logstash安裝

1.部署

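cd /usr/local/src
wget https://artifacts.elastic.co/downloads/logstash/logstash-5.2.2.rpm

# Printing the digest proves nothing unless it is compared with a reference value,
# so fetch the published SHA-1 and compare. Only the first field is used, which
# works whether the .sha1 file holds a bare digest or "digest  filename".
# This catches a corrupted or truncated download. It does not protect against a
# tampered download host, because the digest comes from the same place as the
# package; the signature check below covers that case.
wget https://artifacts.elastic.co/downloads/logstash/logstash-5.2.2.rpm.sha1
expected=$(awk '{print $1}' logstash-5.2.2.rpm.sha1)
actual=$(sha1sum logstash-5.2.2.rpm | awk '{print $1}')

# The rpm install reads /usr/bin/java, so symlink the java binary from the JDK
# directory we normally use.
ln -s /usr/local/jdk1.8.0_151/bin/java /usr/bin/

# Import Elastic's package signing key, then install only if the digest matches
# and rpm accepts the package. Read the --checksig output and confirm it reports
# a good signature, not just matching digests.
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
[ -n "$expected" ] && [ "$expected" = "$actual" ] \
    && rpm --checksig logstash-5.2.2.rpm \
    && rpm --install logstash-5.2.2.rpm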

2.寫一個簡易的配置文件收集一下messages和secure日誌

# This pipeline file can live under /etc/logstash/conf.d/; name the *.conf file
# to suit your setup.
#
# Tails the two syslog files. start_position => "beginning" makes a file that
# has not been seen before get read from its first line instead of from the end.
# NOTE(review): /var/log/secure holds authentication records and is usually
# readable by root only. Give the Logstash service account read access through
# a narrow group or ACL rather than running Logstash as root. Confirm against
# the host's actual permissions.
input {
    file {
        path => [
            "/var/log/messages",
            "/var/log/secure"
        ]
        start_position => "beginning"
    }
}

# Tag each event with a type derived from the file it was read from. The output
# section routes on this field. An event comes from exactly one path, so the two
# branches are mutually exclusive.
filter {
    if [path] == "/var/log/messages" {
        mutate {
            replace => { type => "messages_type" }
        }
    } else if [path] == "/var/log/secure" {
        mutate {
            replace => { type => "secure_type" }
        }
    }
}

# Sends every event to stdout and, depending on its type, to a daily index in
# Elasticsearch.
output {
    # Debug sink: prints every event in full, including the authentication
    # records read from /var/log/secure. Wherever Logstash's stdout is captured
    # (console, journal, service log) becomes a second copy of that data, so
    # drop this once the pipeline is confirmed working.
    stdout {
        codec => rubydebug
    }

    # No ssl, user or password options are set on either elasticsearch output,
    # so events are sent with the plugin's defaults.
    # NOTE(review): if the cluster has TLS and authentication enabled, set the
    # plugin's ssl / cacert / user / password options. Otherwise restrict
    # network access to port 9200, because these indices hold login and sudo
    # activity.
    if [type] == "messages_type" {
        elasticsearch {
            hosts => "11.0.0.51:9200"
            index => "messages-%{+YYYY.MM.dd}"
        }
    } else if [type] == "secure_type" {
        elasticsearch {
            hosts => "11.0.0.51:9200"
            index => "secure-%{+YYYY.MM.dd}"
        }
    }
}