语法格式
Logstash 中行为事件,流程:事件 → input → codec → filter → codec → output
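# Minimal pipeline: read events from stdin, index them into Elasticsearch,
# and print every event to the console for debugging.
input {
  # A comment runs from '#' to the end of the line, so a plugin block must
  # start on its own line; written after a comment it would be ignored.
  stdin { }
}

# The filter section may be left out when no processing is needed.
filter { }

output {
  elasticsearch {
    hosts => ["ip:9200"]   # placeholder address; replace with the real node
    # Settings are assigned with '=>'; the original used a bare '=' here,
    # which the config parser rejects.
    # Date pattern: YYYY = year, MM = month, dd = day of month. The original
    # "YYYY.DD.mm" selected day-of-year and minute-of-hour instead.
    index => "test-%{+YYYY.MM.dd}"
  }
  stdout {
    codec => "rubydebug"
  }
}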
rsyslog日志收集
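# Tail the local system logs and index them into a monthly Elasticsearch index.
input {
  file {
    # /var/log/secure holds authentication records and is normally readable
    # by root only. Grant the Logstash service account read access through a
    # group or ACL rather than running Logstash as root.
    path => ["/var/log/messages", "/var/log/secure"]
    type => "system-log"
    # Fixed spelling: the original "start_postition" is not a setting of the
    # file input and stops the pipeline from loading. This option only
    # matters the first time a file is seen; afterwards the recorded read
    # position is used.
    start_position => "beginning"
  }
}

filter { }

output {
  elasticsearch {
    # Placeholder address. Auth logs are shipped over this connection, so on
    # anything but a trusted network configure the output's user/password and
    # TLS options, and restrict who may read the resulting index.
    hosts => ["ip:9200"]
    index => "system-log-%{+YYYY.MM}"
  }
}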
es 日志收集
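# Collect three sources (local system logs, the Elasticsearch server log, and
# syslog received over the network) and route each one to its own index by
# the event's "type" field.
input {
  # Input plugins are siblings inside input { }. The original nested the
  # second file block and the syslog block inside the first file block and
  # had one closing brace too many, so the config could not be parsed.
  file {
    # /var/log/secure holds authentication records and is normally readable
    # by root only; give the Logstash account read access via a group or ACL
    # instead of running the service as root.
    path => ["/var/log/messages", "/var/log/secure"]
    type => "system-log"
    start_position => "beginning"   # fixed spelling of "start_postition"
  }

  file {
    path => "/var/log/elasticsearch/es.log"
    type => "es-log"
    start_position => "beginning"   # fixed spelling of "start_postition"
    # Join continuation lines (e.g. stack traces): any line that does NOT
    # start with '[' is appended to the previous event.
    codec => multiline {
      pattern => "^\["
      negate => true
      what => "previous"            # the original "prevIoUs" is not a valid value
    }
  }

  syslog {
    type => "system-syslog"
    # Port 514 is a privileged port (below 1024): an unprivileged Logstash
    # process cannot bind it. Prefer a high port plus a redirect, or grant
    # only the bind capability, over running the service as root.
    # The listener accepts unauthenticated syslog from any host that can
    # reach it, so limit the allowed senders with a host firewall.
    port => 514
  }
}

filter { }

output {
  # Placeholder address in every branch. Auth logs travel over these
  # connections; outside a trusted network configure the output's
  # user/password and TLS options and restrict read access to the indices.
  if [type] == "system-log" {
    elasticsearch {
      hosts => ["ip:9200"]
      index => "system-log-%{+YYYY.MM}"
    }
  }

  if [type] == "es-log" {
    elasticsearch {
      hosts => ["ip:9200"]
      # The original wrote es-log events to "system-log-...", the same index
      # as the branch above, which looks like a copy-paste slip. Revert this
      # line if mixing both sources in one index was intended.
      index => "es-log-%{+YYYY.MM}"
    }
  }

  if [type] == "system-syslog" {
    elasticsearch {
      hosts => ["ip:9200"]
      index => "system-syslog-%{+YYYY.MM}"
    }
  }

  # Debug copy of every event on the console, whatever its type.
  stdout {
    codec => "rubydebug"
  }
}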
tcp 日志收集
# Receive events over a raw TCP listener and print them to the console.
input {
  tcp {
    # Server mode: Logstash opens the port and waits for clients to connect.
    mode => "server"
    port => "6666"
    type => "tcp"
    # No "host" is set, so the plugin default applies (all interfaces), and
    # no TLS or client verification is configured: anything that can reach
    # this port can inject events. Restrict access with a firewall or bind to
    # a specific address when using this beyond a local test.
  }
}

output {
  stdout {
    codec => rubydebug
  }
}