您好,登錄后才能下訂單哦!
Shipper->Broker->Indexer->ES 1.input input { stdin {} } output { stdout { codec=> rubydebug } } file { codec => multiline { pattern => "^\s" what => "previous" } path => ["xx","xx"] exclude => "1.log" add_field => [ "log_ip", "xx" ] tags => "tag1" #設置新事件的標志 delimiter => "\n" #設置多長時間掃描目錄,發現新文件 discover_interval => 15 #設置多長時間檢測文件是否修改 stat_interval => 1 #監聽文件的起始位置,默認是end start_position => beginning #監聽文件讀取信息記錄的位置 sincedb_path => "E:/software/logstash-1.5.4/logstash-1.5.4/test.txt" #設置多長時間會寫入讀取的位置信息 sincedb_write_interval => 15 } 2.filter filter { multiline { # 指定合并規則——所有不是以數字開頭的行需要被合并 pattern => "^[^\d]" # 合并到哪里——上一行 what => "previous" } filter { multiline { type => "type" #類型,不多說 pattern => "pattern, a regexp" #參數,也可以認為是字符,有點像grep ,如果符合什么字符就交給下面的 what 去處理 negate => boolean what => "previous" or "next" #這個是符合上面 pattern 的要求后具體怎么處理,處理方法有兩種,合并到上面一條日志或者下面的日志 } } filter { grep { match => [ "@message", "PHP Fatal error" ] drop => false add_tag => [fatal_error] } grep { tags => [fatal_error] match => [ "@message", ".*(xbox\.com|xbox\.mib\.com\.cn|supports\.game\.mib\.com\.cn)" ] drop => false add_tag => [xboxerror] } } #過濾掉內容包含5.3.3與down以外日志 filter { if [message] !~ "5.3.3|down" { ruby { code => "event.cancel" } } } #使用自帶的過濾規則顯示更多的字段 filter { grok { match => {"message" => "%{COMBINEDAPACHELOG}"} } } #合并不是以[開頭的日志 filter { multiline { pattern => "^[^[]" negate => true what => "previous" } } filter { if [path] =~ "error" { mutate { replace => { "type" => "apache_error" } } grok { match => { "message" => "%{COMBINEDAPACHELOG}" } } } date { match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ] } } filter { if [path] =~ "access" { mutate { replace => { type => "apache_access" } } grok { match => { "message" => "%{COMBINEDAPACHELOG}" } } date { match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ] } } else if [path] =~ "error" { mutate { replace => { type => "apache_error" } } } else { mutate { replace => { type => "random_logs" } } } } 3.output 發郵件 output { email { match => [ "@message", "aaaaa" ] to => "storyskya@gmail.com" from => "monitor@mib.com.cn" options => [ "smtpIporHost", "smtp.mibnet.com", "port", "25", "userName", "monitor@mib.com.cn", "starttls", "true", "password", "opmonitor", "authenticationType", "login" ] subject => "123" body => '123' via => smtp } } output { if [type] == "syslog" { elasticsearch { hosts => "172.16.0.102:9200" index => "syslog-%{+YYYY.MM.dd}" } } if [type] == "nginx" { elasticsearch { hosts => "172.16.0.102:9200" index => "nglog-%{+YYYY.MM.dd}" } } #匹配內容包含paramiko與simplejson的日志通郵件發送 if [message] =~ /paramiko|simplejson/ { email { to => "12222222@wo.cn" from => "good_zabbix@163.com" contenttype => "text/plain; charset=UTF-8" address => "smtp.163.com" username => "test@163.com" password => "12344" subject => "服務器%{host}日志異常" body => "%{@timestamp} %{type}: %{message}" } } } output { stdout { codec => rubydebug } redis { host => '192.168.1.104' data_type => 'list' key => 'logstash:redis' } } output { elasticsearch { host => localhost } stdout { codec => rubydebug } } 替換 mutate { type => "phplog" gsub => [ "@message","'", "\"" ] } 調試 # /usr/local/logstash-1.5.2/bin/logstash -e 'input { stdin { } } output { stdout {} }' curl ' logstash -e 'input{stdin{}}output{stdout{codec=>rubydebug}}'
# logstash agent -f logstash-simple.conf --verbose //開啟debug模式
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。