1.配置Logstash
[root@Logstash logstash]# vim /usr/local/logstash/config/nginx_log.conf
# Listener for events shipped by Filebeat over the Beats protocol.
# NOTE(review): no host or SSL settings are given, so the plugin's default bind
# address applies and traffic is accepted in plaintext. Log lines then cross
# the network unencrypted, and any host that can reach this port can submit
# events into the pipeline. Outside an isolated lab, enable the beats input's
# SSL settings with client-certificate verification and firewall the port so
# only the Filebeat hosts can connect.
input {
  beats {
    port => "5044"
  }
}
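# Parses nginx access-log lines into fields, normalises the timestamp and
# enriches the client address with GeoIP data.
filter {
  # The original condition tested [type] == "nginx", but nothing in the
  # Filebeat configuration on this page sets a top-level "type" field to
  # "nginx"; events are labelled through fields.logsource instead. With the old
  # test grok never ran, so "timestamp" and "clientip" were never extracted and
  # the date/geoip stages had nothing to work on. Use the same label the output
  # section already routes on.
  if [fields][logsource] == "nginx_access" {
    grok {
      # NOTE(review): NGINXACCESS is not defined on this page; presumably a
      # custom pattern that must be installed in a patterns directory Logstash
      # loads. It is assumed to capture "timestamp" and "clientip" - confirm.
      # Request lines and headers in access logs are supplied by the client, so
      # expect lines that do not match; by default grok marks those events with
      # the _grokparsefailure tag, which is worth monitoring.
      match => { "message" => "%{NGINXACCESS}" }
    }
    # date and geoip depend on fields produced by grok, so they live inside the
    # same conditional; error-log events carry neither field.
    date {
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
      # "target" takes a single field name, so pass a string rather than an array.
      target => "datetime"
    }
    geoip {
      source => "clientip"
    }
  }
}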
# Routes each event to an Elasticsearch index chosen by the fields.logsource
# label that Filebeat attaches, and echoes every event to stdout.
# NOTE(review): both elasticsearch outputs connect to port 9200 with no
# credentials or TLS options. If the cluster has security enabled, this needs
# a user/password and CA settings to work; if it does not, anyone who can reach
# 9200 can read or alter these indices, so restrict access to that port.
output {
  if [fields][logsource] == "nginx_access" {
    elasticsearch {
      hosts => ["192.168.200.130:9200"]
      index => "nginx_access"
    }
  } else if [fields][logsource] == "nginx_error" {
    elasticsearch {
      hosts => ["192.168.200.130:9200"]
      index => "nginx_error"
    }
  }
  # Debugging aid: prints every event, including client IPs and request URLs,
  # to Logstash's stdout. Remove it once the pipeline is verified so log data
  # is not duplicated into the process output.
  stdout { codec => rubydebug }
}
2.配置filebeat:
[root@mobanji filebeat]# egrep -v "#|^$" filebeat.yml
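# Filebeat configuration: tail the nginx access and error logs and ship them to
# Logstash. The nesting below is restored; the listing had lost its indentation,
# and YAML does not parse without it.
# NOTE(review): "filebeat.prospectors" is the older spelling; newer Filebeat
# releases renamed the key to "filebeat.inputs". Keep whichever matches the
# installed version.
filebeat.prospectors:
- type: log
  # Custom fields end up under "fields" on each event; the Logstash pipeline
  # routes on fields.logsource.
  fields:
    logsource: nginx_access
    log_type: access_log
  paths:
    - /usr/local/nginx/logs/access.log
- type: log
  fields:
    logsource: nginx_error
    log_type: error_log
  paths:
    - /usr/local/nginx/logs/error.log
# NOTE(review): no ssl settings are configured, so events are sent to Logstash
# in plaintext and the server's identity is not verified. Outside an isolated
# lab, configure the ssl options under output.logstash to match a TLS-enabled
# beats input.
output.logstash:
  hosts: ["192.168.200.131:5044"]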