untrusted log lines: keep the pattern as specific as it is
# here (anchored tokens, no bare .*) and consider the grok filter's
# `timeout_millis` so a pathological line cannot stall a pipeline worker.
NGINX_ACCESS %{IPORHOST:clientip} (?:-|(%{WORD}.%{WORD})) %{USER:ident} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent} %{QS:forwarder}

默认patterns:/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-patterns-core-4.3.2/patterns

调试工具:http://grokdebug.herokuapp.com/

代码

https://github.com/chudaozhe/efk/tree/master/logstash

相关链接

https://www.cnblogs.com/wzxmt/p/11031110.html

https://www.jmsite.cn/blog-855.html

https://www.elastic.co/guide/en/logstash/7.17/input-plugins.html

https://www.elastic.co/guide/en/logstash/7.17/filter-plugins.html

https://www.elastic.co/guide/en/logstash/7.17/output-plugins.html
