logstash增加配置文件

在conf.d目录下创建文件logs.conf用于收集*.log中的日志

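# Logstash pipeline: accepts JSON events over TCP and tails the synctool /
# syncapi application logs, splitting each log record into createTime,
# level, logger_name and message fields and using createTime as @timestamp.
input {
    # JSON events pushed over TCP (e.g. by an application log appender).
    # No `host` is set, so the listener binds to all interfaces and takes
    # unauthenticated input; every field on these events, project_name
    # included, is whatever the sender chose to put there. Bind to a local
    # address (`host => "127.0.0.1"`) or enable the plugin's TLS options if
    # the port is reachable from anything other than the log producers.
    tcp {
        port => 4560
        codec => json
    }
    # synctool application logs. start_position only applies to files that
    # have no sincedb entry yet; the commented sincedb_path => "/dev/null"
    # would forget read offsets on restart and re-ingest every file from the
    # beginning (duplicate events).
    file {
        path => "/data/securityopdata/synctool/logs/*.log"
        type => "logfile"
        start_position => "beginning"
        #sincedb_path => "/dev/null"
        # negate + previous: any line that does NOT start with an ISO8601
        # timestamp is a continuation (stack trace etc.) and is appended to
        # the preceding record.
        codec => multiline {
            pattern => "^%{TIMESTAMP_ISO8601}"
            what => "previous"
            negate => true
        }
        # Static tags used by the filter section to select the grok rule.
        add_field => {
            HOSTNAME => "XXX的空间"
            project_name => "synctool"
        }
    }
    # syncapi application logs; same handling as synctool above.
    file {
        path => "/data/securityopdata/syncapi/logs/*.log"
        type => "logfile"
        start_position => "beginning"
        #sincedb_path => "/dev/null"
        codec => multiline {
            pattern => "^%{TIMESTAMP_ISO8601}"
            what => "previous"
            negate => true
        }
        add_field => {
            HOSTNAME => "XXXXX的空间"
            project_name => "syncapi"
        }
    }
}

filter {
    # Split "<timestamp> [ LEVEL ] [ logger ] text" records. The `message`
    # capture replaces the raw line (overwrite). Records that do not match
    # are tagged _grokparsefailure and pass through unchanged.
    if ([project_name] == "syncapi" or [project_name] == "synctool") {
        grok {
            match => {
                "message" => "%{TIMESTAMP_ISO8601:createTime}\s*\[\s*%{WORD:level}\s*\]\s*\[\s*(?<logger_name>.*?)\s*\]\s*(?<message>.*)"
            }
            overwrite => ["message"]
        }
    }
    # Parse createTime into @timestamp (the default target); events without
    # a createTime field (e.g. TCP events) are left untouched.
    # %{TIMESTAMP_ISO8601} also matches fractional seconds ("10:00:00,123" /
    # "10:00:00.123"), which the plain "yyyy-MM-dd HH:mm:ss" pattern rejects
    # with a _dateparsefailure tag and an ingest-time @timestamp, so those
    # forms are listed as well. Patterns are tried in order; the original
    # two stay first.
    date {
        match => [
            "createTime",
            "yyyy-MM-dd HH:mm:ss",
            "UNIX",
            "yyyy-MM-dd HH:mm:ss,SSS",
            "yyyy-MM-dd HH:mm:ss.SSS"
        ]
    }
}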
                                                                                                                                                                                                                                                                                                                                       


转载自blog.csdn.net/nanjizhiyin/article/details/80692198