
How do I configure Logstash with multiple inputs and multiple outputs?

Logstash | Author: Sher | Posted on 2019-11-06 | Views: 174

ELK + Filebeat, version 7.4.2

filebeat.yml configuration:
#=========================== Filebeat inputs =============================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

#mysql error
- type: log
  enabled: true
  paths:
    - /var/log/mysql/error.log
  tags: ["mysql_error"]
# nginx error
- type: log
  enable: true
  paths:
    - /var/log/nginx/error.log
  tags: ["nginx_error"]
#nginx access
- type: log
  enable: true
  paths:
    - /var/log/nginx/*access.log
  tags: ["nginx_access"]
#mysql slowlog
- type: log
  enable: true
  paths:
    - /var/log/mysql/mysql-slow.log
  tags: ["mysql_slow"]
    #- c:\programdata\elasticsearch\logs\*

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044","localhost:5045","localhost:5046","localhost:5047"]
 
pipelines.yml configuration:
# This file is where you define your pipelines. You can define multiple.
# For more information on multiple pipelines, see the documentation:
# https://www.elastic.co/guide/e ... .html

#- pipeline.id: main
# path.config: "/etc/logstash/conf.d/*.conf"


- pipeline.id: nginx-access
  path.config: "/etc/logstash/lmm_homestead_pipelines/nginx-access.conf"
- pipeline.id: nginx-error
  path.config: "/etc/logstash/lmm_homestead_pipelines/nginx-error.conf"
- pipeline.id: mysql-error
  path.config: "/etc/logstash/lmm_homestead_pipelines/mysql-error.conf"
- pipeline.id: mysql-slowlog
  path.config: "/etc/logstash/lmm_homestead_pipelines/mysql-slowlog.conf"

The configuration of one of the pipelines, nginx-access; the others all follow the same format:
input {
  beats {
    port => 5046
    host => "0.0.0.0"
  }
}
filter {
  if "nginx_access" in [tags] {
    grok {
      match => { "message" => ["%{IPORHOST:[nginx][access][remote_ip]} - %{DATA:[nginx][access][user_name]} \[%{HTTPDATE:[nginx][access][time]}\] \"%{WORD:[nginx][access][method]} %{DATA:[nginx][access][url]} HTTP/%{NUMBER:[nginx][access][http_version]}\" %{NUMBER:[nginx][access][response_code]} %{NUMBER:[nginx][access][body_sent][bytes]} \"%{DATA:[nginx][access][referrer]}\" \"%{DATA:[nginx][access][agent]}\""] }
      remove_field => "message"
    }
    mutate {
      add_field => { "read_timestamp" => "%{@timestamp}" }
    }
    date {
      match => [ "[nginx][access][time]", "dd/MMM/YYYY:H:m:s Z" ]
      remove_field => "[nginx][access][time]"
    }
    useragent {
      source => "[nginx][access][agent]"
      target => "[nginx][access][user_agent]"
      remove_field => "[nginx][access][agent]"
    }
    geoip {
      source => "[nginx][access][remote_ip]"
      target => "[nginx][access][geoip]"
    }
  }
}
output {
  if "nginx_access" in [tags] {
    elasticsearch {
      hosts => localhost
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-nginx-access-%{+YYYY.MM.dd}"
    }
  }
}
 
 
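The Logstash runtime log shows no errors, Filebeat reports no errors either, Elasticsearch checks out as running normally, and the log files are being written to.
But the configured indices are simply never created.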
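An added example, not part of the original post: Filebeat allows only one output, and when `output.logstash.hosts` lists several hosts without `loadbalance: true` it sends everything to one host picked at random, so routing by tag has to happen inside Logstash. The `pipelines.yml` below shows one way to do that with pipeline-to-pipeline communication. It assumes a single Beats port (5044), hypothetical virtual addresses named after the post's tags, assumed index names for the three pipelines the post does not show, and an assumed path for the catch-all file; the filter blocks from the existing `.conf` files are left out.

```yaml
# pipelines.yml (added example, not the poster's file)
# Filebeat side (filebeat.yml), shown as a comment: a single Logstash host.
#   output.logstash:
#     hosts: ["localhost:5044"]

# 1. One Beats listener that routes each event by the tag Filebeat attached.
- pipeline.id: beats-distributor
  config.string: |
    input {
      # Filebeat runs on the same machine in the post, so listen on loopback
      # only instead of 0.0.0.0 (the Beats port is unauthenticated by default).
      beats { port => 5044 host => "127.0.0.1" }
    }
    output {
      if "nginx_access" in [tags] { pipeline { send_to => ["nginx_access"] } }
      else if "nginx_error" in [tags] { pipeline { send_to => ["nginx_error"] } }
      else if "mysql_error" in [tags] { pipeline { send_to => ["mysql_error"] } }
      else if "mysql_slow" in [tags] { pipeline { send_to => ["mysql_slow"] } }
      else { pipeline { send_to => ["unrouted"] } }
    }

# 2. One downstream pipeline per log type. The filter { } block from each
#    existing .conf file goes between input and output; the tag conditionals
#    are no longer needed there because routing already happened above.
- pipeline.id: nginx-access
  config.string: |
    input { pipeline { address => "nginx_access" } }
    output { elasticsearch { hosts => ["localhost:9200"] manage_template => false index => "%{[@metadata][beat]}-%{[@metadata][version]}-nginx-access-%{+YYYY.MM.dd}" } }
- pipeline.id: nginx-error
  config.string: |
    input { pipeline { address => "nginx_error" } }
    output { elasticsearch { hosts => ["localhost:9200"] manage_template => false index => "%{[@metadata][beat]}-%{[@metadata][version]}-nginx-error-%{+YYYY.MM.dd}" } }
- pipeline.id: mysql-error
  config.string: |
    input { pipeline { address => "mysql_error" } }
    output { elasticsearch { hosts => ["localhost:9200"] manage_template => false index => "%{[@metadata][beat]}-%{[@metadata][version]}-mysql-error-%{+YYYY.MM.dd}" } }
- pipeline.id: mysql-slowlog
  config.string: |
    input { pipeline { address => "mysql_slow" } }
    output { elasticsearch { hosts => ["localhost:9200"] manage_template => false index => "%{[@metadata][beat]}-%{[@metadata][version]}-mysql-slow-%{+YYYY.MM.dd}" } }

# 3. Catch-all so events with no matching tag are visible, not silently lost.
- pipeline.id: unrouted
  config.string: |
    input { pipeline { address => "unrouted" } }
    output { file { path => "/var/log/logstash/unrouted-%{+YYYY.MM.dd}.log" } }
```

With this layout a missing index points at a specific stage: events in the `unrouted` file mean the tag never arrived, while an empty `unrouted` file and no index means the downstream pipeline or Elasticsearch output is the place to look.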