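Official Logstash download page (latest version) and YUM repository: https://www.elastic.co/cn/downloads/logstash
The most common way to run Logstash is from the command line with ./bin/logstash -f logstash.conf, stopping it with Ctrl+C. This is convenient to start, but the drawbacks are obvious: it is hard to manage, and if the server reboots the maintenance cost is higher. In a production environment it is recommended to run Logstash as a service.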
1. Edit startup.options in the config directory

    JAVA_HOME=/usr/local/java/jdk1.8.0_171
    LS_HOME=/usr/local/logstash-6.2.4
    LS_OPTS="--path.settings ${LS_SETTINGS_DIR} --path.config /usr/local/logstash-6.2.4/logstash.d"
    # We keep all of Logstash's *.conf pipeline files under /usr/local/logstash-6.2.4/logstash.d
    LS_USER=root
    LS_GROUP=root
2. Create the service
Run the following Logstash command as root to create the service:
# /usr/local/logstash-6.2.4/bin/system-install
When it finishes, it generates an environment variable file, /etc/default/logstash.
The other generated file is the main service file, /etc/systemd/system/logstash.service:

    [Unit]
    Description=logstash

    [Service]
    Type=simple
    User=root
    Group=root
    # Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
    # Prefixing the path with '-' makes it try to load, but if the file doesn't
    # exist, it continues onward.
    EnvironmentFile=-/etc/default/logstash
    EnvironmentFile=-/etc/sysconfig/logstash
    ExecStart=/usr/local/logstash-6.2.4/bin/logstash "--path.settings" "/usr/local/logstash-6.2.4/config" "--path.config" "/usr/local/logstash-6.2.4/logstash.d"
    Restart=always
    WorkingDirectory=/
    Nice=19
    LimitNOFILE=16384

    [Install]
    WantedBy=multi-user.target

# systemctl start logstash
# systemctl enable logstash
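
An added example (not part of the original post or of Logstash): the generated unit runs as root because LS_USER and LS_GROUP were set to root in step 1, while the startup.options parameter list further down gives logstash for both. Because startup.options is only read by bin/system-install, this script flags a unit that runs as root and a unit that no longer matches startup.options. The function names and the sample files are constructed for illustration.

```shell
# Added example, not from the original page; sample files are constructed.
# opt_value FILE KEY: last KEY=value assignment in startup.options
opt_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# unit_value FILE KEY: last KEY=value in the [Service] section of a unit file
unit_value() {
    awk -v key="$2" '
        /^\[/ { in_svc = ($0 == "[Service]") }
        in_svc && index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
        END { print val }' "$1"
}

# audit_logstash_service OPTIONS_FILE UNIT_FILE
# Prints one finding per line; the return status is the number of findings.
audit_logstash_service() {
    findings=0
    for pair in LS_USER:User LS_GROUP:Group; do
        opt=${pair%%:*}; key=${pair##*:}
        want=$(opt_value "$1" "$opt")
        have=$(unit_value "$2" "$key")
        # systemd runs a system service as root when User= is absent
        if [ "$key" = User ] && [ -z "$have" ]; then have=root; fi
        if [ "$have" = root ]; then
            echo "$key=root: Logstash runs as root, use a dedicated account"
            findings=$((findings + 1))
        fi
        if [ -n "$want" ] && [ "$want" != "$have" ]; then
            echo "$opt=$want but unit has $key=$have: re-run bin/system-install"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# write_sample DIR OPTIONS_ACCOUNT UNIT_ACCOUNT: writes constructed sample files
write_sample() {
    printf 'LS_HOME=/usr/local/logstash-6.2.4\nLS_USER=%s\nLS_GROUP=%s\n' \
        "$2" "$2" > "$1/startup.options"
    printf '[Unit]\n[Service]\nType=simple\nUser=%s\nGroup=%s\n' \
        "$3" "$3" > "$1/logstash.service"
}

sample=$(mktemp -d)
write_sample "$sample" logstash root   # options edited, unit not regenerated
audit_logstash_service "$sample/startup.options" "$sample/logstash.service" \
    || echo "findings: $?"
rm -rf "$sample"
```

On the host from this page, the two arguments would be /usr/local/logstash-6.2.4/config/startup.options and /etc/systemd/system/logstash.service.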
3. Viewing the logs
By default, logs are written to the following two locations:
- /var/log/messages
- /usr/local/logstash/logs
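/logstash/config/logstash.yml: mainly controls Logstash's runtime behaviour
/logstash/config/startup.options: parameters related to starting Logstash
Configuration parameter reference:
logstash.yml

| Parameter | Purpose | Default |
|---|---|---|
| node.name | Node name | Hostname |
| path.data | Data storage path | LOGSTASH_HOME/data/ |
| pipeline.workers | Number of workers for the output channel (improves output efficiency) | Number of CPU cores |
| pipeline.output.workers | Number of workers per output plugin | 1 |
| pipeline.batch.size | Number of inputs per batch | 125 |
| path.config | Directory of the filter configuration files | |
| config.reload.automatic | Automatically reload modified configuration | false or true |
| config.reload.interval | Interval for checking the configuration files | |
| path.logs | Log output path | |
| http.host | Bind host address, used for metrics collection | "127.0.0.1" |
| http.port | Bind port | 5000-9700 |
| log.level | Log output level; if config.debug is enabled, this must be debug | info |
| log.format | Log format | plain |
| path.plugins | Custom plugin directory | |
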
startup.options parameters:

    JAVACMD=/usr/bin/java                          # local JDK
    LS_HOME=/opt/logstash                          # directory where Logstash is installed
    LS_SETTINGS_DIR="${LS_HOME}/config"            # default Logstash settings directory
    LS_OPTS="--path.settings ${LS_SETTINGS_DIR}"   # Logstash startup arguments; specifies the settings directory
    LS_JAVA_OPTS=""                                # specifies the JDK directory
    LS_PIDFILE=/var/run/logstash.pid               # location of logstash.pid
    LS_USER=logstash                               # user Logstash runs as
    LS_GROUP=logstash                              # group Logstash runs as
    LS_GC_LOG_FILE=/var/log/logstash/gc.log        # path of the Logstash JVM GC log
    LS_OPEN_FILES=65534                            # maximum number of monitored files Logstash may open

Example Logstash configuration file:

    input {
      file {
        path => "/usr/local/nginx/logs/ad-access.log"
        type => "nginx--ad"
        start_position => "beginning"
      }
      beats {
        port => "5044"
      }
    }

    filter {
      grok {
        # MYNGINX is a custom grok pattern; its definition is not shown here
        match => { "message" => "%{MYNGINX}" }
      }
      mutate {
        convert => [ "elapsed", "float" ]
        convert => [ "serverelapsed", "float" ]
      }
    }

    output {
      if [type] == "nginx--ad" {
        elasticsearch {
          hosts => ["172.17.213.61:9200"]
          index => "nginx-ad.%{+YYYY-MM}"
        }
      } else {
        elasticsearch {
          hosts => ["172.17.213.60:9200", "172.17.213.61:9200"]
          # dd is day of month; DD in this date syntax would be day of year
          index => "adsdk.%{+YYYY-MM-dd}"
          manage_template => false
          template_overwrite => true
          template_name => "adsdk-template"
          template => "/usr/local/logstash-6.2.4/adsdk.template"
          document_type => "adsdk"
        }
      }
    }