一、Logstash簡介
Logstash 是一個實時數據收集引擎,可收集各類型數據並對其進行分析,過濾和歸納。按照自己條件分析過濾出符合數據導入到可視化界面。它可以實現多樣化的數據源數據全量或增量傳輸,數據標准格式處理,數據格式化輸出等的功能,常用於日志處理。工作流程分為三個階段:
(1)input數據輸入階段,可接收oracle、mysql、postgresql、file等多種數據源;
(2)filter數據標准格式化階段,可過濾、格式化數據,如格式化時間、字符串等;
(3)output數據輸出階段,可輸出到elasticsearch、mongodb、kfka等接收終端。
二、下載
說明:由於我安裝的Elasticsearch版本為6.3.1,因此我下載logstash版本為6.31
https://artifacts.elastic.co/downloads/logstash/logstash-6.3.1.tar.gz
解壓:
[root@master mnt]# tar -zxvf logstash-6.3.1.tar.gz
[root@master mnt]# mv logstash-6.3.1 logstash
簡單輸出到控制台,觀察是否安裝成功:
[root@master bin]# ./logstash -e 'input { stdin { } } output { stdout {} }'
日志:
Sending Logstash's logs to /mnt/logstash/logs which is now configured via log4j2.properties [2019-04-24T16:19:14,090][INFO ][logstash.setting.writabledirectory] Creating directory {:setting=>"path.queue", :path=>"/mnt/logstash/data/queue"} [2019-04-24T16:19:14,111][INFO ][logstash.setting.writabledirectory] Creating directory {:setting=>"path.dead_letter_queue", :path=>"/mnt/logstash/data/dead_letter_queue"} [2019-04-24T16:19:15,079][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified [2019-04-24T16:19:15,168][INFO ][logstash.agent ] No persistent UUID file found. Generating new UUID {:uuid=>"1a5ca4ad-02a5-4f48-91d7-1373799f0fd2", :path=>"/mnt/logstash/data/uuid"} [2019-04-24T16:19:16,754][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.3.1"} [2019-04-24T16:19:22,045][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50} [2019-04-24T16:19:22,329][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x4eb0dbdb run>"} The stdin plugin is now waiting for input: [2019-04-24T16:19:22,503][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]} [2019-04-24T16:19:22,966][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
輸入:aaaaaaaa,發現安裝成功
aaaaaaaaaa { "message" => "aaaaaaaaaa", "host" => "master", "@timestamp" => 2019-04-24T08:21:07.403Z, "@version" => "1" }
命令行參數:logstash命令
|
1
2
3
4
5
|
參數:
執行 -e bin
/logstash
-e
''
文件 --config 或 -f bin
/logstash
-f agent.conf
測試 --configtest 或 -t 用來測試 Logstash 讀取到的配置文件語法是否能正常解析。
日志 --log 或 -l Logstash 默認輸出日志到標准錯誤。生產環境下你可以通過 bin
/logstash
-l logs
/logstash
.log 命令來統一存儲日志。
|
實例操作:
以輸出到Elasticsearch為例:接收控制台輸入,Logstash解析輸出到ElasticSearch集群
[root@master bin]# cat test_es.conf input{ stdin{} } output{ elasticsearch{ hosts=>["192.168.200.100:9200"] index=>"testeslogstash" } stdout{codec=>rubydebug} }
運行:
[root@master bin]# ./logstash -f /mnt/logstash/bin/test_es.conf
結果:
所以搭建成功。