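# Unpack the Logstash 6.7.0 release archive and move it under the service directory,
# ending in its bin/ directory where the launcher script lives.
#
# Before unpacking, compare the archive's SHA-512 with the value published for the
# release: whatever is in this tarball is what the launcher will later execute.
#
# The steps are chained with && so a failed cd/tar/mv stops the sequence instead of
# letting later commands run in the wrong directory.
cd /data/clzx/test/pp_res \
  && tar -xvf logstash-6.7.0.tar.gz \
  && mkdir -p /data/clzx/test/service \
  && mv logstash-6.7.0 /data/clzx/test/service/ \
  && cd /data/clzx/test/service/logstash-6.7.0/bin
# mkdir -p plus the trailing slash on the mv target: without an existing target directory,
# mv would rename logstash-6.7.0 to "service" and the final cd would fail.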
---指定jdk目录
logstash
# Point the launcher at a specific JDK 8 install, then run a throwaway pipeline
# (stdin in, stdout out) to confirm Logstash starts with that JDK.
# NOTE(review): JAVA_CMD holds the JDK's bin directory, not a java executable, and
# JAVA_HOME is the variable normally used to select the JDK; confirm JAVA_CMD is read at all.
JAVA_CMD="/data/clzx/jdk1.8.0_101/bin"
JAVA_HOME="/data/clzx/jdk1.8.0_101/"
export JAVA_CMD JAVA_HOME
# --config.string is the long form of -e: the pipeline is given inline, no file needed.
./logstash --config.string 'input { stdin { } } output { stdout {} }'
在logstash文件夹下的bin目录创建配置文件logstash.conf,内容如下:
vi logstash.conf
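# Pipeline: follow a log file, split each line into fields, index the result
# into a local Elasticsearch node.
input {
  # Read events from a file.
  file {
    # Path of the log file to follow.
    # NOTE(review): this is a Windows path while the rest of the walkthrough runs on
    # Linux; the file input needs an absolute path, and forward slashes are the safer
    # separator on Windows. Confirm against the host this actually runs on.
    path => "F:\test\dp.log"
  }
}
filter {
  # Parse each line into fields with a regular expression (adapt to the real log layout).
  # The pipes are escaped: a bare | is regex alternation, so the unescaped pattern would
  # match a single alternative and never fill clientIP, request and duration together.
  # Lines that do not match are tagged _grokparsefailure and still shipped, so filter or
  # alert on that tag rather than assuming every indexed event was parsed.
  grok {
    match => { "message" => "%{IPV4:clientIP}\|%{GREEDYDATA:request}\|%{NUMBER:duration}" }
  }
  # Convert field types as needed; duration is stored as an integer.
  mutate { convert => { "duration" => "integer" } }
}
# Where the events go.
output {
  elasticsearch {
    # Elasticsearch default HTTP port. No scheme or credentials are set, so this is
    # unauthenticated plain HTTP; acceptable only while the node listens on loopback.
    hosts => ["localhost:9200"]
  }
}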
vi file_es.conf
# Pipeline: every line typed on stdin becomes an event that is indexed into
# Elasticsearch and echoed to the console.
input {
  stdin {}
}

output {
  elasticsearch {
    # No scheme and no credentials: events travel to this remote node over plain HTTP
    # and the cluster has to accept anonymous writes. Where the cluster has security
    # enabled, set the plugin's user/password and ssl/cacert options instead.
    hosts => ["134.64.14.137:9200"]
    index => "yj_index"
  }
  # Pretty-print each event locally; everything sent to Elasticsearch also lands on the
  # terminal (and in any captured console log).
  stdout { codec => rubydebug }
}
# Start Logstash with the pipeline defined in file_es.conf (--path.config is the long
# form of -f). Adding --config.test_and_exit validates the file without starting the
# pipeline, which is worth doing before it begins shipping events to a remote node.
./logstash --path.config ./file_es.conf
--------------------------
# Pipeline: read a web access log from the start, parse each request line into
# fields, use the request time as the event timestamp, index into Elasticsearch.
input {
  file {
    path => "/data/clzx/test/service/logstash-6.7.0/bin/access_log.2018-04-10.log"
    # "beginning" only applies to files Logstash has not tracked before; once a read
    # position is recorded, a restart resumes from there.
    start_position => "beginning"
  }
}

filter {
  grok {
    # Every captured field (path, referrer, user agent, ...) is client-supplied text:
    # treat it as untrusted wherever it is later rendered or queried.
    match => {
      "message" => "%{DATA:clientIp} - - \[%{HTTPDATE:accessTime}\] \"%{DATA:method} %{DATA:requestPath} %{DATA:httpversion}\" %{DATA:retcode} %{DATA:size} \"%{DATA:fromHtml}\" \"%{DATA:useragent}\""
    }
    # Dropped only when the match succeeds; lines that fail to parse keep the raw
    # message and carry the _grokparsefailure tag.
    remove_field => "message"
  }
  # Parse accessTime; with no target set, the result replaces @timestamp.
  date {
    match => ["accessTime", "dd/MMM/yyyy:HH:mm:ss Z"]
  }
}

output {
  elasticsearch {
    # No scheme and no credentials: access-log events cross the network over plain HTTP
    # and the cluster has to accept anonymous writes. Where the cluster has security
    # enabled, set the plugin's user/password and ssl/cacert options instead.
    hosts => ["134.64.14.137:9200"]
    index => "yudq"
  }
  # Console copy of every event, for debugging.
  stdout {
    codec => rubydebug
  }
}