参考文章:
Logstash之输出文件(一个文件,多个文件,多级目录的文件)到控制台|第二章-yellowcong
命令启动:
命令行启动:
# Each command passes the whole pipeline inline with -e: events are read from stdin and printed to stdout.
# NOTE(review): the prompt shows a root shell; a stdin-to-stdout pipeline needs no elevated
# privileges, so running Logstash under a dedicated unprivileged account is preferable.
# stdout with the json codec: each event is printed as JSON (the same command is listed twice).
[root@VMTest bin]# ./logstash -e 'input { stdin { } } output { stdout {codec => json} }'
[root@VMTest bin]# ./logstash -e 'input { stdin { } } output { stdout {codec => json} }'
# stdout with no codec given: the plugin's default codec is used.
[root@VMTest bin]# ./logstash -e 'input { stdin { } } output { stdout {} }'
示例2:
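# Two file inputs, one per nginx environment. The "type" value tags every event
# so that later filter/output stages can tell the two sources apart.
input {
  file {
    type => "zj_nginx_access"
    path => ["/rsyslog/data/nginx/zjzc/nginx_access0*_log.*"]
    # Seconds since last modification after which a file is skipped. 87400 is
    # slightly above the 86400 s (one day) that the accompanying text gives as the default.
    ignore_older => 87400
  }
  file {
    type => "uat_nginx_access"
    path => ["/rsyslog/data/nginx/uat/nginx_access0*_log.*"]
    ignore_older => 87400
  }
}
# The closing brace of the input section was missing in the original listing;
# without it the configuration does not parse.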
文件输入插件(file input)的默认行为是:忽略最后修改时间距今超过 86400 秒(一天)的文件。
如果要改变这个默认行为、处理一天以前的旧文件,可以通过 ignore_older 指定不忽略这些旧文件。
#=========================================================#
# Read every .log file directly under /usr/local/log_test and write the events
# both to hourly files and to the console.
input {
  file {
    # "beginning" applies to files Logstash has not tracked before; files it
    # already has a recorded position for resume from that position.
    start_position => "beginning"
    path => "/usr/local/log_test/*.log"
  }
}
output {
  file {
    # One directory per hour (event timestamp), one file per value of the
    # event's "host" field.
    # NOTE(review): %{host} comes from event data. With the file input above it
    # is presumably set by Logstash on this machine; if this output is reused
    # behind a network-facing input the field is sender-controlled, so validate
    # or normalise it before it is used as part of a file path.
    path => "/path/to/%{+yyyy-MM-dd-HH}/%{host}.log"
  }
  stdout {
    # Pretty-printed event dump, useful while debugging.
    codec => rubydebug
  }
}
#=========================================================#
# Minimal pipeline: read lines typed on stdin and echo each event to stdout
# using the stdout plugin's default codec.
input {
  stdin { }
}
output {
  stdout { }
}
#=========================================================#
# Read two explicit log files and join continuation lines into one event.
input {
  file {
    type => "test"
    # Log files to read.
    path => [
      "/home/husen/Desktop/log/test1.log",
      "/home/husen/Desktop/log/test2.log"
    ]
    start_position => "beginning"
    # No read position is persisted, so both files are read from the start on
    # every run. Suitable for testing only: in a real pipeline each restart
    # would re-ingest the files and duplicate every event downstream.
    sincedb_path => "/dev/null"
    # A line that does NOT start with "<" (negate => true) is appended to the
    # previous line, so each event begins at a line starting with "<".
    codec => multiline {
      pattern => "^\<"
      negate => true
      what => "previous"
    }
  }
}
#=========================================================#
input {
  file {
    start_position => "beginning"
    # Each /*/ matches exactly one directory level; to reach files nested
    # several levels deep, repeat /*/ once per level.
    path => "/usr/local/log_test/*/*.log"
  }
}
output {
  # Better avoided in real production use: the logs are large, and reading them
  # from the start every time wastes resources for no benefit.
  # This setup is meant for test scenarios.
  stdout { }
}
#=========================================================#
# Re-read a single file from the top on every run and dump each event in
# rubydebug form.
input {
  file {
    path => "/opt/logstash/1.log"
    # With the position database pointed at /dev/null nothing is remembered
    # between runs, so the whole file is processed again each time. Keep this
    # to test setups; a long-running pipeline would produce duplicate events.
    sincedb_path => "/dev/null"
    start_position => "beginning"
  }
}
output {
  stdout {
    codec => rubydebug
  }
}
#=========================================================#
# Read every .log file directly under /usr/local/log_test and print the events
# to the console with the stdout plugin's default codec.
input {
  file {
    start_position => "beginning"
    path => "/usr/local/log_test/*.log"
  }
}
output {
  stdout { }
}
示例1:
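# Parse an access log with the combined Apache log pattern and index the
# resulting events into a local Elasticsearch node.
input {
  file {
    path => "D:/elasticsearch/logstash-2.3.0/nxlog_access.log"
    start_position => "beginning"
  }
}
filter {
  grok {
    # Split the raw line into the fields defined by COMBINEDAPACHELOG.
    match => {
      "message" => "%{COMBINEDAPACHELOG}"
    }
  }
}
output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
    # NOTE(review): the account name suggests an administrative user; a
    # pipeline only needs rights to write its own indices -- confirm and
    # prefer a dedicated least-privilege account.
    user => "es_admin"
    # The password is taken from an environment variable (ES_PWD is a
    # constructed example name) instead of being stored as a literal in this
    # file, where it would end up in backups, version control and copied
    # tutorials. On Logstash 2.3/2.4 environment references require starting
    # Logstash with --allow-env; later releases resolve them by default and
    # also accept keystore entries through the same ${...} syntax.
    # Use a strong, unique value and keep this file readable only by the
    # Logstash service account.
    password => "${ES_PWD}"
    # The host here is loopback; if Elasticsearch is reached over a network,
    # enable TLS on this output so the credentials are not sent in clear text.
  }
  stdout {
    codec => rubydebug
  }
}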