ELK 6.5 Nginx log collection - 04 logstash installation
阿新 • Published: 2018-12-07
node1: elasticsearch, kibana, logstash
node2: filebeat
1. As in the earlier posts, download the logstash 6.5.0 package and install it
# rpm -ivh logstash-6.5.0-x86_64.rpm
Go to the pipeline config directory and create the config file
# cd /etc/logstash/conf.d
# vim logstash.conf
# cat logstash.conf
input {
  beats {
    port => 5044
    host => "0.0.0.0"
  }
}
filter {
  if [fileset][module] == "nginx" {
    if [fileset][name] == "access" {
      grok {
        match => { "message" => ["%{IPORHOST:remote_ip} - %{DATA:user_name} \[%{HTTPDATE:time}\] \"%{WORD:method} %{DATA:request_url} HTTP/%{NUMBER:http_version}\" %{NUMBER:response_code} %{NUMBER:body_sent_bytes} \"%{DATA:referrer_url}\" \"%{DATA:agent}\" \"%{DATA:xforward}\""] }
        remove_field => "message"
      }
      mutate {
        add_field => { "read_timestamp" => "%{@timestamp}" }
      }
      date {
        match => [ "time", "dd/MMM/YYYY:H:m:s Z" ]
        #target => "@timestamp"
        #remove_field => "time"
      }
      useragent {
        source => "agent"
        target => "user_agent"
        remove_field => "agent"
      }
      geoip {
        source => "remote_ip"
        target => "[geoip]"
      }
    } else if [fileset][name] == "error" {
      grok {
        match => { "message" => ["%{DATA:[nginx][error][time]} \[%{DATA:[nginx][error][level]}\] %{NUMBER:[nginx][error][pid]}#%{NUMBER:[nginx][error][tid]}: (\*%{NUMBER:[nginx][error][connection_id]} )?%{GREEDYDATA:[nginx][error][message]}"] }
        remove_field => "message"
      }
      mutate {
        add_field => { "read_timestamp" => "%{@timestamp}" }
      }
      date {
        match => [ "[nginx][error][time]", "YYYY/MM/dd H:m:s" ]
        #remove_field => "[nginx][error][time]"
      }
    }
  }
}
output {
  elasticsearch {
    hosts => "127.0.0.1:9200"
    index => "logstash-nginx-%{+YYYY-MM-dd}"
  }
}
A few things to keep in mind about this config:
- The filter branches key on [fileset][module] and [fileset][name], which Filebeat sets only when its nginx module is enabled on node2. Events shipped from a plain log input skip both branches and are indexed as raw "message" strings.
- The access-log grok ends with a quoted x-forwarded-for field, so the nginx log_format must append "$http_x_forwarded_for"; the default "combined" format does not, and lines without it get a _grokparsefailure tag instead of being parsed. Remember that X-Forwarded-For is client-supplied: only hops appended by proxies you control can be trusted.
- The beats input listens on all interfaces with no ssl settings, so log lines from node2 cross the network in clear text and anything that can reach port 5044 can inject events. Enable TLS on both the beats input and Filebeat, or at least restrict 5044 to node2 with a firewall rule.
- The error-log timestamp carries no zone offset, so the date filter interprets it in the timezone of the logstash host unless a timezone option is set.
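Before restarting logstash, it helps to know whether the two grok expressions and date formats above actually match the lines nginx writes. The following is an added example, not code from the original post: it re-expresses the access and error patterns as Python regexes with the same field names, runs them over constructed sample lines (one in the expected format with an x-forwarded-for field, one in plain "combined" format, one error line), and shows how to pick a client address without blindly trusting X-Forwarded-For. The simplified grok primitives, the sample lines and the trusted-proxy set are assumptions made for the example.

```python
"""Offline check of the grok patterns and date formats in logstash.conf.

Added example, not part of the original post. The grok primitives below are
simplified stand-ins for the library patterns (assumption: close enough for
nginx's default formats); the sample lines are constructed, not real traffic.
"""
import re
from datetime import datetime

# Simplified equivalents of the grok primitives used in the config.
IPORHOST = r"\S+"
DATA = r".*?"
GREEDYDATA = r".*"
WORD = r"\w+"
NUMBER = r"[+-]?(?:[0-9]*\.)?[0-9]+"
HTTPDATE = r"\d{1,2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}"

# Access-log branch: same field order and names as the grok match in the config.
ACCESS_RE = re.compile(
    rf"^(?P<remote_ip>{IPORHOST}) - (?P<user_name>{DATA}) \[(?P<time>{HTTPDATE})\] "
    rf'"(?P<method>{WORD}) (?P<request_url>{DATA}) HTTP/(?P<http_version>{NUMBER})" '
    rf"(?P<response_code>{NUMBER}) (?P<body_sent_bytes>{NUMBER}) "
    rf'"(?P<referrer_url>{DATA})" "(?P<agent>{DATA})" "(?P<xforward>{DATA})"$'
)

# Error-log branch: the optional "*<connection_id> " group mirrors the grok.
ERROR_RE = re.compile(
    rf"^(?P<time>{DATA}) \[(?P<level>{DATA})\] (?P<pid>{NUMBER})#(?P<tid>{NUMBER}): "
    rf"(?:\*(?P<connection_id>{NUMBER}) )?(?P<message>{GREEDYDATA})$"
)

# Constructed sample lines (not taken from a real server).
ACCESS_WITH_XFF = ('203.0.113.10 - - [07/Dec/2018:10:15:32 +0800] '
                   '"GET /index.html HTTP/1.1" 200 612 "-" '
                   '"Mozilla/5.0 (X11; Linux x86_64)" "198.51.100.7, 10.0.0.1"')
# Plain "combined" log_format: no trailing x-forwarded-for field.
ACCESS_COMBINED = ('203.0.113.10 - - [07/Dec/2018:10:15:32 +0800] '
                   '"GET /index.html HTTP/1.1" 200 612 "-" '
                   '"Mozilla/5.0 (X11; Linux x86_64)"')
ERROR_LINE = ('2018/12/07 10:15:32 [error] 1234#1234: *5 open() '
              '"/usr/share/nginx/html/admin" failed (2: No such file or directory), '
              'client: 10.0.0.5, server: _, request: "GET /admin HTTP/1.1", '
              'host: "example.test"')


def parse_access(line):
    """Mimic the access branch (grok + date). None stands for _grokparsefailure."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # "dd/MMM/YYYY:H:m:s Z" in Joda terms; the offset makes the result zone-aware.
    event["@timestamp"] = datetime.strptime(event["time"], "%d/%b/%Y:%H:%M:%S %z")
    return event


def parse_error(line):
    """Mimic the error branch. Field names flattened from [nginx][error][x]."""
    m = ERROR_RE.match(line)
    if not m:
        return None
    event = {f"nginx.error.{k}": v for k, v in m.groupdict().items() if v is not None}
    # "YYYY/MM/dd H:m:s" has no zone, so this stays naive, exactly the ambiguity
    # the date filter resolves with the logstash host's timezone.
    event["@timestamp"] = datetime.strptime(event["nginx.error.time"], "%Y/%m/%d %H:%M:%S")
    return event


def client_ip(event, trusted_proxies=frozenset()):
    """Pick the client address without trusting forged X-Forwarded-For values.

    Hops are ordered client-first, with the TCP peer (remote_ip) last. Walk from
    the nearest hop outward and skip only proxies we control; the first address
    that is not ours is the best available client address. With no trusted
    proxies configured, that is simply remote_ip.
    """
    hops = [event["remote_ip"]]
    if event.get("xforward", "-") != "-":
        hops = [h.strip() for h in event["xforward"].split(",")] + hops
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return hops[0]


if __name__ == "__main__":
    for line in (ACCESS_WITH_XFF, ACCESS_COMBINED):
        ev = parse_access(line)
        print("grok failure" if ev is None else
              f'{client_ip(ev, {"203.0.113.10", "10.0.0.1"})} {ev["method"]} '
              f'{ev["request_url"]} {ev["response_code"]} @ {ev["@timestamp"].isoformat()}')
    err = parse_error(ERROR_LINE)
    print(err["nginx.error.level"], err["nginx.error.connection_id"], err["nginx.error.message"])
```

The second access line fails exactly the way the real pipeline would: the grok requires the fourth quoted field, so a server still using the stock "combined" format produces only tagged, unparsed events. The trusted-proxy set passed to client_ip is a placeholder; substitute the addresses of your own load balancers.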
2. Start logstash
Check that the config passes a syntax test first (logstash has a config test-and-exit mode for this), then start the service. Confirm it came up by checking that port 5044 from the beats input is listening; until it is, Filebeat on node2 cannot connect.
Corrections welcome if anything here is wrong. WeChat: 85862870