1. 研发侧需要在 Java 程序中配置日志输出,将日志以 JSON 格式通过 TCP socket 发送到 Logstash。
2. 运维侧在 ELK 服务器上配置 Logstash。
配置 tcp socket 的 input 输入规则(以下示例为明文 TCP 监听;Elasticsearch 密码等敏感值不要直接写在配置文件里,应放入 Logstash keystore 后以 ${变量名} 引用):
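input {
  tcp {
    # Listens on every interface as a plaintext TCP server: any host that can
    # reach this port can inject events into the index. Restrict port 8212 at
    # the firewall to the shipper hosts, and enable TLS on this input
    # (ssl_enable plus the certificate/key options) for anything beyond a
    # trusted LAN.
    host => "0.0.0.0"
    mode => "server"
    port => 8212 # TCP port Logstash listens on
    tcp_keep_alive => false
    # One reverse DNS lookup per connection; the resulting host name is only as
    # trustworthy as the resolver, so do not make access decisions on it.
    dns_reverse_lookup_enabled => true
    # `type` is kept for the indexed documents, but output does not route on it:
    # an input's `type` does not overwrite a `type` already present in the
    # client's decoded JSON, so a client could steer its events past a
    # `[type] == ...` check. The @metadata field set below is always overwritten
    # by add_field and is not indexed, so output routes on that instead.
    type => "kht_luan"
    codec => "json"
    enable_metric => false
    id => input2
    add_field => {
      "[@metadata][project]" => "kht_luan"
    }
  }
}
filter {
  # Client-supplied epoch milliseconds become @timestamp; an unparsable value
  # leaves @timestamp at receive time and tags the event _dateparsefailure.
  date {
    match => [ "timeMillis", "UNIX_MS" ]
  }
}
output {
  if [@metadata][project] == "kht_luan" {
    elasticsearch {
      action => "index"
      hosts => "127.0.0.1:9211" # Elasticsearch ip:port
      index => "kht_luan_%{+YYYY.MM}"
      # "elastic" is the built-in superuser; prefer a dedicated user whose role
      # is limited to writing kht_luan_* indices.
      user => "elastic"
      # Keep the password out of the config file: store it in the Logstash
      # keystore (bin/logstash-keystore add ES_PWD) and reference it here.
      password => "${ES_PWD}"
    }
  }
}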
配置完成后启动 Logstash,可以看到 8212 端口已处于监听状态(例如用 ss -lntp | grep 8212 确认)。
将这台服务器的 IP 地址和端口告知研发人员,并在防火墙/安全组中仅对需要传输日志的那几台服务器开放该端口。注意该监听是明文 TCP,任何能连通该端口的主机都可以向对应索引写入事件,不要对公网开放;跨不可信网络传输时应在 input 中启用 TLS(ssl_enable 及证书相关选项)。
如果是多项目的话,我们可以配置多个 tcp 的 input 规则,监听多个端口,实现一个项目一个端口,每个项目设置不同的 type,output 规则根据不同的 type 类型输出到不同的 index。注意 input 中设置的 type 不会覆盖客户端 JSON 里已有的 type 字段,按 type 路由时要确认客户端不会自行发送该字段,否则一个项目的日志可能被写入另一个项目的索引。
多项目收集配置多端口类似以下配置:(根据上述文件稍加改动,以下仅为示例)
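input {
  # One plaintext TCP listener per project, each bound on every interface.
  # Restrict each port at the firewall to that project's shippers (or enable
  # TLS with ssl_enable and the certificate/key options); otherwise any
  # reachable host can write into the project's index.
  tcp {
    host => "0.0.0.0"
    mode => "server"
    port => 9611
    tcp_keep_alive => false
    dns_reverse_lookup_enabled => true
    # `type` is kept for the indexed documents, but it is NOT used for routing:
    # an input's `type` does not overwrite a `type` already present in the
    # client's JSON, so a client on 9611 could claim type "java" and land in
    # the other project's index. The @metadata field set below is always
    # overwritten by add_field and is not indexed, so output routes on it.
    type => "test"
    codec => "json"
    enable_metric => false
    id => input1
    add_field => {
      "[@metadata][project]" => "test"
    }
  }
  tcp {
    host => "0.0.0.0"
    mode => "server"
    port => 9612
    tcp_keep_alive => false
    dns_reverse_lookup_enabled => true
    # Same routing rule as input1: `type` is informational, @metadata routes.
    type => "java"
    codec => "json"
    enable_metric => false
    id => input2
    add_field => {
      "[@metadata][project]" => "java"
    }
  }
}
filter {
  # Pull the ISO-8601 timestamp out of the client-supplied message; an event
  # whose message has none is tagged _grokparsefailure and keeps its receive
  # time as @timestamp.
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:log_time}" }
  }
  date {
    match => ["log_time", "yyyy-MM-dd HH:mm:ss,SSS"]
    target => "@timestamp"
  }
}
output {
  # No credentials are given here, so this only works while Elasticsearch
  # security is disabled. When it is enabled, give each project its own user
  # whose role is limited to writing that project's index pattern.
  if [@metadata][project] == "test" {
    elasticsearch {
      action => "index"
      hosts => "127.0.0.1:9200"
      index => "testtomcatlog_%{+YYYY.MM}"
    }
  }
  if [@metadata][project] == "java" {
    elasticsearch {
      action => "index"
      hosts => "127.0.0.1:9200"
      index => "javatomcatlog_%{+YYYY.MM}"
    }
  }
}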