安装logstash
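# Install Logstash and its prerequisites.
# Java runtime, which Logstash needs in order to start.
yum install -y java
# lrzsz provides rz/sz file transfer (presumably used to upload the RPM);
# haveged is an entropy daemon (presumably installed to avoid slow startup on
# hosts with little entropy).
yum install -y lrzsz haveged
systemctl start haveged
systemctl enable haveged
# The RPM is a local file copied onto the host, so no repository metadata
# vouches for it. Check its digests and signature before installing; the
# signature is only validated if the publisher's signing key was imported
# beforehand (rpm --import <PUBLISHER-KEY-FILE>).
rpm -K logstash-6.4.0.rpm &&
  yum localinstall logstash-6.4.0.rpm -y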
调试logstash,控制台输出
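# Create/edit the pipeline configuration file used for this console test.
vim /etc/logstash/conf.d/fb.conf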
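# Standard input: events are read line by line from the console.
input {
  stdin {}
}

# Filter the data.
filter {
  grok {
    # Each NUMBER pattern matches the next space-separated numeric field of the
    # line, in order; the name after the colon is the field it is stored in.
    # NOTE: a line that does not match this pattern leaves log_timestamp unset
    # (Logstash tags such events _grokparsefailure by default), so @timestamp
    # and local_date then reflect when the event was read, not the time
    # recorded in the log. Check the tags before relying on these fields for a
    # timeline.
    match => {"message" => "%{NUMBER:a1} %{NUMBER:a2} %{NUMBER:logType} %{NUMBER:log_timestamp} "}
  }
  date {
    # Parse log_timestamp as a UNIX epoch value; on success the date filter
    # writes the result to @timestamp.
    match => ["log_timestamp", "UNIX"]
  }
  ruby {
    # Derive a YYYY_MM_DD string from @timestamp, converted to the host's local
    # time zone (.localtime), and store it in local_date.
    code => " event.set('local_date', event.timestamp.time.localtime.strftime('%Y_%m_%d')) "
  }
}

# Standard output: print each processed event to the console.
output {
  stdout {
    #codec => line {
    #format => "%{message}"
    #}
  }
}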
# 在前台启动可以看到输入,输出的结果。
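# Start Logstash in the foreground with the given configuration file;
# startup can be somewhat slow.
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/fb.conf
# Input: once the pipeline is running, type the following line on stdin.
#   0 0 4 1573789909 UT001_2019-11-15-11:51:49.714364_808 0 10032 1 399 65118 65118 10000 10000 56 560111002 5601110020001 0 0 192.168.0.84 0 0 0 0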
# 输出 { "@timestamp" => 2019-11-15T03:51:49.000Z, "message" => "0 0 4 1573789909 UT001_2019-11-15-11:51:49.714364_808 0 10032 1 399 65118 0 65118 10000 10000 56 560111002 5601110020001 0 0 192.168.0.84 0 0 0 0 0", "log_timestamp" => "1573789909", "logType" => "4", "a2" => "0", "@version" => "1", "host" => "kvm-233", "local_date" => "2019_11_15", "a1" => "0" }