server1:elasticsearch
server2:logstash,apache
1.在server2上编辑logstash的配置文件
[root@server2 conf.d]# pwd
/etc/logstash/conf.d
[root@server2 conf.d]# vim test.conf
# test.conf: minimal pipeline to try grok interactively — events are typed
# on stdin, parsed by the grok filter below and printed back on stdout.
input {
stdin {}
}
filter {
grok {
# Splits a space-separated line of the form
# "<client ip> <method> <request path> <bytes> <duration>" into the named
# fields client, method, request, bytes and duration.
match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
}
}
output {
stdout {}
}
2.执行
[root@server2 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
在下面输入:55.3.244.1 GET /index.html 15824 0.043 ,该行会被拆分成指定的格式
3.在server2上安装apache,编写其默认发布页面并进行访问,以产生相应的日志
[root@server2 conf.d]# yum install -y httpd
[root@server2 conf.d]# systemctl start httpd
[root@server2 conf.d]# cd /var/www/html/
[root@server2 html]# vim index.html
[root@server2 html]# cat index.html
www.westos.org
[root@foundation42 Desktop]# ab -c 1 -n 100 http://172.25.42.2/index.html    测试生成日志;如果没有ab命令,请安装httpd-tools
//logstash的相应目录下已有匹配httpd日志格式的pattern文件,直接引用即可
[root@server2 html]# cd /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-patterns-core-4.1.2/patterns/
[root@server2 patterns]# cat httpd
4.编辑es.conf
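# es.conf: read the Apache access log on server2, parse each line with the
# bundled HTTPD_COMBINEDLOG pattern and ship the events to Elasticsearch on
# server1 (events are also echoed to stdout for debugging).
input {
  # Disabled inputs kept for reference (elasticsearch log with multiline
  # codec, and a syslog listener); only the file input below is active.
  # stdin {}
  # file {
  #   path => "/var/log/elasticsearch/my-es.log"
  #   start_position => "beginning"
  #   codec => multiline {
  #     pattern => "^\["
  #     negate => "true"
  #     what => "previous"
  #   }
  # }
  #
  # syslog {
  #   port => 514
  # }
  file {
    path => "/var/log/httpd/access_log"
    # Read the existing log from its first line rather than only new entries.
    start_position => "beginning"
  }
}
filter {
  grok {
    # Fixed: the original pattern reference was written as
    # "%{HTTPD_COMBINEDLOG" (no closing brace), so it would not be recognised
    # as a reference to the bundled HTTPD_COMBINEDLOG pattern.
    match => { "message" => "%{HTTPD_COMBINEDLOG}" }
  }
}
output {
  stdout {}
  elasticsearch {
    # NOTE(review): no credentials or TLS options are set here, so events go
    # to 172.25.42.1:9200 over plain HTTP — fine for an isolated lab network;
    # confirm before reusing this pipeline elsewhere.
    hosts => ["172.25.42.1:9200"]
    # One index per day, e.g. apachelog-2019.01.31.
    index => "apachelog-%{+YYYY.MM.dd}"
  }
}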
//执行:
[root@server2 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/es.conf
在UI界面中通过索引查看相应的信息即可