Logstash
https://www.elastic.co/guide/en/logstash/5.6/index.html
Package download
https://www.elastic.co/cn/downloads/logstash
Installing version 5
https://www.elastic.co/guide/en/logstash/5.6/installing-logstash.html
https://www.elastic.co/cn/downloads/past-releases#logstash
input plugin documentation:
https://www.elastic.co/guide/en/logstash/5.6/plugins-inputs-file.html
By default the logstash service runs as the logstash user, and system log files such as /var/log/messages are not readable by other users, so the file input collects nothing from them (the permission error only shows up in the Logstash log, not in the config test).
Workarounds:
- start the logstash service as root
- give the log file read permission for everyone, mode 644
Both widen privileges more than the task needs: running as root means every plugin and filter in the pipeline runs with root rights, and 644 lets every local account read the system log. The narrower fix is to grant read access to the logstash user only, either with a read-only ACL entry (setfacl) or by adding the user to the group that owns the log. Log rotation can recreate the file with the default owner and mode, so re-check readability after the next rotation.
[root@es1 ~]# ll /var/log/messages
# chmod 644 /var/log/messages
Logstash installed from the rpm package:
/etc/logstash/conf.d/ #pipeline configuration files
/usr/share/logstash/bin/logstash #logstash command
/var/log/logstash/logstash-plain.log #log file
systemctl restart logstash #restart the service
Collecting system logs:
file: read events from a file
type: the log type, a free-form label you choose (it is written into every event as the "type" field)
path: the file path to read
start_position: where to start reading; "beginning" reads the file from the start, but only the first time Logstash sees that file, because afterwards the offset recorded in the sincedb file takes precedence
stat_interval: how often (in seconds) the file is stat'ed to see whether it has new content
output: where events are sent
index: the Elasticsearch index name; it can be customized
file and elasticsearch outputs coexist: every event goes to Elasticsearch and is also appended to /tmp/123.txt
[root@es1 conf.d]# cat system.conf
input {
  file {
    type => "messageslog"
    path => "/var/log/messages"
    start_position => "beginning"
    stat_interval => 5
  }
}
output {
  elasticsearch {
    hosts => ["192.168.1.9:9200"]
    index => "logstash-system-log-%{+YYYY.MM.dd}"
  }
  file {
    path => "/tmp/123.txt"
  }
}
-f specifies the configuration file the service reads; -t tests the configuration file (parses it and exits). Note that -t validates syntax only: it does not open the input paths, so a permission problem on /var/log/messages still reports Configuration OK and only appears in /var/log/logstash/logstash-plain.log once the service runs.
[root@es1 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/system.conf -t
Configuration OK
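The following pre-flight script is an added example, not code from the original notes or from the Logstash project. It covers the two points above: the permission problem for the logstash user, and the fact that `-t` never opens the input files. It pulls every file-input path out of the pipeline config, evaluates the file's permission bits for the service user, and offers a read-only ACL as the narrow alternative to chmod 644 or running as root. Assumptions: Linux with GNU stat/id, a service user named "logstash", and the rpm layout from this page (/usr/share/logstash/bin/logstash); the function names extract_input_paths, mode_allows_read, file_readable_by, grant_read and preflight are mine.

```sh
#!/bin/sh
# Added example, not part of the original notes: a pre-flight check for a
# Logstash file-input pipeline. `logstash -t` only parses the config and
# never opens the input files, so "Configuration OK" says nothing about
# whether the service user can actually read /var/log/messages. This script
# pulls every file-input path out of the config and evaluates the file's
# permission bits for that user before the service is restarted.
# Assumptions: Linux with GNU stat/id; service user "logstash"; the rpm
# layout from this page (/usr/share/logstash/bin/logstash). All function
# names here are mine, not Logstash's.

# extract_input_paths CONFIG
# Print the value of every `path => ...` inside the top-level input { } block
# (a quoted string or an array of quoted strings); output { } paths are skipped.
extract_input_paths() {
    awk '
        /^[ \t]*input[ \t]*[{]/            { in_input = 1 }
        /^[ \t]*(filter|output)[ \t]*[{]/  { in_input = 0 }
        in_input && /path[ \t]*=>/ {
            n = split($0, part, "\"")
            for (i = 2; i <= n; i += 2) print part[i]
        }' "$1"
}

# mode_allows_read MODE OWNER GROUP USER [GROUP...]
# Pure evaluation of octal permission bits so it can be tested without root:
# returns 0 when USER (a member of the listed groups) may read a file with
# the given MODE/OWNER/GROUP. root is always allowed (DAC override).
mode_allows_read() {
    mode=$1; owner=$2; group=$3; user=$4; shift 4
    if [ "$user" = root ]; then return 0; fi
    while [ ${#mode} -lt 4 ]; do mode=0$mode; done   # "644" -> "0644"
    col=4                                             # "other" digit
    if [ "$user" = "$owner" ]; then
        col=2                                         # owner digit
    else
        for g in "$@"; do
            if [ "$g" = "$group" ]; then col=3; fi    # group digit
        done
    fi
    digit=$(printf '%s' "$mode" | cut -c"$col")
    case $digit in
        [4-7]) return 0 ;;                            # read bit (4) is set
        *)     return 1 ;;
    esac
}

# file_readable_by FILE USER
# Live wrapper around mode_allows_read. It ignores POSIX ACLs and SELinux,
# so a pass here is necessary, not sufficient; the definitive check is
# running `test -r FILE` as the service user (runuser -u USER -- test -r FILE).
file_readable_by() {
    mode_allows_read $(stat -c '%a %U %G' "$1") "$2" $(id -Gn "$2")
}

# grant_read FILE USER
# The least-privilege alternative to chmod 644 or running Logstash as root:
# a read-only ACL entry for the service user alone. Log rotation may create
# a fresh file without this entry, so re-check after the next rotation.
grant_read() {
    setfacl -m "u:$2:r" "$1"
}

# preflight CONFIG USER
# 1) syntax check with logstash -t; 2) readability of every file-input path
# (globs such as /var/log/*.log are expanded) for USER. Non-zero on failure.
preflight() {
    cfg=$1; svc_user=$2
    /usr/share/logstash/bin/logstash -f "$cfg" -t || return 1
    for f in $(extract_input_paths "$cfg"); do      # unquoted: expand globs
        if file_readable_by "$f" "$svc_user"; then
            echo "ok   $f"
        else
            echo "FAIL $f is not readable by $svc_user (try: grant_read $f $svc_user)" >&2
            return 1
        fi
    done
}

# Usage, as root, before `systemctl restart logstash`:
#   sh preflight.sh /etc/logstash/conf.d/system.conf logstash
if [ $# -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it as root right after `logstash -t`; a FAIL line means the service would start cleanly and then log a permission error while collecting nothing. The bit evaluator deliberately knows nothing about ACLs, which is why the usage comment points to `test -r` under the service user as the final word.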
View the /tmp/123.txt file. Each line is one event serialized as JSON; no filter is configured, so the original syslog line is kept whole in the message field, and @timestamp is the time Logstash read the line (Dec 12), not the Dec 11 time inside the message:
[root@es1 logstash]# more /tmp/123.txt
{"@version":"1","host":"es1","path":"/var/log/messages","@timestamp":"2021-12-12T02:21:12.332Z","message":"Dec 11 00:05:04 localhost journal: Runtime journal is using 8.0M (max allowed 189.4M, trying to leave 284.2M free of 1.8G available → current limit 189.4M).","type":"messageslog"}
{"@version":"1","host":"es1","path":"/var/log/messages","@timestamp":"2021-12-12T02:21:12.348Z","message":"Dec 11 00:05:04 localhost kernel: Initializing cgroup subsys cpuset","type":"messageslog"}
{"@version":"1","host":"es1","path":"/var/log/messages","@timestamp":"2021-12-12T02:21:12.383Z","message":"Dec 11 00:05:04 localhost kernel: Initializing cgroup subsys cpu","type":"messageslog"}