02 - Logstash installation and basic usage
------------------------------------------------
1: Install the JDK:
[root@elk03tools]# rpm -ivh jdk-8u221-linux-x64.rpm
warning: jdk-8u221-linux-x64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:jdk1.8-2000:1.8.0_221-fcs ################################# [100%]
Unpacking JAR files...
2: Install Logstash:
[root@elk03tools]# wget https://mirrors.tuna.tsinghua.edu.cn/elasticstack/7.x/yum/7.1.1/logstash-7.1.1.rpm
[root@elk03tools]# yum localinstall -y logstash-7.1.1.rpm
Set directory ownership:
[root@elk03tools]# chown -R logstash:logstash /usr/share/logstash/
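The JDK install in step 1 printed a NOKEY warning, meaning rpm had no public key with which to check the package signature, and step 2 installs an RPM downloaded from a mirror with no check at all. The following is an added example, not part of the original notes, that gates the install on a verified signature. The function names are hypothetical, and the matched line shapes are assumed to be those shown in step 1 and printed by `rpm -Kv`.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes). Function names are hypothetical.

# Classify one line of rpm output: prints "nokey <keyid>", "bad" or "ok".
# Assumes the line shapes shown in step 1 and printed by `rpm -Kv`.
classify_rpm_line() {
  case "$1" in
    *": NOKEY"*)
      # e.g. "... Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY"
      keyid=${1##*key ID }
      keyid=${keyid%%:*}
      echo "nokey $keyid" ;;
    *"NOT OK"*|*": BAD"*) echo "bad" ;;
    *) echo "ok" ;;
  esac
}

# Return 0 only if `rpm -Kv` exits 0 and every output line classifies as "ok".
rpm_signature_ok() {
  out=$(rpm -Kv "$1" 2>&1) || { echo "$out" >&2; return 1; }
  while IFS= read -r line; do
    if [ "$(classify_rpm_line "$line")" != "ok" ]; then
      echo "refusing $1: $line" >&2
      return 1
    fi
  done <<EOF
$out
EOF
}

# $1 = vendor signing key (file or URL), $2 = downloaded rpm
install_verified_rpm() {
  rpm --import "$1" && rpm_signature_ok "$2" && yum localinstall -y "$2"
}

# Usage (run as root), with Elastic's published signing key:
#   install_verified_rpm https://artifacts.elastic.co/GPG-KEY-elasticsearch logstash-7.1.1.rpm
```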
3: Test Logstash from standard input to standard output:
[root@elk03tools]# /usr/share/logstash/bin/logstash -e 'input { stdin{} } output { stdout{ codec => rubydebug }}'
.......
The stdin plugin is now waiting for input:
....Startup is slow, so please be patient; once the "waiting for input" line appears, startup has succeeded.
Input: ggj, output returned:
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
{
"message" => "ggj",
"@timestamp" => 2019-09-06T14:40:22.382Z,
"host" => "elk126",
"@version" => "1"
}
4: Test Logstash from standard input to a file:
[root@elk03tools]# /usr/share/logstash/bin/logstash -e 'input { stdin{} } output { file { path => "/tmp/test_%{+YYYY.MM.dd}.log"}}'
.......
Input:
sadsd
[INFO ] 2019-09-06 22:49:51.269 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>1, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>125, :thread=>"#<Thread:0x12965992 run>"}
[INFO ] 2019-09-06 22:49:51.835 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
The stdin plugin is now waiting for input:
[INFO ] 2019-09-06 22:49:52.430 [Ruby-0-Thread-1: /usr/share/logstash/lib/bootstrap/environment.rb:6] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[INFO ] 2019-09-06 22:49:56.909 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2019-09-06 22:49:59.934 [[main]>worker0] file - Opening file {:path=>"/tmp/test_2019.09.06.log"}
j[INFO ] 2019-09-06 22:50:13.769 [[main]>worker0] file - Closing file /tmp/test_2019.09.06.log
Check whether the file contains the content just entered:
[root@elk03tmp]# cat test_2019.09.06.log
{"@timestamp":"2019-09-06T14:49:52.212Z","host":"elk126","@version":"1","message":"sadsd"}
[root@elk03tmp]#
5: Test Logstash from standard input to ES (Elasticsearch):
[root@elk03tools]# /usr/share/logstash/bin/logstash -e 'input { stdin{} } output { elasticsearch { hosts =>["192.168.6.124:9200"] index => "xujin_%{+YYYY.MM.dd}" }}'
.............
The stdin plugin is now waiting for input:
[INFO ] 2019-09-06 22:55:30.818 [Ruby-0-Thread-5: :1] elasticsearch - Installing elasticsearch template to _template/logstash
[INFO ] 2019-09-06 22:55:31.463 [Ruby-0-Thread-1: /usr/share/logstash/lib/bootstrap/environment.rb:6] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[INFO ] 2019-09-06 22:55:34.903 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
xujin test - to el (the content entered)