[root@bogon config]# vi jvm.options
#原来是
-Xmx1g
[root@bogon config]# cp logstash-sample.conf logstash.conf
#安装完以后先用这个看看
[root@bogon bin]# ./logstash -e 'input {stdin{}} output{stdout{}}'
#这是启动
[root@bogon logstash7]# bin/logstash -f config/logstash.conf
或者
#!/bin/bash
# Launch Logstash in the background with the main pipeline config.
# nohup detaches it from the launching terminal; stdout and stderr are both
# appended to output.log, which nothing in this script rotates or truncates.
# NOTE(review): the prompts on this page are root shells. Confirm whether
# Logstash really has to run as root here or can use a dedicated account.
logstash_home=/export/logstash7

nohup "${logstash_home}/bin/logstash" \
  -f "${logstash_home}/config/logstash.conf" \
  >> "${logstash_home}/output.log" 2>&1 &
/usr/local/logstash-6.6.2 #地址
bin/logstash -f config/logstash-nginx.conf #启动
cat access.log |wc -l #统计
cat /etc/redhat-release #查看版本
ps auxf|grep logstash
发送重载配置文件的命令:kill -1 进程号(-1 即 SIGHUP 信号)
netstat -antp |grep 9200
netstat -lntup
jps
192.xxx.xxx.132 - - [26/Apr/2019:00:00:20 -0700] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
$remote_addr ip地址 192.xxx.xxx.132
$remote_user 用户 -
[$time_local] 时间 [26/Apr/2019:00:00:20 -0700]
$request 方法和协议 GET /favicon.ico HTTP/1.1
$status 状态 200
$body_bytes_sent 数据字节 612
$http_referer 从哪个网址调过来的 没有就"-"
$http_user_agent 浏览器信息
$http_x_forwarded_for 经代理转发时的客户端 ip 地址(取自 X-Forwarded-For 请求头,客户端可以随意填写,只有由可信代理写入时才能当作真实 ip)
HTTPD_COMMONLOG %{IPORHOST:clientip} %{HTTPDUSER:ident} %{HTTPDUSER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)
HTTPD_COMBINEDLOG %{HTTPD_COMMONLOG} %{QS:referrer} %{QS:agent}
#192.xxx.xxx.132/hello.html
{
"timestamp" => "26/Apr/2019:00:45:49 -0700",
"@timestamp" => 2019-04-26T07:45:50.535Z,
"ident" => "-",
"request" => "/hello.html",
"path" => "/usr/local/nginx/logs/access.log",
"referrer" => "\"-\"",
"host" => "bogon",
"message" => "192.xxx.xxx.132 - - [26/Apr/2019:00:45:49 -0700] \"GET /hello.html HTTP/1.1\" 404 154 \"-\" \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"",
"auth" => "-",
"clientip" => "192.xxx.xxx.132",
"type" => "nginxaccess",
"agent" => "\"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"",
"@version" => "1",
"httpversion" => "1.1",
"verb" => "GET",
"response" => "404",
"bytes" => "154"
}
/usr/local/logstash-6.6.2/vendor/bundle/jruby/2.3.0/gems/logstash-patterns-core-4.1.2/patterns/httpd
codecs 解码
target 替换 timestamp
vim /usr/local/logstash-6.6.2/config/logstash-nginx.conf
# Pipeline: follow the nginx access log, parse each line as combined log
# format, and index the events into Elasticsearch with one index per day.
input {
  file {
    path           => "/usr/local/nginx/logs/access.log"
    type           => "nginxaccess"
    # Start reading at the top of the file rather than only at new lines.
    start_position => "beginning"
  }
}

filter {
  # Break "message" into clientip, verb, request, response, bytes, referrer,
  # agent, ... using the stock HTTPD_COMBINEDLOG pattern.
  # request, referrer and agent are text chosen by the client, so anything
  # that later renders or queries these fields should treat them as untrusted.
  grok {
    match => {
      "message" => "%{HTTPD_COMBINEDLOG}"
    }
  }

  # Parse the nginx time string, e.g. 26/Apr/2019:00:45:49 -0700.
  date {
    match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
  }
}

output {
  elasticsearch {
    # Loopback address only; no user, password or TLS options are set here.
    # NOTE(review): that is adequate only while Elasticsearch listens on
    # 127.0.0.1 alone. Confirm with the netstat check on port 9200.
    hosts => ["127.0.0.1:9200"]
    index => "nginx-%{+YYYY.MM.dd}"
  }
}
或者 屏幕输出 sss|ssssdf|a1232|sss4
# Pipeline: read lines typed on stdin, split each one on "|", and print the
# resulting event to the terminal. Sample input: sss|ssssdf|a1232|sss4
input {
  stdin {}
}

filter {
  mutate {
    # "message" is replaced by the list of pieces found between "|" characters.
    split => ["message", "|"]
  }
}

output {
  stdout {}
}
#记录的插件
[root@bogon logstash7]# cat Gemfile
安装插件:
#去这个网站看看有没有插件
https://github.com/logstash-plugins
cat Gemfile | grep kv
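# Install Ruby, then RubyGems 2.6.12 from its source archive, then switch the
# gem source to a mirror.
yum install ruby
wget https://rubygems.org/rubygems/rubygems-2.6.12.zip
# NOTE(review): nothing here checks the archive before setup.rb executes code
# from it. Compare its digest with one obtained from the publisher first, e.g.
#   sha256sum rubygems-2.6.12.zip    # expect <PUBLISHED_SHA256>
unzip rubygems-2.6.12.zip
# The archive unpacks into rubygems-2.6.12/ (the .zip file is not a
# directory); setup.rb runs only if the cd succeeded.
cd rubygems-2.6.12 && ruby setup.rb
gem -v
gem sources -l
# Replace the official index with the ruby-china mirror: every later
# `gem install` resolves against that mirror only, so it becomes the trust
# anchor for installed gems.
gem sources --add https://gems.ruby-china.com/ --remove https://rubygems.org/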
[root@bogon ~]# vim .gemrc
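修改 ~/.gemrc 文件,增加 ssl_verify_mode: 0 配置, #忽略ssl验证
以便于 RubyGems 可以忽略 SSL 证书错误。注意:该配置会关闭对 gem 源的证书校验,下载的 gem 在传输途中被替换也不会报错;证书报错通常是系统 CA 证书或 RubyGems 版本过旧造成的,应优先更新它们,确需临时使用时,安装完成后要删除此配置。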
/export/logstash7/bin #安装的插件的名字
[root@bogon bin]# ./logstash-plugin install logstash-input-jdbc #logstash-output-mongodb
[root@bogon bin]# ./logstash-plugin list
#!/bin/bash
# Launch Logstash in the background with the pipeline config named below.
# nohup detaches it from the launching terminal; stdout and stderr are both
# appended to output.log.
# NOTE(review): the binary, the pipeline config and output.log all live under
# a directory named "public" inside a www site tree. If that directory is the
# web server's document root, the log and the config (including any
# credentials written in it) would be downloadable. Confirm, or move the
# install outside the served path.
logstash_home=/export/www/admin-analysis.geenmay11.cn/public/logstash7

nohup "${logstash_home}/bin/logstash" \
  -f "${logstash_home}/config/logstashka-fka-dev.conf" \
  >> "${logstash_home}/output.log" 2>&1 &