搜索结果正在快递途中

logstash 怎么配置多入多出?

Logstash | 作者 Sher | 发布于2019年11月06日 | 阅读数:2054
分享到:QQ空间新浪微博微信QQ好友印象笔记有道云笔记
ELK +filebeat version 7.4.2
 
filebeat.yml配置:
#=========================== Filebeat inputs =============================



filebeat.inputs:



# Each - is an input. Most options can be set at the input level, so

# you can use different inputs for various configurations.

# Below are the input specific configurations.



#mysql error

- type: log

  enabled: true

  paths:

    - /var/log/mysql/error.log

  tags: ["mysql_error"]

# nginx error

- type: log

  enable: true

  paths:

    - /var/log/nginx/error.log

  tags : ["nginx_error"]

#nginx access

- type: log

  enable: true

  paths:

    - /var/log/nginx/*access.log

  tags: ["nginx_access"]

#mysql slowlog

- type: log

  enable: true

  paths:

    - /var/log/mysql/mysql-slow.log

  tags: ["mysql_slow"]

    #- c:\programdata\elasticsearch\logs\*

    

#----------------------------- Logstash output --------------------------------

output.logstash:

  # The Logstash hosts

    hosts: ["localhost:5044","localhost:5045","localhost:5046","localhost:5047"]
 
pipeplines.yml配置:
# This file is where you define your pipelines. You can define multiple.

# For more information on multiple pipelines, see the documentation:

#   https://www.elastic.co/guide/e ... .html



#- pipeline.id: main

  #  path.config: "/etc/logstash/conf.d/*.conf"





- pipeline.id: nginx-access

  path.config: "/etc/logstash/lmm_homestead_pipelines/nginx-access.conf"

- pipeline.id: nginx-error

  path.config: "/etc/logstash/lmm_homestead_pipelines/nginx-error.conf"

- pipeline.id: mysql-error

  path.config: "/etc/logstash/lmm_homestead_pipelines/mysql-error.conf"

- pipeline.id: mysql-slowlog

  path.config: "/etc/logstash/lmm_homestead_pipelines/mysql-slowlog.conf"

其中一个通道nginx-access配置,其他都是一样格式的:
input {

    beats {

        port => 5046

        host => "0.0.0.0"

    }

}

filter {

    if "nginx_access" in [tags] {

        grok {

            match => { "message" => ["%{IPORHOST:[nginx][access][remote_ip]} - %{DATA:[nginx][access][user_name]} \[%{HTTPDATE:[nginx][access][time]}\] \"%{WORD:[nginx][access][method]} %{DATA:[nginx][access]<a data-cke-saved-href="} HTTP/%{NUMBER:" href="} HTTP/%{NUMBER:">} HTTP/%{NUMBER:[nginx][access][http_version]}\" 

%{NUMBER:[nginx][access][response_code]} %{NUMBER:[nginx][access][body_sent][bytes]} \"%{DATA:[nginx][access][referrer]}\" \"%{DATA:[nginx][access][agent]}\""]  }

            remove_field => "message"

        }

        mutate {

            add_field => { "read_timestamp" => "%{@timestamp}"  }

        }

        date {

            match => [ "[nginx][access][time]", "dd/MMM/YYYY:H:m:s Z"  ]

            remove_field => "[nginx][access][time]"

        }

        useragent {

            source => "[nginx][access][agent]"

            target => "[nginx][access][user_agent]"

            remove_field => "[nginx][access][agent]"

            }

        geoip {

            source => "[nginx][access][remote_ip]"

            target => "[nginx][access][geoip]"

        }

    }

}

output {

    if "nginx_access" in [tags] {

        elasticsearch {

            hosts => localhost

            manage_template => false

            index => "%{[@metadata][beat]}-%{[@metadata][version]}-nginx-access-%{+YYYY.MM.dd}"

        }

    }

}
 
 
logstash系统运行日志没有报错,filebeat也没有报错,检查elasticsearch运行正常,日志文件有写入日志。
但是就是没有生成配置的索引。
2019-11-06 添加评论

没有找到相关结果

    已邀请:
    为什么被折叠? 0 个回复被折叠

    要回复问题请先登录注册

    Copyright © 2024 · CC BY-NC-SA 3.0

    本站服务器及带宽由 提供赞助