logstash入门
安装
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.5.4.tar.gz
cd /usr/local/
mv logstash-6.5.4.tar.gz ./ && tar -zxvf logstash-6.5.4.tar.gz
#定义logstash的数据文件input地址
mkdir -p /home/logstash/log
#默认内存1g,修改为256m(这里我内存小, 不修改会报错)
cd /usr/local/logstash-6.5.4/bin
vim config/jvm.options
-Xms256m
-Xmx256m
HelloWorld
https://doc.yonyoucloud.com/doc/logstash-best-practice-cn/get_start/hello_world.html
运行
在终端中,像下面这样运行命令来启动 Logstash 进程:
bin/logstash -e ‘input{stdin{}}output{stdout{codec=>rubydebug}}’
然后你会发现终端在等待你的输入。没问题,敲入 Hello World,回车,然后看看会返回什么结果!
结果
{
“message” => “Hello World”,
“@version” => “1”,
“@timestamp” => “2014-08-07T10:30:59.937Z”,
“host” => “raochenlindeMacBook-Air.local”,
}
编辑文件my.conf
为了不用每次都-e 指定配置内容,编辑配置文件。
vim my.conf
input 指定为file,定时读取目录下的文件,默认15秒
output 允许定义多个, 这里定义为控制台和es.如果没有es可以去掉
input {
file {
path => ["/home/logstash/*.log"]
codec => json {
charset => "UTF-8"
}
}
}
output {
stdout {
codec => rubydebug
}
elasticsearch {
hosts => "127.0.0.1:9200"
}
}
然后 bin/logstash -f my.conf启动
在/home/logstash下放一个temp.json配置数据,如图:
stdout输出
处理文件后删除
1.mode设置为read
2.file_completed_action设置为delete 或者 log_and_delete
具体配置
input{
file {
path => ["/tmp/logstash/*.log", "/var/logstash/*.txt"]
type => "system"
start_position => "beginning"
mode => "read"
file_completed_action => "log_and_delete"
file_completed_log_path => "/tmp/logstash/log/completed.log"
}
}
output{
stdout{
codec=>rubydebug
}
}
参考:
https://blog.csdn.net/chenxun_2010/article/details/78688657
https://blog.csdn.net/linxiyimeng007/article/details/80968577
https://www.elastic.co/downloads/logstash
https://doc.yonyoucloud.com/doc/logstash-best-practice-cn/output/elasticsearch.html