一、收集单个日志文件
注意事项:
- logstah 服务默认启动用户和组是 logstash
- 被收集的日志文件有读的权限并对写入的文件有写权限
- 而 logstash 是普通用户
1.1 编辑 logstash 配置文件
vim /etc/logstash/conf.d/test.conf
input {file {path => "/var/log/syslog"type => "systemlog"}
}output {elasticsearch {hosts => ["10.0.0.31:9200"] index => "logstash-lck-testindex"}
}1.2 检测配置文件语法是否正确和启动
#检测配置文件语法是否正确
root@ubuntu1804:~# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf -t
#启动
root@ubuntu1804:~# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
1.3 生成数据并验证
root@logstash1:~# echo "test" >> /var/log/syslog
二、收集多个日志文件
2.1 编辑 logstash 配置文件
vim /etc/logstash/conf.d/test.conf
input {file {path => "/var/log/syslog"type => "systemlog"start_position => "beginning"stat_interval => "3 second"} file {path => "/var/log/vmware*.log"type => "vmwarelog"start_position => "beginning"stat_interval => "3 second"}
}output {if [type] == "systemlog" {elasticsearch {hosts => ["10.0.0.31:9200"] index => "logstash-lck-testindex"}}if [type] == "vmwarelog" {elasticsearch {hosts => ["10.0.0.31:9200"] index => "logstash-lck-vmwarelog-%{+YYYY.MM.dd}"}}
}2.2 检测配置文件语法是否正确和启动
#检测配置文件语法是否正确
root@ubuntu1804:~# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf -t
#启动
root@ubuntu1804:~# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
2.3 启动服务,并验证
#注册成系统服务的启动
systemctl restart logstash.service
#压缩包方式的启动
root@ubuntu1804:~# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
2.4 创建索引方便查询日志
)
linux命令)
)
)
)
回答准确率)