logstash

 Collecting Java logs

Reference article: https://blog.csdn.net/cj2580/article/details/52416044 (important)

Test

input {
    stdin {
        codec => multiline {
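            pattern => "^\["                        # regex: the line starts with a literal "["
            negate => true                          # act on the lines that do NOT match the pattern
            what => "previous"                      # merge those lines into the previous event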
        }
    }
}
output {
    stdout {
        codec => rubydebug 
    }
}
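
The merge rule these multiline settings apply, emulated in Ruby as an added example (not code from the original article or from Logstash; the helper names and the sample log lines are constructed for illustration). It also shows why the bracket has to be escaped: `^[` does not compile as a regular expression.

```ruby
# Emulates the merge rule of the multiline settings shown above
# (pattern "^\[", negate => true, what => "previous"). Illustration only.

# Returns true when the pattern compiles as a regular expression.
def valid_pattern?(pattern)
  Regexp.new(pattern)
  true
rescue RegexpError
  false
end

# Groups raw lines into events. With negate => true and what => "previous",
# a line that does NOT match the pattern is appended to the previous event.
def merge_multiline(lines, pattern, negate: true)
  regex = Regexp.new(pattern)
  events = []
  lines.each do |line|
    matched = !regex.match(line).nil?
    continuation = negate ? !matched : matched
    if continuation && !events.empty?
      events.last << "\n" << line
    else
      events << line.dup
    end
  end
  events
end

# Constructed sample: bracket-prefixed log lines with a Java stack trace.
SAMPLE_LINES = [
  "[2018-07-10T10:00:01,123][INFO ][o.e.n.Node] [node-1] starting ...",
  "[2018-07-10T10:00:02,456][WARN ][o.e.b.Bootstrap] [node-1] uncaught exception",
  "java.lang.IllegalStateException: constructed example failure",
  "\tat org.example.Demo.run(Demo.java:42)",
  "\tat org.example.Demo.main(Demo.java:10)",
  "[2018-07-10T10:00:03,789][INFO ][o.e.n.Node] [node-1] started"
].freeze

if __FILE__ == $PROGRAM_NAME
  merge_multiline(SAMPLE_LINES, '^\[').each_with_index do |event, i|
    puts "--- event #{i + 1} ---", event
  end
end
```

The six sample lines become three events, with the exception and its two stack frames attached to the WARN line instead of being indexed as separate documents.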

Configuration file

#vim /etc/logstash/conf.d/java.conf
input {
        file {
                path => "/var/log/elasticsearch/cluster.log"
                type => "elk-java-log"
                start_position => "beginning"
                stat_interval => "2"
                codec => multiline {
                        pattern => "^\["
                        negate => true
                        what => "previous"
                }
        }
}
output {
        if [type] == "elk-java-log" {
                elasticsearch {
                        hosts => ["192.168.1.31:9200"]
                        index => "elk-java-log-%{+YYYY.MM.dd}"
                }
        }
}

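Note: remove all the annotations from the configuration file, otherwise Logstash reports an error and cannot parse it (Logstash only accepts comments that start with `#`, not `//`).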

logstash -f /etc/logstash/conf.d/java.conf -t

systemctl restart logstash

5. View the index in the head plugin

6. Add the log in Kibana

Original article: https://www.cnblogs.com/huochaihe/p/9287803.html