【记录】Logstash conf 配置文件介绍

最新推荐文章于 2024-08-11 14:35:01 发布
最新推荐文章于 2024-08-11 14:35:01 发布
阅读量1.4k 收藏 4
点赞数
分类专栏: logstash ubuntu spring 文章标签: elasticsearch ubuntu es
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/luoxuepeng/article/details/117605786
版权
spring 同时被 3 个专栏收录
7 篇文章 0 订阅
订阅专栏
ubuntu
4 篇文章 0 订阅
订阅专栏
logstash
2 篇文章 0 订阅
订阅专栏

 版本

logstash-7.13.1

官网参考

https://www.elastic.co/guide/en/logstash/current/config-examples.html

https://www.elastic.co/guide/en/logstash/current/configuration-file-structure.html

https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#conditionals

https://www.elastic.co/guide/en/logstash/current/input-plugins.html

https://www.elastic.co/guide/en/logstash/current/configuration-file-structure.html

confg 启动方式

bin/logstash -f logstash-simple.conf

conf的模板

# This is a comment. You should use comments to describe
# parts of your configuration.
input {
  ...
}

filter {
  ...
}

output {
  ...
}

样例1:

input {
  file {
    path => "/var/log/messages"
    type => "syslog"
  }

  file {
    path => "/var/log/apache/access.log"
    type => "apache"
  }
}

 

样例2

input { stdin { } }

filter {
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
  date {
    match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}

样例3

input {
  file {
    path => "/tmp/access_log"
    start_position => "beginning"
  }
}

filter {
  if [path] =~ "access" {
    mutate { replace => { "type" => "apache_access" } }
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
  }
  date {
    match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
  }
  stdout { codec => rubydebug }
}

样例4

input {
  file {
    path => "/tmp/*_log"
  }
}

filter {
  if [path] =~ "access" {
    mutate { replace => { type => "apache_access" } }
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    date {
      match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
  } else if [path] =~ "error" {
    mutate { replace => { type => "apache_error" } }
  } else {
    mutate { replace => { type => "random_logs" } }
  }
}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}

input介绍

对于input可以从很多源获取数据

An input plugin enables a specific source of events to be read by Logstash.

azure_event_hubs

Receives events from Azure Event Hubs

azure_event_hubs

beats

Receives events from the Elastic Beats framework

logstash-input-beats

cloudwatch

Pulls events from the Amazon Web Services CloudWatch API

logstash-input-cloudwatch

couchdb_changes

Streams events from CouchDB’s _changes URI

logstash-input-couchdb_changes

dead_letter_queue

read events from Logstash’s dead letter queue

logstash-input-dead_letter_queue

elasticsearch

Reads query results from an Elasticsearch cluster

logstash-input-elasticsearch

exec

Captures the output of a shell command as an event

logstash-input-exec

file

Streams events from files

logstash-input-file

ganglia

Reads Ganglia packets over UDP

logstash-input-ganglia

gelf

Reads GELF-format messages from Graylog2 as events

logstash-input-gelf

generator

Generates random log events for test purposes

logstash-input-generator

github

Reads events from a GitHub webhook

logstash-input-github

google_cloud_storage

Extract events from files in a Google Cloud Storage bucket

logstash-input-google_cloud_storage

google_pubsub

Consume events from a Google Cloud PubSub service

logstash-input-google_pubsub

graphite

Reads metrics from the graphite tool

logstash-input-graphite

heartbeat

Generates heartbeat events for testing

logstash-input-heartbeat

http

Receives events over HTTP or HTTPS

logstash-input-http

http_poller

Decodes the output of an HTTP API into events

logstash-input-http_poller

imap

Reads mail from an IMAP server

logstash-input-imap

irc

Reads events from an IRC server

logstash-input-irc

java_generator

Generates synthetic log events

core plugin

java_stdin

Reads events from standard input

core plugin

jdbc

Creates events from JDBC data

logstash-integration-jdbc

jms

Reads events from a Jms Broker

logstash-input-jms

jmx

Retrieves metrics from remote Java applications over JMX

logstash-input-jmx

kafka

Reads events from a Kafka topic

logstash-integration-kafka

kinesis

Receives events through an AWS Kinesis stream

logstash-input-kinesis

log4j

Reads events over a TCP socket from a Log4j SocketAppender object

logstash-input-log4j

lumberjack

Receives events using the Lumberjack protocl

logstash-input-lumberjack

meetup

Captures the output of command line tools as an event

logstash-input-meetup

pipe

Streams events from a long-running command pipe

logstash-input-pipe

puppet_facter

Receives facts from a Puppet server

logstash-input-puppet_facter

rabbitmq

Pulls events from a RabbitMQ exchange

logstash-integration-rabbitmq

redis

Reads events from a Redis instance

logstash-input-redis

relp

Receives RELP events over a TCP socket

logstash-input-relp

rss

Captures the output of command line tools as an event

logstash-input-rss

s3

Streams events from files in a S3 bucket

logstash-input-s3

s3-sns-sqs

Reads logs from AWS S3 buckets using sqs

logstash-input-s3-sns-sqs

salesforce

Creates events based on a Salesforce SOQL query

logstash-input-salesforce

snmp

Polls network devices using Simple Network Management Protocol (SNMP)

logstash-input-snmp

snmptrap

Creates events based on SNMP trap messages

logstash-input-snmptrap

sqlite

Creates events based on rows in an SQLite database

logstash-input-sqlite

sqs

Pulls events from an Amazon Web Services Simple Queue Service queue

logstash-input-sqs

stdin

Reads events from standard input

logstash-input-stdin

stomp

Creates events received with the STOMP protocol

logstash-input-stomp

syslog

Reads syslog messages as events

logstash-input-syslog

tcp

Reads events from a TCP socket

logstash-input-tcp

twitter

Reads events from the Twitter Streaming API

logstash-input-twitter

udp

Reads events over UDP

logstash-input-udp

unix

Reads events over a UNIX socket

logstash-input-unix

varnishlog

Reads from the varnish cache shared memory log

logstash-input-varnishlog

websocket

Reads events from a websocket

logstash-input-websocket

wmi

Creates events based on the results of a WMI query

logstash-input-wmi

xmpp

Receives events over the XMPP/Jabber protocol

logstash-input-xmpp

输入源公共属性

The following configuration options are supported by all input plugins:

SettingInput typeRequired

add_field

hash

No

codec

codec

No

enable_metric

boolean

No

id

string

No

tags

array

No

type

string

No

详细说明

 

add_field

  • Value type is hash
  • Default value is {}

Add a field to an event

codec

  • Value type is codec
  • Default value is "json"

The codec used for input data. Input codecs are a convenient method for decoding your data before it enters the input, without needing a separate filter in your Logstash pipeline.

enable_metric

  • Value type is boolean
  • Default value is true

Disable or enable metric logging for this specific plugin instance by default we record all the metrics we can, but you can disable metrics collection for a specific plugin.

id

  • Value type is string
  • There is no default value for this setting.

Add a unique ID to the plugin configuration. If no ID is specified, Logstash will generate one. It is strongly recommended to set this ID in your configuration. This is particularly useful when you have two or more plugins of the same type, for example, if you have 2 redis inputs. Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.

input {
  redis {
    id => "my_plugin_id"
  }
}

Variable substitution in the id field only supports environment variables and does not support the use of values from the secret store.

tags

  • Value type is array
  • There is no default value for this setting.

Add any number of arbitrary tags to your event.

This can help with processing later.

type

  • Value type is string
  • There is no default value for this setting.

Add a type field to all events handled by this input.

Types are used mainly for filter activation.

 

文件的输入源

file

Streams events from files

logstash-input-file

标准输入源

stdin

Reads events from standard input

logstash-input-stdin

redis输入源

redis

Reads events from a Redis instance

logstash-input-redis

属性参考如下:

SettingInput typeRequired

batch_count

number

No

command_map

hash

No

data_type

string, one of ["list", "channel", "pattern_channel"]

Yes

db

number

No

host

string

No

path

string

No

key

string

Yes

password

password

No

port

number

No

ssl

boolean

No

threads

number

No

timeout

number

No

https://www.elastic.co/guide/en/logstash/current/plugins-inputs-redis.html

data_type

  • 必须字段.
  • 值可以是三个中的任何一个: listchannelpattern_channel
  • There is no default value for this setting.

Specify either list or channel. If data_type is list, then we will BLPOP the key. If data_type is channel, then we will SUBSCRIBE to the key. If data_type is pattern_channel, then we will PSUBSCRIBE to the key.

db

  • Value type is number
  • Default value is 0

The Redis database number.

host

  • Value type is string
  • Default value is "127.0.0.1"

The hostname of your Redis server.

path

  • Value type is string
  • There is no default value for this setting.
  • Path will override Host configuration if both specified.

The unix socket path of your Redis server.

key

  • This is a required setting.
  • Value type is string
  • There is no default value for this setting.

The name of a Redis list or channel.

password

  • Value type is password
  • There is no default value for this setting.

Password to authenticate with. There is no authentication by default.

port

  • Value type is number
  • Default value is 6379

The port to connect on.

实验

机器1: redis + springboot + logstash (192.168.1.100)

input 如下

input {
	file {
		path => "/home/lxp/logs/*.log"
		codec => multiline {
            pattern => "^(\[%{TIMESTAMP_ISO8601}\])"
            negate => true
            what => "previous"
        }
		type => "springboot"
		start_position => "beginning"
        sincedb_path => "NUL"
		
	}
}
 
filter {
 
}
 
output {
	if [type] == "springboot" {
		redis {
			data_type => "list"
			host => "192.168.1.110"
			db => "0"
			port => "6379"
			key => "logstash_service"
		}
		
		stdout { 
			codec => rubydebug 
		}
	}
	
}

机器2: Logstash + kibana + es

input {
	redis {
		key => "logstash_service"
		host => "192.168.1.110"
		port => 6379
		db => "0"
		data_type => "list"
		type  => "springboot"
	}
}
output {
    if [type] == "springboot" {
        elasticsearch {
            hosts => ["192.168.1.101:9200"]
            index => "spring-%{+YYYY.MM.dd}"
        }
    }
	stdout { 
		codec => rubydebug 
	}
}

 

十二月的雪7
关注
专栏目录
基于Logstash由SQLServer向Elasticsearch同步数据: logstash配置文件
iOS逆向与安全
03-14 485
官方文档:https://www.elastic.co/guide/en/logstash/current/pipeline.html。statement : sql 里面的字段首字母必须as 成小写,或者你直接小写也行,但是必须的小写。依赖DB中的特定字段,可能会涉及到原有表结构的修改。在删除数据时无法通过这种方式获得数据的变更。x_Loan_PreservationAdvanceList.sql 需要同步数据执行的Sql。解压完成后,进入解压后的logstash-7.2.0文件夹。
Logstash:多个配置文件conf
Elastic 中国社区官方博客
09-18 1万+
在前面的一篇文章“Logstash:处理多个input”中,我们介绍了如何使用在同一个配置文件中处理两个input的情况。在今天这篇文章中,我们来介绍如何来处理多个配置文件的问题。对于多个配置的处理方法,有多个处理方法: 多个pipeline 一个pipleline处理多个配置文件 一个pipeline含有一个逻辑的数据流,它从input接收数据,并把它们传入到队列里,经过worker......
logstash.conf
10-12
logstash简单配置,根据端口接收日志,根据ip分析物理地址,根据user-agent分析浏览器类型及系统类型等,输出日志到ES、文件和控制台。
logstash.conf配置,从文件读取日志
最新发布
卡布奇诺
08-11 518
使用mutate过滤器的gsub功能去除message字段中的\r用法:在filter标签内加上mutate {gsub => [# 第一个数组元素是字段名,第二个元素是正则表达式,第三个元素是替换后的文本# 这里我们将message字段里的\r替换为空字符串# 如果你也想去除\n,可以添加另一个替换规则"message" => "info日志第一行",
Logstash配置详解
yygr的博客
04-08 1万+
https://blog.csdn.net/hushukang/article/details/84423184 Logstash配置文件位于Logstash安装目录下bin/logstash.conf 启动命令: logstash -f logstash.conf 1. Input Plugin 1.1 从文件输入 从文件读取数据,如常见的日志文件。文件读取通常要解决几个问题: No. 问题 解决办法 1 文件内容如何只被读取一次?即重启Logstash时,从
(精华)2020年10月2日 微服务 logstash的使用
热门推荐
时光隧道
09-04 45万+
if (!(Test-Path -Path $PROFILE)) { New-Item -ItemType File -Path $PROFILE -Force }
LogStash的配置详解
趣学程序
06-27 4779
配置语法logstash主要配置input、filter、output区段Logstash用{}来定义区域。区域内可以包括插件去预定义,可以在一个区域内定义多个插件。插件区域则可以定义键值对来设置。示例:input { stdin{} syslog{}}数据类型Logstash支持少量的数据值类型:•booldebug => true•stringhost => "loc...
logstash配置文件的写法解析
qq_40673345的博客
12-19 2239
手动输入log,终端打印出消息 /opt/logstash/bin/logstash -e 'input{stdin{}}output{stdout{codec=>rubydebug}}' 然后你会发现终端在等待你的输入。没问题,敲入 test_str,回车,返回下面的结果就是OK的! 从test.conf文件中写入 一、最基础终端输入输出 input { ...
vsftpd-grok-patterns:用于解析 vsftpd 日志记录Logstash 配置和 grok 模式
07-06
包含的 Logstash 配置文件需要消息字段中的 vsftpd 日志数据,当您使用 Logstash 的syslog输入接收 vsftpd 日志记录时,这是开箱即用的。 测试 在test/目录中,有一个测试套件试图确保以前支持的日志行不会因为...
logstash配置文件说明
大团猿的博客
10-28 1692
logstash配置语句详解 logstash配置文件包含三个配置部分,分别为:input{}、filter{}、output{}。 {} 定义区域,区域内可以定义一个或多个插件,通过插件对数据进行收集,加工处理,输出。 数据类型: 布尔值类型: ssl_enable => true 字节类型: bytes => “1MiB” 字符串类型: name => “xkops” 数值类型: port => 22 数组: match => [“datetime”,“UNIX”] 哈希
logstash-config:我的(不是这样)私有logstash配置
05-07
Logstash配置 这些是我的私有logstash配置文件。 它们是为Arch Linux和我使用的软件创建的。 说明在文件中。 由于这是我的第一个logstash设置,因此某些配置可能很奇怪。 如果您比我还了解任何其他信息,请提出问题(或提出要求)。 请不要担心,如果这会破坏您系统上的任何内容,我将不承担任何责任。 安装 如果其中有任何内容,请备份/etc/logstash/conf.d文件夹。 # rm -rf /etc/logstash/* # git clone https://github.com/dasJ/logstash-config /etc/logstash # systemctl start logstash
logstash-config-maker:在浏览器中进行 logstash 配置!
05-31
Logstash 配置工具 该项目面向希望开始使用。 它提供了一个基于 Web 的 UI 来创建 Logstash 配置文件。 创建的配置文件可以下载并与 Logstash 一起使用。 未来,用户界面还将允许用户在线测试他们的配置文件。 开发设置 先决条件 ,用于依赖管理 我们走吧! 打开终端窗口 克隆这个 repo git clone .../logstash-config-maker.git cd logstash-config-maker 安装依赖 bower install 在浏览器中加载用户界面 open index.html
logstash配置文件
08-30
配置文件logstash的stdin、file、tcp、udp、syslog、beats、grok、elasticsearch插件配置
Logstash配置语法
weixin_45880055的博客
08-11 4007
文章目录Logstash基本语法组成Logstash输入插件(Input)Logstash编码插件(Codec)Logstash过滤器插件(Filter插件)Logstash输出插件(output) Logstash基本语法组成 logstash之所以功能强大和流行,还与其丰富的过滤器插件是分不开的,过滤器提供的并不单单是过滤的功能,还可以对进入过滤器的原始数据进行复杂的逻辑处理,甚至添加独特的事件到后续流程中。 Logstash配置文件有如下三部分组成,其中input、output部分是必须配置,filt
Logstash配置
hxtxgfzs的博客
09-20 293
1.创建一个名为logstash-simple.conf配置文件 input { stdin { } } output { elasticsearch { host => localhost } stdout { codec => rubydebug } }2.启动 执行命令 logstash -f logstash-simple.conf  将conf文件放在bin目录下
logstash.conf示例
Xx__WangQi的博客
06-07 322
input { file { path => "/Users/yiruan/dev/elk7/logstash-7.0.1/bin/movies.csv" start_position => "beginning" sincedb_path => "/dev/null" } } filter { csv { separator => "," columns => ["id", "content", "genr.
Logstashconf文件
qq_39446651的博客
08-20 1963
Logstash是一个开源的、服务端的数据处理pipeline(管道),它可以接收多个源的数据、然后对它们进行转换、最终将它们发送到指定类型的目的地。Logstash是通过插件机制实现各种功能的,读者可以在https://github.com/logstash-plugins 下载各种功能的插件,也可以自行编写插件。 Logstash实现的功能主要分为接收数据、解析过滤并转换数据、输出数...
ElasticSearch | logstash.conf
GC怪兽的Blog
05-03 285
input { file { path => "F:\Worker\SpringRainDoctor炜\elastic\item.json" start_position => "beginning" sincedb_path => "/dev/null" } } filter { csv { separator => "," ...
logstash 下的config中syslo.conf 作用
05-21
syslog.confLogstash 中用于处理 Syslog 格式的日志的配置文件。Syslog 是一种广泛使用的日志格式,用于网络设备、服务器和应用程序等的日志记录。syslog.conf 配置文件中定义了 Logstash 如何解析和处理 Syslog...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

十二月的雪7

你的鼓励将是我创作最大的动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值