1目的
简单收集某一路径下的*.log,在kibana展现出来。
2下载,解压,重命名
[superuser@ft3q-app48 elk]$ wget https://artifacts.elastic.co/downloads/logstash/logstash-6.2.2.tar.gz[superuser@ft3q-app48 elk]$ tar -zxvf logstash-6.2.2.tar.gz[superuser@ft3q-app48 elk]$ mv logstash-6.2.2 logstash_bank3编写一个配置文件
[superuser@ft3q-app47 logstash_bank]$ cat config/file-logstash-bank.conf
input{
file {
path => ["/logdata/bank/*/*/*.log"]
exclude => "*_*.log"
max_open_files => "18600"
codec => plain {
charset => "UTF-8"
}
}
}
filter{
mutate {
add_field => { "filepath" => "%{path}" }
}
mutate{
split => ["path","/"]
add_field => {
"idx" => "%{[path][2]}-%{[path][3]}-%{[path][4]}"
}
add_field => {
"filename" => "%{[path][5]}"
}
}
mutate{
split => ["filename","."]
add_field => {
"idx1" => "%{idx}-%{[filename][0]}"
}
}
mutate{
lowercase => [ "idx1" ]
}
}
output {
elasticsearch {
hosts => ["192.168.193.47:9200"]
index => "logstash-%{idx1}-%{+YYYY.MM.dd}"
user => elastic
password => elastic
}
}
输入:文件输入,监控*.log,不要监控log4j2归档的旧文件,如service_2018-03-25_1.log。
过滤:新增属性filepath,因为下面的split会将path属性变为数组。下面的过滤器就是我在试图拼索引,将路径的“/”转化为“-”,去掉".log"。索引不能为大写,最后转成小写。
输出:输出到es。地址、索引等信息。用户名密码参数是x-pack需要的。
4启动,后台运行。
[superuser@ft3q-app47 logs]$nohup /home/superuser/elk/logstash_bank/bin/logstash -f /home/superuser/elk/logstash_bank/config/file-logstash-bank.conf --path.data /home/superuser/elk/logstash_bank/data_bank > /dev/null &5观察日志没有报错,查看有无索引写入es,查看kibana
通过es的API curl -XGET '192.168.193.47:9200/_cat/indices?v&pretty'
扫描二维码关注公众号,回复:
1015614 查看本文章
通过kibana,需要新建查询索引,就能查看。
