4. ELK: deploying logstash (for collecting logs)

Deployed on the 192.168.177.11 server

# The following steps must be carried out on both servers

1. Download and import the GPG key: rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
2. Prepare the yum repository: vim /etc/yum.repos.d/logstash.repo
--------------------------------------------------
[logstash-2.1]
name=Logstash repository for 2.1.x packages
baseurl=http://packages.elastic.co/logstash/2.1/centos
gpgcheck=1                                                # if you did not import the GPG key in step 1, set this to 0
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
-------------------------------------------------------
3. Install logstash: yum install -y logstash
4. Install the JDK: yum install -y java

5. After installation the logstash executable is at: /opt/logstash/bin/logstash

 

------------------------------ Collecting logs with a single command line -----------------------------------

1. Basic input and output:
    ·stdin{}         # collects what is typed on the keyboard
    ·stdout{}        # prints the collected content to the terminal

    ·Run: /opt/logstash/bin/logstash -e 'input{stdin{}} output{stdout{}}'        # meaning: input{} says where the content comes from, output{} says where it goes
        ·-e           run the config given on the command line (later we use -f to run a config file instead)
        ·input{}      input block
        ·output{}     output block
        ·stdin{}      standard input
        ·stdout{}     standard output
        -----------------------------------------------------------------
        Settings: Default filter workers: 2
        Logstash startup completed                        # indicates a successful start
        123121                                            # what I typed
        2023-09-20T12:25:01.307Z logstash 123121          # the output; logstash is the hostname
        -------------------------------------------------------------------------------------
        
-------------------------------------------
Printing the log in ruby format:
·/opt/logstash/bin/logstash -e 'input{stdin{}} output{stdout{codec=>rubydebug}}'
# ruby is a programming language
-------------------------------------------------------------------------------------------------------------
[root@logstash ~]# /opt/logstash/bin/logstash -e 'input{stdin{}} output{stdout{codec=>rubydebug}}'
Settings: Default filter workers: 2
Logstash startup completed
输 出的日志格式不一样 、ruby是一门语言        # what I typed
{
       "message" => "出的日志格式不一、ruby是一门语言",
      "@version" => "1",
    "@timestamp" => "2023-09-20T12:35:36.645Z",
          "host" => "logstash"
}
---------------------------------------------------------------------------------------------------------------


# Push the log to elasticsearch at 192.168.177.10:9200
· /opt/logstash/bin/logstash -e 'input{ stdin{} } output{ elasticsearch { hosts => ["192.168.177.10:9200"] } }'
# You only need to push to one node of the cluster; the nodes back each other up
----------------------------------------------------
[root@logstash ~]# /opt/logstash/bin/logstash -e 'input{ stdin{} } output{ elasticsearch { hosts => ["192.168.177.10:9200"] } }'
Settings: Default filter workers: 2
Logstash startup completed
im a xiaoxin
sryd dfgs dfg
# the lines typed here were pushed to es and show up in its web UI
# open http://192.168.177.10:9200/_plugin/head/ to see them
---------------------------------------------------------------------------

 

You can also print the log on screen and push it to es at the same time:

 # print to screen first, then push to es
 ·/opt/logstash/bin/logstash -e 'input{ stdin{} } output{ stdout{codec=>rubydebug} elasticsearch { hosts => ["192.168.177.10:9200"] } }'
 ------------------------------------------------------------
 [root@logstash ~]# /opt/logstash/bin/logstash -e 'input{ stdin{} } output{ stdout{codec=>rubydebug} elasticsearch { hosts => ["192.168.177.10:9200"] } }'
Settings: Default filter workers: 2
Logstash startup completed
xiaoxin jinjing nextyears together
{
       "message" => "xiaoxin jinjing nextyears together",
      "@version" => "1",
    "@timestamp" => "2023-09-20T12:53:56.399Z",
          "host" => "logstash"
}

# just list both destinations inside one output block
-----------------------------------------------------------------------------------------------------------------

 

------------------------------------------------------- Collecting logs with a configuration file (important) --------------------------------------------------

1. Create a logstash configuration file for collecting logs:
·vim /etc/logstash/conf.d/messages.conf
------------------------------------------------
input{
    file{                                         # file: read the input from a file
        path => "/var/log/messages"               # path of the file
        type => "system"                          # type tag: identifies what kind of log is being collected
        start_position => "beginning"             # where in the file to start reading; beginning means from the first line
    }
}
output{
    elasticsearch {
        hosts => ["192.168.177.10:9200"]
        index => "system-%{+YYYY.MM.dd}"          # index: customizable; for MySQL logs, for example: mysql system-%{+YYYY.MM.dd}
    }
}
------------------------------------------------------------
2. Start logstash with the config file:
·/opt/logstash/bin/logstash -f /etc/logstash/conf.d/messages.conf &        # the trailing & runs it in the background
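The index name in the config above is not a literal: Logstash expands `%{+YYYY.MM.dd}` from the event's @timestamp, which is kept in UTC, so an event ingested at 07:59 Beijing time still lands in the previous day's index. The following Python model of that expansion, run over constructed /var/log/messages lines, is an added example and not code from the post or from Logstash itself; the token table, hostname and sample ingest times are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed lines in the style of /var/log/messages (not taken from the post).
SAMPLE_LINES = [
    "Sep 20 20:25:01 logstash systemd: Started Session 42 of user root.",
    "Sep 21 07:59:00 logstash sshd[1201]: Accepted publickey for root from 192.168.177.10 port 50022",
    "Sep 21 08:00:05 logstash systemd: Started Session 43 of user root.",
]

# Joda-style tokens accepted inside %{+...} and their strftime equivalents (assumed subset).
_JODA_TO_STRFTIME = {"YYYY": "%Y", "MM": "%m", "dd": "%d", "HH": "%H"}
_FIELD_REF = re.compile(r"%\{(\+?)([^}]+)\}")


def build_event(line, at, host="logstash", type_="system"):
    """Shape one raw line the way the file input hands it to the output.
    @timestamp is the (timezone-aware) ingest time, not the time inside the line."""
    return {"message": line, "@version": "1", "@timestamp": at, "host": host, "type": type_}


def sprintf(pattern, event):
    """Expand %{field} and %{+DATEFORMAT} the way Logstash's index option does."""
    def expand(match):
        plus, body = match.groups()
        if plus:  # date format: always rendered from @timestamp in UTC
            fmt = body
            for joda, strf in _JODA_TO_STRFTIME.items():
                fmt = fmt.replace(joda, strf)
            return event["@timestamp"].astimezone(timezone.utc).strftime(fmt)
        if body in event:  # plain field reference such as %{type}
            return str(event[body])
        return match.group(0)  # unknown field: the reference is left unexpanded
    return _FIELD_REF.sub(expand, pattern)


def render_index_names(pattern="system-%{+YYYY.MM.dd}"):
    """Index name per sample line; ingest times are constructed in UTC+8 (Asia/Shanghai)."""
    cst = timezone(timedelta(hours=8))
    ingest_times = [
        datetime(2023, 9, 20, 20, 25, 1, tzinfo=cst),  # 12:25 UTC             -> system-2023.09.20
        datetime(2023, 9, 21, 7, 59, 0, tzinfo=cst),   # 23:59 UTC, day before -> system-2023.09.20
        datetime(2023, 9, 21, 8, 0, 5, tzinfo=cst),    # 00:00 UTC             -> system-2023.09.21
    ]
    return [sprintf(pattern, build_event(line, at)) for line, at in zip(SAMPLE_LINES, ingest_times)]


if __name__ == "__main__":
    for line, name in zip(SAMPLE_LINES, render_index_names()):
        print(name, "<-", line)
```

When you look for a day's events in the head plugin, remember that the date in the index name is the UTC ingest day, not the timestamp printed inside the log line.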

posted @ 2024-07-01 22:19  little小新