elk之[logstash-input-file]插件使用详解

https://www.cnblogs.com/xing901022/p/4805586.html

http://www.cnblogs.com/xing901022/p/4802822.html      [Logstash]使用详解

https://www.cnblogs.com/kevingrace/p/5919021.html    ELK实时日志分析平台环境部署--完整记录--内容比较多详细

https://www.elastic.co/guide/en/logstash/current/index.html    官方文档

https://blog.csdn.net/m0_37886429/article/details/72385641    logstash收集日志

https://blog.csdn.net/onlyxufeifei/article/details/79694483           elasticsearch-head复合查询的使用，对记录的操作

 

 

---

 

一、安装配置kibana

5.1 下载解压缩

 [admin@node21 elk]$ wget https://artifacts.elastic.co/downloads/kibana/kibana-6.2.4-linux-x86_64.tar.gz

[admin@node21 elk]$ tar -xzf kibana-6.2.4-linux-x86_64.tar.gz

5.2 修改config/kibana.yml

[admin@node21 elk]$ vi kibana-6.2.4-linux-x86_64/config/kibana.yml 
#server.host: "localhost"
server.host: "192.168.100.21"   #设置自己机器的IP
#elasticsearch.url: "http://localhost:9200"
elasticsearch.url: "http://192.168.100.21:9200"

5.3 启动Kibana

进入kibana/bin/目录

[admin@node21 bin]$ ./kibana &

页面访问：192.168.100.21:5601

---

 1、logstash 收集多个系统日志及换行设置  注意空格

 [root@tes datas]# cat /opt/datas/logstash-test-if.conf

input {
file {
path => "/opt/datas/test.txt"
type => "system"
start_position => "beginning"
sincedb_path => "/dev/null"
}

 

file {
path => "/var/log/elk/my-application.log"
type => "system-message"
start_position => "beginning"
codec => multiline {
pattern => "^\["
negate => true
what => "previous"
}
}
}
output {
if [type] == "system" {
elasticsearch {
hosts => ["100.16.3.108:9200"]
index => "system-%{+YYYY.MM.dd}"
}
}

 

if [type] == "system-message" {
elasticsearch {
hosts => ["100.16.3.108:9200"]
index => "system-message%{+YYYY.MM.dd}"
}
}
}

 2、logstash处理日志追加    （打开源文件，然后手动追加，会翻倍复制原文本，如果在文本外面用echo >> 追加就不会）

[root@test ~]# cat /opt/datas/file.conf
input {
file {
path => "/root/test.txt"
type => "test"
start_position => "end"
sincedb_path => "/dev/null"
}

}
output {
if [type] == "test" {
elasticsearch {
hosts => ["192.168.33.118:9200"]
index => "test-%{+YYYY.MM.dd}"
}
}

}