https://www.elastic.co/cn/downloads/logstash官网
一、下载logstash
[[email protected] ~]# cd /usr/local/src/
[[email protected] src]# wget https://artifacts.elastic.co/downloads/logstash/logstash-6.4.2.tar.gz
[[email protected] src]# tar xf logstash-6.4.2.tar.gz
[[email protected] src]# cd logstash-6.4.2
[[email protected] logstash-6.4.2]# bin/logstash -f logstash.conf
could not find java; set JAVA_HOME or ensure java is in PATH
没有找到java 请下载安装JDK
JDK1.8官网下载
https://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
[[email protected] src]# wget http://download.oracle.com/otn-pub/java/jdk/8u191-b12/2787e4a523244c269598db4e85c51e0c/jdk-8u191-linux-x64.tar.gz?AuthParam=1540276120_a53a7ca68560d86acefed40e892da884
[[email protected] src]# tar xf jdk-8u191-linux-x64.tar.gz
[[email protected] src]# mv jdk1.8.0_191/ jdk
[[email protected] src]# pwd
/usr/local/src
[[email protected]hi src]# vim /etc/profile
JDK1.8
JAVA_HOME=/usr/local/src/jdk
JRE_HOME=/usr/local/src/jdk/jre
PATH=$PATH:$JAVA_HOME/bin:$JRE_HOME/bin
CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar:$JRE_HOME/lib
export JAVA_HOME JRE_HOME PATH CLASSPATH
[[email protected] src]# source /etc/profile
[[email protected] src]# java -version
java version "1.8.0_191"
Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.191-b12, mixed mode)
二、[[email protected] logstash-6.4.2]# bin/logstash -e 'input { stdin { } } output { stdout {} }'
[[email protected] logstash-6.4.2]# vim logs.conf
input {
file {
path => "/usr/local/nginx/logs/access.log"
type => "error"//type是给结果增加一个type属性,值为"error"的条目
start_position => "beginning"//从开始位置开始读取
# 使用 multiline 插件,传说中的多行合并
codec => multiline {
# 通过正则表达式匹配,具体配置根据自身实际情况而定
pattern => "^\d"
negate => true
what => "previous"
}
}}
可配置多种处理规则,他是有顺序,所以通用的配置写下面
filter {
grok {
match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
}}
output {
# 输出到 elasticsearch
elasticsearch {
hosts => ["127.0.0.1:9200"]
index => "error-%{+YYYY.MM.dd}"//索引名称
}}
[[email protected] logstash-6.4.2]# bin/logstash -f logs.conf