配置Logstash
TypeScript
# cat syslog02.conf
#filename:syslog02.conf #注意这个是要用#号注释掉
input{
file{
path => ["/var/log/*.log"]
}
}
output{
elasticsearch {
#建议将搜索引擎不要和应用部署到一台服务器,我们介绍就同台服务器
hosts => ["192.168.1.1:9200"]
}
}查看配置文件是否有问题:
TypeScript
# ../bin/logstash -f syslog02.conf -t
Sending Logstash's logs to /usr/local/logstash/logs which is now configured via log4j2.properties
[2016-12-01T09:54:46,512][FATAL][logstash.runner ] The given configuration is invalid. Reason: Expected one of #, input, filter, output at line 1, column 1 (byte 1) after在output -> elasticsearch下增加一个index配置:
TypeScript
cat syslog02.conf
#filename:syslog02.conf
input{
file{
path => ["/var/log/*.log"]
format => json
}
}
output{
elasticsearch {
hosts => ["192.168.1.1:9200"]
index => "syslog02_log%{jsonsrt}"
}
}再次简测配置文件:
TypeScript
# ../bin/logstash -f syslog02.conf -t
Sending Logstash's logs to /usr/local/logstash/logs which is now configured via log4j2.propertiesConfiguration OK
[2016-12-01T11:40:56,791][INFO ][logstash.runner ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash启动并在后台执行:
TypeScript
# ../bin/logstash -f syslog02.conf &hosts:["127.0.0.1:9200","127.0.0.2:9200"]
action:指定es的行为,index, delete, create, update
默认为index:index a document(该document就是一个来自于logstash的event)
delete:通过id删除一个document(需要指定document_id)
create:index a document(如果该document已经在index中存在,则失败)
update:通过id更新一个document
cacert:验证server合法性的.cer或.pem文件路径
codec:
document_id
document_type
index:默认值:logstash-%{+YYYY.MM.dd}
便于删除老数据
在语法解析的时候,看到+号开头的,会自动认为后面是时间格式,尝试用时间格式来解析后续字符串。所以,之前处理过程中不要给自定义的字段起一个+号开头的名字
索引名中不能有大写字母
有时也会自定义为:logstash-%{servicename}-%{+YYYY.MM.dd}
user:进入es cluster的用户
password:进入es cluster的密码
timeout:Set the timeout for network operations and requests sent Elasticsearch. If a timeout occurs, the request will be retried.
flush_size:默认500,logstash攒够500条数据再一次性向es发送
idle_flush_time:默认1s,如果1s内没攒够500条还是会一次性将攒的数据发出去给es