1. Create a configuration file named logstash-simple.conf
input { stdin { } }
output {
  elasticsearch { hosts => localhost }
  stdout { codec => rubydebug }
}
2. Start
Run the command: logstash -f logstash-simple.conf
Place the .conf file in the bin directory, otherwise the file will not be found.
Using filters
For example, grok: Logstash's grok module parses arbitrary text and emits structured output. Logstash ships with 120 built-in match patterns; %{COMBINEDAPACHELOG}, used in this example, is one of them.
date: parses the timestamp found in the log line.
Modify the configuration file and add the filter section:
input { stdin { } }
filter {
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
  date {
    match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
}
output {
  elasticsearch { hosts => localhost }
  stdout { codec => rubydebug }
}
Input:
127.0.0.1 - - [11/Dec/2013:00:01:45 -0800] "GET /xampp/status.php HTTP/1.1" 200 3891 "http://cadenza/xampp/navi.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0"
Verify:
http://localhost:9200/_search?pretty
{
  "_index" : "logstash-2013.12.11",
  "_type" : "logs",
  "_id" : "AV6ePYgOk0suU6xbiPtn",
  "_score" : 1.0,
  "_source" : {
    "request" : "/xampp/status.php",
    "agent" : "\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\"",
    "auth" : "-",
    "ident" : "-",
    "verb" : "GET",
    "message" : "127.0.0.1 - - [11/Dec/2013:00:01:45 -0800] \"GET /xampp/status.php HTTP/1.1\" 200 3891 \"http://cadenza/xampp/navi.php\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\"\r",
    "referrer" : "\"http://cadenza/xampp/navi.php\"",
    "@timestamp" : "2013-12-11T08:01:45.000Z",
    "response" : "200",
    "bytes" : "3891",
    "clientip" : "127.0.0.1",
    "@version" : "1",
    "host" : "WDD-PC",
    "httpversion" : "1.1",
    "timestamp" : "11/Dec/2013:00:01:45 -0800"
  }
}
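As an added example (not part of the original post), the following Python script reproduces what the grok and date filters above do to the sample line: it extracts the same fields that %{COMBINEDAPACHELOG} produces and converts the timestamp in the dd/MMM/yyyy:HH:mm:ss Z format to the UTC @timestamp value shown in the verification output. The regex is a hand-written approximation of the bundled pattern, the function names are assumptions, and the handling of unparsed lines imitates grok's _grokparsefailure tag.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample in Apache combined log format (the same line the page feeds to stdin).
SAMPLE_LINE = (
    '127.0.0.1 - - [11/Dec/2013:00:01:45 -0800] "GET /xampp/status.php HTTP/1.1" 200 3891 '
    '"http://cadenza/xampp/navi.php" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0"'
)

# Hand-written regex mirroring the fields %{COMBINEDAPACHELOG} emits (names as in the page's output).
# It approximates the bundled grok pattern; it is not a copy of it.
COMBINED_APACHE_LOG = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<request>\S+)(?: HTTP/(?P<httpversion>\d+\.\d+))?" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) (?P<referrer>"[^"]*"|-) (?P<agent>"[^"]*"|-)\s*$'
)


def grok_combined(line):
    """Return the structured fields for one line, or None when the pattern does not match."""
    m = COMBINED_APACHE_LOG.match(line)
    return m.groupdict() if m else None


def parse_timestamp(ts):
    """Equivalent of the date filter pattern dd/MMM/yyyy:HH:mm:ss Z: normalise to a UTC @timestamp."""
    dt = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def process(line):
    """Build the event the way the filter chain does. Unparsed lines keep the raw message and
    are tagged, so a detection pipeline can alert on them instead of silently losing them."""
    event = {"message": line}
    fields = grok_combined(line)
    if fields is None:
        event["tags"] = ["_grokparsefailure"]
        return event
    event.update(fields)
    event["@timestamp"] = parse_timestamp(fields["timestamp"])
    return event


if __name__ == "__main__":
    print(json.dumps(process(SAMPLE_LINE), indent=2))
```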
Reading input from a file: to be continued
Reference
http://blog.csdn.net/u012373815/article/details/51029826