一、Logstash读取tomcat的catalina.out日志
1、读取单个日志文件
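# Pipeline 1: read one tomcat catalina log and index it into Elasticsearch.
input {
  file {
    path => "/elk/log/catalina.txt"   # path of the log file to tail
    # Read the file from its first line instead of only new lines.
    start_position => "beginning"
    # No persisted read offset: after every Logstash restart the whole file is
    # re-read and re-indexed, so this setting is only suitable for testing.
    sincedb_path => "/dev/null"
  }
}
filter {
  grok {
    # Catalina line layout: "[LEVEL] class timestamp - text". The prefix is
    # optional so lines that do not match it (stack traces) still pass through.
    match => { "message" => "(\[\s?%{LOGLEVEL:level}\] %{DATA:class} %{DATA:logtime} - )?%{GREEDYDATA:message}" }
    # The capture reuses the "message" field; without overwrite grok would
    # append to the existing field and turn it into an array.
    overwrite => ["message"]
  }
  # The grok pattern above never extracts a "clientip" field, so an
  # unconditional geoip lookup would fail on every event and tag it with
  # _geoip_lookup_failure. Only run it when such a field is actually present.
  if [clientip] {
    geoip {
      source => "clientip"   # resolve the client IP to a location
    }
  }
}
output {
  elasticsearch {
    # Plain HTTP to a local node with no credentials or TLS; for a non-local
    # cluster configure the output's ssl/user/password options instead.
    hosts => ["localhost:9200"]
    index => "catalina-%{+YYYY.MM.dd}"   # one index per day
    id => "output_1"                     # custom id for this output plugin
  }
}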
2、读取多个日志文件
# Pipeline 2: tail two tomcat instances and route each one to its own index.
# Each file input tags its events; the output section selects the target
# index by that tag.
input {
  file {
    tags => ["aaa"]                    # routing tag for the tzclaim instance
    type => "tzclaim"
    path => "/app/MT/tomcat-tzclaim/logs/catalina.out"
    # start_position is not set, so only lines appended after startup are read.
  }
  file {
    tags => ["bbb"]                    # routing tag for the interface instance
    type => "interface"
    path => "/app/MT/tomcat-interface/logs/catalina.out"
  }
}
filter {
  grok {
    # Same catalina layout as pipeline 1, but the text is captured into "msg"
    # so the original "message" field is left intact.
    match => { "message" => "(\[\s?%{LOGLEVEL:level}\] %{DATA:class} %{DATA:logtime} - )?%{GREEDYDATA:msg}" }
  }
}
output {
  # "10.10.0.xx" is a placeholder for the Elasticsearch host; both outputs
  # speak plain HTTP with no credentials configured.
  if "aaa" in [tags] {
    elasticsearch {
      id => "output_3"
      index => "tomcat-36-tz-%{+YYYY.MM.dd}"
      hosts => ["10.10.0.xx:9200"]
    }
  }
  if "bbb" in [tags] {
    elasticsearch {
      id => "output_4"
      index => "tomcat-36-it-%{+YYYY.MM.dd}"
      hosts => ["10.10.0.xx:9200"]
    }
  }
}