1. Download the Logstash tarball from the official site. The Logstash version must match your Elasticsearch version (7.9.3 here).
Once downloaded, extract it:
tar -zxvf logstash-7.9.3.tar.gz
2. Configuration file
The config folder under the Logstash root contains a template called logstash-sample.conf. Copy it and rename the copy; I named mine std_es.conf.
Edit its contents.
The parts that matter are input and output. The file block can be repeated as many times as you like, one per data source; the add_field inside each block attaches an extra field (here uam-service) to every event from that source, so the sources can be told apart downstream. Two things to keep in mind: the file input tails from the end of a file by default, so lines that already exist when Logstash starts are only read if start_position => "beginning" is set; and with the user/password lines commented out Logstash connects to Elasticsearch anonymously, which only works while Elasticsearch security is disabled. With security enabled, uncomment them (and prefer https).
# Logstash pipeline: local log files -> Logstash -> Elasticsearch
input {
  stdin {
  }
  file {
    path => "/opt/audit/logs/log-distribute/*.log"
    add_field => {
      "uam-service" => "log-distribute"
    }
  }
  file {
    path => "/opt/audit/logs/log-gateway/*.log"
    add_field => {
      "uam-service" => "log-gateway"
    }
  }
  file {
    path => "/opt/audit/logs/log-rule/*.log"
    add_field => {
      "uam-service" => "log-rule"
    }
  }
}
output {
  elasticsearch {
    hosts => ["http://{ES host IP}:9200"]
    index => "{target index name; it does not need to be created in advance}"
    # uncomment and fill in when Elasticsearch security is enabled
    #user => "elastic"
    #password => "changeme"
  }
}
3. Start
I run it in the background, hence nohup xxx &.
This simply runs the logstash launcher with the configuration file std_es.conf:
nohup ./bin/logstash -f config/std_es.conf &
It is worth syntax-checking the file first with ./bin/logstash -f config/std_es.conf --config.test_and_exit, and redirecting output to a named log file instead of the default nohup.out in the current directory; otherwise a typo in the config only shows up after the process has already died in the background.
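The script below puts steps 2 and 3 together. It is an added example, not the original author's script or anything shipped with Logstash: it generates std_es.conf for any number of services instead of hand-copying file blocks, syntax-checks it, and then starts Logstash under nohup with its output in a named log file. The variable names (LOGSTASH_HOME, ES_HOST, ES_INDEX, LOG_ROOT), the helper names (gen_pipeline_conf, count_file_inputs) and the keystore entries ES_USER/ES_PWD are all my assumptions; the log layout /opt/audit/logs/<service>/*.log and the three service names are the ones from the post.

```sh
#!/bin/sh
# Added example, not code from the original post: generate std_es.conf for any
# number of services, syntax-check it, then start Logstash in the background.
# Assumptions (not stated in the original): Logstash is unpacked in
# LOGSTASH_HOME, logs live under LOG_ROOT/<service>/*.log as in the post, and
# the Elasticsearch credentials were stored in the Logstash keystore with
#   bin/logstash-keystore create
#   bin/logstash-keystore add ES_USER
#   bin/logstash-keystore add ES_PWD
# The stdin input from the post is left out: a nohup'd process has no terminal.
set -eu

LOGSTASH_HOME="${LOGSTASH_HOME:-$PWD}"
ES_HOST="${ES_HOST:-127.0.0.1}"          # placeholder for the ES host
ES_INDEX="${ES_INDEX:-uam-audit}"        # created automatically on first write
LOG_ROOT="${LOG_ROOT:-/opt/audit/logs}"

# gen_pipeline_conf ES_HOST INDEX LOG_ROOT SERVICE... : pipeline config on stdout,
# one file input per service, each event tagged with uam-service = <service>.
gen_pipeline_conf() {
    host=$1; index=$2; root=$3; shift 3
    echo 'input {'
    for svc in "$@"; do
        cat <<EOF
  file {
    path => "${root}/${svc}/*.log"
    # read files that already exist from the top; the default only tails new lines
    start_position => "beginning"
    add_field => { "uam-service" => "${svc}" }
  }
EOF
    done
    cat <<EOF
}
output {
  elasticsearch {
    hosts => ["http://${host}:9200"]
    index => "${index}"
    # resolved from the Logstash keystore at startup, so no plaintext password here
    user => "\${ES_USER}"
    password => "\${ES_PWD}"
  }
}
EOF
}

# count_file_inputs CONF : number of file {} inputs in a generated config (sanity check)
count_file_inputs() {
    grep -c '^  file {' "$1"
}

# Only write files and start anything when run inside an unpacked Logstash tree.
if [ -x "${LOGSTASH_HOME}/bin/logstash" ]; then
    CONF="${LOGSTASH_HOME}/config/std_es.conf"
    mkdir -p "${LOGSTASH_HOME}/logs"
    gen_pipeline_conf "$ES_HOST" "$ES_INDEX" "$LOG_ROOT" log-distribute log-gateway log-rule > "$CONF"
    echo "wrote $CONF with $(count_file_inputs "$CONF") file inputs"
    # fail here on a syntax error instead of discovering it later in the log
    "${LOGSTASH_HOME}/bin/logstash" -f "$CONF" --config.test_and_exit
    nohup "${LOGSTASH_HOME}/bin/logstash" -f "$CONF" > "${LOGSTASH_HOME}/logs/std_es.out" 2>&1 &
    echo $! > "${LOGSTASH_HOME}/logs/std_es.pid"
fi
```

Run it from the unpacked Logstash directory (or with LOGSTASH_HOME pointing at it). Because --config.test_and_exit runs first, a broken config stops the script before nohup ever starts; stdout and stderr go to logs/std_es.out rather than nohup.out, and the pid file makes stopping the instance a matter of kill $(cat logs/std_es.pid). Keeping the credentials in the keystore means the config file itself can be checked into version control or shared without leaking the Elasticsearch password.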