Installing Logstash
1. Download and extract
cd /home/zyplanke/elk
tar -xvf logstash-6.8.3.tar.gz
2. Configuration
1. Configure Logstash
In the config directory, copy the sample file logstash-sample.conf to create logstash_file.conf.
Edit config/logstash_file.conf so that it contains the following:
input {
    beats {
        port => 5044
    }
}
output {
    elasticsearch {
        hosts => ["http://10.1.110.153:9200"]
        index => "%{[fields][logcategory]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
        #user => "elastic"
        #password => "changeme"
    }
}
What the logstash_file.conf settings above define:
input: the local port on which Logstash receives data from Filebeat.
filter (optional): transformations applied to events before output.
output: where Logstash sends its results (here Elasticsearch; if the Elasticsearch cluster has several nodes, hosts should list all of them). The index name is also configured here; note that it uses a Filebeat custom field, [fields][logcategory].
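The index pattern above is only as robust as the fields it interpolates. If an event arrives without [fields][logcategory], Logstash leaves the reference unexpanded and writes to an index literally named %{[fields][logcategory]}-..., and Elasticsearch rejects index names that contain uppercase letters or characters such as "/". The filter block below is an added example, not part of the original configuration; it normalizes the field before the output stage. The default value "unknown" and the replacement character "_" are assumptions chosen for the example.

```conf
filter {
    # Supply a default when the Filebeat custom field is missing, so the
    # index name never contains the literal text "%{[fields][logcategory]}".
    if ![fields][logcategory] {
        mutate { add_field => { "[fields][logcategory]" => "unknown" } }
    }
    # Elasticsearch index names must be lowercase; normalize the value
    # and replace any character outside [a-z0-9_-] with "_".
    mutate {
        lowercase => [ "[fields][logcategory]" ]
        gsub      => [ "[fields][logcategory]", "[^a-z0-9_-]", "_" ]
    }
}
```

Place this block between the input and output sections of logstash_file.conf; Logstash applies filters in the order they appear, so the lowercase step runs before gsub.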
2. With the Elasticsearch hosts => ["http://10.1.110.153:9200"] configured as an IP address, the connection may fail:
[2024-02-02T17:19:40,147][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error.
{:url=>"http://10.1.110.53:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable:
[http://10.1.110.53:9200/][Manticore::SocketException] 拒绝连接 (Connection refused)"}
Fix: because Elasticsearch and Logstash run on the same machine, use localhost instead.
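"Connection refused" means nothing is listening on that address and port. Elasticsearch 6.x binds only to the loopback interface unless network.host is set, so the machine's routable IP refuses connections while localhost works. The script below is an added example (not part of the original post): it reads the hosts => [...] line from a pipeline config and tests each Elasticsearch endpoint for a TCP connection before Logstash is started, which surfaces this failure immediately instead of as a repeating HostUnreachableError in the Logstash log. It assumes bash (for /dev/tcp) and the coreutils timeout command are available; the sample config it writes to a temp file is constructed for the example.

```shell
#!/usr/bin/env bash
# Added example: pre-flight reachability check for the elasticsearch output.

# Print "host port" for every URL in the hosts => [...] line of config file $1.
# Hosts without an explicit port get Elasticsearch's default, 9200.
extract_es_hosts() {
    grep -E '^[[:space:]]*hosts[[:space:]]*=>' "$1" \
        | grep -oE 'https?://[^"]+' \
        | sed -E 's#^https?://##; s#/.*$##' \
        | awk -F: '{ if (NF == 2) print $1, $2; else print $1, 9200 }'
}

# Succeed only if a TCP connection to $1:$2 opens within 3 seconds.
# bash's /dev/tcp redirection avoids a dependency on nc or curl.
tcp_reachable() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Check every endpoint in config file $1; return 0 only if all are reachable.
check_es_hosts() {
    conf="$1"
    failures=0
    old_ifs="$IFS"
    IFS='
'
    for line in $(extract_es_hosts "$conf"); do
        IFS="$old_ifs"
        host="${line% *}"
        port="${line#* }"
        if tcp_reachable "$host" "$port"; then
            echo "OK          ${host}:${port}"
        else
            echo "UNREACHABLE ${host}:${port}  (no listener or filtered; Logstash would log HostUnreachableError)"
            failures=$((failures + 1))
        fi
    done
    IFS="$old_ifs"
    [ "$failures" -eq 0 ]
}

# Constructed sample config mirroring the post's output section (not a real file).
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
output {
    elasticsearch {
        hosts => ["http://10.1.110.153:9200", "http://localhost:9200"]
        index => "%{[fields][logcategory]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
}
EOF

check_es_hosts "$SAMPLE_CONF" \
    || echo "At least one Elasticsearch endpoint is unreachable; fix hosts => before starting Logstash."
```

Run it as ./check_es.sh (or point check_es_hosts at ../config/logstash_file.conf from the bin directory) before run_logstash.sh start; an UNREACHABLE line for the routable IP together with OK for localhost is exactly the situation the fix above describes.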
3. Write the management script run_logstash.sh (it belongs in Logstash's bin directory, since it invokes ${CURR_PWD}/logstash and ../config/logstash_file.conf).
Grant execute permission: chmod +x run_logstash.sh
#!/bin/bash
##################################################################################
# desc: Logstash run-management script
##################################################################################
CURR_PWD=`pwd -P`

Usage() {
    echo "*******************************************************"
    echo " Usage: "
    echo " `basename $0`       : print this usage info "
    echo " `basename $0` show  : show current running process "
    echo " `basename $0` start : start process"
    echo " `basename $0` stop  : stop process"
    echo " `basename $0` kill  : force kill process"
    echo ""
    exit 0
}

# Check the number of arguments; print the usage hint if it is wrong
if [ $# -ne 1 ];then
    Usage
fi

case $1 in
    "show")
        # Show the currently running Logstash processes started from this directory
        echo ""
        echo " Currently, running processes as follows....."
        echo "*******************************************************"
        #ps -f | head -1
        ps -f -u `whoami` | grep -w "logstash" | grep -v "grep" | awk '{print $2}' | xargs -r pwdx | grep -w "${CURR_PWD}" | awk -F: '{print $1}' | xargs -r ps -f -p | grep -v "grep"
        echo "*******************************************************"
        echo ""
        ;;
    "start")
        # Start Logstash in the background with the pipeline config from ../config
        nohup ${CURR_PWD}/logstash -f ../config/logstash_file.conf &
        echo " starting... "
        sleep 1
        echo " Please check the result via logs files or nohup.out!"
        echo ""
        ;;
    "stop")
        # Send SIGTERM to Logstash processes whose working directory is this one
        ps -f -u `whoami` | grep -w "logstash" | grep -v "grep" | awk '{print $2}' | xargs -r pwdx | grep -w "${CURR_PWD}" | awk -F: '{print $1}' | xargs -r kill > /dev/null 2>&1
        echo " stopping... "
        sleep 1
        echo " Please check the result by yourself!"
        echo ""
        ;;
    "kill")
        # SIGTERM first, then SIGKILL anything still alive after 5 seconds
        ps -f -u `whoami` | grep -w "logstash" | grep -v "grep" | awk '{print $2}' | xargs -r pwdx | grep -w "${CURR_PWD}" | awk -F: '{print $1}' | xargs -r kill > /dev/null 2>&1
        sleep 5
        ps -f -u `whoami` | grep -w "logstash" | grep -v "grep" | awk '{print $2}' | xargs -r pwdx | grep -w "${CURR_PWD}" | awk -F: '{print $1}' | xargs -r kill -9 > /dev/null 2>&1
        ;;
    *)
        echo " input error!!! "
        Usage
        ;;
esac
exit 0
4. Start
./run_logstash.sh start