Logstash Usage Notes
1. Input plugins
Standard input (stdin)
Configuration:
input {
    stdin {
        add_field => {"key" => "value"}
        codec => "plain"
        tags => ["add"]
        type => "std"
    }
}
output {
    stdout {
        codec => rubydebug
    }
}
Start command: bin/logstash -f stdin-test.conf. Once startup succeeds, type Hello World001 into the console to test:
Hello World001
{
       "message" => "Hello World001",
      "@version" => "1",
    "@timestamp" => 2019-09-05T15:40:58.763Z,
          "type" => "std",
           "key" => "value",
          "host" => "localhost.localdomain",
          "tags" => [
        [0] "add"
    ]
}
type and tags are special Logstash fields. Example configuration:
input {
    stdin {
        type => "web"
    }
}
filter {
    if [type] == "web" {
        grok {
            match => ["message", "%{COMBINEDAPACHELOG}"]
        }
    }
}
output {
    if "_grokparsefailure" in [tags] {
        nagios_nsca {
            nagios_status => "1"
        }
    } else {
        elasticsearch {}
    }
}
Data type   Description   Example
bool        Boolean       debug => true
string      String        host => "hostname"
number      Numeric       port => 9600
array       Array         match => ["datetime", "UNIX", "ISO8601"]
hash        Hash          option => {key1 => "value1", key2 => "value2"}
File input
Logstash watches the listed files for changes and tracks the current read position in each monitored log file.
Example configuration:
input {
    file {
        path => ["/var/log/*.log", "/var/log/message"]
        type => "system"
        start_position => "beginning"
    }
}
Option             Description
discover_interval  How often to check the watched paths for new files; default 15 seconds
stat_interval      How often to check each file for updates; default 1 second
exclude            Files to exclude from watching
start_position     Where to start reading; default is the end of the file, "beginning" reads from the start
close_older        Stop watching a file that has not changed for this long; default 3600 seconds
ignore_older       Ignore files whose modification time is older than this; default one day
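The options from the table can be combined on a single file input. A sketch with illustrative values (the numbers shown simply restate the defaults from the table; the exclude pattern is a made-up example):

```
input {
    file {
        path => ["/var/log/*.log"]
        exclude => "*.gz"
        start_position => "beginning"
        discover_interval => 15
        stat_interval => 1
        close_older => 3600
        ignore_older => 86400
    }
}
```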
TCP input
Push-based service
There is no need to wait for new data to appear in a watched file; once the push finishes, the task is known to be complete.
input {
    # Expose a service port for other systems (e.g. backlog) to push to
    tcp {
        port => 8866
    }
}
output {
    stdout {
        codec => rubydebug
    }
}
Push data from a terminal: nc 127.0.0.1 8866 < data
Active polling with http_poller
Fetch data from another system's RESTful interface. Example configuration:
input {
    http_poller {
        urls => {
            0 => {
                method => get
                url => "http://127.0.0.1:8888/demo/format/json1"
                headers => { Accept => "application/json" }
                auth => { user => "zhasan" password => "123456" }
            }
            1 => {
                method => get
                url => "http://127.0.0.1:8888/demo/format/json2"
                headers => { Accept => "application/json" }
                auth => { user => "zhasan" password => "123456" }
            }
        }
        request_timeout => 60
        # Call the interfaces every 60 seconds
        interval => 60
        codec => "json"
    }
}
output {
    stdout {
        codec => rubydebug
    }
}
2. Codecs
JSON codec
Example configuration:
input {
    file {
        path => "/var/*.log"
        codec => "json"
    }
}
Multiline event codec
Configuration:
input {
    stdin {
        codec => multiline {
            # Regex; the buffered event is not emitted until a later line matches this pattern
            pattern => "^\["
            negate => true
            what => "previous"
        }
    }
}
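To make the negate/what semantics concrete, here is a small Python sketch (not Logstash code) of how lines are grouped with negate => true and what => "previous": a line matching ^\[ starts a new event, and every non-matching line is appended to the previous one. The sample log lines are hypothetical.

```python
import re

# A line that matches the pattern starts a new event; with negate => true and
# what => "previous", every non-matching line joins the previous event.
pattern = re.compile(r"^\[")

def group_events(lines):
    events = []
    for line in lines:
        if pattern.search(line) or not events:
            events.append(line)           # matching line: start a new event
        else:
            events[-1] += "\n" + line     # continuation line: append to previous
    return events

lines = [
    "[2019-09-05 15:40:58] ERROR something failed",
    "  at com.example.Demo.run(Demo.java:42)",
    "[2019-09-05 15:41:00] INFO recovered",
]
events = group_events(lines)
print(len(events))  # 2: the stack-trace line is folded into the first event
```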
3. Filters
Date handling with the logstash-filter-date plugin
Example configuration:
filter {
    grok {
        match => ["message", "%{HTTPDATE:logdate}"]
    }
    date {
        # Parse the captured time (HTTPDATE uses an abbreviated month name)
        match => ["logdate", "dd/MMM/yyyy:HH:mm:ss Z"]
    }
}
filter {
    grok {
        match => {
            # Regex that extracts a numeric field from the message
            "message" => "\s+(?<request_time>\d+(?:\.\d+)?)\s+"
        }
    }
}
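As a sanity check of the capture group, the same pattern can be tried with Python's re module (Python requires the (?P<name>...) spelling for named groups, whereas grok also accepts (?<name>...)). The log line below is a made-up example with a duration column:

```python
import re

# Same expression as the grok pattern, with the named group in Python syntax.
pat = re.compile(r"\s+(?P<request_time>\d+(?:\.\d+)?)\s+")

line = "GET /index.html 0.253 200"  # hypothetical log line
m = pat.search(line)
print(m.group("request_time"))  # 0.253
```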
4. Output plugins
Output to Elasticsearch
Example configuration:
output {
    elasticsearch {
        # Elasticsearch cluster addresses
        hosts => ["127.0.0.1:9200"]
        # Index name; a %{+...} segment is a date format, and index names must not contain uppercase letters
        index => "logstash-%{type}-%{+YYYY.MM.dd}"
        # Document type
        document_type => "%{type}"
        # Send batches of 2000 events
        flush_size => 2000
        # Flush a batch after 10 seconds even if it is not full
        idle_flush_time => 10
    }
}
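To illustrate how the index name expands, a Python sketch: the Joda-style %{+YYYY.MM.dd} corresponds to strftime's %Y.%m.%d applied to the event's @timestamp (UTC). The timestamp and type value below are hypothetical.

```python
from datetime import datetime, timezone

# Hypothetical event: Logstash expands %{+YYYY.MM.dd} from @timestamp (UTC)
ts = datetime(2019, 9, 5, 15, 40, 58, tzinfo=timezone.utc)
event_type = "std"  # the event's "type" field

# Joda YYYY.MM.dd maps to strftime %Y.%m.%d
index = "logstash-%s-%s" % (event_type, ts.strftime("%Y.%m.%d"))
print(index)  # logstash-std-2019.09.05
```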
Sending email
Example configuration:
output {
    email {
        port => ""
        address => "smtp.126.com"
        username => "test@126.com"
        password => ""
        authentication => "plain"
        use_tls => true
        from => "test@126.com"
        subject => "Warning: %{title}"
        to => "405414011@qq.com"
        via => "smtp"
        body => "%{message}"
    }
}
Saving output to a file
Example configuration:
output {
    file {
        path => "/path/to/%{+YYYY}/%{+MM}/%{+dd}/%{+HH}/%{host}.log.gz"
        # The default output is JSON; this setting keeps the original message unchanged
        message_format => "%{message}"
        gzip => true
    }
}
5. MySQL slow query log
Example configuration:
input {
    file {
        type => "mysql-slow"
        path => "/var/log/mysql/mysql-slow.log"
        codec => multiline {
            pattern => "^# User@Host:"
            negate => true
            what => "previous"
        }
    }
}
filter {
    grok {
        match => {"message" => "SELECT SLEEP"}
        # Added only when the match succeeds
        add_tag => ["sleep_drop"]
        # Prevent the default _grokparsefailure tag on real records
        tag_on_failure => []
    }
    if "sleep_drop" in [tags] {
        drop {}
    }
    grok {
        match => [regex]
    }
    date {
        match => ["timestamp", "UNIX"]
        remove_field => ["timestamp"]
    }
}
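The tag-and-drop logic above can be sketched in Python (not Logstash code; the sample events are made up): events whose message contains SELECT SLEEP are tagged sleep_drop and dropped, and everything else passes through.

```python
# Python sketch of the filter chain: tag SELECT SLEEP events, then drop them.
def filter_events(events):
    kept = []
    for event in events:
        tags = event.setdefault("tags", [])
        if "SELECT SLEEP" in event["message"]:  # stands in for the grok match
            tags.append("sleep_drop")           # add_tag on successful match
        if "sleep_drop" in tags:                # if "sleep_drop" in [tags] { drop {} }
            continue
        kept.append(event)
    return kept

events = [
    {"message": "# User@Host: root\nSELECT SLEEP(2);"},
    {"message": "# User@Host: app\nSELECT * FROM orders WHERE id = 1;"},
]
kept = filter_events(events)
print(len(kept))  # 1: only the real query survives
```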
6. Redis queue
Example configuration:
input {
    redis {
        data_type => "pattern_channel"
        key => "logstash-*"
        host => "127.0.0.1"
        port => 6379
        threads => 5
    }
}
Testing
# redis-cli
127.0.0.1:6379> PUBLISH logstash-demochan "hello world"
# Output in the Logstash console:
{
       "message" => "hello world",
      "@version" => "1",
    "@timestamp" => "2019-9-6T16:01:09.365Z"
}