Official documentation: https://www.elastic.co/guide/en/logstash/current/index.html


  • Install Logstash

Install JDK 8 or later (Java 9 is not supported).

    • Binary install of Logstash 6.1.3

cd /usr/local

wget https://artifacts.elastic.co/downloads/logstash/logstash-6.1.3.tar.gz

tar axf logstash-6.1.3.tar.gz 

ln -s /usr/local/logstash-6.1.3/bin/logstash /usr/local/bin/

ln -s /usr/local/logstash-6.1.3/bin/logstash-plugin /usr/local/bin/

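    • Testing Logstash

A Logstash pipeline has two required parts, input and output, and an optional filter part. The input collects data, the filter modifies the data according to its directives, and the output writes the data to the specified destination.

Test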

    logstash -e 'input { stdin { } } output { stdout {} }'

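-e supplies the configuration directly on the command line.

input { stdin { } } reads events from standard input.

output { stdout { } } prints what was read from standard input to standard output.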


kibana is my hostname.


  • Test writing data to ES

logstash -e 'input { stdin { } } output { elasticsearch { hosts => ["192.168.3.162:9200"] } stdout { codec => rubydebug }}'


View the result in elasticsearch-head.


Custom index

    logstash -e '
    input { stdin { } }
    output {
      elasticsearch {
        hosts => ["192.168.3.162:9200"]
        index => "output-es-test-%{+YYYY.MM.dd}"
      }
      stdout { codec => rubydebug }
    }'

  • Write log data to ES

    logstash -e '
    input {
      file {
        path => "/usr/local/elasticsearch-6-node2/logs/*"
        exclude => "*.gz"
        start_position => "beginning"
        ignore_older => 0
        sincedb_path => "/dev/null"
      }
    }
    output {
      elasticsearch {
        hosts => ["192.168.3.162:9200"]
        index => "file-es-test-%{+YYYY.MM.dd}"
      }
      stdout { codec => rubydebug }
    }'

start_position => "beginning" makes Logstash start reading from the beginning of the file; the default is end.

View the data in elasticsearch-head and set up charts in Kibana.


Edit the configuration files

cd /usr/local/logstash-6.1.3/config

Edit the JVM options (the file itself is commented in detail)

vim jvm.options

-Xms2g

-Xmx2g

-XX:+UseParNewGC

-XX:+UseConcMarkSweepGC

-XX:CMSInitiatingOccupancyFraction=75

-XX:+UseCMSInitiatingOccupancyOnly

-Djava.awt.headless=true

-Dfile.encoding=UTF-8

-Djruby.compile.invokedynamic=true

-Djruby.jit.threshold=0

-XX:+HeapDumpOnOutOfMemoryError

-Djava.security.egd=file:/dev/urandom

Edit the startup options (the file itself is commented in detail); the main change is LS_HOME

vim startup.options

LS_HOME=/usr/local/logstash-6.1.3

LS_SETTINGS_DIR="${LS_HOME}/config"

LS_OPTS="--path.settings ${LS_SETTINGS_DIR}"

LS_JAVA_OPTS=""

LS_PIDFILE=/var/run/logstash.pid

LS_USER=logstash

LS_GROUP=logstash

LS_GC_LOG_FILE=/var/log/logstash/gc.log

LS_OPEN_FILES=16384

LS_NICE=19

SERVICE_NAME="logstash"

SERVICE_DESCRIPTION="logstash"

Edit the Logstash pipeline configuration file (do not leave other unused conf files around)

vim file-test.conf

    input {
      file {
        path => "/usr/local/elasticsearch-6-node2/logs/*"
        exclude => "*.gz"
        start_position => "beginning"
        ignore_older => 0
        # read positions are not persisted
        sincedb_path => "/dev/null"
      }
    }
    output {
      elasticsearch {
        hosts => ["192.168.3.162:9200"]
        index => "file-es-test-%{+YYYY.MM.dd}"
      }
      # also print each event to the console
      stdout { codec => rubydebug }
    }

Run it (a relative path also works)

logstash -f /usr/local/logstash-6.1.3/config/file-test.conf
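The pipelines in these notes use only input and output. As an added example (not from the original notes or from Elastic's documentation), here is file-test.conf extended with the optional filter stage, assuming the log files use the Elasticsearch 6 line layout shown in the first comment; the field names log_time, level, component and log_message are illustrative choices.

```conf
# Added example. Assumed (constructed) Elasticsearch 6 log line:
#   [2018-02-01T10:15:30,123][INFO ][o.e.n.Node               ] [node-2] started
input {
  file {
    path => "/usr/local/elasticsearch-6-node2/logs/*"
    exclude => "*.gz"
    start_position => "beginning"
    # Read positions are not persisted, so every restart re-reads the
    # files and indexes the same lines again. Suitable for a test only.
    sincedb_path => "/dev/null"
    # Lines that do not start with "[" (stack traces) are appended to
    # the previous event.
    codec => multiline {
      pattern => "^\["
      negate => true
      what => "previous"
    }
  }
}

filter {
  # Split the first line into timestamp, level, logger and message.
  # Lines in any other layout get the _grokparsefailure tag.
  grok {
    match => {
      "message" => "^\[%{TIMESTAMP_ISO8601:log_time}\]\[%{LOGLEVEL:level}\s*\]\[%{NOTSPACE:component}\s*\] %{GREEDYDATA:log_message}"
    }
  }
  # Use the time written in the log line as @timestamp instead of the
  # time Logstash read the line.
  date {
    match => ["log_time", "yyyy-MM-dd'T'HH:mm:ss,SSS"]
  }
}

output {
  elasticsearch {
    hosts => ["192.168.3.162:9200"]
    index => "file-es-test-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }
}
```

Put this in place of the contents of file-test.conf rather than in a second conf file; adding --config.test_and_exit to the logstash -f command checks the syntax without starting the pipeline.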


  • References:

File input plugin: https://www.elastic.co/guide/en/logstash/current/plugins-inputs-file.html

Elasticsearch output configuration reference: https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html#plugins-outputs-elasticsearch-parent