[root@web02 ~]# cat /etc/logstash/conf.d/nginx.conf
# Pipeline: tail the nginx access log (written as JSON), index each event into
# Elasticsearch under a per-day index, and echo every event to stdout.
input {
  file {
    # Each line of the file is decoded as one JSON document.
    codec => "json"
    type => "nginx-access-log"
    path => "/var/log/nginx/access_log_jason.log"
  }
}

filter {
}

output {
  elasticsearch {
    # NOTE(review): no user/password or SSL options are set on this output, so
    # the plugin's defaults apply (presumably plain HTTP without credentials;
    # confirm for the Logstash version in use). Access logs carry client IPs,
    # request URLs and user agents, so confirm that 10.0.0.18:9200 is reachable
    # only from trusted hosts or enable authentication and TLS on the cluster.
    hosts => ["10.0.0.18:9200"]
    # The %{+...} date pattern is filled in from the event's @timestamp,
    # which gives one index per day.
    index => "nginx-access-log-%{+YYYY.MM.dd}"
  }

  # Debug echo of every event. When Logstash runs as a service this copy ends
  # up in the service's own output, which duplicates access-log contents there.
  stdout {
    codec => rubydebug
  }
}
#正则匹配[ ] 两个括号之间的内容
[root@web04 conf.d]# cat codec.conf
# Pipeline: read stdin, join continuation lines into one event, print the result.
input {
  stdin {
    codec => multiline {
      # A line that starts with "[" begins a new event. With negate => true and
      # what => "previous", every line that does NOT match the pattern is
      # appended to the event started by the preceding matching line.
      # The buffered event is emitted only once the next line starting with "["
      # arrives; the codec's auto_flush_interval option can bound that wait.
      what => "previous"
      negate => true
      pattern => "^\["
    }
  }
}

filter {
}

output {
  # Pretty-print each assembled event for inspection.
  stdout {
    codec => rubydebug
  }
}
[root@web04 conf.d]# cat demo.conf
# Pipeline: read lines typed on stdin, index them into Elasticsearch under a
# per-day index, and echo each event to stdout.
input {
  stdin {}
}

filter {
}

output {
  elasticsearch {
    # NOTE(review): no user/password or SSL options are set on this output, so
    # the plugin's defaults apply (presumably plain HTTP without credentials;
    # confirm). Anything able to reach 10.0.0.18:9200 can then read or write
    # these indices unless the cluster itself enforces access control.
    hosts => ["10.0.0.18:9200"]
    # Date pattern is filled in from the event's @timestamp (daily index).
    index => "logstash-%{+YYYY.MM.dd}"
  }

  stdout {
    codec => rubydebug
  }
}
=====================================
多行正则匹配
[root@web04 conf.d]# cat file.conf
# Pipeline: ship system logs and Elasticsearch's own logs to separate monthly
# indices, routing on the "type" field set by each input.
input {
  # System logs. /var/log/secure is the authentication log and contains account
  # names and source addresses; the Logstash process needs read access to it
  # (presumably root-only on this host; confirm), and whoever can query the
  # resulting index can read that data.
  file {
    type => "system-log"
    # "beginning" applies only to files Logstash has no recorded read position
    # (sincedb) for; files already tracked resume where they left off.
    start_position => "beginning"
    path => ["/var/log/messages","/var/log/secure"]
  }

  # Elasticsearch logs. The second path pins one dated rotation; other rotated
  # files are not read by this input.
  file {
    type => "es-log"
    start_position => "beginning"
    path => ["/var/log/elasticsearch/my-es.log","/var/log/elasticsearch/my-es.log.2018-01-15"]
    codec => multiline {
      # Lines that do not start with "[" (e.g. stack-trace lines) are appended
      # to the preceding line that does, so one log entry becomes one event.
      what => "previous"
      negate => true
      pattern => "^\["
    }
  }
}

filter {
}

output {
  # Events whose type matches neither branch below are not sent anywhere by
  # this file. Logstash merges all config files loaded for a pipeline into one,
  # so an unconditional output in another loaded file would also receive these
  # events.
  #
  # NOTE(review): neither elasticsearch output sets user/password or SSL
  # options, so auth-log data presumably travels to 10.0.0.18:9200 in clear text
  # and unauthenticated (confirm); restrict network access to that port or
  # enable TLS and authentication.
  if [type] == "system-log" {
    elasticsearch {
      hosts => ["10.0.0.18:9200"]
      # Monthly index, date taken from the event's @timestamp.
      index => "system-log-%{+YYYY.MM}"
    }
  }

  if [type] == "es-log" {
    elasticsearch {
      hosts => ["10.0.0.18:9200"]
      index => "es-log-%{+YYYY.MM}"
    }
  }
}
================================
syslog 插件
[root@web04 conf.d]# cat sys.log
# Pipeline: accept syslog messages from the network and index them into
# Elasticsearch under a monthly index.
#
# NOTE(review): this file is shown as "sys.log"; if the pipeline's config path
# is a "*.conf" glob it would not be picked up (confirm how it is loaded).
input {
  syslog {
    # 514 is a privileged port (< 1024): binding it requires root or the
    # CAP_NET_BIND_SERVICE capability. A high port plus a redirect or a local
    # syslog relay avoids running Logstash with those privileges.
    # No host option is set, so the plugin's default listen address applies.
    # Syslog has no sender authentication, so any host that can reach this port
    # can submit events; limit the allowed sources at the firewall.
    port => 514
    type => "system-syslog"
  }
}

output {
  # No conditional: every event in the pipeline this file is loaded into goes
  # to this index, including events from inputs defined in other files merged
  # into the same pipeline.
  elasticsearch {
    # NOTE(review): no user/password or SSL options are set (plugin defaults
    # apply; presumably plain HTTP without credentials; confirm).
    hosts => ["10.0.0.18:9200"]
    index => "system-syslog-%{+YYYY.MM}"
  }
}
===============
#TCP 通过端口传送到一个文件
[root@web04 conf.d]# cat tcp.conf
# Pipeline: listen for events on a TCP port and print each one to stdout.
input {
  tcp {
    # Server mode: Logstash accepts inbound connections on this port.
    mode => "server"
    # No host option is set, so the plugin's default bind address applies
    # (presumably all interfaces; confirm). No SSL options are set either, so
    # any client that can connect can submit events in clear text; restrict the
    # port at the firewall or bind to a specific address.
    port => "6666"
    type => "tcp"
  }
}

filter {
}

output {
  # Only output in this file: events are pretty-printed, not stored.
  stdout {
    codec => rubydebug
  }
}