ELK 日志过滤文档

vi /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-patterns-core-4.1.2/patterns/grok-patterns

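  # DYZHENGZE: custom patterns appended to the stock grok-patterns file.
  # The regex backslashes were lost when this listing was published; they are
  # restored here. Without them "d{4}" matches four literal "d" characters and
  # "[[A-Z]+]" does not match a bracketed level, so the sample log lines on
  # this page would never parse.
  # NOTE(review): edits inside the vendored logstash-patterns-core gem are
  # likely to be lost when the plugin is upgraded; the grok filter's
  # patterns_dir option can load the same definitions from a separate file.

  # DYTIME: timestamp such as "2019-11-07 20:01:30".
  DYTIME (?:(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}))
  # DYLEVELS: upper-case level name in literal square brackets, e.g. "[INFO]".
  DYLEVELS (?:\[[A-Z]+\])
  # DYMESSAGE: the remainder of the event; [\s\S] also matches newlines, so a
  # multi-line event is captured whole.
  DYMESSAGE (?:[\s\S]*)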

vi /etc/logstash/conf.d/file.conf

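  # Pipeline: Filebeat -> grok parse -> daily Elasticsearch index.
  # The listing's gutter numbers are removed so the text is a loadable config.
  input {
    # Listener that Filebeat ships events to.
    # NOTE(review): no ssl* options are set here, so events (and anything
    # sensitive inside the log lines) cross the network in plaintext and any
    # host that can reach port 5044 can submit events. The beats input has
    # ssl, ssl_certificate and ssl_key options for this; otherwise restrict
    # the port with a host firewall.
    beats {
      host => "192.168.130.134"
      port => 5044
    }
  }
  filter {
    grok {
      match => {
        # Earlier inline-regex form, kept for reference (backslashes restored):
        # "message" => "(?<datelogs>(?:.*)?) (?<levels>(?:\[[A-Z]+\])?) (?<message>(?:[\s\S]*)?)"
        # DYTIME / DYLEVELS / DYMESSAGE are the custom patterns added to
        # grok-patterns.
        "message" => "%{DYTIME:datelogs} %{DYLEVELS:levels} %{DYMESSAGE:message}"
      }
      # Replace the raw line with the captured message text instead of
      # turning "message" into an array.
      overwrite => ["message"]
      # Applied only when the match succeeds. Events that fail to parse keep
      # their fields and get the _grokparsefailure tag, which is the thing to
      # search for when lines go missing from parsed results.
      # NOTE(review): a line with no timestamp (e.g. a stack-trace " at ..."
      # line) cannot match unless Filebeat joins it to the preceding event
      # with its multiline settings. filebeat.yml is not shown here; confirm.
      remove_field => ["[beat][version]", "[beat][hostname]", "@version", "tags", "[beat][name]"]
    }
  }
  # Disabled alternative: rename the parsed field instead of overwriting it.
  # filter {
  #   mutate {
  #     rename => {"message" => "new_message"}
  #   }
  # }
  output {
    # NOTE(review): no user/password or ssl/cacert settings, so this is an
    # unauthenticated plaintext connection to port 9200. Acceptable only if
    # that port is reachable solely from trusted hosts.
    elasticsearch {
      hosts => ["192.168.130.134:9200"]
      # One index per day, named from the event timestamp.
      index => "dylog-%{+YYYY.MM.dd}"
    }
  }
  # Debug alternative: print parsed events to the console.
  # output {stdout{codec => rubydebug}}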

037105729970
123456

日期

https://www.jianshu.com/p/cbb708b2e464?from=singlemessage

https://www.cnblogs.com/cp-miao/p/7205914.html

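# Append sample events to the log file that Filebeat tails, to exercise the
# grok filter: two timestamped lines, five stack-trace continuation lines
# (leading space, no timestamp), then one more timestamped line.
#
# The published commands used typographic quotes (“ ”), which the shell does
# not treat as quotes: the unquoted "(" is a syntax error, "[DEBUG]" becomes a
# glob, and the quote characters themselves would land in the log. A quoted
# here-document writes every line literally.
log_file=/logstest/config-client.debug.log2019-11-09
# The redirect fails if the directory is missing; -p makes this a no-op when
# it already exists.
mkdir -p -- "${log_file%/*}"
cat >> "$log_file" <<'EOF'
2019-11-07 20:01:30 [DEBUG] HV000234: Using org.hibernate.validator.internal.engine.scripting.DefaultScriptEvaluatorFactory
2019-11-07 20:01:30 [INFO] HV000234: Using org.hibernate.validator.internal.engine.scripting.DefaultScriptEvaluatorFactory
 at org.springframework.cloud.config.client.ConfigServicePropertySourceLocator.locate(ConfigServicePropertySourceLocator.java:136)
 at org.springframework.cloud.config.client.ConfigServicePropertySourceLocator.locate(ConfigServicePropertySourceLocator.java:136)
 at org.springframework.cloud.config.client.ConfigServicePropertySourceLocator.locate(ConfigServicePropertySourceLocator.java:136)
 at org.springframework.cloud.config.client.ConfigServicePropertySourceLocator.locate(ConfigServicePropertySourceLocator.java:136)
 at org.springframework.cloud.config.client.ConfigServicePropertySourceLocator.locate(ConfigServicePropertySourceLocator.java:136)
2019-11-07 22:01:30 [INFO] HV000234: Using org.hibernate.validator.internal.engine.scripting.DefaultScriptEvaluatorFactory
EOF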

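# Install Filebeat 6.8.5 from the internal mirror, fetch its configuration,
# start the service and write one test event.
#
# NOTE(review): the package and the config are both fetched over plain HTTP,
# so nothing on this path proves they are the files the mirror was meant to
# serve. Where possible, download the RPM to disk and check it first
# (rpm -K <file> with the vendor signing key imported, or a checksum obtained
# over a trusted channel), and serve the mirror over HTTPS.
rpm -ivh http://192.168.130.150/ELK/filebeat-6.8.5-x86_64.rpm

# The mirror publishes the YAML config under a .sh name (as given on this
# page). -f makes curl fail on an HTTP error instead of saving the error page
# as filebeat.yml; downloading to .new and renaming keeps the current config
# intact if the transfer fails.
curl -fsS http://192.168.130.150/ELK/fbeat/filebeat.sh -o /etc/filebeat/filebeat.yml.new \
  && mv -- /etc/filebeat/filebeat.yml.new /etc/filebeat/filebeat.yml

# -p: do not fail when the directory already exists.
mkdir -p /logstest
systemctl restart filebeat && systemctl enable filebeat

# Straight single quotes: the published “ ” are not shell quotes and would be
# written into the log, with "[INFO]" left open to glob expansion.
printf '%s\n' '2019-11-07 20:01:30 [INFO] HV000234: Using org.hibernate.validator.internal.engine.scripting.DefaultScriptEvaluatorFactory' \
  >> /logstest/config-client.debug.log2019-11-09

# Confirm the process is running (ps | grep would also list the grep itself).
pgrep -a filebeat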

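# Refresh the Filebeat config from the internal mirror and restart.
# -f stops an HTTP error page from being saved as the config, and the restart
# runs only if the download and rename succeeded, so a failed fetch leaves the
# running service on its existing config.
# NOTE(review): plain HTTP gives no integrity guarantee for the fetched file;
# whoever can alter it in transit controls what Filebeat reads and where it
# ships logs.
curl -fsS http://192.168.130.150/ELK/fbeat/filebeat.sh -o /etc/filebeat/filebeat.yml.new \
  && mv -- /etc/filebeat/filebeat.yml.new /etc/filebeat/filebeat.yml \
  && systemctl restart filebeat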

原文地址:https://www.cnblogs.com/zgqbky/p/15080379.html