- Download logstash and elasticsearch from the official website
- logstash
After extracting the archive, run the following command to start it (if you hit an error, google it):

```
./bin/logstash -f /usr/local/logstash-6.2.4/config/conf/logstash-nodejs.conf
```

```
input {
  file {
    # Glob matching the 2018 SMS log files
    path => "/data/logs/nodejs/sms\.log\.2018*"
    # Read existing files from the start instead of tailing only new lines
    start_position => "beginning"
    # Where Logstash records how far it has read in each file
    sincedb_path => "/home/xch9758/sincedb/nodejs.db"
  }
}
filter {
  grok {
    # Two patterns for the "message" field: the first for send lines, the second for delivery-report lines
    match => [
      "message","%{TIME} %{GREEDYDATA:priority} %{GREEDYDATA:category} requestId\[%{GREEDYDATA:requestId}\] msg\[%{GREEDYDATA:msg}\] channel\[%{GREEDYDATA:channel}\] msgid\[%{GREEDYDATA:msgid}\] maskMobile\[%{GREEDYDATA:maskMobile}\] mobile\[%{GREEDYDATA:mobile}\] content\[%{GREEDYDATA:content}\] appId\[%{GREEDYDATA:appId}\] tplId\[%{GREEDYDATA:tplId}\] type\[%{GREEDYDATA:type}\] tag\[%{GREEDYDATA:tag}\] req_channel\[%{GREEDYDATA:req_channel}\] sendTimes\[%{GREEDYDATA:sendTimes}\] reportTime\[%{GREEDYDATA:reportTime}\]",
      "message","%{TIME} %{GREEDYDATA:priority} %{GREEDYDATA:category} requestId\[%{GREEDYDATA:requestId}\] msg\[%{GREEDYDATA:msg}\] channel\[%{GREEDYDATA:channel}\] msgid\[%{GREEDYDATA:msgid}\] maskMobile\[%{GREEDYDATA:maskMobile}\] mobile\[%{GREEDYDATA:mobile}\] status\[%{GREEDYDATA:status}\] otherParam\[%{GREEDYDATA:otherParam}\] reportTime\[%{GREEDYDATA:reportTime}\]"
    ]
  }
}
output {
  elasticsearch {
    hosts => "10.21.200.53:9200"
    # One index per day
    index => "logstash-nodejs_sms-%{+YYYY-MM-dd}"
  }
  # Also print each parsed event to the console for debugging
  stdout {
    codec => rubydebug
  }
}
```
- elasticsearch
This one is fairly simple. It cannot be started as the root user: su elasticsearch ./bin/elasticsearch
Search a given index: /logstash-nodejs/_search?q=*&pretty&size=100
List the existing indices: /_cat/indices?v
- The logstash and elasticsearch versions need to match; if the gap between them is too large, fatal errors occur and the two cannot communicate
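
To check the second grok pattern in the filter above (the delivery-report line) offline, before pointing Logstash at real logs, the sketch below rebuilds it as a Python regex. It is an added example, not part of the original post: the `TIME` regex is a simplified stand-in for grok's, and the sample line is constructed from the pattern because the post shows no raw log line.

```python
import re

# Assumption: simplified stand-in for grok's TIME; GREEDYDATA is ".*" in grok.
TIME = r"\d{1,2}:\d{2}:\d{2}(?:[.,]\d+)?"

# Bracketed fields of the second (delivery-report) pattern, in order.
REPORT_FIELDS = ["requestId", "msg", "channel", "msgid", "maskMobile",
                 "mobile", "status", "otherParam", "reportTime"]


def build_regex(fields):
    """Regex equivalent of: TIME priority category name[value] name[value] ..."""
    head = TIME + r" (?P<priority>.*) (?P<category>.*) "
    body = " ".join(r"%s\[(?P<%s>.*)\]" % (name, name) for name in fields)
    return re.compile(head + body)


REPORT_RE = build_regex(REPORT_FIELDS)


def parse_report(line):
    """Return the extracted fields, or None where grok would tag
    the event with _grokparsefailure."""
    m = REPORT_RE.search(line)  # grok patterns are unanchored, hence search()
    return m.groupdict() if m else None


# Constructed sample lines (not taken from a real log).
SAMPLE = ("10:15:32 INFO sms requestId[r-001] msg[report received] "
          "channel[c1] msgid[m-42] maskMobile[138****0000] "
          "mobile[13800000000] status[DELIVRD] otherParam[] "
          "reportTime[2018-05-01 10:15:31]")
# A value that itself contains brackets: the greedy ".*" backtracks until
# the literal "] channel[" separator lines up, so the value stays intact.
BRACKETS = SAMPLE.replace("msg[report received]", "msg[ok [retry] done]")
# A line with none of the bracketed fields: no match.
UNRELATED = "10:15:33 INFO sms worker started"

if __name__ == "__main__":
    for line in (SAMPLE, BRACKETS, UNRELATED):
        print(parse_report(line))
```

Note that the parsed event carries the full `mobile` value next to `maskMobile`, so both end up in the Elasticsearch index.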