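I. Introduction.
A Logstash configuration file usually has three parts: input {}, filter {} and output {}. The input and output elements are required; the filter element is optional. The input element reads data from the data source, the filter element modifies the data as specified, and the output element writes the data to the destination.
Note:
(1) To install Logstash on Linux, see the blog post "Installing Logstash on Linux".
II. Testing standard input and output.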
./logstash -e 'input { stdin { } } output { stdout { } }'
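Notes:
(1) Startup takes a little while.
(2) Output fields
{
"message" => "你\\xE5测试", # the content of the message
"@version" => "1", # event version number; each event is a Ruby object
"host" => "localhost.localdomain", # IP address information identifying where the event came from
"@timestamp" => 2019-09-05T06:12:08.212Z # time at which the event occurred
}
(3) To exit, press CTRL+D.
III. Testing output to a file.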
./logstash -e 'input { stdin{} } output { file { path => "/home/test/logstash/log_%{+YYYY.MM.dd}_messages.log"}}'
View the file contents
IV. Testing output to Elasticsearch.
./logstash -e 'input { stdin{} } output { elasticsearch {hosts => ["localhost:9200"] index => "logstash_2_es_test-%{+YYYY.MM.dd}" }}'
[root@localhost bin]# ./logstash -e 'input { stdin{} } output { elasticsearch {hosts => ["localhost:9200"] index => "logstash_2_es_test-%{+YYYY.MM.dd}" }}'
Thread.exclusive is deprecated, use Thread::Mutex
Sending Logstash logs to /home/soft/logstash-7.3.0/logs which is now configured via log4j2.properties
[2019-09-05T14:42:45,948][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2019-09-05T14:42:45,966][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"7.3.0"}
[2019-09-05T14:42:47,572][INFO ][org.reflections.Reflections] Reflections took 43 ms to scan 1 urls, producing 19 keys and 39 values
[2019-09-05T14:42:48,536][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://localhost:9200/]}}
[2019-09-05T14:42:48,766][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://localhost:9200/][Manticore::SocketException] 拒绝连接 (Connection refused)"}
[2019-09-05T14:42:48,806][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//localhost:9200"]}
[2019-09-05T14:42:48,904][WARN ][org.logstash.instrument.metrics.gauge.LazyDelegatingGauge] A gauge metric of an unknown type (org.jruby.RubyArray) has been create for key: cluster_uuids. This may result in invalid serialization. It is recommended to log an issue to the responsible developer/development team.
[2019-09-05T14:42:48,908][INFO ][logstash.javapipeline ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, :thread=>"#<Thread:0x5e9a8c1e run>"}
[2019-09-05T14:42:49,045][INFO ][logstash.javapipeline ] Pipeline started {"pipeline.id"=>"main"}
The stdin plugin is now waiting for input:
[2019-09-05T14:42:49,126][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2019-09-05T14:42:49,519][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2019-09-05T14:42:53,826][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://localhost:9200/][Manticore::SocketException] 拒绝连接 (Connection refused)"}
[2019-09-05T14:42:58,846][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://localhost:9200/][Manticore::ClientProtocolException] localhost:9200 failed to respond"}
[2019-09-05T14:43:03,881][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://localhost:9200/][Manticore::SocketException] Connection reset"}
[2019-09-05T14:43:08,994][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://localhost:9200/][Manticore::SocketException] Connection reset"}
[2019-09-05T14:43:14,266][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://localhost:9200/][Manticore::SocketException] Connection reset"}
[2019-09-05T14:43:19,314][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://localhost:9200/][Manticore::SocketException] Connection reset"}
[2019-09-05T14:43:24,349][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://localhost:9200/][Manticore::SocketException] Connection reset"}
[2019-09-05T14:43:29,592][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://localhost:9200/][Manticore::SocketException] Connection reset"}
[2019-09-05T14:43:34,599][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://localhost:9200/][Manticore::SocketException] Connection reset"}
[2019-09-05T14:43:39,614][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://localhost:9200/][Manticore::SocketException] Connection reset"}
[2019-09-05T14:43:44,626][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://localhost:9200/][Manticore::SocketException] Connection reset"}
[2019-09-05T14:43:49,645][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://localhost:9200/][Manticore::SocketException] Connection reset"}
[2019-09-05T14:43:54,659][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://localhost:9200/][Manticore::SocketException] Connection reset"}
[2019-09-05T14:44:00,710][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://localhost:9200/"}
[2019-09-05T14:44:01,135][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>7}
[2019-09-05T14:44:01,139][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>7}
[2019-09-05T14:44:54,963][INFO ][logstash.outputs.elasticsearch] Using default mapping template
[2019-09-05T14:44:55,090][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"index_patterns"=>"logstash-*", "version"=>60001, "settings"=>{"index.refresh_interval"=>"5s", "number_of_shards"=>1}, "mappings"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"*", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}
[2019-09-05T14:44:55,116][INFO ][logstash.outputs.elasticsearch] Installing elasticsearch template to _template/logstash
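Test output to ES
View the ES indices
View the ES data
V. Logstash configuration files.
Logstash configuration files fall into two categories: settings files and pipeline configuration files.
1. Settings files.
The settings files are already defined in the Logstash installation. Logstash includes the following settings files:
- logstash.yml
- pipelines.yml
- jvm.options
- log4j2.properties
- startup.options
logstash.yml
Contains Logstash configuration flags. You can set flags in this file instead of passing them on the command line. Any flag set on the command line overrides the corresponding setting in logstash.yml.
pipelines.yml
Contains the framework and instructions for running multiple pipelines in a single Logstash instance.
jvm.options
Contains JVM configuration flags. Use this file to set the initial and maximum values for total heap space. You can also use this file to set the locale for Logstash. Specify each flag on a separate line. All other settings in this file are considered expert settings.
log4j2.properties
Contains the default settings for the log4j 2 library.
startup.options
Contains the options used by the system-install script in /usr/share/logstash/bin to build the appropriate startup script for your system. When you install the Logstash package, the system-install script runs at the end of the installation and uses the settings in startup.options to set options such as the user, group, service name and service description.
By default, the Logstash service is installed under the user logstash. The startup.options file makes it easier to install multiple instances of the Logstash service: you can copy the file and change the values of specific settings. Note that startup.options is not read at startup. To change the Logstash startup script (for example, to change the Logstash user or to read from a different configuration path), you must re-run the system-install script (as root) and pass in the new settings.
2. Pipeline configuration files
Pipeline configuration files are created when you define the stages of the Logstash processing pipeline. Place them in the /etc/logstash/conf.d directory. Logstash tries to load only files with the .conf extension and ignores all other files.
VI. Pipeline configuration file.
1. Collect the local /var/log/messages log and write it to a file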
vi conf/logstash.conf
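input {
  file {
    type => "syslog"                # the unique type of the event
    path => "/var/log/messages"     # path of the log to read
    start_position => "beginning"   # on the first run read from the first line; afterwards read only newly appended lines
  }
}
output {
  file {
    path => "/home/test/logstash/%{type}.%{+yyyy.MM.dd}"
  }
}
Check the configuration file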
./logstash -f ../config/logstash.conf -t
Note:
(1) If Configuration OK is returned, the configuration is fine.
Start the pipeline
./logstash -f ../config/logstash.conf
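View the file with the collected results
VII. Starting the Logstash service.
We cannot keep ./logstash -f ../config/logstash.conf running in the foreground. As described earlier, Logstash tries to load only files with the .conf extension and ignores all other files, so we start the logstash service. By default, a finished Logstash installation has no script for starting it in the background; we need to run the ./system-install script to generate one.
View the command's usage help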
./system-install --help
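Notes:
(1) OPTIONSFILE must be the absolute path to the startup.options file. For an rpm install, the file is /etc/logstash/startup.options; for a binary package that was unpacked by hand, it is in the config directory under the extraction directory.
(2) The startup type depends on the server: for example, CentOS 6 uses sysv and CentOS 7 uses systemd.
Run the script to generate the startup file
Start logstash with the init script.
Because the logstash service runs as the user logstash by default, we first need to give ownership of the previously generated /home/test/logstash/syslog.2019.09.05 to the logstash user
chown logstash:logstash /home/test/logstash/syslog.2019.09.05
systemctl start logstash.service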
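An added example, not part of the original post: the pipeline from section VI reads /var/log/messages and writes a new dated file each day, so the logstash account needs read access to the input, write access to the output directory, and search (x) permission on every parent directory. The script below checks this from the owner/group/other mode bits alone; the function names has_perm and can_access are hypothetical, and ACLs, SELinux and root's permission bypass are not modelled.

```shell
#!/bin/sh
# Added example (not from the original post). Checks classic mode bits only:
# ACLs, SELinux and root's permission bypass are not modelled.

# has_perm UID "GID ..." PATH r|w|x  -> 0 if the mode bits grant the access
has_perm() {
    hp_uid=$1; hp_gids=$2; hp_path=$3
    read -r hp_mode hp_links hp_owner hp_group hp_rest <<EOF
$(ls -ldn -- "$hp_path" 2>/dev/null)
EOF
    [ -n "$hp_mode" ] || return 2                 # path missing or unreadable
    # The kernel applies exactly one triplet: owner, else group, else other.
    if [ "$hp_uid" = "$hp_owner" ]; then hp_off=2
    else
        case " $hp_gids " in
            *" $hp_group "*) hp_off=5 ;;
            *) hp_off=8 ;;
        esac
    fi
    case $4 in r) hp_i=0 ;; w) hp_i=1 ;; x) hp_i=2 ;; *) return 2 ;; esac
    hp_bit=$(printf '%s' "$hp_mode" | cut -c"$((hp_off + hp_i))")
    case $hp_bit in r|w|x|s|t) return 0 ;; *) return 1 ;; esac
}

# can_access UID "GID ..." PATH r|w  -> 0 if every parent directory is
# searchable (x) and PATH itself grants the wanted bit; prints the blocker.
can_access() {
    ca_uid=$1; ca_gids=$2; ca_path=$3; ca_want=$4
    case $ca_path in
        /*) ca_cur=;  ca_rest=${ca_path#/} ;;     # absolute: walk from /
        *)  ca_cur=.; ca_rest=$ca_path ;;         # relative: walk from cwd
    esac
    while [ "${ca_rest#*/}" != "$ca_rest" ]; do   # a parent component remains
        ca_cur="$ca_cur/${ca_rest%%/*}"
        ca_rest=${ca_rest#*/}
        has_perm "$ca_uid" "$ca_gids" "$ca_cur" x ||
            { echo "blocked: no x on $ca_cur"; return 1; }
    done
    has_perm "$ca_uid" "$ca_gids" "$ca_path" "$ca_want" ||
        { echo "blocked: no $ca_want on $ca_path"; return 1; }
    echo "ok"
}

# Paths from the post; runs only where a logstash account exists.
if id logstash >/dev/null 2>&1; then
    u=$(id -u logstash); g=$(id -G logstash)
    can_access "$u" "$g" /var/log/messages r || true      # pipeline input
    can_access "$u" "$g" /home/test/logstash w || true    # daily output dir
fi
```

A "blocked" line names the first path component to fix, which is where to grant group access or move the file rather than running the service as root.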
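VIII. Collecting multiple log files.
IX. Logstash command-line arguments
- -f --path.config path to the pipeline; may be a file or a directory
- --path.settings path to the Logstash settings directory, which contains logstash.yml
- -e --config.string specifies the pipeline content inline; mostly used for testing
- -w --pipeline.workers number of pipeline threads, i.e. the threads that process filter_output; defaults to the number of CPU cores.
- -b --pipeline.batch.size number of pending documents the batcher fetches in one batch; default 125. The larger the value, the more heap space it takes up; the heap can be adjusted through jvm.options.
- -u --pipeline.batch.delay how long the batcher waits; default 5 ms (the Logstash 7.3.0 startup log earlier on this page reports "pipeline.batch.delay"=>50)
X. Common logstash.yml settings
XI. Logstash settings-related configuration files
The Logstash settings-related configuration files are located mainly under the conf configuration directory and are used when Logstash starts.
- logstash.yml
Logstash settings such as node.name and path.data. These settings can be overridden by command-line arguments.
- jvm.options
JVM parameters, such as the heap size.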