(I) What it is:
Logstash is a distributed log collection framework written in JRuby (chosen for its integration with the Java platform while remaining fully compatible with Ruby syntax), which makes it concise and powerful. It is usually deployed together with Elasticsearch and Kibana to form the well-known ELK stack, and it is well suited to log data analysis.
It can also be used on its own as a log collector: logs can be shipped to many storage or staging systems, such as MySQL, Redis, Kafka, HDFS, Lucene or Solr; the destination does not have to be Elasticsearch.
(II) Installation
1. Download and install. Download the current release from the official site: https://www.elastic.co/cn/downloads/logstash
[root@localhost local]# wget https://artifacts.elastic.co/downloads/logstash/logstash-5.4.0.tar.gz
--2017-05-22 17:05:29--  https://artifacts.elastic.co/downloads/logstash/logstash-5.4.0.tar.gz
Resolving artifacts.elastic.co... 174.129.40.40, 184.72.234.88, 184.73.227.9, ...
Connecting to artifacts.elastic.co|174.129.40.40|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 92546670 (88M) [application/x-gzip]
Saving to: “logstash-5.4.0.tar.gz”

100%[======================================>] 92,546,670  9.10M/s   in 14s

2017-05-22 17:05:44 (6.52 MB/s) - “logstash-5.4.0.tar.gz” saved [92546670/92546670]

[root@localhost local]# tar xf logstash-5.4.0.tar.gz
2. Common commands
[root@localhost local]# logstash/bin/logstash -V
logstash 2.2.2
Commonly used options:
-f: load a Logstash configuration module from a file with the .conf suffix
-e: pass the configuration on the command line, usually for debugging
-w: number of Logstash worker threads
-l: write Logstash's own log to a file; if not specified, the default is standard output
--quiet: quiet mode, only error-level messages are printed
--verbose: info-level log output
--debug: debug-level log output
-V, --version: show the Logstash version
-p, --pluginpath PATH: load custom Logstash plugins
-t, --configtest: check whether the Logstash configuration is valid
-h, --help: print help
(III) Common pipeline models
(1) input => output
(2) input => filter => output
In detail:
a. Common input sources: file, syslog, redis, log4j, Tomcat logs, nginx logs, and any application log
b. Common filter options:
grok: extracts fields from unstructured or structured data with regular expressions; Logstash ships with more than 120 built-in patterns (timestamps, IP addresses, user names, and so on) and also supports custom patterns
mutate: rename, remove or update fields, convert field types, etc.
drop: discard certain events, such as debug messages
clone: make a copy of an event so that fields can be added to or removed from the copy
geoip: resolve an IP address to geographic location data, which looks great in Kibana map visualizations
ruby: run native Ruby code against the event for anything the other filters cannot do
c. Common output options:
elasticsearch: the most common
file: write to a file
redis: write to a queue
hdfs: write to HDFS, requires a plugin
zabbix: Zabbix monitoring
mongodb: write to a MongoDB database
codecs: encoding plugins, commonly used to handle JSON data or multi-line sources
(IV) Common operations
(1) Debugging with -e on the command line. Press Ctrl+D to exit:
[root@localhost logstash]# /usr/local/logstash/bin/logstash -e "input{stdin{}} output{stdout{}}"
Settings: Default pipeline workers: 1
Logstash startup completed
hello world
2017-05-22T09:28:04.364Z localhost.localdomain hello world
test
2017-05-22T09:28:52.170Z localhost.localdomain test
(2) Debugging with -f. If the configuration is large, put it in a file ending in .conf and load it with -f.
[root@localhost etc]# vim hello.conf
input{stdin{}}
output{stdout{}}
[root@localhost etc]# /usr/local/logstash/bin/logstash -f hello.conf --configtest
Configuration OK
[root@localhost etc]# /usr/local/logstash/bin/logstash -f hello.conf
Settings: Default pipeline workers: 1
Logstash startup completed
hello world
2017-05-22T09:40:23.044Z localhost.localdomain hello world
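The input => filter => output model from section (III), applied to the -f workflow above, as an added example pipeline that is not from the original post. It assumes an nginx access log at /var/log/nginx/access.log in the default "combined" format and an Elasticsearch node on 127.0.0.1:9200; the health-check path /healthz is a constructed example.

```logstash
# Added example (not the original post's code): nginx access log -> grok/mutate/drop/geoip -> Elasticsearch
input {
  file {
    path => "/var/log/nginx/access.log"   # assumed log path
    start_position => "beginning"
    type => "nginx_access"
  }
}

filter {
  # grok: the built-in COMBINEDAPACHELOG pattern matches nginx's default "combined" format
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
  # mutate: convert numeric strings so Kibana can aggregate on them, then drop the raw line
  mutate {
    convert => { "response" => "integer" "bytes" => "integer" }
    remove_field => [ "message" ]
  }
  # drop: discard noisy health-check hits instead of indexing them (constructed path)
  if [request] == "/healthz" {
    drop { }
  }
  # geoip: resolve the client address to a location for map visualizations
  geoip {
    source => "clientip"
  }
  # date: use the request time as @timestamp rather than the ingest time
  date {
    match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
}

output {
  elasticsearch {
    hosts => [ "127.0.0.1:9200" ]        # assumed Elasticsearch node
    index => "nginx-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }          # echo parsed events while debugging
}
```

Validate the file with the -t/--configtest check from section (II) before loading it with -f, and remove the stdout output once the field mapping looks right.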
Note: below is a Logstash service (init) script
#! /bin/sh
#
# /etc/rc.d/init.d/logstash
#
# Starts Logstash as a daemon
#
# chkconfig: 2345 90 10
# description: Starts Logstash as a daemon.

### BEGIN INIT INFO
# Provides: logstash
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: S 0 1 6
# Short-Description: Logstash
# Description: Starts Logstash as a daemon.
### END INIT INFO

. /etc/rc.d/init.d/functions

NAME=logstash
DESC="Logstash Daemon"
DEFAULT=/etc/sysconfig/$NAME
SCRIPTNAME=/etc/init.d/$NAME

if [ `id -u` -ne 0 ]; then
  echo "You need root privileges to run this script"
  exit 1
fi

# The following variables can be overwritten in $DEFAULT

PATH=/bin:/usr/bin:/sbin:/usr/sbin

# See contents of file named in $DEFAULT for comments
# Note: this runs the daemon as root; a dedicated unprivileged user is the safer choice
LS_USER=root
LS_GROUP=root
LS_HOME=/home/logstash
LS_HEAP_SIZE="1500m"
LS_JAVA_OPTS="-Djava.io.tmpdir=${LS_HOME}"
LS_LOG_FILE=/var/log/logstash/$NAME.log
LS_CONF_DIR=/etc/logstash/index.conf
LS_OPEN_FILES=163840
LS_NICE=19
LS_OPTS=""
LS_PIDFILE=/var/run/$NAME.pid

# End of variables that can be overwritten in $DEFAULT

if [ -f "$DEFAULT" ]; then
  . "$DEFAULT"
fi

# Define other required variables
PID_FILE=${LS_PIDFILE}
DAEMON="/home/logstash/bin/logstash"
DAEMON_OPTS="agent -f ${LS_CONF_DIR} -w 18 -l ${LS_LOG_FILE} ${LS_OPTS}"

#
# Function that starts the daemon/service
#
do_start()
{
  if [ -z "$DAEMON" ]; then
    echo "not found - $DAEMON"
    exit 1
  fi

  if pidofproc -p "$PID_FILE" >/dev/null; then
    failure
    exit 99
  fi

  # Prepare environment
  HOME="${HOME:-$LS_HOME}"
  JAVA_OPTS="${LS_JAVA_OPTS}"
  ulimit -n ${LS_OPEN_FILES}
  cd "${LS_HOME}"
  export PATH HOME JAVA_OPTS LS_HEAP_SIZE LS_JAVA_OPTS LS_USE_GC_LOGGING
  test -n "${JAVACMD}" && export JAVACMD

  # stdout and stderr go to /dev/null; Logstash's own log goes to $LS_LOG_FILE via -l
  nice -n ${LS_NICE} runuser -s /bin/sh -c "exec $DAEMON $DAEMON_OPTS" ${LS_USER} > /dev/null 2>&1 < /dev/null &
  RETVAL=$?
  local PID=$!
  # runuser forks rather than execing our process.
  usleep 500000
  JAVA_PID=$(ps axo ppid,pid | awk -v "ppid=$PID" '$1==ppid {print $2}')
  PID=${JAVA_PID:-$PID}
  echo $PID > $PID_FILE
  [ $PID = $JAVA_PID ] && success
}

#
# Function that stops the daemon/service
#
do_stop()
{
  killproc -p $PID_FILE $DAEMON
  RETVAL=$?
  echo
  [ $RETVAL = 0 ] && rm -f ${PID_FILE}
}

case "$1" in
  start)
    echo -n "Starting $DESC: "
    do_start
    touch /var/run/$NAME
    ;;
  stop)
    echo -n "Stopping $DESC: "
    do_stop
    rm /var/run/$NAME
    ;;
  restart|reload)
    echo -n "Restarting $DESC: "
    do_stop
    do_start
    ;;
  status)
    echo -n "$DESC"
    status -p $PID_FILE
    exit $?
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|status|restart}" >&2
    exit 3
    ;;
esac

echo
exit 0