Logstash input輸入 beats插件 和 syslog插件
Logstash input多個輸入插件同時使用
Logstash 7.2.0
filter使用的插件:grok、kv、urldecode、date、mutate、geoip
1、先看總體配置logstash.conf
(執行時請去除所有中文註釋)
input {
  # Beats input (Filebeat and friends). Every event it emits is tagged
  # [fields][class] = "beats" so the filter section can tell the two sources apart.
  beats {
    # NOTE(review): 0.0.0.0 listens on every interface and no ssl option is set,
    # so shipped logs travel in clear text and any host that can reach 5044 can
    # inject events. If the port is reachable beyond trusted hosts, enable
    # `ssl => true` with ssl_certificate / ssl_key (and ssl_verify_mode plus
    # ssl_certificate_authorities to require client certificates).
    host => "0.0.0.0"
    port => 5044
    add_field => { "[fields][class]" => "beats" }
  }

  # Syslog input (listens on TCP and UDP). Tagged "json" because the filter
  # section parses its message body as JSON.
  syslog {
    # 514 is the conventional syslog port. Ports below 1024 normally need
    # elevated privileges, so a Logstash service running as an unprivileged
    # user may fail to bind it — confirm how the process is started.
    port => 514
    add_field => { "[fields][class]" => "json" }
  }
}
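filter {
  # Events from the beats input: Tomcat access logs in Apache common log format.
  # Example line:
  # 192.168.68.88 - - [16/Mar/2020:11:22:08 +0800] "GET /esws/testService/test?name=天道酬勤&size=50 HTTP/1.1" 200 15315
  if [fields][class] == "beats" {
    # Split the access line into clientip, timestamp, verb, request, response, ...
    # (patterns can be tried interactively in Kibana's Grok Debugger).
    grok {
      match => { "message" => "%{COMMONAPACHELOG}" }
    }
    # Break the query string inside "request" into key/value pairs and keep
    # only the three keys used further down.
    kv {
      source => "request"
      # "&" and "?" both separate pairs, "=" separates key from value.
      # (This line was an un-commented note in the original and would not parse.)
      field_split => "&?"
      value_split => "="
      include_keys => ["op","reportlet","formlet"]
    }
    # Percent-decode every string field; query values arrive URL-encoded.
    urldecode {
      all_fields => true
    }
    # Use the access-log time as the event time.
    date {
      match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
      target => "@timestamp"
    }
    mutate {
      # Drop Beats/host metadata that is not wanted in the index.
      remove_field => ["agent","beat","offset","tags","prospector","log","ident","[host][name]","[host][hostname]","[host][architecture]","[host][os]","[host][id]","auth","[input][type]"]
      # Both copies live in one `copy` hash: the original repeated the `copy`
      # option twice in the same block, which is ambiguous (later entries may
      # override earlier ones). remove_field is applied after the copies, so
      # none of the removals above affect them.
      copy => {
        "@timestamp" => "timestamp"
        "formlet" => "reportlet"
      }
      # Promoting [fields][fields_type] used to happen here; it is now done
      # conditionally below so an existing fields_type is not overwritten.
      #copy => { "[fields][fields_type]" => "fields_type" }
    }
    # Kept in a separate mutate on purpose: a single mutate applies its
    # operations in a documented fixed order (gsub before copy), so the
    # replacement would otherwise run before "reportlet" is populated.
    mutate {
      gsub => ["reportlet", "%2F", "/"]
    }
    # Fall back to the fields_type the Beats shipper declared in its `fields`
    # setting when nothing earlier set one.
    if ! [fields_type] {
      mutate {
        copy => { "[fields][fields_type]" => "fields_type" }
      }
    }
    # NOTE(review): "timestamp" now holds a copy of @timestamp, which is very
    # unlikely to match "yyyy-MM-dd-HH:mm:ss"; this filter probably adds a
    # _dateparsefailure tag rather than changing @timestamp. "cn" is also not
    # the usual language code for Chinese ("zh"), though this pattern has no
    # locale-dependent tokens. Kept as written pending confirmation of intent.
    date {
      match => [ "timestamp", "yyyy-MM-dd-HH:mm:ss" ]
      locale => "cn"
    }
    # Geolocate the client address from the access line.
    geoip {
      source => "clientip"
    }
  }

  # Events from the syslog input: the message body is JSON.
  if [fields][class] == "json" {
    json {
      source => "message"
    }
    # Classify the firewall by the address the syslog input saw.
    # NOTE(review): syslog over UDP carries no authentication, so this only
    # decides which index the event lands in; it does not prove the event
    # really came from the firewall.
    if [host] == "192.168.68.100" {
      mutate {
        add_field => { "fields_type" => "firewall" }
      }
    }
  }

  # Anything still untyped goes to the error-221 index. This also keeps
  # %{fields_type} in the output from expanding to an empty index name.
  if ! [fields_type] {
    mutate {
      add_field => { "fields_type" => "error-221" }
    }
  }
}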
output {
  elasticsearch {
    action => "index"
    # Cluster nodes. NOTE(review): plain http and no credentials — acceptable
    # only on an isolated network. Otherwise use https and set user/password,
    # preferably from the Logstash keystore or an environment variable rather
    # than a literal in this file.
    hosts => ["http://node-01:9200","http://node-02:9200","http://node-03:9200"]
    # user => "admin"
    # password => "123456"
    # One index per fields_type and month. fields_type comes from event data
    # (for beats, from the shipper's own `fields` setting), so a shipper
    # effectively chooses the index it writes to; Elasticsearch also rejects
    # index names containing uppercase letters or certain characters, so the
    # value should be constrained on the sending side.
    index => "%{fields_type}-%{+YYYY-MM}"
  }
}
2、官方文檔:
beats:https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html
syslog:https://www.elastic.co/guide/en/logstash/current/plugins-inputs-syslog.html
3 對人工智能感興趣點下面鏈接
現在人工智能非常火爆,很多朋友都想學,但是一般的教程都是爲博碩生準備的,太難看懂了。最近發現了一個非常適合小白入門的教程,不僅通俗易懂而且還很風趣幽默。所以忍不住分享一下給大家。點這裏可以跳轉到教程。