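Test case: writing Logstash configuration files (run on the Logstash node)
This section builds up step by step: start with a simple test that prints events to the screen. Write a configuration file that outputs the data to the screen: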
vi /etc/logstash/conf.d/test01.conf
input {
  beats {
    port => 5044   # receives events from the Filebeat running on 192.168.92.17, which sends to 192.168.92.16:5044
  }
}
output {
  stdout { }   # by default, prints to the console of 192.168.92.16 (the Logstash node)
}
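Edit /etc/logstash/logstash.yml and add the following setting:
# line 87 of the file: set the pipeline configuration path to /etc/logstash/conf.d
path.config: /etc/logstash/conf.d # create the conf.d directory yourself
Start the Logstash process manually and load the specified configuration file as follows (the file after -f is given as an absolute path for this test; this works):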
logstash -f /etc/logstash/conf.d/test01.conf
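When "Successfully started Logstash API endpoint" appears, Logstash has started successfully.
After it has started, access the nginx site; the log data that is generated is printed to the screen.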
{
"ecs" => {
"version" => "1.12.0"
},
"agent" => {
"id" => "029c6c1b-a31d-422d-a8f3-467785cacc07",
"version" => "7.17.10",
"hostname" => "filebeat01",
"ephemeral_id" => "dbe22ac1-7219-4b78-a1cf-9c3cb6052a83",
"name" => "filebeat01",
"type" => "filebeat"
},
"@version" => "1",
"tags" => [
[0] "beats_input_codec_plain_applied"
],
"event" => {
"dataset" => "nginx.ingress_controller",
"module" => "nginx",
"timezone" => "+08:00"
},
"message" => "192.168.92.1 - - [13/Mar/2026:13:33:19 +0800] \"GET /icons/poweredby.png HTTP/1.1\" 200 15443 \"http://192.168.92.17/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36 Edg/143.0.0.0\" \"-\"",
"@timestamp" => 2026-03-13T12:51:29.768Z,
"service" => {
"type" => "nginx"
},

The log data has arrived. Next, test writing this data to Elasticsearch.
Rewrite the configuration file (vi /etc/logstash/conf.d/test02.conf; edit it on the Logstash node):
input {
  beats {
    port => 5044
  }
}
output {
  elasticsearch {
    hosts => ["192.168.92.14"]
    index => "nginx-%{+YYYY.MM.dd}"
  }
}
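Start the Logstash process manually and load the specified configuration file as follows (the file after -f is given as an absolute path for this test; this works):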
logstash -f /etc/logstash/conf.d/test02.conf
Access nginx (enter 192.168.92.17:80 in a browser) and check in elasticsearch-head whether a new index has been created.
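Both test pipelines accept Beats traffic on 5044 in cleartext and write to Elasticsearch without credentials. The following is an added example, not part of the original page: test02.conf with TLS and authentication on both hops. It assumes Logstash 7.17 option names (matching the Filebeat 7.17.10 agent in the output above) and an Elasticsearch node with security enabled; the certificate paths, the logstash_writer user and the ES_PWD variable are hypothetical placeholders.

```logstash
# Added example: hardened variant of test02.conf (Logstash 7.17 option names assumed).
# All file paths, the user name and ES_PWD are hypothetical placeholders.
input {
  beats {
    port => 5044
    ssl => true                                            # the page's config listens in cleartext
    ssl_certificate => "/etc/logstash/certs/logstash.crt"
    ssl_key => "/etc/logstash/certs/logstash.pkcs8.key"    # the beats input expects a PKCS#8 key
    ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
    ssl_verify_mode => "force_peer"                        # reject shippers without a CA-signed client certificate
  }
}
output {
  elasticsearch {
    hosts => ["https://192.168.92.14:9200"]
    ssl => true
    cacert => "/etc/logstash/certs/ca.crt"                 # verify the Elasticsearch server certificate
    user => "logstash_writer"                              # account limited to writing nginx-* indices
    password => "${ES_PWD}"                                # resolved from the Logstash keystore or environment
    index => "nginx-%{+YYYY.MM.dd}"
  }
}
```

Filebeat on 192.168.92.17 then needs the matching ssl.certificate_authorities, ssl.certificate and ssl.key settings under output.logstash.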
