• Building an ELK log analysis platform


    (Part 1) ELK introduction and building an Elasticsearch distributed cluster

    http://blog.51cto.com/zero01/2079879

    (Part 2) Setting up the Kibana and Logstash servers

    http://blog.51cto.com/zero01/2082794

    ELK logging-related articles

    https://www.cnblogs.com/zhang-shijie/category/803469.html

    Logstash output to multiple Elasticsearch indices

    https://blog.csdn.net/wangyangzhizhou/article/details/53314022

    Automatic cleanup of Elasticsearch indices

    https://www.cnblogs.com/kasumi/p/6479733.html

    Three ways for Logstash to process JSON-format log files

    https://blog.csdn.net/jiao_fuyou/article/details/49174269/

    Using Logstash filters

    https://www.cnblogs.com/qq27271609/p/4762562.html

    Issue 1:

    elasticsearch: can not run elasticsearch as root

    https://www.cnblogs.com/sandyyeh/p/8413724.html 

     

    Issue 2:

    Start Logstash with -f

    ./logstash -f ../config/logstash-sample.conf  

     

    Issue 3:

    Do not configure port 5044 in Logstash.conf

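    Issue 4:

    Currently, of the input settings only tags are carried through to the output, so they can be used for conditionals in the output section

    The filter section can apply additional processing to the data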

     

    Issue 5:

    Logstash.conf demo

    input {
      file {
        path => "/var/log/system.log"
        tags => ["system"]
        #codec => json
        #start_position => "beginning" # read from the beginning of the file
      }
      file {
        path => "/var/log/kibana.log"
        tags => ["kibana"]
        codec => json
        #start_position => "beginning" # read from the beginning of the file
      }
    }

    filter {
      mutate {
        add_field => {
          "tmp2" => "1"
        }
      }
    }

    output {
      if "kibana" in [tags] {
        elasticsearch {
          hosts => ["http://127.0.0.1:9200"]
          index => "kibana.log"
        }
      }
      if "system" in [tags] {
        elasticsearch {
          hosts => ["http://127.0.0.1:9200"]
          index => "system.log"
        }
      }

      #elasticsearch {
      #  hosts => ["http://127.0.0.1:9200"]
      #  index => [id]
      #}
      stdout {
        codec => rubydebug
      }
    }
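
An added example, not part of the original post: the same tag-based routing done in the filter stage, so a single elasticsearch output serves both files and an event with neither tag lands in a fallback index instead of reaching only stdout. The `[@metadata][index]` field name and the `unrouted` index name are assumptions chosen for this illustration.

```logstash
input {
  file {
    path => "/var/log/system.log"
    tags => ["system"]
  }
  file {
    path => "/var/log/kibana.log"
    tags => ["kibana"]
    codec => json
  }
}

filter {
  # Pick the target index from the tag set on the input.
  # [@metadata] fields are available to later stages but are not
  # written to the stored document.
  if "kibana" in [tags] {
    mutate { add_field => { "[@metadata][index]" => "kibana.log" } }
  } else if "system" in [tags] {
    mutate { add_field => { "[@metadata][index]" => "system.log" } }
  } else {
    # Assumed fallback index: keeps events from a new, untagged input
    # visible in Elasticsearch so they can be reviewed.
    mutate { add_field => { "[@metadata][index]" => "unrouted" } }
  }
}

output {
  elasticsearch {
    hosts => ["http://127.0.0.1:9200"]
    index => "%{[@metadata][index]}"
  }
  stdout {
    # metadata => true prints [@metadata] so the chosen index can be checked
    codec => rubydebug { metadata => true }
  }
}
```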
    

      

     

  • Original article: https://www.cnblogs.com/dtdxrk/p/10028243.html