Official documentation: link
Example:
```
input {
  file {
    type => "tms_inbound.log"
    path => "/JavaWeb/tms2.wltest.com/logs/tms_inbound.es.*.log"
    codec => json {
      charset => "UTF-8"
    }
  }
  file {
    type => "tms_outbound.log"
    path => "/JavaWeb/tms2.wltest.com/logs/tms_outbound.es.*.log"
    codec => json {
      charset => "UTF-8"
    }
  }
}

output {
  if [type] == "tms_inbound.log" {
    elasticsearch {
      hosts => "10.230.3.183:9200"
      index => 'tms_inbound.log-%{+YYYY.MM.dd}'
      codec => "json"
    }
  } else {
    elasticsearch {
      hosts => "10.230.3.183:9200"
      index => 'tms_outbound.log-%{+YYYY.MM.dd}'
      codec => "json"
    }
  }
}
```
Summary: this is the pattern for configuring several inputs and then choosing a different output for each one based on the input's `type`.
Below is a configuration file I use myself; it collects the Linux system log from one input and the nginx access log from another.


Below is my own source configuration file:
```
input {
  file {
    type => "nginxlog"
    path => "/usr/local/nginx/logs/access.log"
    start_position => "beginning"
    sincedb_path => "/home/write"
    tags => "shooter_tag"
    #delimiter => "\n"
    discover_interval => 15
    stat_interval => 1
    sincedb_write_interval => 15
    # access.log is written in a JSON log_format; lines the codec cannot decode
    # keep the raw text in [message] and get the _jsonparsefailure tag
    codec => "json"
    #codec => multiline {
    #  pattern => "^\d"
    #  negate => true
    #  what => "previous"
    #}
  }
  file {
    path => "/var/log/messages"
    type => "systemlog"
    start_position => "beginning"
    stat_interval => "2"
  }
}

filter {
  mutate {
    # nginx writes quotes and non-printable bytes as \xHH, which is not valid
    # JSON; doubling the backslash lets the json filter below parse the line
    gsub => ["message", "\\x", "\\\x"]
  }
  json {
    source => "message"
    remove_field => "message"
    remove_field => "severity"
    remove_field => "pid"
    remove_field => "logsource"
    remove_field => "timestamp"
    remove_field => "facility_label"
    remove_field => "type"
    remove_field => "facility"
    remove_field => "@version"
    remove_field => "priority"
    remove_field => "severity_label"
  }
  date {
    # time_local is emitted as $time_iso8601 in this log_format
    match => ["time_local", "ISO8601"]
    target => "@timestamp"
  }
  grok {
    # first 10 characters of the ISO8601 string, i.e. YYYY-MM-DD
    match => { "time_local" => "(?<day>.{10})" }
  }
  grok {
    match => { "request" => "%{WORD:method} (?<url>.* )" }
  }
  grok {
    match => { "http_referer" => "(?<referer>-|%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?)" }
  }
  mutate {
    remove_field => "request"
    remove_field => "http_referer"
    rename => { "http_user_agent" => "agent" }
    rename => { "upstream_response_time" => "response_time" }
    rename => { "host" => "log_source" }
    rename => { "http_x_forwarded_for" => "x_forwarded_for" }
    # X-Forwarded-For is a comma-separated, client-supplied chain; keep every hop
    split => { "x_forwarded_for" => ", " }
    split => { "response_time" => ", " }
  }
  #alter {
  #  condrewrite => [
  #    "x_forwarded_for", "-", "0.0.0.0",
  #    "x_forwarded_for", "unknown", "0.0.0.0",
  #    "response_time", "-", "0",
  #    "real_ip", "", "0.0.0.0"
  #  ]
  #}
}

output {
  if [type] == "nginxlog" {
    elasticsearch {
      hosts => ["192.168.6.121:9200"]
      action => "index"
      index => "nginx-tologs-%{+YYYY.MM.dd}"
      # the stack's default credentials, stored in clear text: restrict read
      # access to this file
      user => elastic
      password => changeme
      manage_template => true
      template_overwrite => true
      template_name => "mynginx"
      template => "/opt/logstash-5.6.4/template/mynginxtemplate.json"
      codec => json
    }
    file {
      flush_interval => 600
      path => '/home/nginxlog/nginx_tologs-%{+YYYY.MM.dd}.log'
    }
  }
  if [type] == "systemlog" {
    elasticsearch {
      hosts => ["192.168.6.121:9200"]
      index => "logstash-systemlog-%{+YYYY.MM.dd}"
    }
    file {
      path => "/home/nginxlog/logstash-systemlog-%{+YYYY.MM.dd}"
    }
  }
}
```
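To make the routing in both configurations concrete (the first example's "one output per input `type`" and the nginx/system-log pipeline just shown), here is an offline model of the pipeline in Python. It is an added example, not code from the original post and not Logstash itself: it re-implements the json input codec, the gsub/json/date/grok/mutate filter chain and the `if [type] == ...` output routing on three constructed log lines. The field lists are abbreviated to the ones that affect routing and field shape, the `http_referer` grok is not modelled, and `NOW` stands in for the ingestion clock. It also shows two things the configuration alone does not: the `%{+YYYY.MM.dd}` index suffix is rendered from `@timestamp` in UTC, so an event stamped 01:15 local (+08:00) lands in the previous day's index, and an event whose `type` matches no output branch is silently dropped.

```python
"""Offline model of the two-source Logstash pipeline (added example, not
part of the post and not Logstash code). Only settings that affect routing
and field shape are modelled; remove_field/rename lists are abbreviated."""
import json
import re
from datetime import datetime, timezone

# Constructed sample lines. NGINX_ESCAPED carries the \x22 that nginx's
# default escaping writes for a double quote: fine in a text log, invalid JSON.
NGINX_OK = (
    '{"time_local":"2017-11-20T01:15:30+08:00",'
    '"request":"GET /index.html?q=a HTTP/1.1",'
    '"http_user_agent":"curl/7.58.0","host":"web01",'
    '"upstream_response_time":"0.012, 0.003",'
    '"http_x_forwarded_for":"203.0.113.7, 10.0.0.5"}'
)
NGINX_ESCAPED = NGINX_OK.replace("curl/7.58.0", "Mozilla \\x22probe\\x22")
SYSLOG_LINE = "Nov 20 10:15:31 web01 sshd[1234]: Accepted publickey for deploy"

# Fixed "ingestion time" so the model is deterministic (assumption, not a setting)
NOW = datetime(2017, 11, 20, 2, 15, 31, tzinfo=timezone.utc)

# The page's grok pattern %{WORD:method} (?<url>.* ) in Python syntax
REQUEST_RE = re.compile(r"\b(?P<method>\w+)\b (?P<url>.* )")


def input_stage(line, typ, codec="plain", tags=()):
    """file input: with codec json a decodable line becomes fields directly;
    otherwise the raw line stays in [message] and the event is tagged."""
    event = {"type": typ, "tags": list(tags)}
    if codec == "json":
        try:
            event.update(json.loads(line))
            return event
        except json.JSONDecodeError:
            event["tags"].append("_jsonparsefailure")
    event["message"] = line
    return event


def filter_stage(event, now=NOW):
    """gsub -> json -> date -> grok -> mutate, as in the post's filter block."""
    ev = dict(event)
    msg = ev.get("message")
    if msg is not None:
        repaired = msg.replace("\\x", "\\\\x")   # mutate gsub: \x -> \\x
        try:                                     # json filter, source => "message"
            parsed = json.loads(repaired)
            if not isinstance(parsed, dict):
                raise ValueError("top-level JSON is not an object")
            ev.update(parsed)
            ev.pop("message")                    # remove_field => "message"
        except ValueError:
            ev["tags"].append("_jsonparsefailure")
    if "time_local" in ev:                       # date filter, ISO8601 -> @timestamp
        ts = datetime.fromisoformat(ev["time_local"]).astimezone(timezone.utc)
        ev["day"] = ev["time_local"][:10]        # grok (?<day>.{10})
    else:
        ts = now                                 # no match: ingestion time is used
    ev["@timestamp"] = ts
    m = REQUEST_RE.match(ev.get("request", ""))  # grok on request; note the
    if m:                                        # pattern keeps url's trailing space
        ev.update(m.groupdict())
    ev.pop("request", None)                      # mutate remove_field
    for old, new in (("http_user_agent", "agent"),
                     ("upstream_response_time", "response_time"),
                     ("host", "log_source"),
                     ("http_x_forwarded_for", "x_forwarded_for")):
        if old in ev:                            # mutate rename
            ev[new] = ev.pop(old)
    for field in ("x_forwarded_for", "response_time"):
        if isinstance(ev.get(field), str):       # mutate split on ", "
            ev[field] = ev[field].split(", ")
    return ev


def output_stage(ev):
    """Route on [type]; %{+YYYY.MM.dd} is rendered from @timestamp in UTC.
    Returns None when no branch matches, which is an event Logstash discards."""
    day = ev["@timestamp"].strftime("%Y.%m.%d")
    if ev["type"] == "nginxlog":
        return {"index": f"nginx-tologs-{day}",
                "file": f"/home/nginxlog/nginx_tologs-{day}.log"}
    if ev["type"] == "systemlog":
        return {"index": f"logstash-systemlog-{day}",
                "file": f"/home/nginxlog/logstash-systemlog-{day}"}
    return None


def process(line, typ, codec="plain", tags=(), now=NOW):
    """Run one line through all three stages; returns (event, route)."""
    ev = filter_stage(input_stage(line, typ, codec, tags), now)
    return ev, output_stage(ev)


if __name__ == "__main__":
    for line, typ, codec in ((NGINX_OK, "nginxlog", "json"),
                             (NGINX_ESCAPED, "nginxlog", "json"),
                             (SYSLOG_LINE, "systemlog", "plain")):
        ev, route = process(line, typ, codec, ("shooter_tag",) if codec == "json" else ())
        print(typ, ev["tags"], route)
```

The `_jsonparsefailure` tag that the input codec attaches to the escaped line survives the repair, so a query on that tag shows which requests needed the gsub; a sudden rise is a cheap indicator of clients sending quotes or non-printable bytes in request lines or User-Agent headers.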
- Permalink: https://www.yoyoask.com/?p=2056
- When reprinting, please credit: published by shooter on SHOOTER