Building an ELK log analysis platform
(Part 1): Introduction to ELK and setting up a distributed Elasticsearch cluster
http://blog.51cto.com/zero01/2079879
(Part 2): Setting up the Kibana and Logstash servers
http://blog.51cto.com/zero01/2082794
ELK logging topics
https://www.cnblogs.com/zhang-shijie/category/803469.html
Logstash output to multiple Elasticsearch indices
https://blog.csdn.net/wangyangzhizhou/article/details/53314022
Automatic cleanup of Elasticsearch indices
https://www.cnblogs.com/kasumi/p/6479733.html
Three ways to process JSON-format log files with Logstash
https://blog.csdn.net/jiao_fuyou/article/details/49174269/
Using Logstash filters
https://www.cnblogs.com/qq27271609/p/4762562.html
Problem 1:
elasticsearch: can not run elasticsearch as root
https://www.cnblogs.com/sandyyeh/p/8413724.html
Problem 2:
Start Logstash with -f
./logstash -f ../config/logstash-sample.conf
Problem 3:
Do not configure port 5044 in Logstash.conf
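Problem 4:
Currently, of the input settings, only tags are carried through to the output, where they can be used in output conditionals.
A filter can apply additional processing to the data.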
Problem 5:
Logstash.conf demo
# Tag each input so the output section can route events by source.
input {
  file {
    path => "/var/log/system.log"
    tags => ["system"]
    #codec => json
    #start_position => "beginning"  # read from the beginning of the file
  }
  file {
    path => "/var/log/kibana.log"
    tags => ["kibana"]
    codec => json
    #start_position => "beginning"  # read from the beginning of the file
  }
}

# Add a field to every event.
filter {
  mutate {
    add_field => { "tmp2" => "1" }
  }
}

# Send each event to the index that matches its input tag.
output {
  if "kibana" in [tags] {
    elasticsearch {
      hosts => ["http://127.0.0.1:9200"]
      index => "kibana.log"
    }
  }
  if "system" in [tags] {
    elasticsearch {
      hosts => ["http://127.0.0.1:9200"]
      index => "system.log"
    }
  }
  #elasticsearch {
  #  hosts => ["http://127.0.0.1:9200"]
  #  index => [id]
  #}
  # Also print each event to the console.
  stdout { codec => rubydebug }
}