ELK6.2.2(elasticsearch+logstash+kibana)开源日志分析平台搭建（三）：logstash简单收集

[superuser@ft3q-app48 elk]$ wget https://artifacts.elastic.co/downloads/logstash/logstash-6.2.2.tar.gz[/code] 
[superuser@ft3q-app48 elk]$ tar -zxvf logstash-6.2.2.tar.gz

[superuser@ft3q-app48 elk]$ mv logstash-6.2.2 logstash_bank

3编写一个配置文件

[superuser@ft3q-app47 logstash_bank]$ cat config/file-logstash-bank.conf
input{
file {
path => ["/logdata/bank/*/*/*.log"]
exclude => "*_*.log"
max_open_files => "18600"
codec => plain {
charset => "UTF-8"
}
}
}

filter{
mutate {
add_field => { "filepath" => "%{path}" }
}
mutate{
split => ["path","/"]
add_field =>   {
"idx" => "%{[path][2]}-%{[path][3]}-%{[path][4]}"
}
add_field =>   {
"filename" => "%{[path][5]}"
}
}
mutate{
split => ["filename","."]
add_field =>   {
"idx1" => "%{idx}-%{[filename][0]}"
}
}
mutate{
lowercase => [ "idx1" ]
}

}

output {
elasticsearch {
hosts => ["192.168.193.47:9200"]
index => "logstash-%{idx1}-%{+YYYY.MM.dd}"
user => elastic
password => elastic
}
}

输入：文件输入，监控*.log,不要监控log4j2归档的旧文件，如service_2018-03-25_1.log。

过滤：新增属性filepath,因为下面的split会将path属性变为数组。下面的过滤器就是我在试图拼索引，将路径的“/”转化为“-”，去掉".log"。索引不能为大写，最后转成小写。

输出：输出到es。地址、索引等信息。用户名密码参数是x-pack需要的。

4启动，后台运行。

[superuser@ft3q-app47 logs]$nohup  /home/superuser/elk/logstash_bank/bin/logstash  -f  /home/superuser/elk/logstash_bank/config/file-logstash-bank.conf --path.data /home/superuser/elk/logstash_bank/data_bank > /dev/null &

5观察日志没有报错，查看有无索引写入es，查看kibana

通过es的API curl -XGET '192.168.193.47:9200/_cat/indices?v&pretty'



通过kibana，需要新建查询索引，就能查看。