logstash5.x安装及简单运用
Logstash requires Java 8. Java 9 is not supported.
1、检测是否安装了java环境
1 2 3 4 | [root@node3 ~]# java -versionjava version "1.8.0_144"Java(TM) SE Runtime Environment (build 1.8.0_144-b01)Java HotSpot(TM) 64-Bit Server VM (build 25.144-b01, mixed mode) |
2、安装logstash,这里采用rpm安装
https://artifacts.elastic.co/downloads/logstash/logstash-5.6.1.rpm
yum install logstash
查看生成了哪些文件,查看logstash的执行文件位置:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | /etc/logstash/conf.d/etc/logstash/jvm.options/etc/logstash/log4j2.properties/etc/logstash/logstash.yml/etc/logstash/startup.options/usr/share/logstash/CHANGELOG.md/usr/share/logstash/CONTRIBUTORS/usr/share/logstash/Gemfile/usr/share/logstash/Gemfile.jruby-1.9.lock/usr/share/logstash/LICENSE/usr/share/logstash/NOTICE.TXT/usr/share/logstash/bin/cpdump/usr/share/logstash/bin/ingest-convert.sh/usr/share/logstash/bin/logstash/usr/share/logstash/bin/logstash-plugin/usr/share/logstash/bin/logstash-plugin.bat/usr/share/logstash/bin/logstash.bat/usr/share/logstash/bin/logstash.lib.sh/usr/share/logstash/bin/ruby/usr/share/logstash/bin/setup.bat/usr/share/logstash/bin/system-install/usr/share/logstash/data |
配置文件:
1、配置jvm
/etc/logstash/jvm.options
2、logstash的一些配置
/etc/logstash/logstash.yml
3、环境变量一些的配置
/etc/logstash/startup.options
4、日志与log4j2的配置
/etc/logstash/log4j2.properties
开始第一个任务:
1 2 3 | [root@node3 conf.d]# /usr/share/logstash/bin/logstash -e 'input { stdin {} } output { stdout {} }'WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaultsCould not find log4j2 configuration at path //usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console |
提示warning,解决办法:
1 2 3 4 | mkdir -p /usr/share/logstash/config/ln -s /etc/logstash/* /usr/share/logstash/configchown -R logstash:logstash /usr/share/logstash/config/bin/logstash -e 'input { stdin { } } output { stdout {} }' |
如果logstash不适用命令行执行,而是作为一个服务:
logstash启动:
/etc/init.d/logstash start
systemctl start logstash.service
开始编写配置文件进行logstash解析:
1、input插件中file插件的使用
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | [root@node3 conf.d]# cat file.conf input { file { path => ["/var/log/messages"] start_position => "beginning" }}output { stdout { codec => rubydebug }}[root@node3 conf.d]# /usr/share/logstash/bin/logstash -f file.conf |
2、多个log日志的输入、
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | [root@node3 conf.d]# cat file_more_choose.conf input { file { path => ["/var/log/messages"] start_position => "beginning" } file { path => ["/var/log/elasticsearch/my-elastic.log"] start_position => "beginning" }}output { stdout { codec => rubydebug }} |
[root@node3 conf.d]# /usr/share/logstash/bin/logstash -f file_more_choose.conf
但是发现只打印出elastic的日志,message的日志没有stdout,收集的日志是增量的,之前收集的日志已经存在sincedb中了,所以会默认从之后开始存
Path of the sincedb database file (keeps track of the current position of monitored log files) that will be written to disk. The default will write sincedb files to <path.data>/plugins/inputs/file NOTE: it must be a file path and not a directory path,这是一段sincedb_path的解释
检查配置文件的语法是否正确:
1 2 3 4 5 6 7 8 9 | -t, --config.test_and_exit Check configuration for valid syntax and then exit. (default: false)-r, --config.reload.automatic Monitor configuration changes and reload whenever it is changed. NOTE: use SIGHUP to manually reload the config (default: false)[root@node3 conf.d]# /usr/share/logstash/bin/logstash -f file.conf -tSending Logstash's logs to /var/log/logstash which is now configured via log4j2.propertiesConfiguration OK |
3、以elasticsearch插件输出:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | input { file { path => ["/var/log/logstash/logstash-plain.log"] start_position => "beginning" type => "logstash" }}output { elasticsearch { hosts => ["192.168.44.134:9200"] index => "logstash-log" codec => rubydebug }} |
4、根据插件type来定义输出插件:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | [root@node3 conf.d]# cat type.conf input { file { path => ["/var/log/logstash/logstash-plain.log"] start_position => "beginning" type => "logstash_2" } file { path => ["/var/log/messages"] start_position => "beginning" type => "system" }}output { if [type] == "logstash_2" { elasticsearch { hosts => ["192.168.44.134:9200"] index => "logstash_2" codec => rubydebug } } if [type] == "system" { stdout { codec => rubydebug } }} |
现在向messages日志中echo一段话:
1 | echo "`date +%F`" >> /var/log/messages |
然后开始执行:
1 2 3 4 5 6 7 8 9 10 | [root@node3 conf.d]# /usr/share/logstash/bin/logstash -f type.conf Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties{ "@version" => "1", "host" => "node3", "path" => "/var/log/messages", "@timestamp" => 2017-09-20T08:19:05.782Z, "message" => "2017-09-20", 这是刚刚echo新增的内容 "type" => "system"} |
查看es中的索引是否有生成:
标签:
ELK
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· Linux系列:如何用heaptrack跟踪.NET程序的非托管内存泄露
· 开发者必知的日志记录最佳实践
· SQL Server 2025 AI相关能力初探
· Linux系列:如何用 C#调用 C方法造成内存泄露
· AI与.NET技术实操系列(二):开始使用ML.NET
· 被坑几百块钱后,我竟然真的恢复了删除的微信聊天记录!
· 没有Manus邀请码?试试免邀请码的MGX或者开源的OpenManus吧
· 【自荐】一款简洁、开源的在线白板工具 Drawnix
· 园子的第一款AI主题卫衣上架——"HELLO! HOW CAN I ASSIST YOU TODAY
· Docker 太简单,K8s 太复杂?w7panel 让容器管理更轻松!