logstash插件
输入插件(input)
Input:输入插件。
Input plugins | Logstash Reference [8.11] | Elastic
-
所有输入插件都支持的配置选项
| Setting | Input type | Required | Default | Description |
|---|---|---|---|---|
| add_field | hash | No | {} | 添加一个字段到一个事件 |
| codec | codec | No | plain | 用于输入数据的编解码器 |
| enable_metric | boolean | No | true | |
| id | string | No | 添加一个ID插件配置,如果没有指定ID,则Logstash将生成一个ID。强烈建议配置此ID,当两个或多个相同类型的插件时,这个非常有用的。例如,有两个文件输入,添加命名标识有助于监视 | |
| tags | array | No | 添加任意数量的标签,有助于后期处理 | |
| type | string | No | 为输入处理的所有事件添加一个字段,自已随便定义,比如linux系统日志,定义为syslog |
stdin
-
标准输入
# cat /etc/logstash/config.d/stdtest.conf
input {stdin {
}
}
filter {
}
output {stdout {}
}
file
-
从文件中读取内容
File input plugin | Logstash Reference [8.11] | Elastic
| Setting | Input type | Required | Default | Description |
|---|---|---|---|---|
| close_older | number | No | 3600 | 单位秒,打开文件多长时间关闭 |
| delimiter | string | No | \n | 每行分隔符 |
| discover_interval | number | No | 15 | 单位秒,多长时间检查一次path选项是否有新文件 |
| exclude | array | No | 排除监听的文件,跟path一样,支持通配符 | |
| max_open_files | number | No | 打开文件最大数量 | |
| path | array | YES | 输入文件的路径,可以使用通配符 例如/var/log/*/.log,则会递归搜索 | |
| sincedb_path | string | No | sincedb数据库文件的路径,用于记录被监控的日志文件当前位置 | |
| sincedb_write_interval | number | No | 15 | 单位秒,被监控日志文件当前位置写入数据库的频率 |
| start_position | string, one of ["beginning", "end"] | No | end | 指定从什么位置开始读取文件:开头或结尾。默认从结尾开始,如果要想导入旧数据,将其设置为begin。如果sincedb记录了此文件位置,那么此选项不起作用 |
| stat_interval | number | No | 1 | 单位秒,统计文件的频率,判断是否被修改。增加此值会减少系统调用次数。 |
# cat /etc/logstash/conf.d/filetest.conf
input {file {path => "/var/log/messages"}
}
filter {
}
output {stdout {}
}
TCP
-
通过TCP套接字读取事件,即接收数据。与标准输入和文件输入一样,每个事件都被定位一行文本。
# cat /etc/logstash/conf.d/tcptest.conf
input {tcp {port => 12345}
}
filter {
}
output {stdout{}
}
在其他主机上安装nc工具,对logstash发送信息,即可被读取出来。
[root@vm4 ~]# yum -y install nc
[root@vm4 ~]# nc 10.1.1.13 12345
haha
在vm3上验证查看
{"@version" => "1","@timestamp" => 2019-07-02T15:28:00.301Z,"port" => 33778,"type" => "nc","message" => "haha","host" => "vm4.cluster.com"
}
Beats
-
从Elastic Beats框架接收事件
logstash配置文件
# cat /etc/logstash/conf.d/filebeattest.conf
input {beats {port => 5044host => "0.0.0.0"}
}filter {}
output {stdout { }
}
filebeat配置文件 filebeat.prospectors:- type: logpaths:- /var/log/messagestags: ["system-log","123"]fields:level: debug output.logstash:hosts: ['127.0.0.1:5044']
过滤插件(filter)
参考: Filter plugins | Logstash Reference [8.11] | Elastic
Filter:过滤,将日志格式化。
有丰富的过滤插件:
-
Grok正则捕获
-
date时间处理
-
JSON编解码
-
数据修改Mutate
-
geoip等。
所有的过滤器插件都支持以下配置选项:
| Setting | Input type | Required | Default | Description |
|---|---|---|---|---|
| add_field | hash | No | {} | 如果过滤成功,添加任何field到这个事件。例如:add_field => [ "foo_%{somefield}", "Hello world, from %{host}" ],如果这个事件有一个字段somefiled,它的值是hello,那么我们会增加一个字段foo_hello,字段值则用%{host}代替。 |
| add_tag | array | No | [] | 过滤成功会增加一个任意的标签到事件例如:add_tag => [ "foo_%{somefield}" ] |
| enable_metric | boolean | No | true | |
| id | string | No | ||
| periodic_flush | boolean | No | false | 定期调用过滤器刷新方法 |
| remove_field | array | No | [] | 过滤成功从该事件中移除任意filed。例:remove_field => [ "foo_%{somefield}" ] |
| remove_tag | array | No | [] | 过滤成功从该事件中移除任意标签,例如:remove_tag => [ "foo_%{somefield}" ] |
json(关注)
-
JSON解析过滤器,接收一个JSON的字段,将其展开为Logstash事件中的实际数据结构。
示例: 将原信息转成一个大字段,key-value做成大字段中的小字段
# cat /etc/logstash/conf.d/jsontest.conf
input {stdin {}
}
filter {json {source => "message"target => "content"}
}
output {stdout {}
}
对标准输入的内容进行json格式输出
把输出内容定向到target指定的content
[root@vm3 bin]# ./logstash --path.settings /etc/logstash -r -f /etc/logstash/conf.d/jsontest.conf
输入测试数据
{"ip":"10.1.1.1","hostname":"vm3.cluster.com"}
输出测试数据
{"content" => {"hostname" => "vm3.cluster.com","ip" => "10.1.1.1"},"@timestamp" => 2019-07-02T11:57:36.398Z,"@version" => "1","host" => "vm3.cluster.com","message" => "{\"ip\":\"10.1.1.1\",\"hostname\":\"vm3.cluster.com\"}"
}
示例: 直接将原信息转成各个字段
# cat /etc/logstash/conf.d/jsontest.conf
input {stdin {}
}
filter {json {source => "message"}
}
output {stdout {}
}
[root@vm3 bin]# ./logstash --path.settings /etc/logstash -r -f /etc/logstash/conf.d/jsontest.conf
输入测试数据
{"ip":"10.1.1.1","hostname":"vm3.cluster.com"}
输出测试数据
{"port" => 39442,"@version" => "1","@timestamp" => 2019-09-19T09:07:03.800Z,"hostname" => "vm3.cluster.com","host" => "vm4.cluster.com","ip" => "10.1.1.1","message" => "{\"ip\":\"10.1.1.1\",\"hostname\":\"vm3.cluster.com\"}"
}
kv
-
自动解析为key=value。
-
也可以任意字符串分割数据。
-
field_split 一串字符,指定分隔符分析键值对
URL查询字符串拆分参数示例
# cat /etc/logstash/conf.d/kvtest.conf
input {stdin {}
}
filter {kv {field_split => "&?"}
}
output {stdout {
}
}
文件中的列以&或?进行分隔
执行
[root@vm3 bin]# ./logstash --path.settings /etc/logstash -r -f /etc/logstash/conf.d/kvtest.conf
输入数据
address=www.abc.com?pid=123&user=abc
输出数据
{"user" => "abc","@timestamp" => 2019-07-02T12:05:23.143Z,"host" => "vm3.cluster.com","@version" => "1","message" => "address=www.abc.com?pid=123&abc=user","address" => "www.abc.com","pid" => "123"
}
使用正则也可以匹配
[root@vm3 bin]# cat /etc/logstash/conf.d/kvtest.conf
input {stdin {}
}
filter {kv {field_split_pattern => ":+"}
}
output {stdout {
}
}
grok(关注)
-
grok是将非结构化数据解析为结构化
-
这个工具非常适于系统日志,mysql日志,其他Web服务器日志以及通常人类无法编写任何日志的格式。
-
默认情况下,Logstash附带约120个模式。也可以添加自己的模式(patterns_dir)
-
模式后面对应正则表达式
-
查看模式地址:https://github.com/logstash-plugins/logstash-patterns-core/tree/master/patterns
-
包含字段如下
| Setting | Input type | Required | Default | Description |
|---|---|---|---|---|
| break_on_match | boolean | No | true | |
| keep_empty_captures | No | false | 如果true将空保留为事件字段 | |
| match | hash | No | {} | 一个hash匹配字段=>值 |
| named_captures_only | boolean | No | true | 如果true,只存储 |
| overwrite | array | No | [] | 覆盖已存在的字段的值 |
| pattern_definitions | No | {} | ||
| patterns_dir | array | No | [] | 自定义模式 |
| patterns_files_glob | string | No | * | Glob模式,用于匹配patterns_dir指定目录中的模式文件 |
| tag_on_failure | array | No | _grokparsefailure | tags没有匹配成功时,将值附加到字段 |
| tag_on_timeout | string | No | _groktimeout | 如果Grok正则表达式超时,则应用标记 |
| timeout_millis | number | 30000 | 正则表达式超时时间 |
grok模式语法
格式:%{SYNTAX:SEMANTIC}
-
SYNTAX 模式名称
-
SEMANTIC 匹配文本的标识符
例如:%{NUMBER:duration} %{IP:client}
# vim /etc/logstash/conf.d/groktest.conf
input {stdin {}
}
filter {grok {match => {"message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}"}}
}
output {stdout {
}
}
虚构http请求日志抽出有用的字段
55.3.244.1 GET /index.html 15824 0.043
输出结果
{"client" => "55.3.244.1","duration" => "0.043","message" => "55.3.244.1 GET /index.html 15824 0.043","method" => "GET","bytes" => "15824","@version" => "1","@timestamp" => 2019-07-03T12:24:47.596Z,"host" => "vm3.cluster.com","request" => "/index.html"
}
自定义模式
如果默认模式中没有匹配的,可以自己写正则表达式。
# vim /opt/patterns
ID [0-9]{3,5}
配置文件中应包含如下内容
filter {grok {patterns_dir =>"/opt/patterns"match => {"message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} %{ID:id}" }}
}
完整文件内容
[root@vm3 ~]# cat /etc/logstash/conf.d/groktest.conf
input {stdin {}
}
filter {grok {patterns_dir =>"/opt/patterns"match => {"message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} %{ID:id}"}}
}
output {stdout {}
}
#执行
[root@vm3 bin]# ./logstash --path.settings /etc/logstash -r -f /etc/logstash/conf.d/groktest.conf
输入测试数据
55.3.244.1 GET /index.html 15824 0.043 6666
输出测试数据
{"client" => "55.3.244.1","host" => "vm3.cluster.com","request" => "/index.html","@timestamp" => 2019-07-02T12:34:11.906Z,"bytes" => "15824","method" => "GET","message" => "55.3.244.1 GET /index.html 15824 0.043 15BF7F3ABB","@version" => "1","id" => "666","duration" => "0.043"
}
geoip(关注)
-
开源IP地址库
-
GeoLite2 Free Geolocation Data | MaxMind Developer Portal
下载IP地址库 [root@vm3 ~]# wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz [root@vm3 ~]# tar xf GeoLite2-City.tar.gz [root@vm3 ~]# cp GeoLite2-City_20190625/GeoLite2-City.mmdb /opt
# cat /etc/logstash/conf.d/geoiptest.conf
input {stdin {}
}
filter {grok {match => {"message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}"}}geoip {source => "client"database => "/opt/GeoLite2-City.mmdb"}
}
output {stdout {
}
}
执行
[root@vm3 bin]# ./logstash --path.settings /etc/logstash -r -f /etc/logstash/conf.d/geoiptest.conf
输入测试数据
202.106.0.20 GET /index.html 123 0.331
输出结果
{"method" => "GET","client" => "202.106.0.20","bytes" => "123","request" => "/index.html","geoip" => {"country_code2" => "CN","country_name" => "China","region_code" => "BJ","longitude" => 116.3883,"latitude" => 39.9289,"timezone" => "Asia/Shanghai","location" => {"lon" => 116.3883,"lat" => 39.9289},"country_code3" => "CN","ip" => "202.106.0.20","continent_code" => "AS","region_name" => "Beijing"},"duration" => "0.331","host" => "vm3.cluster.com","message" => "202.106.0.20 GET /index.html 123 0.331","@timestamp" => 2019-07-02T12:15:29.384Z,"@version" => "1"
}
[root@vm3 bin]# cat /etc/logstash/conf.d/geoiptest2.conf
input {stdin {}
}
filter {grok {match => {"message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}"
}}geoip {source => "client"database => "/opt/GeoLite2-City.mmdb"target => "geoip"fields => ["city_name", "country_code2", "country_name","region_name"]}
}
output {stdout {codec => rubydebug}
}
执行
[root@vm3 bin]# ./logstash --path.settings /etc/logstash -r -f /etc/logstash/conf.d/geoiptest2.conf
输入测试数据
110.226.4.6 GET /home.html 518 0.247
输出结果
{"host" => "vm3.cluster.com","duration" => "0.247","request" => "/home.html","@version" => "1","client" => "110.226.4.6","message" => "110.226.4.6 GET /home.html 518 0.247","method" => "GET","bytes" => "518","@timestamp" => 2019-07-02T12:22:22.458Z,"geoip" => {"country_name" => "India","country_code2" => "IN"}
}
输出插件(output)
Output:输出,输出目标可以是Stdout、ES、Redis、File、TCP等。
ES
| Setting | Input type | Required | Default | Description |
|---|---|---|---|---|
| hosts | URL | No | ||
| index | string | No | logstash-%{+YYYY.MM.dd} | 将事件写入索引。默认按日期划分。 |
| user | string | No | ES集群用户 | |
| password | password | No | ES集群密码 |
input {file {path => ["/var/log/messages"]type => "system"tags => ["syslog","test"]start_position => "beginning"}file {path => ["/var/log/audit/audit.log"]type => "system"tags => ["auth","test"]start_position => "beginning"}
}
filter {
}
output {if [type] == "system" {if [tags][0] == "syslog" {elasticsearch {hosts => ["http://es1:9200","http://es2:9200","http://es3:9200"]index => "logstash-system-syslog-%{+YYYY.MM.dd}"}stdout { codec=> rubydebug }}else if [tags][0] == "auth" {elasticsearch {hosts => ["http://es1:9200","http://es2:9200","http://es3:9200"]index => "logstash-system-auth-%{+YYYY.MM.dd}"}stdout { codec=> rubydebug }}}
}
![输入一组数据,以-1结束输入[c]](https://img-blog.csdnimg.cn/direct/f5d8d179cbc940d7b4d08db682813c0e.png)
