一、前言
- 本文描述了如何把日志文件通过配置
logstash写入elasticsearch
二、内容
1、配置单个文件夹
- 已知:文件夹位于:
H:\work\projectName\runtime\log\202009\25.log - 配置文件内容如下所示:
input {
file {
path => "H:/abnorwork/projectName/runtime/log/*/*.log"
start_position => "beginning"
stat_interval => "3"
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "system-log-%{+YYYY.MM.dd}"
}
}
windows下logstash启动。 logstash下载,注意别和es相差太多版本
cd D:\ProgramFiles\ELK\logstash-7.2.0\bin
logstash.bat -f ../logstash_test.conf
- 配置文件
logstash_test.conf写哪都可以,只要你能够正确指定。我的配置文件写在logstash-7.2.0 根目录,也是bin 的同级目录
2、配置多个文件夹
- 1、
logstash配置文件编写
[root@linux-elk1 ~]# vim /etc/logstash/conf.d/system-log.conf
input {
file {
path => "/var/log/messages"
type => "systemlog"
start_position => "beginning"
stat_interval => "3"
}
file {
path => "/var/log/secure"
type => "securelog"
start_position => "beginning"
stat_interval => "3"
}
}
output {
if [type] == "systemlog" {
elasticsearch {
hosts => ["192.168.1.31:9200"]
index => "system-log-%{+YYYY.MM.dd}"
}
}
if [type] == "securelog" {
elasticsearch {
hosts => ["192.168.1.31:9200"]
index => "secure-log-%{+YYYY.MM.dd}"
}
}
}
- 2、给日志文件赋予可读权限并重启
logstash
[root@linux-elk1 ~]# chmod 644 /var/log/secure
[root@linux-elk1 ~]# chmod 644 /var/log/messages
[root@linux-elk1 ~]# systemctl restart logstash
- 3、向被收集的文件中写入数据;是为了马上能在
elasticsearch的web界面和klbana的web界面里面查看到数据。
[root@linux-elk1 ~]# echo "test" >> /var/log/secure
[root@linux-elk1 ~]# echo "test" >> /var/log/messages
-
4、在
kibana界面添加system-log索引模式
-
5、在
kibana界面添加secure-log索引模式
-
6、
kibana查看日志
