编辑docker-compose.yml,内容如下:
version: '3'
services:
logstash02:
image: logstash:6.4.1
hostname: logstash02
container_name: logstash02
ports:
- "5045:5045" #设置端口
environment:
XPACK_MONITORING_ENABLED: "false"
pipeline.batch.size: 10
volumes:
- ./logstash/logstash.conf:/usr/share/logstash/pipeline/logstash.conf
network_mode: "host"
restart: always
./logstash/logstash.conf文件内容如下:
input {
beats {
port => "5045"
}
}
filter {
}
output {
if [type] == "wineventlog" {
if [event_id] != 4662 {
elasticsearch {
hosts => ["127.0.0.1:9200"]
index => "ldap_log_%{+YYYY.MM.dd}"
document_type => "security_log"
}
}
}
rabbitmq {
host => "127.0.0.1"
port => 5672
durable => true
exchange => "abc"
exchange_type => "fanout"
user => "abcuser"
password => "abcpass"
}
}然后运行docker-compose up启动logstash容器,在进行logstash测试的时候,
/usr/share/logstash/bin/logstash -e 'input { stdin{} } output { stdout{ codec => rubydebug }}'会提示 logstash实例已存在,如果要运行多个logstash实例,则需要通过命令定义path.data,如下:
bin/logstash -f <config_file.conf> --path.data PATH
/usr/share/logstash/bin/logstash --path.data /usr/share/logstash/data02 -e 'input { stdin{} } output { stdout{ codec => rubydebug }}'输出如下:
输出到ES、文件:
/usr/share/logstash/bin/logstash --path.data /usr/share/logstash/data02 -e 'input { stdin{} } output { elasticsearch {hosts => ["127.0.0.1:9200"] index => "logstashtest_%{+YYYY.MM.dd}" }}'
/usr/share/logstash/bin/logstash -e 'input { stdin{} } output { file { path => "/tmp/test_%{+YYYY.MM.dd}.log"}}'
