[root@server2 conf.d]# vim syslog.conf
[root@server2 conf.d]# cat syslog.conf
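# Reassembles multi-line input from stdin into single events.
# Logstash string values must use ASCII quotes ("..."); the typographic
# quotes (“ ”) that appear when this file is pasted from a web page are
# not valid delimiters and make the config fail to load.
input {
  stdin {
    codec => multiline {
      pattern => "EOF"      # a line containing EOF closes the buffered event
      negate => true        # the rule applies to lines that do NOT match ...
      what => "previous"    # ... and they are appended to the preceding line
    }
  }
}
# Print the assembled events to the terminal for inspection.
output {
  stdout {}
}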
过滤
3.在server2上添加过滤文件
[root@server2 ~]# cd /etc/logstash/conf.d
[root@server2 conf.d]# ls
[root@server2 conf.d]# vim test.conf
# Splits one space-separated request line typed on stdin into named fields.
input {
  stdin {}   # read events interactively from the terminal
}

filter {
  grok {
    # Named captures produced on success: client, method, request, bytes,
    # duration. A line that does not fit the pattern is tagged
    # _grokparsefailure and still reaches the output rather than being dropped.
    match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
  }
}

output {
  stdout {}  # show the parsed event
}
执行
[root@server2 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
在下面输入:55.3.244.1 GET /index.html 15824 0.043 会被拆分成指定的格式
过滤apache日志
[root@server2 conf.d]# vim es.conf
[root@server2 conf.d]# cat es.conf
# Parses the Apache combined access log and ships each event to Elasticsearch.
input {
  file {
    # NOTE(review): the account Logstash runs under must be able to read this
    # file; on RHEL-style hosts httpd logs are often readable only by root.
    path => "/var/log/httpd/access_log"
    # Honoured only the first time the file is seen; afterwards the recorded
    # sincedb offset is used, so the log is not re-ingested on every restart.
    start_position => "beginning"
  }
}

filter {
  grok {
    # Built-in pattern for the Apache "combined" log format. Lines that do not
    # parse are tagged _grokparsefailure and are still forwarded unchanged.
    match => { "message" => "%{HTTPD_COMBINEDLOG}" }
  }
}

output {
  stdout {}   # mirror events to the terminal while testing the pipeline
  elasticsearch {
    # Plain HTTP with no credentials: suitable for an isolated lab network
    # only. Restrict port 9200 to the Logstash host, and enable TLS and
    # authentication on the cluster before exposing it any further.
    hosts => ["172.25.32.1:9200"]
    index => "apache-%{+YYYY.MM.dd}"   # one index per day
  }
}
[root@server2 ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/es.conf