使用货运单收集来自不同服务器或数据源的日志.托运人是服务器中安装的Logstash实例,它访问服务器日志并发送到特定的输出位置.
它主要将输出发送到Elasticsearch进行存储. Logstash从以下来源获取输入 :
STDIN
Syslog
文件
TCP/UDP
Microsoft Windows事件日志
Websocket
Zeromq
自定义扩展
使用Apache Tomcat 7服务器收集日志
在这个例子中,我们使用文件输入插件收集安装在Windows中的Apache Tomcat 7 Server的日志,然后将它们发送到另一个日志.
logstash .conf
这里,Logstash配置为访问本地安装的Apache Tomcat 7的访问日志.正则表达式模式用于文件插件的路径设置,以从日志文件中获取数据.它在其名称中包含"access",并添加了apache类型,这有助于在集中目标源中区分apache事件与其他事件.最后,输出事件将显示在output.log中.
input { file { path => "C:/Program Files/Apache Software Foundation/Tomcat 7.0/logs/*access*" type => "apache" }} output { file { path => "C:/tpwork/logstash/bin/log/output.log" }}运行Logstash
我们可以使用以下命令运行Logstash.
C:\logstash\bin> logstash –f Logstash.conf
Apache Tomcat Log
访问Apache Tomcat服务器及其Web应用程序( http://localhost:8080 )生成日志.日志中的更新数据由Logstash实时读取并存储在output.log中,如配置文件中所指定.
Apache Tomcat根据日期生成新的访问日志文件并记录日志在那里访问事件.在我们的例子中,它是Apache Tomcat的 logs 目录中的localhost_access_log.2016-12-24.txt.
0:0:0:0:0:0:0:1 - - [ 25/Dec/2016:18:37:00 +0800]"GET/HTTP/1.1"200 11418 0:0:0:0:0:0:0:1 - munish [ 25/Dec/2016:18:37:02 +0800]"GET/manager/html HTTP/1.1"200 17472 0:0:0:0:0:0:0:1 - - [ 25/Dec/2016:18:37:08 +0800]"GET/docs/HTTP/1.1"200 19373 0:0:0:0:0:0:0:1 - - [ 25/Dec/2016:18:37:10 +0800]"GET/docs/introduction.html HTTP/1.1 "200 15399
output.log
您可以在输出事件中看到,添加了一个类型字段,事件出现在消息字段中.
{ "path":"C:/Program Files/Apache Software Foundation/Tomcat 7.0/logs/ localhost_access_log.2016-12-25.txt", "@timestamp":"2016-12-25T10:37:00.363Z","@version":"1","host":"Dell-PC", "message":"0:0:0:0:0:0:0:1 - - [25/Dec/2016:18:37:00 +0800] GET / HTTP/1.1 200 11418\r","type":"apache","tags":[]}{ "path":"C:/Program Files/Apache Software Foundation/Tomcat 7.0/logs/ localhost_access_log.2016-12-25.txt","@timestamp":"2016-12-25T10:37:10.407Z", "@version":"1","host":"Dell-PC", "message":"0:0:0:0:0:0:0:1 - munish [25/Dec/2016:18:37:02 +0800] GET / manager/html HTTP/1.1 200 17472\r","type":"apache","tags":[]}{ "path":"C:/Program Files/Apache Software Foundation/Tomcat 7.0/logs/ localhost_access_log.2016-12-25.txt","@timestamp":"2016-12-25T10:37:10.407Z", "@version":"1","host":"Dell-PC", "message":"0:0:0:0:0:0:0:1 - - [25/Dec/2016:18:37:08 +0800] GET /docs/ HTTP/1.1 200 19373\r","type":"apache","tags":[]}{ "path":"C:/Program Files/Apache Software Foundation/Tomcat 7.0/logs/ localhost_access_log.2016-12-25.txt","@timestamp":"2016-12-25T10:37:20.436Z", "@version":"1","host":"Dell-PC", "message":"0:0:0:0:0:0:0:1 - - [25/Dec/2016:18:37:10 +0800] GET /docs/ introduction.html HTTP/1.1 200 15399\r","type":"apache","tags":[]}使用STDIN插件收集日志
在本节中,我们将讨论使用 STDIN插件收集日志的另一个示例.
logstash.conf
这是一个非常简单的例子,其中Logstash正在读取用户在标准输入中输入的事件.在我们的例子中,它是命令提示符,它将事件存储在output.log文件中.
input { stdin{}}output { file { path => "C:/tpwork/logstash/bin/log/output.log" }}运行Logstash
我们可以使用以下命令运行Logstash.
C:\logstash\bin> logstash –f Logstash.conf
在命令提示符中写下以下文本 :
用户输入以下内容两行. Logstash通过分隔符设置分隔事件,默认情况下其值为'\ n'.用户可以通过更改文件插件中分隔符的值来进行更改.
Tutorialspoint.com welcomes youSimply easy learning
output.log
以下代码块显示输出日志数据.
{ "@timestamp":"2016-12-25T11:41:16.518Z","@version":"1","host":"Dell-PC", "message":"tutrialspoint.com welcomes you\r","tags":[]}{ "@timestamp":"2016-12-25T11:41:53.396Z","@version":"1","host":"Dell-PC", "message":"simply easy learning\r","tags":[]}