ELK -- Logstash安装与配置

Logstash

使用yum安装
编辑 repo
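# /etc/yum.repos.d is root-owned, so the repo file has to be edited with sudo
# (the yum install and initctl steps further down already use sudo).
sudo vim /etc/yum.repos.d/elasticsearch.repo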

# 内容如下

# Elastic's official repository for the 6.x RPM packages.
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
type=rpm-md
enabled=1
autorefresh=1
# Packages come over HTTPS and every RPM is verified against Elastic's
# signing key before yum installs it (gpgcheck=1); keep both settings as-is.
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
gpgcheck=1
安装
# Because the repo file sets gpgcheck=1, yum checks the package signature
# against the Elastic GPG key before installing; do not bypass it with --nogpgcheck.
sudo yum install logstash

配置 Logstash

# 参考
https://www.elastic.co/guide/en/logstash/current/configuration-file-structure.html

# input项配置源数据,此处为监听 "/log"目录下满足"insert.*.log"匹配的所有日志文件（运行 Logstash 的用户需要对这些文件有读权限）
# filter项过滤input输入的数据, "insert.*.log"中每条日志形式如:"2018-01-15 | type | cid | src | eventId | reason", 所以使用" | "拆分每条日志（下面的配置中 eventId 对应的字段名为 rowOrEvent）
# output项是输出数据,此处为输出至ElasticSearch（示例使用的是未认证的明文 HTTP 连接，生产环境应启用 TLS 与认证，并限制 9200 端口的网络可达范围）

# 新建配置文件 insert.conf
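# On the RPM install the pipeline directory is /etc/logstash/conf.d (root-owned);
# use the absolute path so the file does not end up relative to whatever the
# current working directory happens to be.
sudo vim /etc/logstash/conf.d/insert.conf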

# 内容如下

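input {
    file {
        # Tail every file under /log whose name matches insert.*.log.
        # NOTE(review): the file input defaults to start_position => "end",
        # so content already in the files when Logstash starts is not
        # indexed; set start_position => "beginning" if a backfill is wanted.
        path => "/log/insert.*.log"
    }
}

filter {
    # Each line looks like "2018-01-15 | type | cid | src | eventId | reason".
    # Split on the literal " | " separator and name the positional parts.
    # A line that does not split into six parts leaves the unresolved
    # "%{[message][N]}" placeholder text in the affected fields, so check
    # the separator/field count before trusting the derived fields.
    mutate {
        split => ["message", " | "]
        # One add_field hash instead of six repeated ones: Logstash merges
        # repeated hash settings, but a single hash is unambiguous.
        add_field => {
            "date"       => "%{[message][0]}"
            "type"       => "%{[message][1]}"
            "cid"        => "%{[message][2]}"
            "src"        => "%{[message][3]}"
            "rowOrEvent" => "%{[message][4]}"
            "reason"     => "%{[message][5]}"
        }
        # Drop only the raw split array and the schema version. The original
        # also removed "host", "path" and "@timestamp"; those are the event's
        # provenance (which machine, which file, when it was ingested) and are
        # what an investigator needs to trace a document back to its source,
        # so they are kept here. "date" stays a plain string; if time-based
        # queries should use it, parse it into @timestamp with a date filter.
        remove_field => ["message", "@version"]
    }
}

output {
    elasticsearch {
        action => "index"
        # Plain HTTP to an endpoint with no credentials, as in the original.
        # Anyone who can reach 192.168.1.171:9200 can read or alter the
        # index, so keep that port off untrusted networks. If the cluster has
        # security enabled, switch to HTTPS and supply credentials, e.g.:
        #   hosts    => "https://192.168.1.171:9200"
        #   cacert   => "/etc/logstash/ca.crt"
        #   user     => "logstash_writer"
        #   password => "${ES_PWD}"   # from the Logstash keystore (6.2+) rather than plaintext here
        hosts  => "192.168.1.171:9200"
        # A single static index grows without bound; a dated index such as
        # "insert-%{+YYYY.MM.dd}" is the usual way to retire old data.
        index  => "insert"
    }
}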
启动
# https://www.elastic.co/guide/en/logstash/current/running-logstash.html
# initctl is the Upstart service manager (e.g. CentOS 6). On systemd hosts
# (CentOS 7 and later) use `sudo systemctl start logstash` instead; check
# /var/log/logstash/ if the pipeline does not come up.
sudo initctl start logstash 


转载自my.oschina.net/tianshl/blog/1607282