Logstash
使用yum安装
编辑 repo
vim /etc/yum.repos.d/elasticsearch.repo
# 内容如下
# Yum repository definition for the Elastic 6.x package channel.
# baseurl and gpgkey are both fetched over https.
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
# gpgcheck=1 makes yum verify each package signature against the key below;
# keep it enabled so a tampered mirror or download is rejected at install time.
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
安装
# Installs logstash from the elasticsearch-6.x repo defined above; with gpgcheck=1
# in that repo file the package signature is checked before installation.
sudo yum install logstash
配置 Logstash
https:
vim conf.d/insert.conf
# Pipeline: read "insert.*.log" files, split each line on " | " into six
# named fields, and index the result into Elasticsearch.
input {
file {
# Every file matching this glob is tailed; each line becomes one event in "message".
path => "/log/insert.*.log"
}
}
filter {
mutate{
# Turns "message" into an array by splitting on the " | " delimiter.
split=>["message"," | "]
# Positional mapping of the split parts; add_field is applied after split.
# NOTE(review): if a line yields fewer than six parts, the higher indexes do not
# resolve — confirm how unresolved %{} references end up in the document, and
# consider tagging or dropping such events instead of indexing them as-is.
add_field => {
"date" => "%{[message][0]}"
}
add_field => {
"type" => "%{[message][1]}"
}
add_field => {
"cid" => "%{[message][2]}"
}
add_field => {
"src" => "%{[message][3]}"
}
add_field => {
"rowOrEvent" => "%{[message][4]}"
}
add_field => {
"reason" => "%{[message][5]}"
}
# Only the six parsed fields survive: the raw line, the collecting host, the
# source file path, the ingest time (@timestamp) and @version are all dropped.
# NOTE(review): without @timestamp/host/path the stored document no longer says
# when or where the event was collected; "date" comes from the log line itself
# and is stored as a string — confirm this loss of provenance is intended.
remove_field => ["message", "host", "path", "@timestamp", "@version"]
}
}
output {
elasticsearch {
# Plain "index" action into the fixed index "insert".
action => "index"
# No ssl/user/password options are set in this block, so as written events are
# sent to this host without TLS or authentication; that is only acceptable on a
# trusted network segment — otherwise add ssl => true plus user/password.
hosts => "192.168.1.171:9200"
index => "insert"
}
}
启动
# initctl is the Upstart service manager; on a systemd-based host the equivalent
# is `systemctl start logstash`.
sudo initctl start logstash