Logstash Introduction
Logstash is a free and open server-side data processing pipeline that ingests data from many sources, transforms it, and then ships it to your favorite "stash".
Logstash scales horizontally, and of all the ELK components it has the largest plugin ecosystem.
Logstash is written in Ruby and runs on JRuby inside the JVM (which is why the package ships its own JDK).
Logstash main functions:
Input: log collection; common plugins: Stdin, File, Kafka, Redis, Beats (receives from Filebeat), Http
Filter: log filtering and transformation; common plugins: grok, date, geoip, mutate, useragent
Output: emits the filtered and transformed events; common plugins: File, Stdout, Elasticsearch, MySQL, Redis, Kafka
Logstash website: https://www.elastic.co/cn/logstash/
Logstash official downloads:
https://www.elastic.co/cn/downloads/logstash
https://www.elastic.co/cn/downloads/past-releases#logstash
Logstash official documentation:
https://www.elastic.co/guide/en/logstash/7.6/index.html
Logstash Installation
Ubuntu environment preparation
apt -y install openjdk-11-jdk
apt -y install openjdk-8-jdk
(Either JDK is enough. A Logstash 7.x package ships its own JDK, as the "Using bundled JDK" line in the install output below shows, so a system JDK is only needed if you point Logstash at it explicitly.)
CentOS environment preparation
Disable the firewall and SELinux. This is a lab shortcut: on a production node keep both enabled and open only the ports you actually need (the Logstash API listens on 127.0.0.1:9600 by default, and only the ports of the inputs you configure must be reachable). The sed edit below takes effect at the next boot.
systemctl disable --now firewalld
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
Note: the Logstash version must match the Elasticsearch version, otherwise errors may occur
Mirror download link: https://mirrors.tuna.tsinghua.edu.cn/elasticstack/7.x (verify the package's checksum or signature before installing it, as with any package pulled from a third-party mirror)
[root@ubuntu2004 ~]#apt -y install openjdk-11-jdk
[root@ubuntu2004 ~]#wget https://mirrors.tuna.tsinghua.edu.cn/elasticstack/7.x/apt/pool/main/l/logstash/logstash-7.15.0-amd64.deb
--2022-12-15 17:39:58-- https://mirrors.tuna.tsinghua.edu.cn/elasticstack/7.x/apt/pool/main/l/logstash/logstash-7.15.0-amd64.deb
Resolving mirrors.tuna.tsinghua.edu.cn (mirrors.tuna.tsinghua.edu.cn)... 101.6.15.130, 2402:f000:1:400::2
Connecting to mirrors.tuna.tsinghua.edu.cn (mirrors.tuna.tsinghua.edu.cn)|101.6.15.130|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 370322504 (353M) [application/octet-stream]
Saving to: 'logstash-7.15.0-amd64.deb'
logstash-7.15.0-amd64.deb 100%[===================================================================>] 353.17M 800KB/s in 7m 7s
2022-12-15 17:47:06 (846 KB/s) - 'logstash-7.15.0-amd64.deb' saved [370322504/370322504]
[root@ubuntu2004 ~]#dpkg -i logstash-7.15.0-amd64.deb
Selecting previously unselected package logstash.
(Reading database ... 161712 files and directories currently installed.)
Preparing to unpack logstash-7.15.0-amd64.deb ...
Unpacking logstash (1:7.15.0-1) ...
Setting up logstash (1:7.15.0-1) ...
Using bundled JDK: /usr/share/logstash/jdk
Using provided startup.options file: /etc/logstash/startup.options
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/pleaserun-0.0.32/lib/pleaserun/platform/base.rb:112: warning: constant ::Fixnum is deprecated
Successfully created system startup script for Logstash
Modify the Logstash configuration
[root@ubuntu2004 ~]#egrep -v "^#|^$" /etc/logstash/logstash.yml
path.data: /var/lib/logstash
path.logs: /var/log/logstash
node.name: logstash-node01
pipeline.workers: 2
pipeline.batch.size: 1000 #number of events per batch handed to the outputs (default 125); tune according to Elasticsearch's capacity
pipeline.batch.delay: 5 #milliseconds to wait for a batch to fill before flushing it (default 50); tune according to Elasticsearch's capacity
#Memory tuning
[root@ubuntu2004 ~]#egrep -v "^#|^$" /etc/logstash/jvm.options
-Xms1g
-Xmx1g
8-13:-XX:+UseConcMarkSweepGC
8-13:-XX:CMSInitiatingOccupancyFraction=75
8-13:-XX:+UseCMSInitiatingOccupancyOnly
-Djava.awt.headless=true
-Dfile.encoding=UTF-8
-Djruby.compile.invokedynamic=true
-Djruby.jit.threshold=0
-Djruby.regexp.interruptible=true
-XX:+HeapDumpOnOutOfMemoryError
-Djava.security.egd=file:/dev/urandom
-Dlog4j2.isThreadContextMapInheritable=true
#Logstash runs as the logstash user by default. When it has to collect this host's own logs it may lack read permission (on Ubuntu, for example, /var/log/syslog is readable only by its owner and the adm group). The quick fix below runs the service as root, but that hands every input, filter (including ruby filters) and output root privileges; the narrower fix is to keep the default user and add logstash to the adm group, or grant it a read ACL on the specific log files.
vim /etc/systemd/system/logstash.service
[Service]
User=root
Group=root
systemctl daemon-reload;systemctl restart logstash
Using Logstash
Logstash command
Official documentation
https://www.elastic.co/guide/en/logstash/current/first-event.html
#Plugins
https://www.elastic.co/guide/en/logstash/7.6/input-plugins.html
https://www.elastic.co/guide/en/logstash/7.6/filter-plugins.html
https://www.elastic.co/guide/en/logstash/7.6/output-plugins.html
Example: show the help
[root@ubuntu2004 ~]#/usr/share/logstash/bin/logstash --help
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Usage:
bin/logstash [OPTIONS]
Options:
-n, --node.name NAME Specify the name of this logstash instance, if no value is given
it will default to the current hostname.
(default: "ubuntu2004")
--enable-local-plugin-development Allow Gemfile to be manipulated directly
to facilitate simpler local plugin
development.
This is an advanced setting, intended
only for use by Logstash developers,
and should not be used in production.
(default: false)
-f, --path.config CONFIG_PATH Load the logstash config from a specific file
or directory. If a directory is given, all
files in that directory will be concatenated
in lexicographical order and then parsed as a
single config file. You can also specify
wildcards (globs) and any matched files will
be loaded in the order described above.
-e, --config.string CONFIG_STRING Use the given string as the configuration
data. Same syntax as the config file. If no
input is specified, then the following is
used as the default input:
"input { stdin { type => stdin } }"
and if no output is specified, then the
following is used as the default output:
"output { stdout { codec => rubydebug } }"
If you wish to use both defaults, please use
the empty string for the '-e' flag.
(default: nil)
--field-reference-parser MODE (DEPRECATED) This option is no longer
configurable.
Use the given MODE when parsing field
references.
The field reference parser is used to expand
field references in your pipeline configs,
and has become more strict to better handle
ambiguous- and illegal-syntax inputs.
The only available MODE is:
- STRICT
: parse in a strict manner; when
given ambiguous- or illegal-syntax input,
raises a runtime exception that should
be handled by the calling plugin.
(default: "STRICT")
--modules MODULES Load Logstash modules.
Modules can be defined using multiple instances
'--modules module1 --modules module2',
or comma-separated syntax
'--modules=module1,module2'
Cannot be used in conjunction with '-e' or '-f'
Use of '--modules' will override modules declared
in the 'logstash.yml' file.
-M, --modules.variable MODULES_VARIABLE Load variables for module template.
Multiple instances of '-M' or
'--modules.variable' are supported.
Ignored if '--modules' flag is not used.
Should be in the format of
'-M "MODULE_NAME.var.PLUGIN_TYPE.PLUGIN_NAME.VARIABLE_NAME=VALUE"'
as in
'-M "example.var.filter.mutate.fieldname=fieldvalue"'
--setup Load index template into Elasticsearch, and saved searches,
index-pattern, visualizations, and dashboards into Kibana when
running modules.
(default: false)
--cloud.id CLOUD_ID Sets the elasticsearch and kibana host settings for
module connections in Elastic Cloud.
Your Elastic Cloud User interface or the Cloud support
team should provide this.
Add an optional label prefix '<label>:' to help you
identify multiple cloud.ids.
e.g. 'staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRub3RhcmVhbCRpZGVudGlmaWVy'
--cloud.auth CLOUD_AUTH Sets the elasticsearch and kibana username and password
for module connections in Elastic Cloud
e.g. 'username:<password>'
--pipeline.id ID Sets the ID of the pipeline.
(default: "main")
-w, --pipeline.workers COUNT Sets the number of pipeline workers to run.
(default: 2)
--pipeline.ordered ORDERED Preserve events order. Possible values are auto (default), true and false. This setting will only work when also using a single worker for the pipeline. Note that when enabled, it may impact the performance of the filters and ouput processing. The auto option will automatically enable ordering if the pipeline.workers setting is set to 1. Use true to enable ordering on the pipeline and prevent logstash from starting if there are multiple workers. Use false to disable any extra processing necessary for preserving ordering.
(default: "auto")
--java-execution Use Java execution engine.
(default: true)
--plugin-classloaders (Beta) Load Java plugins in independent classloaders to isolate their dependencies.
(default: false)
-b, --pipeline.batch.size SIZE Size of batches the pipeline is to work in.
(default: 125)
-u, --pipeline.batch.delay DELAY_IN_MS When creating pipeline batches, how long to wait while polling
for the next event.
(default: 50)
--pipeline.unsafe_shutdown Force logstash to exit during shutdown even
if there are still inflight events in memory.
By default, logstash will refuse to quit until all
received events have been pushed to the outputs.
(default: false)
--pipeline.ecs_compatibility STRING Sets the pipeline's default value for ecs_compatibility, a setting that is available to plugins that implement an ECS Compatibility mode for use with the Elastic Common Schema.
Possible values are:
- disabled (default)
- v1
- v2
This option allows the early opt-in (or preemptive opt-out) of ECS Compatibility modes in plugins, which is scheduled to be on-by-default in a future major release of Logstash.
Values other than disabled are currently considered BETA, and may produce unintended consequences when upgrading Logstash.
(default: "disabled")
--path.data PATH This should point to a writable directory. Logstash
will use this directory whenever it needs to store
data. Plugins will also have access to this path.
(default: "/usr/share/logstash/data")
-p, --path.plugins PATH A path of where to find plugins. This flag
can be given multiple times to include
multiple paths. Plugins are expected to be
in a specific directory hierarchy:
'PATH/logstash/TYPE/NAME.rb' where TYPE is
'inputs' 'filters', 'outputs' or 'codecs'
and NAME is the name of the plugin.
(default: [])
-l, --path.logs PATH Write logstash internal logs to the given
file. Without this flag, logstash will emit
logs to standard output.
(default: "/usr/share/logstash/logs")
--log.level LEVEL Set the log level for logstash. Possible values are:
- fatal
- error
- warn
- info
- debug
- trace
(default: "info")
--config.debug Print the compiled config ruby code out as a debug log (you must also have --log.level=debug enabled).
WARNING: This will include any 'password' options passed to plugin configs as plaintext, and may result
in plaintext passwords appearing in your logs!
(default: false)
-i, --interactive SHELL Drop to shell instead of running as normal.
Valid shells are "irb" and "pry"
-V, --version Emit the version of logstash and its friends,
then exit.
-t, --config.test_and_exit Check configuration for valid syntax and then exit.
(default: false)
-r, --config.reload.automatic Monitor configuration changes and reload
whenever it is changed.
NOTE: use SIGHUP to manually reload the config
(default: false)
--config.reload.interval RELOAD_INTERVAL How frequently to poll the configuration location
for changes, in seconds.
(default: #<Java::OrgLogstashUtil::TimeValue:0x3382adc2>)
--http.enabled ENABLED Can be used to disable the Web API, which is
enabled by default.
(default: true)
--http.host HTTP_HOST Web API binding host (default: "127.0.0.1")
--http.port HTTP_PORT Web API http port (default: 9600..9700)
--log.format FORMAT Specify if Logstash should write its own logs in JSON form (one
event per line) or in plain text (using Ruby's Object#inspect)
(default: "plain")
--path.settings SETTINGS_DIR Directory containing logstash.yml file. This can also be
set through the LS_SETTINGS_DIR environment variable.
(default: "/usr/share/logstash/config")
--verbose Set the log level to info.
DEPRECATED: use --log.level=info instead.
--debug Set the log level to debug.
DEPRECATED: use --log.level=debug instead.
--quiet Set the log level to info.
DEPRECATED: use --log.level=info instead.
-h, --help print help
#Common options
-e specify the configuration inline as a string
-f specify the configuration file (or a directory of files)
-t syntax check only, then exit (config.test_and_exit)
-r watch the configuration file and reload it automatically when it changes
Caution: --config.debug (together with --log.level=debug) writes the compiled configuration, including any plugin password options in plaintext, into the logs; use it for one-off troubleshooting only, never on a running production node.
#Starting as a service: there is no pipeline configuration in /etc/logstash/conf.d by default, so the service cannot start
[root@logstash ~]#systemctl start logstash
Help for each plugin
https://www.elastic.co/guide/en/logstash/current/index.html
Example: list all plugins
[root@ubuntu2004 ~]#/usr/share/logstash/bin/logstash-plugin list
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
logstash-codec-avro
logstash-codec-cef
logstash-codec-collectd
logstash-codec-dots
logstash-codec-edn
logstash-codec-edn_lines
logstash-codec-es_bulk
logstash-codec-fluent
logstash-codec-graphite
logstash-codec-json
logstash-codec-json_lines
logstash-codec-line
logstash-codec-msgpack
logstash-codec-multiline
logstash-codec-netflow
logstash-codec-plain
logstash-codec-rubydebug
logstash-filter-aggregate
logstash-filter-anonymize
logstash-filter-cidr
logstash-filter-clone
logstash-filter-csv
logstash-filter-date
logstash-filter-de_dot
logstash-filter-dissect
logstash-filter-dns
logstash-filter-drop
logstash-filter-elasticsearch
logstash-filter-fingerprint
logstash-filter-geoip
logstash-filter-grok
logstash-filter-http
logstash-filter-json
logstash-filter-kv
logstash-filter-memcached
logstash-filter-metrics
logstash-filter-mutate
logstash-filter-prune
logstash-filter-ruby
logstash-filter-sleep
logstash-filter-split
logstash-filter-syslog_pri
logstash-filter-throttle
logstash-filter-translate
logstash-filter-truncate
logstash-filter-urldecode
logstash-filter-useragent
logstash-filter-uuid
logstash-filter-xml
logstash-input-azure_event_hubs
logstash-input-beats
└── logstash-input-elastic_agent (alias)
logstash-input-couchdb_changes
logstash-input-dead_letter_queue
logstash-input-elasticsearch
logstash-input-exec
logstash-input-file
logstash-input-ganglia
logstash-input-gelf
logstash-input-generator
logstash-input-graphite
logstash-input-heartbeat
logstash-input-http
logstash-input-http_poller
logstash-input-imap
logstash-input-jms
logstash-input-pipe
logstash-input-redis
logstash-input-s3
logstash-input-snmp
logstash-input-snmptrap
logstash-input-sqs
logstash-input-stdin
logstash-input-syslog
logstash-input-tcp
logstash-input-twitter
logstash-input-udp
logstash-input-unix
logstash-integration-elastic_enterprise_search
├── logstash-output-elastic_app_search
└── logstash-output-elastic_workplace_search
logstash-integration-jdbc
├── logstash-input-jdbc
├── logstash-filter-jdbc_streaming
└── logstash-filter-jdbc_static
logstash-integration-kafka
├── logstash-input-kafka
└── logstash-output-kafka
logstash-integration-rabbitmq
├── logstash-input-rabbitmq
└── logstash-output-rabbitmq
logstash-output-cloudwatch
logstash-output-csv
logstash-output-elasticsearch
logstash-output-email
logstash-output-file
logstash-output-graphite
logstash-output-http
logstash-output-lumberjack
logstash-output-nagios
logstash-output-null
logstash-output-pipe
logstash-output-redis
logstash-output-s3
logstash-output-sns
logstash-output-sqs
logstash-output-stdout
logstash-output-tcp
logstash-output-udp
logstash-output-webhdfs
logstash-patterns-core
GitHub Logstash plugins
https://github.com/logstash-plugins
Logstash Input plugins
Official link
https://www.elastic.co/guide/en/logstash/7.6/input-plugins.html
Standard input
Example: interactive
#Standard input to standard output; codec => rubydebug selects the output format and is the default, so it can be omitted
/usr/share/logstash/bin/logstash -e 'input { stdin{} } output { stdout{ codec => rubydebug }}'
[root@ubuntu2004 ~]#/usr/share/logstash/bin/logstash -e 'input { stdin{} } output { stdout{ codec => rubydebug }}'
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2022-12-15 18:09:07.112 [main] runner - Starting Logstash {"logstash.version"=>"7.15.0", "jruby.version"=>"jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11.0.11+9 on 11.0.11+9 +indy +jit [linux-x86_64]"}
[INFO ] 2022-12-15 18:09:07.191 [main] writabledirectory - Creating directory {:setting=>"path.queue", :path=>"/usr/share/logstash/data/queue"}
[INFO ] 2022-12-15 18:09:07.224 [main] writabledirectory - Creating directory {:setting=>"path.dead_letter_queue", :path=>"/usr/share/logstash/data/dead_letter_queue"}
[WARN ] 2022-12-15 18:09:08.071 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2022-12-15 18:09:08.149 [LogStash::Runner] agent - No persistent UUID file found. Generating new UUID {:uuid=>"5cc3720e-856d-452a-aebe-2d10613cc42f", :path=>"/usr/share/logstash/data/uuid"}
[INFO ] 2022-12-15 18:09:11.181 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2022-12-15 18:09:12.105 [Converge PipelineAction::Create<main>] Reflections - Reflections took 148 ms to scan 1 urls, producing 120 keys and 417 values
[WARN ] 2022-12-15 18:09:13.281 [Converge PipelineAction::Create<main>] line - Relying on default value of pipeline.ecs_compatibility, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-15 18:09:13.364 [Converge PipelineAction::Create<main>] stdin - Relying on default value of pipeline.ecs_compatibility, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-15 18:09:14.088 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["config string"], :thread=>"#<Thread:0x58a64c22 run>"}
[INFO ] 2022-12-15 18:09:15.696 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>1.6}
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.jrubystdinchannel.StdinChannelLibrary$Reader (file:/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/jruby-stdin-channel-0.2.0-java/lib/jruby_stdin_channel/jruby_stdin_channel.jar) to field java.io.FilterInputStream.in
WARNING: Please consider reporting this to the maintainers of com.jrubystdinchannel.StdinChannelLibrary$Reader
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[INFO ] 2022-12-15 18:09:15.851 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
The stdin plugin is now waiting for input:
[INFO ] 2022-12-15 18:09:15.951 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
hello world #string typed on standard input
{
"message" => "hello world", #the content of the message
"@version" => "1", #event schema version; each event is one Ruby object
"@timestamp" => 2022-12-15T10:09:34.667Z, #time the event occurred (UTC)
"host" => "ubuntu2004" #which host the event came from
}
#You can keep typing more lines; press Ctrl+C to exit
#Specify that the input is in JSON format
logstash -e 'input { stdin{ codec => json } } output { stdout{ codec => rubydebug }}'
[root@ubuntu2004 ~]#/usr/share/logstash/bin/logstash -e 'input { stdin{ codec => json } } output { stdout{ codec => rubydebug }}'
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2022-12-15 18:12:30.672 [main] runner - Starting Logstash {"logstash.version"=>"7.15.0", "jruby.version"=>"jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11.0.11+9 on 11.0.11+9 +indy +jit [linux-x86_64]"}
[WARN ] 2022-12-15 18:12:31.733 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2022-12-15 18:12:34.819 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2022-12-15 18:12:35.627 [Converge PipelineAction::Create<main>] Reflections - Reflections took 174 ms to scan 1 urls, producing 120 keys and 417 values
[WARN ] 2022-12-15 18:12:37.031 [Converge PipelineAction::Create<main>] json - Relying on default value of pipeline.ecs_compatibility, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-15 18:12:37.142 [Converge PipelineAction::Create<main>] stdin - Relying on default value of pipeline.ecs_compatibility, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-15 18:12:37.841 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["config string"], :thread=>"#<Thread:0x77ac69f4 run>"}
[INFO ] 2022-12-15 18:12:39.448 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>1.6}
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.jrubystdinchannel.StdinChannelLibrary$Reader (file:/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/jruby-stdin-channel-0.2.0-java/lib/jruby_stdin_channel/jruby_stdin_channel.jar) to field java.io.FilterInputStream.in
WARNING: Please consider reporting this to the maintainers of com.jrubystdinchannel.StdinChannelLibrary$Reader
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[INFO ] 2022-12-15 18:12:39.573 [[main]-pipeline-manager] stdin - Automatically switching from json to json_lines codec {:plugin=>"stdin"}
[WARN ] 2022-12-15 18:12:39.628 [[main]-pipeline-manager] jsonlines - Relying on default value of pipeline.ecs_compatibility, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-15 18:12:39.639 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
The stdin plugin is now waiting for input:
[INFO ] 2022-12-15 18:12:39.769 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
{ "name":"shuhong","age": "18"}
{
"@timestamp" => 2022-12-15T10:57:02.692Z,
"age" => "18",
"@version" => "1",
"host" => "ubuntu2004",
"name" => "shuhong"
}
Example: using a configuration file
[root@ubuntu2004 ~]#vim /etc/logstash/conf.d/stdin_to_stdout.conf
input {
stdin {
type => "stdin_type" #custom event type, usable in later conditionals
tags => "stdin_tag" #custom event tag, usable in later conditionals
codec => "json" #declare the input as JSON
}
}
output {
stdout {
codec => "rubydebug" #output format; this is the default and can be omitted
}
}
#Syntax check
[root@ubuntu2004 ~]#/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/stdin_to_stdout.conf -t
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2022-12-15 19:02:01.095 [main] runner - Starting Logstash {"logstash.version"=>"7.15.0", "jruby.version"=>"jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11.0.11+9 on 11.0.11+9 +indy +jit [linux-x86_64]"}
[WARN ] 2022-12-15 19:02:02.184 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2022-12-15 19:02:03.621 [LogStash::Runner] Reflections - Reflections took 238 ms to scan 1 urls, producing 120 keys and 417 values
[WARN ] 2022-12-15 19:02:04.838 [LogStash::Runner] json - Relying on default value of pipeline.ecs_compatibility, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-15 19:02:04.945 [LogStash::Runner] stdin - Relying on default value of pipeline.ecs_compatibility, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
Configuration OK
[INFO ] 2022-12-15 19:02:05.273 [LogStash::Runner] runner - Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash
#Run
[root@ubuntu2004 ~]#/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/stdin_to_stdout.conf
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2022-12-15 19:03:27.954 [main] runner - Starting Logstash {"logstash.version"=>"7.15.0", "jruby.version"=>"jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11.0.11+9 on 11.0.11+9 +indy +jit [linux-x86_64]"}
[WARN ] 2022-12-15 19:03:28.985 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2022-12-15 19:03:32.162 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2022-12-15 19:03:33.350 [Converge PipelineAction::Create<main>] Reflections - Reflections took 223 ms to scan 1 urls, producing 120 keys and 417 values
[WARN ] 2022-12-15 19:03:34.668 [Converge PipelineAction::Create<main>] json - Relying on default value of pipeline.ecs_compatibility, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-15 19:03:34.764 [Converge PipelineAction::Create<main>] stdin - Relying on default value of pipeline.ecs_compatibility, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-15 19:03:35.821 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["/etc/logstash/conf.d/stdin_to_stdout.conf"], :thread=>"#<Thread:0x58d74f74 run>"}
[INFO ] 2022-12-15 19:03:37.386 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>1.55}
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.jrubystdinchannel.StdinChannelLibrary$Reader (file:/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/jruby-stdin-channel-0.2.0-java/lib/jruby_stdin_channel/jruby_stdin_channel.jar) to field java.io.FilterInputStream.in
WARNING: Please consider reporting this to the maintainers of com.jrubystdinchannel.StdinChannelLibrary$Reader
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[INFO ] 2022-12-15 19:03:37.489 [[main]-pipeline-manager] stdin - Automatically switching from json to json_lines codec {:plugin=>"stdin"}
[WARN ] 2022-12-15 19:03:37.558 [[main]-pipeline-manager] jsonlines - Relying on default value of pipeline.ecs_compatibility, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-15 19:03:37.577 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
The stdin plugin is now waiting for input:
[INFO ] 2022-12-15 19:03:37.760 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
hello,shuhong
[WARN ] 2022-12-15 19:03:43.213 [[main]<stdin] jsonlines - JSON parse error, original data now in message field {:message=>"Unrecognized token 'hello': was expecting ('true', 'false' or 'null')\n at [Source: (String)\"hello,shuhong\"; line: 1, column: 6]", :exception=>LogStash::Json::ParserError, :data=>"hello,shuhong"}
{
"@timestamp" => 2022-12-15T11:03:43.248Z,
"message" => "hello,shuhong",
"type" => "stdin_type",
"tags" => [
[0] "_jsonparsefailure",
[1] "stdin_tag"
],
"@version" => "1",
"host" => "ubuntu2004"
}
{ "name":"shuhong","age": "18"}
{
"age" => "18",
"@timestamp" => 2022-12-15T11:04:07.878Z,
"type" => "stdin_type",
"@version" => "1",
"tags" => [
[0] "stdin_tag"
],
"host" => "ubuntu2004",
"name" => "shuhong"
}
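The two runs above show the json codec's two paths side by side: a line that is not JSON is kept verbatim in message and tagged _jsonparsefailure, while a valid object becomes the event's top-level fields. What they do not show is that the decoded object, not the pipeline, then decides fields such as type, tags and host. The following Python emulation is an added example (not Logstash's code and not from this page's author). It models the json_lines decoding and the input's decoration as read from the plugin sources, stated here as assumptions: the input's type is applied only when the event has no type, the input's tags are appended after any tags the event already carries, host is set only when absent, and the codec's target option (assumed available in the json/json_lines codecs) nests the decoded object under a field instead of spreading it over the top level. The route function stands in for a conditional such as `if [type] == "syslog"`.

```python
import json
from typing import Any, Dict, List, Optional

# Added example: emulation of a Logstash input using codec => json (json_lines),
# not the plugin's own code. Rules modelled (assumed from the plugin sources):
#  - invalid JSON  -> {"message": <raw line>, "tags": ["_jsonparsefailure"]}
#  - input `type`  -> set only if the decoded event has no "type"
#  - input `tags`  -> appended after any tags already in the event
#  - "host"        -> set only if the decoded event has no "host"
#  - codec target  -> decoded object nested under that field, not at top level


def decode_json_line(line: str,
                     input_type: Optional[str] = None,
                     input_tags: Optional[List[str]] = None,
                     host: str = "ubuntu2004",
                     target: Optional[str] = None) -> Dict[str, Any]:
    """Turn one input line into the event dict Logstash would build."""
    try:
        parsed = json.loads(line)
        if not isinstance(parsed, dict):
            # Simplification: a JSON array or scalar is treated like a parse failure.
            raise ValueError("top-level JSON value is not an object")
        event: Dict[str, Any] = {target: parsed} if target else dict(parsed)
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        event = {"message": line, "tags": ["_jsonparsefailure"]}

    if input_type is not None and "type" not in event:
        event["type"] = input_type
    if input_tags:
        existing = event.get("tags", [])
        if not isinstance(existing, list):
            existing = [existing]          # a scalar tags value becomes a one-element list
        event["tags"] = existing + list(input_tags)
    if "host" not in event:
        event["host"] = host
    event.setdefault("@version", "1")
    return event


def route(event: Dict[str, Any]) -> str:
    """Stand-in for a pipeline conditional such as `if [type] == "syslog"`."""
    return "syslog-index" if event.get("type") == "syslog" else "app-index"


def demo() -> Dict[str, Dict[str, Any]]:
    # Constructed sample lines: the two typed on the page plus a crafted one
    # that carries its own type/host/tags to hijack downstream routing.
    lines = {
        "plain": "hello,shuhong",
        "json": '{ "name":"shuhong","age": "18"}',
        "spoof": '{"type":"syslog","host":"db01","tags":["trusted"],"name":"x"}',
    }
    out: Dict[str, Dict[str, Any]] = {}
    for name, line in lines.items():
        out[name] = decode_json_line(line, "stdin_type", ["stdin_tag"])
    # Hardened variant: nest the untrusted object under "payload" so the
    # pipeline's own type/tags/host stay authoritative.
    out["spoof_with_target"] = decode_json_line(
        lines["spoof"], "stdin_type", ["stdin_tag"], target="payload")
    return out


if __name__ == "__main__":
    for name, ev in demo().items():
        print(f"{name:18s} route={route(ev):13s} {json.dumps(ev, sort_keys=True)}")
```

Running the block prints the "spoof" line landing in the syslog route with host "db01", even though it arrived through the stdin_type input; with a target the same line stays in the app route and the attacker-controlled fields are only visible under payload. The same applies to any input that decodes sender-supplied JSON (tcp, http, beats), so when type or tags drive routing or retention, either nest the payload or overwrite those fields in a filter before the conditional.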
Input from files
Logstash records how far it has read each file and, on the next run, continues from that offset
The offset for each file is kept in a sincedb file under path.data; for the deb package that is /var/lib/logstash/plugins/inputs/file/.sincedb_<hash> (one file per file input, named after a hash of its path setting)
Each sincedb line records the file's inode and device major/minor numbers, the byte offset read so far (not the file size), a last-activity timestamp and the path; files are tracked by inode, so log rotation and inode reuse are the usual source of missed or duplicated reads
Example:
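To see what is actually in a sincedb file and whether it still agrees with the files on disk, here is an added Python example (not part of this page and not Logstash's own code). It assumes the line layout written by logstash-input-file 4.x, `inode major minor position [expires_at [path]]`, where position is the byte offset already read, and compares each record with whatever currently sits at that path. The audit states are this example's own labels: rotated (a different inode now sits at the path), truncated (the file is shorter than the recorded offset, which is what a wiped log looks like during incident response), backlog (unread bytes remain) and in-sync. The demo builds its sample files in a scratch directory, so it runs offline.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Added example: parse and audit a Logstash file-input sincedb. Line layout
# assumed from logstash-input-file 4.x:  inode major minor position [expires_at [path]]


@dataclass
class SincedbRecord:
    inode: int
    major: int
    minor: int
    position: int                 # bytes already read, not the file size
    expires_at: Optional[float]   # epoch seconds; absent in legacy 4-field lines
    path: Optional[str]           # absent in legacy lines


def parse_sincedb(text: str) -> List[SincedbRecord]:
    records: List[SincedbRecord] = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 4:
            continue                       # blank or malformed line
        inode, major, minor, position = (int(p) for p in parts[:4])
        expires_at = float(parts[4]) if len(parts) > 4 else None
        path = parts[5] if len(parts) > 5 else None
        records.append(SincedbRecord(inode, major, minor, position, expires_at, path))
    return records


def audit(record: SincedbRecord,
          stat: Callable[[str], os.stat_result] = os.stat) -> str:
    """Compare one record with whatever is at record.path right now."""
    if record.path is None:
        return "no-path"
    try:
        st = stat(record.path)
    except FileNotFoundError:
        return "missing"
    if st.st_ino != record.inode:
        return "rotated"       # Logstash tracks the old inode; this is a new file
    if record.position > st.st_size:
        return "truncated"     # file shrank below the offset already shipped
    if record.position < st.st_size:
        return "backlog"       # bytes written since the last read
    return "in-sync"


def demo() -> Dict[str, str]:
    """Create four scratch files plus a constructed sincedb that refers to them."""
    with tempfile.TemporaryDirectory() as d:
        def make(name: str, size: int) -> str:
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(b"x" * size)
            return p

        in_sync = make("shu.log", 6)
        backlog = make("app.log", 20)
        truncated = make("auth.log", 5)
        rotated = make("syslog", 10)
        gone = os.path.join(d, "gone.log")   # never created

        def line(path: str, inode: int, pos: int) -> str:
            return f"{inode} 0 64 {pos} 1671100000.5 {path}"

        sincedb = "\n".join([
            line(in_sync, os.stat(in_sync).st_ino, 6),
            line(backlog, os.stat(backlog).st_ino, 10),
            line(truncated, os.stat(truncated).st_ino, 500),
            line(rotated, os.stat(rotated).st_ino + 1, 3),    # stale inode
            line(gone, 4242, 0),
            "7 0 0 0",                                         # legacy 4-field line
        ])
        return {os.path.basename(r.path) if r.path else "<legacy>": audit(r)
                for r in parse_sincedb(sincedb)}


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:10s} {state}")
```

Point parse_sincedb at a real .sincedb_<hash> file from /var/lib/logstash/plugins/inputs/file/ to check a host after an incident: a "truncated" record tells you how many bytes had already been shipped before the log was cleared, and a "rotated" record explains why Logstash appears to have stopped reading a path.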
[root@ubuntu2004 ~]#vim /etc/logstash/conf.d/file_to_stdout.conf
input {
file {
path => "/tmp/shu.*"
type => "shulog" #add a custom type field, usable in conditionals
exclude => "*.txt" #files to skip, glob syntax (matched against the file name, not the full path)
start_position => "beginning" #read from the start of a file the first time it is seen, i.e. when it has no sincedb entry yet; values: beginning or end
stat_interval => "3" #how often to check the files for new data, default 1s
codec => json #needed if the file holds one JSON object per line. Lines that are not valid JSON are still emitted, with the raw line in message and a _jsonparsefailure tag, as in the stdin example above
}
file {
path => "/var/log/syslog"
type => "syslog"
start_position => "beginning"
stat_interval => "3"
}
}
output {
stdout {
codec => rubydebug
}
}
[root@ubuntu2004 ~]#echo line1 >> /tmp/shu.log
[root@ubuntu2004 ~]#/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/file_to_stdout.conf -t
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2022-12-15 19:08:39.513 [main] runner - Starting Logstash {"logstash.version"=>"7.15.0", "jruby.version"=>"jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11.0.11+9 on 11.0.11+9 +indy +jit [linux-x86_64]"}
[WARN ] 2022-12-15 19:08:40.369 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2022-12-15 19:08:41.805 [LogStash::Runner] Reflections - Reflections took 106 ms to scan 1 urls, producing 120 keys and 417 values
[WARN ] 2022-12-15 19:08:43.067 [LogStash::Runner] json - Relying on default value of pipeline.ecs_compatibility, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-15 19:08:43.212 [LogStash::Runner] file - Relying on default value of pipeline.ecs_compatibility, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-15 19:08:43.301 [LogStash::Runner] plain - Relying on default value of pipeline.ecs_compatibility, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-15 19:08:43.338 [LogStash::Runner] file - Relying on default value of pipeline.ecs_compatibility, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
Configuration OK
[INFO ] 2022-12-15 19:08:43.619 [LogStash::Runner] runner - Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash
[root@ubuntu2004 ~]#/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/file_to_stdout.conf
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2022-12-15 19:11:09.459 [main] runner - Starting Logstash {"logstash.version"=>"7.15.0", "jruby.version"=>"jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11.0.11+9 on 11.0.11+9 +indy +jit [linux-x86_64]"}
[WARN ] 2022-12-15 19:11:10.439 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2022-12-15 19:11:13.674 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2022-12-15 19:11:14.990 [Converge PipelineAction::Create<main>] Reflections - Reflections took 179 ms to scan 1 urls, producing 120 keys and 417 values
[WARN ] 2022-12-15 19:11:16.458 [Converge PipelineAction::Create<main>] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-15 19:11:16.635 [Converge PipelineAction::Create<main>] file - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-15 19:11:16.837 [Converge PipelineAction::Create<main>] plain - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-15 19:11:16.879 [Converge PipelineAction::Create<main>] file - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-15 19:11:17.440 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["/etc/logstash/conf.d/file_to_stdout.conf"], :thread=>"#<Thread:0x14e0381e run>"}
[INFO ] 2022-12-15 19:11:19.120 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>1.67}
[INFO ] 2022-12-15 19:11:19.251 [[main]-pipeline-manager] file - No sincedb_path set, generating one based on the "path" setting {:sincedb_path=>"/usr/share/logstash/data/plugins/inputs/file/.sincedb_812e2de7445d78534a4b575c69114d72", :path=>["/tmp/shu.*"]}
[INFO ] 2022-12-15 19:11:19.324 [[main]-pipeline-manager] file - No sincedb_path set, generating one based on the "path" setting {:sincedb_path=>"/usr/share/logstash/data/plugins/inputs/file/.sincedb_f5fdf6ea0ea92860c6a6b2b354bfcbbc", :path=>["/var/log/syslog"]}
[INFO ] 2022-12-15 19:11:19.349 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2022-12-15 19:11:19.536 [[main]<file] observingtail - START, creating Discoverer, Watch with file and sincedb collections
[INFO ] 2022-12-15 19:11:19.547 [[main]<file] observingtail - START, creating Discoverer, Watch with file and sincedb collections
[INFO ] 2022-12-15 19:11:19.632 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[ERROR] 2022-12-15 19:11:20.409 [[main]<file] json - JSON parse error, original data now in message field {:message=>"Unrecognized token 'line1': was expecting ('true', 'false' or 'null')\n at [Source: (String)\"line1\"; line: 1, column: 11]", :exception=>LogStash::Json::ParserError, :data=>"line1"}
{
"tags" => [
[0] "_jsonparsefailure"
],
"path" => "/tmp/shu.log",
"message" => "line1",
"@version" => "1",
"host" => "ubuntu2004",
"@timestamp" => 2022-12-15T11:11:20.419Z,
"type" => "shulog"
}
{
"path" => "/var/log/syslog",
"message" => "Dec 15 15:45:47 ubuntu2004 rsyslogd: [origin software=\"rsyslogd\" swVersion=\"8.2001.0\" x-pid=\"806\" x-info=\"https://www.rsyslog.com\"] rsyslogd was HUPed",
"@version" => "1",
"host" => "ubuntu2004",
"@timestamp" => 2022-12-15T11:11:20.505Z,
"type" => "syslog"
}
.....
Logstash uses a sincedb file to record where it got to in each file it collects (the inode and the byte offset already read), so that the next start resumes from that position instead of re-reading the file from the beginning:
cat /var/lib/logstash/plugins/inputs/file/.sincedb_1ced15cfacdbb0380466be84d620085a
134219868 0 2064 29465 # fields: inode, major device number, minor device number, byte offset read so far (newer plugin versions append a last-active timestamp and the path)
ll -li /elk/logs/ELK-Cluster.log
134219868 -rw-r--r-- 1 elasticsearch elasticsearch 29465 Apr 21 14:33 /elk/logs/ELK-Cluster.log
The inode matches and the offset equals the current file size, so this file has been read completely. Note that the sincedb location follows path.data: the runs above, started by hand without --path.settings, wrote under /usr/share/logstash/data, whereas the systemd service uses /var/lib/logstash (the path.data set in /etc/logstash/logstash.yml). Starting Logstash a different way therefore re-ingests every file from offset 0, as does deleting the sincedb; set sincedb_path explicitly in the file input if you need a stable location.
Reading data from HTTP requests
[root@ubuntu2004 ~]#vim /etc/logstash/conf.d/http_to_stdout.conf
input {
http {
port =>6666
codec => json
}
}
output {
stdout {
codec => rubydebug
}
}
[root@ES-Node2 ~]#curl http://10.0.0.207:6666
ok
[root@ES-Node2 ~]#curl -XPOST -d'test log message' http://10.0.0.207:6666
ok
[root@ubuntu2004 ~]#/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/http_to_stdout.conf -r
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2022-12-15 19:15:41.202 [main] runner - Starting Logstash {"logstash.version"=>"7.15.0", "jruby.version"=>"jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11.0.11+9 on 11.0.11+9 +indy +jit [linux-x86_64]"}
[WARN ] 2022-12-15 19:15:42.226 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2022-12-15 19:15:45.286 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2022-12-15 19:15:46.235 [Converge PipelineAction::Create<main>] Reflections - Reflections took 175 ms to scan 1 urls, producing 120 keys and 417 values
[WARN ] 2022-12-15 19:15:47.648 [Converge PipelineAction::Create<main>] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-15 19:15:47.802 [Converge PipelineAction::Create<main>] http - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-15 19:15:48.709 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["/etc/logstash/conf.d/http_to_stdout.conf"], :thread=>"#<Thread:0x4fc6d834 run>"}
[INFO ] 2022-12-15 19:15:50.362 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>1.65}
[WARN ] 2022-12-15 19:15:50.446 [[main]-pipeline-manager] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-15 19:15:50.698 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2022-12-15 19:15:50.766 [[main]<http] http - Starting http input listener {:address=>"0.0.0.0:6666", :ssl=>"false"}
[INFO ] 2022-12-15 19:15:51.022 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[WARN ] 2022-12-15 19:16:10.932 [http-input-processor[T#2]] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-15 19:16:10.954 [http-input-processor[T#2]] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-15 19:16:46.718 [http-input-processor[T#1]] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-15 19:16:46.725 [http-input-processor[T#1]] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[ERROR] 2022-12-15 19:16:46.835 [http-input-handler-executor[T#2]] json - JSON parse error, original data now in message field {:message=>"Unrecognized token 'test': was expecting 'null', 'true', 'false' or NaN\n at [Source: (String)\"test log message\"; line: 1, column: 5]", :exception=>LogStash::Json::ParserError, :data=>"test log message"}
{
"host" => "10.0.0.209",
"tags" => [
[0] "_jsonparsefailure"
],
"message" => "test log message",
"headers" => {
"content_type" => "application/x-www-form-urlencoded",
"request_path" => "/",
"http_version" => "HTTP/1.1",
"request_method" => "POST",
"http_accept" => "*/*",
"http_host" => "10.0.0.207:6666",
"http_user_agent" => "curl/7.68.0",
"content_length" => "16"
},
"@version" => "1",
"@timestamp" => 2022-12-15T11:16:46.868Z
}
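The listener above accepts unauthenticated plaintext requests on every interface (the log says :address=>"0.0.0.0:6666", :ssl=>"false"), so anyone who can reach port 6666 can inject events into the pipeline. The _jsonparsefailure tag appears because codec => json is applied to every request body regardless of Content-Type, and curl sent "test log message" as application/x-www-form-urlencoded. The pipeline below is an added example, not a config from the original course notes: it binds to a single address, requires HTTP basic authentication over TLS, caps the body size, pins the ECS mode that the warnings above ask for, and lets the plugin choose the codec from the Content-Type header so plain text and JSON are both handled without spurious parse failures. The bind address, certificate and key paths, user name and the HTTP_INGEST_PASSWORD variable are assumptions for illustration.

```conf
input {
  http {
    # bind to the interface the senders use instead of 0.0.0.0 (address is an assumption)
    host => "10.0.0.207"
    port => 6666
    # TLS: paths are assumptions; the key must be an unencrypted PKCS#8 PEM
    # (openssl pkcs8 -topk8 -nocrypt -in server.key -out logstash.pkcs8.key)
    ssl => true
    ssl_certificate => "/etc/logstash/certs/logstash.crt"
    ssl_key => "/etc/logstash/certs/logstash.pkcs8.key"
    # HTTP basic auth; without TLS these credentials would cross the network in clear text.
    # The password comes from the environment or the Logstash keystore, not from this file.
    user => "ingest"
    password => "${HTTP_INGEST_PASSWORD}"
    # reject bodies above 1 MiB (default is 100 MiB)
    max_content_length => 1048576
    # plain text goes to the message field; JSON is decoded only when the client declares it
    codec => plain
    additional_codecs => { "application/json" => "json" }
    # pin the field layout so the pipeline.ecs_compatibility warnings disappear
    ecs_compatibility => "disabled"
  }
}
output {
  stdout {
    codec => rubydebug
  }
}
```

Test it with curl -u ingest:"$HTTP_INGEST_PASSWORD" --cacert /etc/logstash/certs/ca.crt -d 'test log message' https://10.0.0.207:6666 (plain text now lands in message without a _jsonparsefailure tag), with -H 'Content-Type: application/json' -d '{"msg":"hi"}' for a decoded JSON event, and once without -u to confirm the listener answers 401 instead of accepting the event.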
Reading data from Filebeat
[root@ES-Node2 ~]#vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/nginx/access_json.log
json.keys_under_root: true # default false keeps the JSON text in message; true lifts the decoded keys to the top level of the event
json.overwrite_keys: true # true lets keys from the decoded JSON overwrite Filebeat's own fields (such as message) when names collide
tags: ["nginx-access"]
- type: log
enabled: true
paths:
- /var/log/nginx/error.log
tags: ["nginx-error"]
output.logstash:
[root@ubuntu2004 ~]#vim /etc/logstash/conf.d/filebeat_to_stdout.conf
input {
beats {
port => 5044
}
}
output {
stdout {
codec => rubydebug
}
}
[root@ubuntu2004 ~]#/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/filebeat_to_stdout.conf
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2022-12-15 19:20:52.319 [main] runner - Starting Logstash {"logstash.version"=>"7.15.0", "jruby.version"=>"jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11.0.11+9 on 11.0.11+9 +indy +jit [linux-x86_64]"}
[WARN ] 2022-12-15 19:20:53.337 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2022-12-15 19:20:56.482 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2022-12-15 19:20:57.673 [Converge PipelineAction::Create<main>] Reflections - Reflections took 251 ms to scan 1 urls, producing 120 keys and 417 values
[WARN ] 2022-12-15 19:20:58.971 [Converge PipelineAction::Create<main>] plain - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-15 19:20:59.116 [Converge PipelineAction::Create<main>] beats - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-15 19:20:59.973 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["/etc/logstash/conf.d/filebeat_to_stdout.conf"], :thread=>"#<Thread:0x6cf459b9 run>"}
[INFO ] 2022-12-15 19:21:01.624 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>1.64}
[INFO ] 2022-12-15 19:21:01.691 [[main]-pipeline-manager] beats - Starting input listener {:address=>"0.0.0.0:5044"}
[INFO ] 2022-12-15 19:21:01.744 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2022-12-15 19:21:01.915 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[INFO ] 2022-12-15 19:21:02.165 [[main]<beats] Server - Starting server on port: 5044
[WARN ] 2022-12-15 19:21:45.107 [defaultEventExecutorGroup-4-1] plain - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
{
"http_user_agent" => "curl/7.68.0",
"domain" => "10.0.0.209",
"agent" => {
"name" => "ES-Node2.com",
"hostname" => "ES-Node2.com",
"version" => "7.15.0",
"id" => "f87dddf0-89bf-46c9-be70-0f8e1784eb2a",
"ephemeral_id" => "af027170-43be-4bb3-9c72-fff47cb94983",
"type" => "filebeat"
},
"host" => {
"name" => "ES-Node2.com"
},
"status" => "200",
"input" => {
"type" => "log"
},
"size" => 10918,
"clientip" => "10.0.0.209",
"tags" => [
[0] "nginx-access",
[1] "beats_input_raw_event"
],
"upstreamtime" => "-",
"uri" => "/index.html",
"log" => {
"file" => {
"path" => "/var/log/nginx/access_json.log"
},
"offset" => 9343
},
"http_host" => "10.0.0.209",
"referer" => "-",
"@timestamp" => 2022-12-15T11:21:41.000Z,
"responsetime" => 0,
"upstreamhost" => "-",
"xff" => "-",
"ecs" => {
"version" => "1.11.0"
},
"tcp_xff" => "-",
"@version" => "1"
}
{
"domain" => "10.0.0.209",
"agent" => {
"name" => "ES-Node2.com",
"hostname" => "ES-Node2.com",
"version" => "7.15.0",
"ephemeral_id" => "af027170-43be-4bb3-9c72-fff47cb94983",
"id" => "f87dddf0-89bf-46c9-be70-0f8e1784eb2a",
"type" => "filebeat"
},
"http_user_agent" => "curl/7.68.0",
"host" => {
"name" => "ES-Node2.com"
},
"status" => "200",
"input" => {
"type" => "log"
},
"size" => 10918,
"clientip" => "10.0.0.209",
"tags" => [
[0] "nginx-access",
[1] "beats_input_raw_event"
],
"upstreamtime" => "-",
"log" => {
"file" => {
"path" => "/var/log/nginx/access_json.log"
},
"offset" => 9032
},
"uri" => "/index.html",
"http_host" => "10.0.0.209",
"referer" => "-",
"@timestamp" => 2022-12-15T11:21:40.000Z,
"responsetime" => 0,
"upstreamhost" => "-",
"xff" => "-",
"ecs" => {
"version" => "1.11.0"
},
"tcp_xff" => "-",
"@version" => "1"
}
{
"http_user_agent" => "curl/7.68.0",
"domain" => "10.0.0.209",
"agent" => {
"name" => "ES-Node2.com",
"hostname" => "ES-Node2.com",
"version" => "7.15.0",
"id" => "f87dddf0-89bf-46c9-be70-0f8e1784eb2a",
"ephemeral_id" => "af027170-43be-4bb3-9c72-fff47cb94983",
"type" => "filebeat"
},
"status" => "200",
"host" => {
"name" => "ES-Node2.com"
},
"input" => {
"type" => "log"
},
"size" => 10918,
"clientip" => "10.0.0.209",
"tags" => [
[0] "nginx-access",
[1] "beats_input_raw_event"
],
"upstreamtime" => "-",
"log" => {
"file" => {
"path" => "/var/log/nginx/access_json.log"
},
"offset" => 9654
},
"uri" => "/index.html",
"http_host" => "10.0.0.209",
"referer" => "-",
"@timestamp" => 2022-12-15T11:21:41.000Z,
"responsetime" => 0,
"upstreamhost" => "-",
"xff" => "-",
"ecs" => {
"version" => "1.11.0"
},
"tcp_xff" => "-",
"@version" => "1"
}
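The beats listener above also accepts connections from any host in clear text on 0.0.0.0:5044: a rogue agent can feed forged nginx events into the pipeline, and the real logs cross the network unencrypted. The pipeline below is an added example (not part of the course notes) that turns on TLS and requires every Filebeat to present a client certificate signed by an internal CA; the bind address and certificate paths are assumptions. On the Filebeat side the matching settings are ssl.certificate_authorities, ssl.certificate and ssl.key under output.logstash, pointing at the same CA and at the agent's own certificate and key.

```conf
input {
  beats {
    port => 5044
    # listen on the internal interface only (address is an assumption)
    host => "10.0.0.207"
    ssl => true
    # server certificate and PKCS#8 key presented to the agents (paths are assumptions)
    ssl_certificate => "/etc/logstash/certs/logstash.crt"
    ssl_key => "/etc/logstash/certs/logstash.pkcs8.key"
    # CA that signed the agents' client certificates
    ssl_certificate_authorities => ["/etc/logstash/certs/internal-ca.crt"]
    # force_peer: a client that presents no valid certificate is dropped at the TLS handshake
    ssl_verify_mode => "force_peer"
    # close connections from agents that stop sending (seconds)
    client_inactivity_timeout => 60
    # keep the legacy field layout shown in the outputs above
    ecs_compatibility => "disabled"
  }
}
filter {
  # In legacy mode the beats input records the TCP peer address in [@metadata][ip_address].
  # Copy it into the event so the origin of every document can be audited later.
  mutate {
    add_field => { "beats_peer_ip" => "%{[@metadata][ip_address]}" }
  }
  # route by the tags Filebeat attached in filebeat.yml
  if "nginx-error" in [tags] {
    mutate { add_field => { "log_kind" => "nginx-error" } }
  } else if "nginx-access" in [tags] {
    mutate { add_field => { "log_kind" => "nginx-access" } }
  }
}
output {
  stdout {
    codec => rubydebug
  }
}
```

A Filebeat started without a client certificate now fails its connection attempt in its own log instead of delivering events, and each accepted event carries beats_peer_ip alongside the agent.hostname Filebeat reports about itself, so a host claiming to be ES-Node2.com but connecting from another address stands out.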
Reading data from Redis
Several Logstash instances can consume the same Redis list in parallel, which increases throughput.
Logstash removes each entry from the list as it pops it, so Redis acts as a queue rather than a store: once the list is drained the key itself disappears.
Official documentation: https://www.elastic.co/guide/en/logstash/7.6/plugins-inputs-redis.html
In the example below both Filebeat and Logstash reach Redis on 10.0.0.209:6379 with the password settings commented out; any host that can reach that port can then inject forged events or drain the queue. Set requirepass in Redis, uncomment the password settings on both sides and bind Redis to the internal interface.
Example:
[root@ES-Node2 ~]#vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/nginx/access_json.log
json.keys_under_root: true # default false keeps the JSON text in message; true lifts the decoded keys to the top level of the event
json.overwrite_keys: true # true lets keys from the decoded JSON overwrite Filebeat's own fields (such as message) when names collide
tags: ["nginx-access"]
- type: log
enabled: true
paths:
- /var/log/nginx/error.log
tags: ["nginx-error"]
output.redis:
hosts: ["10.0.0.209:6379"]
key: "filebeat"
#password: "123456"
#db: 0
[root@ubuntu2004 ~]#vim /etc/logstash/conf.d/redis_to_stdout.conf
input {
redis {
host => '10.0.0.209'
port => "6379"
#password => "123456"
db => "0"
data_type => 'list'
key => "filebeat"
}
}
output {
stdout {
codec => rubydebug
}
}
[root@ubuntu2004 ~]#/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/redis_to_stdout.conf
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2022-12-15 19:26:30.762 [main] runner - Starting Logstash {"logstash.version"=>"7.15.0", "jruby.version"=>"jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11.0.11+9 on 11.0.11+9 +indy +jit [linux-x86_64]"}
[WARN ] 2022-12-15 19:26:31.698 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2022-12-15 19:26:35.085 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2022-12-15 19:26:36.367 [Converge PipelineAction::Create<main>] Reflections - Reflections took 181 ms to scan 1 urls, producing 120 keys and 417 values
[WARN ] 2022-12-15 19:26:37.752 [Converge PipelineAction::Create<main>] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-15 19:26:38.491 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["/etc/logstash/conf.d/redis_to_stdout.conf"], :thread=>"#<Thread:0x6121e0d9 run>"}
[INFO ] 2022-12-15 19:26:40.049 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>1.55}
[INFO ] 2022-12-15 19:26:40.093 [[main]-pipeline-manager] redis - Registering Redis {:identity=>"redis://@10.0.0.209:6379/0 list:filebeat"}
[INFO ] 2022-12-15 19:26:40.108 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2022-12-15 19:26:40.362 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
{
"@version" => "1",
"agent" => {
"hostname" => "ES-Node2.com",
"name" => "ES-Node2.com",
"version" => "7.15.0",
"ephemeral_id" => "b31fd668-dfa4-422f-a810-45274d76e528",
"id" => "f87dddf0-89bf-46c9-be70-0f8e1784eb2a",
"type" => "filebeat"
},
"tags" => [
[0] "nginx-access"
],
"responsetime" => 0,
"size" => 10918,
"http_user_agent" => "curl/7.68.0",
"upstreamhost" => "-",
"status" => "200",
"domain" => "10.0.0.209",
"host" => {
"name" => "ES-Node2.com"
},
"upstreamtime" => "-",
"ecs" => {
"version" => "1.11.0"
},
"input" => {
"type" => "log"
},
"@timestamp" => 2022-12-15T09:28:37.000Z,
"http_host" => "10.0.0.209",
"referer" => "-",
"uri" => "/index.html",
"clientip" => "10.0.0.209",
"log" => {
"offset" => 8410,
"file" => {
"path" => "/var/log/nginx/access_json.log"
}
},
"tcp_xff" => "-",
"xff" => "-"
}
{
"@version" => "1",
"tags" => [
[0] "nginx-access"
],
"agent" => {
"hostname" => "ES-Node2.com",
"name" => "ES-Node2.com",
"version" => "7.15.0",
"id" => "f87dddf0-89bf-46c9-be70-0f8e1784eb2a",
"ephemeral_id" => "b31fd668-dfa4-422f-a810-45274d76e528",
"type" => "filebeat"
},
"responsetime" => 0,
"size" => 10918,
"http_user_agent" => "curl/7.68.0",
"upstreamhost" => "-",
"status" => "200",
"domain" => "10.0.0.209",
"host" => {
"name" => "ES-Node2.com"
},
"upstreamtime" => "-",
"ecs" => {
"version" => "1.11.0"
},
"input" => {
"type" => "log"
},
"@timestamp" => 2022-12-15T09:28:35.000Z,
"http_host" => "10.0.0.209",
"referer" => "-",
"uri" => "/index.html",
"clientip" => "10.0.0.209",
"log" => {
"offset" => 8099,
"file" => {
"path" => "/var/log/nginx/access_json.log"
}
},
"tcp_xff" => "-",
"xff" => "-"
}
{
"@version" => "1",
"tags" => [
[0] "nginx-access"
],
"agent" => {
"hostname" => "ES-Node2.com",
"name" => "ES-Node2.com",
"version" => "7.15.0",
"ephemeral_id" => "b31fd668-dfa4-422f-a810-45274d76e528",
"id" => "f87dddf0-89bf-46c9-be70-0f8e1784eb2a",
"type" => "filebeat"
},
"responsetime" => 0,
"size" => 10918,
"http_user_agent" => "curl/7.68.0",
"upstreamhost" => "-",
"domain" => "10.0.0.209",
"status" => "200",
"host" => {
"name" => "ES-Node2.com"
},
"upstreamtime" => "-",
"ecs" => {
"version" => "1.11.0"
},
"input" => {
"type" => "log"
},
"@timestamp" => 2022-12-15T09:28:48.000Z,
"http_host" => "10.0.0.209",
"referer" => "-",
"uri" => "/index.html",
"clientip" => "10.0.0.210",
"log" => {
"offset" => 8721,
"file" => {
"path" => "/var/log/nginx/access_json.log"
}
},
"tcp_xff" => "-",
"xff" => "-"
}
Reading data from Kafka
Official documentation: https://www.elastic.co/guide/en/logstash/7.6/plugins-inputs-kafka.html
cat /etc/logstash/conf.d/kakfa_to_stdout.conf
input {
kafka {
bootstrap_servers => "10.0.0.201:9092,10.0.0.202:9092,10.0.0.203:9092"
group_id => "logstash"
topics => ["nginx-accesslog","nginx-errorlog"]
codec => "json"
consumer_threads => 8
}
}
output {
stdout {
codec => rubydebug
}
}
Logstash Filter plugins
While data moves from source to store, Logstash filters parse each event, identify named fields to build structure, and transform them into a common format for analysis.
Logstash can transform and parse data dynamically, regardless of its format or complexity.
Common filter plugins:
derive structure from unstructured data with grok
decipher geographic coordinates from IP addresses with geoip
identify operating system and device type from a request's user agent with useragent
simplify overall processing, independent of data source, format or schema
Official documentation: https://www.elastic.co/guide/en/logstash/7.6/filter-plugins.html
Grok plugin
Grok is a filter plugin that lets you describe the structure of a log format. More than 200 built-in grok patterns abstract concepts such as IPv6 addresses, UNIX paths and month names; a log line is matched by composing these patterns into an expression.
In production, unstructured lines such as the following commonly have to be parsed into structured JSON:
2016-09-19T18:19:00 [8.8.8.8:prd] DEBUG this is an example log message
With the grok plugin the line is described by named aliases of built-in regular expressions (no whitespace is allowed between % and {, and the separator between IP and environment must be the colon that the sample line uses):
%{TIMESTAMP_ISO8601:timestamp} \[%{IPV4:ip}:%{WORD:environment}\] %{LOGLEVEL:log_level} %{GREEDYDATA:message}
which yields the following event:
{
"timestamp": "2016-09-19T18:19:00",
"ip": "8.8.8.8",
"environment": "prd",
"log_level": "DEBUG",
"message": "this is an example log message"
}
References
https://www.elastic.co/cn/blog/do-you-grok-grok
http://grokdebug.herokuapp.com/
http://grokdebug.herokuapp.com/discover?#
Example: use the Grok Debugger's discover function to generate a grok pattern for an nginx access log line automatically
159.65.4.253 - - [28/Aug/2022:09:32:05 +0800] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
%{COMBINEDAPACHELOG}
The Grok Debugger built into Kibana (Dev Tools) does the same.
Example: use a grok pattern to parse the Nginx access log into structured fields
cat /etc/logstash/conf.d/http_grok_stdout.conf
input {
http {
port =>6666
}
}
filter {
# parse the nginx access log line into named fields
grok {
match => {
"message" => "%{COMBINEDAPACHELOG}" # split the message field into the COMBINEDAPACHELOG fields (clientip, timestamp, verb, request, response, bytes, referrer, agent, ...)
}
}
}
output {
stdout {
codec => rubydebug
}
}
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/http_grok_stdout.conf -r
Geoip plugin
geoip enriches an event with the geographic information belonging to an IP address (latitude/longitude, country, city, time zone and so on) for geographic analysis. Logstash 7.14 and later download and auto-update the GeoLite2 database from Elastic's endpoint unless database points at a local .mmdb file; that is what the downloadmanager and MaxMind EULA messages in the log below refer to. On a host without outbound access, provision the database locally and set database explicitly.
Example:
[root@ubuntu2004 ~]#vim /etc/logstash/conf.d/http_geoip_stdout.conf
input {
http {
port =>6666
}
}
filter {
# parse the nginx access log line into named fields
grok {
match => {
"message" => "%{COMBINEDAPACHELOG}"
}
}
# use the clientip field extracted above as the address to look up
geoip {
source => "clientip" # field holding the source IP
}
}
output {
stdout {
codec => rubydebug
}
}
[root@ubuntu2004 ~]#/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/http_geoip_stdout.conf -r
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2022-12-16 10:14:36.537 [main] runner - Starting Logstash {"logstash.version"=>"7.15.0", "jruby.version"=>"jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11.0.11+9 on 11.0.11+9 +indy +jit [linux-x86_64]"}
[WARN ] 2022-12-16 10:14:37.521 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2022-12-16 10:14:40.223 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2022-12-16 10:14:41.840 [Converge PipelineAction::Create<main>] Reflections - Reflections took 237 ms to scan 1 urls, producing 120 keys and 417 values
[WARN ] 2022-12-16 10:14:43.558 [Converge PipelineAction::Create<main>] plain - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-16 10:14:43.752 [Converge PipelineAction::Create<main>] http - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-16 10:14:43.966 [Converge PipelineAction::Create<main>] geoip - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-16 10:14:44.410 [[main]-pipeline-manager] grok - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-16 10:14:47.438 [[main]-pipeline-manager] LazyDelegatingGauge - A gauge metric of an unknown type (org.jruby.RubySymbol) has been created for key: status. This may result in invalid serialization. It is recommended to log an issue to the responsible developer/development team.
[WARN ] 2022-12-16 10:14:47.442 [[main]-pipeline-manager] LazyDelegatingGauge - A gauge metric of an unknown type (org.jruby.RubySymbol) has been created for key: status. This may result in invalid serialization. It is recommended to log an issue to the responsible developer/development team.
[WARN ] 2022-12-16 10:14:47.495 [[main]-pipeline-manager] LazyDelegatingGauge - A gauge metric of an unknown type (org.jruby.RubySymbol) has been created for key: status. This may result in invalid serialization. It is recommended to log an issue to the responsible developer/development team.
[INFO ] 2022-12-16 10:14:51.285 [[main]-pipeline-manager] downloadmanager - new database version detected? true
[INFO ] 2022-12-16 10:15:44.532 [[main]-pipeline-manager] databasemanager - By not manually configuring a database path with database =>
, you accepted and agreed MaxMind EULA. For more details please visit https://www.maxmind.com/en/geolite2/eula
[INFO ] 2022-12-16 10:15:44.539 [[main]-pipeline-manager] geoip - Using geoip database {:path=>"/usr/share/logstash/data/plugins/filters/geoip/1671156887/GeoLite2-City.mmdb"}
[INFO ] 2022-12-16 10:15:44.809 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["/etc/logstash/conf.d/http_geoip_stdout.conf"], :thread=>"#<Thread:0x72cea342 run>"}
[INFO ] 2022-12-16 10:15:46.560 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>1.74}
[WARN ] 2022-12-16 10:15:46.719 [[main]-pipeline-manager] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-16 10:15:47.040 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2022-12-16 10:15:47.134 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[INFO ] 2022-12-16 10:15:47.153 [[main]<http] http - Starting http input listener {:address=>"0.0.0.0:6666", :ssl=>"false"}
[WARN ] 2022-12-16 10:16:11.383 [http-input-processor[T#2]] plain - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-16 10:16:11.409 [http-input-processor[T#2]] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
{
"timestamp" => "27/Aug/2022:19:26:49 +0800",
"agent" => "\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0\"",
"geoip" => {
"longitude" => 116.3861,
"city_name" => "Beijing",
"ip" => "115.171.63.144",
"location" => {
"lat" => 39.9143,
"lon" => 116.3861
},
"country_code2" => "CN",
"region_code" => "BJ",
"region_name" => "Beijing",
"country_code3" => "CN",
"country_name" => "China",
"timezone" => "Asia/Shanghai",
"latitude" => 39.9143,
"continent_code" => "AS"
},
"host" => "10.0.0.210",
"ident" => "-",
"response" => "301",
"@version" => "1",
"clientip" => "115.171.63.144",
"@timestamp" => 2022-12-16T02:16:11.558Z,
"message" => "115.171.63.144 - - [27/Aug/2022:19:26:49 +0800] \"GET /favicon.ico HTTP/1.1\" 301 5 \"http://119.91.212.247/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0\"",
"headers" => {
"http_user_agent" => "curl/7.68.0",
"http_version" => "HTTP/1.1",
"request_path" => "/",
"request_method" => "POST",
"content_length" => "189",
"http_host" => "10.0.0.207:6666",
"content_type" => "application/x-www-form-urlencoded",
"http_accept" => "*/*"
},
"auth" => "-",
"bytes" => "5",
"httpversion" => "1.1",
"referrer" => "\"http://119.91.212.247/\"",
"verb" => "GET",
"request" => "/favicon.ico"
}
#Use curl to send the log line over HTTP; the event above is the result
[root@ES-Node3 ~]#curl -XPOST -d '115.171.63.144 - - [27/Aug/2022:19:26:49 +0800] "GET /favicon.ico HTTP/1.1" 301 5 "http://119.91.212.247/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0"' http://10.0.0.207:6666
ok
Date plugin
The date plugin parses a date string in the log into a date type and then replaces the @timestamp field (which by default holds the time the event was written into Logstash, not the time of the log entry itself) or another field you specify.
match: an array specifying the date formats to match; several formats can be listed
target: a string naming the field the result is assigned to; the default is @timestamp
timezone: a string specifying the time zone
Official documentation
https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html
Time zone format reference
http://joda-time.sourceforge.net/timezones.html
[root@ubuntu2004 ~]#vim /etc/logstash/conf.d/http_grok_date_stdout.conf
input {
  http {
    port => 6666
  }
}
filter {
  # parse the nginx log line into structured (JSON-style) fields
  grok {
    match => {
      "message" => "%{COMBINEDAPACHELOG}"
    }
  }
  # parse a date in the form 14/Jul/2020:15:07:27 +0800
  date {
    match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    target => "access_time"   # write the parsed time into a new access_time field
    #target => "@timestamp"   # overwrite the existing @timestamp field instead
    timezone => "Asia/Shanghai"
  }
}
output {
  stdout {
    codec => rubydebug
  }
}
[root@ubuntu2004 ~]#/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/http_grok_date_stdout.conf -r
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2022-12-16 10:23:17.776 [main] runner - Starting Logstash {"logstash.version"=>"7.15.0", "jruby.version"=>"jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11.0.11+9 on 11.0.11+9 +indy +jit [linux-x86_64]"}
[WARN ] 2022-12-16 10:23:18.782 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2022-12-16 10:23:22.036 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2022-12-16 10:23:23.666 [Converge PipelineAction::Create<main>] Reflections - Reflections took 178 ms to scan 1 urls, producing 120 keys and 417 values
[WARN ] 2022-12-16 10:23:25.192 [Converge PipelineAction::Create<main>] plain - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-16 10:23:25.286 [Converge PipelineAction::Create<main>] http - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-16 10:23:26.141 [[main]-pipeline-manager] grok - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-16 10:23:26.857 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["/etc/logstash/conf.d/http_grok_date_stdout.conf"], :thread=>"#<Thread:0x5d15a961 run>"}
[INFO ] 2022-12-16 10:23:28.647 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>1.79}
[WARN ] 2022-12-16 10:23:28.830 [[main]-pipeline-manager] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-16 10:23:29.127 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2022-12-16 10:23:29.152 [[main]<http] http - Starting http input listener {:address=>"0.0.0.0:6666", :ssl=>"false"}
[INFO ] 2022-12-16 10:23:29.264 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[WARN ] 2022-12-16 10:23:36.853 [http-input-processor[T#2]] plain - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-16 10:23:36.872 [http-input-processor[T#2]] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
{
"auth" => "-",
"@version" => "1",
"host" => "10.0.0.210",
"response" => "200",
"agent" => "\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0\"",
"@timestamp" => 2022-12-16T02:23:37.061Z,
"verb" => "GET",
"bytes" => "1755",
"message" => "220.196.160.101 - - [27/Aug/2022:20:47:15 +0800] \"GET /wp-includes/js/dist/hooks.min.js?ver=c6d64f2cb8f5c6bb49caca37f8828ce3 HTTP/1.1\" 200 1755 \"https://www.shuzihan.com/wp-login.php?redirect_to=http%3A%2F%2F119.91.212.247%2Fwp-admin%2Foptions-permalink.php&reauth=1\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0\"",
"request" => "/wp-includes/js/dist/hooks.min.js?ver=c6d64f2cb8f5c6bb49caca37f8828ce3",
"timestamp" => "27/Aug/2022:20:47:15 +0800",
"httpversion" => "1.1",
"headers" => {
"http_user_agent" => "curl/7.68.0",
"content_type" => "application/x-www-form-urlencoded",
"request_path" => "/",
"http_version" => "HTTP/1.1",
"request_method" => "POST",
"content_length" => "349",
"http_host" => "10.0.0.207:6666",
"http_accept" => "*/*"
},
"clientip" => "220.196.160.101",
"ident" => "-",
"referrer" => "\"https://www.shuzihan.com/wp-login.php?redirect_to=http%3A%2F%2F119.91.212.247%2Fwp-admin%2Foptions-permalink.php&reauth=1\"",
"access_time" => 2022-08-27T12:47:15.000Z
}
[root@ES-Node3 ~]#curl -XPOST -d '220.196.160.101 - - [27/Aug/2022:20:47:15 +0800] "GET /wp-includes/js/dist/hooks.min.js?ver=c6d64f2cb8f5c6bb49caca37f8828ce3 HTTP/1.1" 200 1755 "https://www.shuzihan.com/wp-login.php?redirect_to=http%3A%2F%2F119.91.212.247%2Fwp-admin%2Foptions-permalink.php&reauth=1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0"' http://10.0.0.207:6666
ok
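A small Python model of what the date filter's match, target and timezone options do, added here as an example (not code from the page or from Logstash), checked against the page's own value "27/Aug/2022:20:47:15 +0800", which the output above stores as access_time 2022-08-27T12:47:15.000Z. The function names, the pattern table and the sample event are this example's own; the one point it makes beyond the page is that timezone is consulted only when the pattern does not itself capture an offset.

```python
# Added example, not code from the original page or from Logstash: a model of the
# date filter's match / target / timezone handling.
from datetime import datetime, timedelta, timezone

# Joda-style patterns used on the page, mapped to strptime directives.
# "Z" consumes an explicit offset such as +0800; the second pattern carries no zone.
JODA_TO_STRPTIME = {
    "dd/MMM/yyyy:HH:mm:ss Z": "%d/%b/%Y:%H:%M:%S %z",
    "dd/MMM/yyyy:HH:mm:ss": "%d/%b/%Y:%H:%M:%S",
}

# Fallback offsets (hours) for the zones used here, in case the host has no tz
# database; Asia/Shanghai has no DST, so a fixed offset is exact for it.
FIXED_OFFSETS = {"UTC": 0, "Asia/Shanghai": 8}


def zone(name: str):
    """Return a tzinfo for a canonical zone ID, preferring the system tz database."""
    try:
        from zoneinfo import ZoneInfo
        return ZoneInfo(name)
    except Exception:
        return timezone(timedelta(hours=FIXED_OFFSETS[name]))


def parse_log_time(value: str, pattern: str, tz: str = "UTC") -> str:
    """Return the UTC ISO-8601 string Logstash would store for `value`.

    `tz` models the filter's `timezone` option: it is used only when the pattern
    did not capture an offset. Raises ValueError when the value does not match."""
    parsed = datetime.strptime(value, JODA_TO_STRPTIME[pattern])
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=zone(tz))
    return parsed.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def date_filter(event: dict, match: list, target: str = "@timestamp", tz: str = "UTC") -> dict:
    """Model of one date {} block: match is [field, pattern, pattern, ...]; the first
    pattern that parses wins and is written to `target`. On failure the event gets
    the _dateparsefailure tag, as Logstash adds, and is otherwise left unchanged."""
    field, *patterns = match
    out = dict(event)
    if field not in out:
        return out
    for pattern in patterns:
        try:
            out[target] = parse_log_time(out[field], pattern, tz)
            return out
        except ValueError:
            continue
    out["tags"] = list(out.get("tags", [])) + ["_dateparsefailure"]
    return out


if __name__ == "__main__":
    # Constructed event mirroring the grok output shown on the page.
    event = {"timestamp": "27/Aug/2022:20:47:15 +0800", "@timestamp": "2022-12-16T02:23:37.061Z"}
    print(date_filter(event, ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"], "access_time", "Asia/Shanghai"))
```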
Useragent plugin
[root@ubuntu2004 ~]#vim /etc/logstash/conf.d/http_grok_useragent_stdout.conf
input {
  http {
    port => 6666
  }
}
filter {
  # parse the nginx log line into structured (JSON-style) fields
  grok {
    match => {
      "message" => "%{COMBINEDAPACHELOG}"
    }
  }
  # parse a date such as 10/Dec/2020:10:40:10 +0800
  date {
    match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    target => "@timestamp"
    #target => "access_time"
    timezone => "Asia/Shanghai"
  }
  # take the agent field and parse it
  useragent {
    source => "agent"       # field to read the user agent string from
    target => "useragent"   # new field holding the parsed result
  }
}
output {
  stdout {
    codec => rubydebug
  }
}
[root@ubuntu2004 ~]#/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/http_grok_useragent_stdout.conf -r
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2022-12-16 10:26:42.929 [main] runner - Starting Logstash {"logstash.version"=>"7.15.0", "jruby.version"=>"jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11.0.11+9 on 11.0.11+9 +indy +jit [linux-x86_64]"}
[WARN ] 2022-12-16 10:26:43.982 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2022-12-16 10:26:47.256 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2022-12-16 10:26:48.743 [Converge PipelineAction::Create<main>] Reflections - Reflections took 179 ms to scan 1 urls, producing 120 keys and 417 values
[WARN ] 2022-12-16 10:26:50.128 [Converge PipelineAction::Create<main>] plain - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-16 10:26:50.291 [Converge PipelineAction::Create<main>] http - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-16 10:26:50.696 [Converge PipelineAction::Create<main>] useragent - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-16 10:26:51.128 [[main]-pipeline-manager] grok - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-16 10:26:52.090 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["/etc/logstash/conf.d/http_grok_useragent_stdout.conf"], :thread=>"#<Thread:0x6863bdd run>"}
[INFO ] 2022-12-16 10:26:54.002 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>1.9}
[WARN ] 2022-12-16 10:26:54.236 [[main]-pipeline-manager] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-16 10:26:54.481 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2022-12-16 10:26:54.549 [[main]<http] http - Starting http input listener {:address=>"0.0.0.0:6666", :ssl=>"false"}
[INFO ] 2022-12-16 10:26:54.730 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[WARN ] 2022-12-16 10:27:39.125 [http-input-processor[T#2]] plain - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-16 10:27:39.143 [http-input-processor[T#2]] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
{
"headers" => {
"http_host" => "10.0.0.207:6666",
"request_path" => "/",
"content_length" => "349",
"content_type" => "application/x-www-form-urlencoded",
"request_method" => "POST",
"http_accept" => "*/*",
"http_user_agent" => "curl/7.68.0",
"http_version" => "HTTP/1.1"
},
"host" => "10.0.0.210",
"verb" => "GET",
"bytes" => "1755",
"referrer" => "\"https://www.shuzihan.com/wp-login.php?redirect_to=http%3A%2F%2F119.91.212.247%2Fwp-admin%2Foptions-permalink.php&reauth=1\"",
"@version" => "1",
"timestamp" => "27/Aug/2022:20:47:15 +0800",
"request" => "/wp-includes/js/dist/hooks.min.js?ver=c6d64f2cb8f5c6bb49caca37f8828ce3",
"clientip" => "220.196.160.101",
"ident" => "-",
"@timestamp" => 2022-08-27T12:47:15.000Z,
"agent" => "\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0\"",
"auth" => "-",
"message" => "220.196.160.101 - - [27/Aug/2022:20:47:15 +0800] \"GET /wp-includes/js/dist/hooks.min.js?ver=c6d64f2cb8f5c6bb49caca37f8828ce3 HTTP/1.1\" 200 1755 \"https://www.shuzihan.com/wp-login.php?redirect_to=http%3A%2F%2F119.91.212.247%2Fwp-admin%2Foptions-permalink.php&reauth=1\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0\"",
"response" => "200",
"httpversion" => "1.1",
"useragent" => {
"os_name" => "Windows",
"os_major" => "10",
"name" => "Firefox",
"device" => "Other",
"minor" => "0",
"os_version" => "10",
"version" => "104.0",
"major" => "104",
"os" => "Windows",
"os_full" => "Windows 10"
}
}
[WARN ] 2022-12-16 10:28:19.371 [http-input-processor[T#1]] plain - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-16 10:28:19.397 [http-input-processor[T#1]] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
{
"headers" => {
"http_host" => "10.0.0.207:6666",
"request_path" => "/",
"content_length" => "206",
"content_type" => "application/x-www-form-urlencoded",
"request_method" => "POST",
"http_accept" => "*/*",
"http_user_agent" => "curl/7.68.0",
"http_version" => "HTTP/1.1"
},
"host" => "10.0.0.210",
"verb" => "POST",
"bytes" => "412",
"referrer" => "\"-\"",
"@version" => "1",
"timestamp" => "07/Sep/2022:00:38:47 +0800",
"request" => "/xmlrpc.php",
"clientip" => "2220.204.174.94",
"ident" => "-",
"@timestamp" => 2022-09-06T16:38:47.000Z,
"agent" => "\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\"",
"auth" => "-",
"message" => "2220.204.174.94 - - [07/Sep/2022:00:38:47 +0800] \"POST /xmlrpc.php HTTP/1.1\" 200 412 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\"",
"response" => "200",
"httpversion" => "1.1",
"useragent" => {
"os_major" => "10",
"name" => "Chrome",
"minor" => "0",
"os_version" => "10",
"major" => "78",
"os_name" => "Windows",
"patch" => "3904",
"device" => "Other",
"os_full" => "Windows 10",
"os" => "Windows",
"version" => "78.0.3904.108"
}
}
[root@ES-Node3 ~]#curl -XPOST -d '220.196.160.101 - - [27/Aug/2022:20:47:15 +0800] "GET /wp-includes/js/dist/hooks.min.js?ver=c6d64f2cb8f5c6bb49caca37f8828ce3 HTTP/1.1" 200 1755 "https://www.shuzihan.com/wp-login.php?redirect_to=http%3A%2F%2F119.91.212.247%2Fwp-admin%2Foptions-permalink.php&reauth=1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0"' http://10.0.0.207:6666
ok
[root@ES-Node3 ~]#curl -XPOST -d '20.204.174.94 - - [07/Sep/2022:00:38:47 +0800] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"' http://10.0.0.207:6666
ok
Mutate plugin
The mutate plugin performs operations on fields such as type conversion, deletion, replacement and update, using the following functions:
remove_field: delete fields
split: split a string, like extracting columns with awk
add_field: add fields
convert: convert types
gsub: replace substrings
Official link: https://www.elastic.co/guide/en/logstash/7.6/plugins-filters-mutate.html
remove_field: deleting fields
[root@ubuntu2004 ~]#vim /etc/logstash/conf.d/http_grok_mutate_remove_field_stdout.conf
input {
  http {
    port => 6666
  }
}
filter {
  # parse the nginx log line into structured (JSON-style) fields
  grok {
    match => {
      "message" => "%{COMBINEDAPACHELOG}"
    }
  }
  # parse a date such as 10/Dec/2020:10:40:10 +0800
  date {
    match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    target => "@timestamp"
    #target => "access_time"
    timezone => "Asia/Shanghai"
  }
  # mutate: remove fields
  mutate {
    remove_field => ["headers","message", "agent"]
  }
}
output {
  stdout {
    codec => rubydebug
  }
}
[root@ubuntu2004 ~]#/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/http_grok_mutate_remove_field_stdout.conf -r
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2022-12-16 10:33:06.528 [main] runner - Starting Logstash {"logstash.version"=>"7.15.0", "jruby.version"=>"jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11.0.11+9 on 11.0.11+9 +indy +jit [linux-x86_64]"}
[WARN ] 2022-12-16 10:33:07.452 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2022-12-16 10:33:10.645 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2022-12-16 10:33:12.278 [Converge PipelineAction::Create<main>] Reflections - Reflections took 208 ms to scan 1 urls, producing 120 keys and 417 values
[WARN ] 2022-12-16 10:33:13.758 [Converge PipelineAction::Create<main>] plain - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-16 10:33:13.943 [Converge PipelineAction::Create<main>] http - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-16 10:33:14.796 [[main]-pipeline-manager] grok - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-16 10:33:15.416 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["/etc/logstash/conf.d/http_grok_mutate_remove_field_stdout.conf"], :thread=>"#<Thread:0x2d88844e run>"}
[INFO ] 2022-12-16 10:33:17.255 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>1.83}
[WARN ] 2022-12-16 10:33:17.490 [[main]-pipeline-manager] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-16 10:33:17.774 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2022-12-16 10:33:17.858 [[main]<http] http - Starting http input listener {:address=>"0.0.0.0:6666", :ssl=>"false"}
[INFO ] 2022-12-16 10:33:18.081 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[WARN ] 2022-12-16 10:33:18.990 [http-input-processor[T#2]] plain - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-16 10:33:19.012 [http-input-processor[T#2]] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
{
"auth" => "-",
"bytes" => "412",
"referrer" => "\"-\"",
"verb" => "POST",
"@timestamp" => 2022-09-06T16:38:47.000Z,
"request" => "/xmlrpc.php",
"httpversion" => "1.1",
"response" => "200",
"clientip" => "2220.204.174.94",
"timestamp" => "07/Sep/2022:00:38:47 +0800",
"ident" => "-",
"@version" => "1",
"host" => "10.0.0.210"
}
[root@ES-Node3 ~]#curl -XPOST -d '2220.204.174.94 - - [07/Sep/2022:00:38:47 +0800] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"' http://10.0.0.207:6666
ok
Split
split in mutate cuts a string field on a specified separator; the resulting pieces can then be assigned to new field names
Example input: 1000|提交订单|2020-01-08 09:10:21
Example: using split to cut a string into columns
[root@ubuntu2004 ~]#vim /etc/logstash/conf.d/http_grok_mutate_split_stdout.conf
input {
  http {
    port => 6666
  }
}
filter {
  # mutate: split operation
  mutate {
    # field separator
    split => { "message" => "|" }   # split the message field on | into a list of elements
  }
}
output {
  stdout {
    codec => rubydebug
  }
}
[root@ubuntu2004 ~]#/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/http_grok_mutate_split_stdout.conf -r
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2022-12-16 10:38:18.667 [main] runner - Starting Logstash {"logstash.version"=>"7.15.0", "jruby.version"=>"jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11.0.11+9 on 11.0.11+9 +indy +jit [linux-x86_64]"}
[WARN ] 2022-12-16 10:38:19.724 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2022-12-16 10:38:22.728 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2022-12-16 10:38:23.949 [Converge PipelineAction::Create<main>] Reflections - Reflections took 152 ms to scan 1 urls, producing 120 keys and 417 values
[WARN ] 2022-12-16 10:38:25.209 [Converge PipelineAction::Create<main>] plain - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-16 10:38:25.374 [Converge PipelineAction::Create<main>] http - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-16 10:38:26.354 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["/etc/logstash/conf.d/http_grok_mutate_split_stdout.conf"], :thread=>"#<Thread:0x1dc494ad run>"}
[INFO ] 2022-12-16 10:38:27.844 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>1.48}
[WARN ] 2022-12-16 10:38:28.041 [[main]-pipeline-manager] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-16 10:38:28.330 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2022-12-16 10:38:28.407 [[main]<http] http - Starting http input listener {:address=>"0.0.0.0:6666", :ssl=>"false"}
[INFO ] 2022-12-16 10:38:28.644 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[WARN ] 2022-12-16 10:38:29.766 [http-input-processor[T#2]] plain - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-16 10:38:29.794 [http-input-processor[T#2]] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
{
"@version" => "1",
"headers" => {
"http_accept" => "*/*",
"request_path" => "/",
"request_method" => "POST",
"http_host" => "10.0.0.207:6666",
"http_user_agent" => "curl/7.68.0",
"http_version" => "HTTP/1.1",
"content_type" => "application/x-www-form-urlencoded",
"content_length" => "37"
},
"message" => [
[0] "1000",
[1] "提交订单",
[2] "2020-01-08 09:10:21"
],
"@timestamp" => 2022-12-16T02:38:29.876Z,
"host" => "10.0.0.210"
}
[root@ES-Node3 ~]#curl -XPOST -d '1000|提交订单|2020-01-08 09:10:21' http://10.0.0.207:6666
ok
add_field: adding fields
[root@ubuntu2004 ~]#vim /etc/logstash/conf.d/http_grok_mutate_add_field_stdout.conf
input {
  http {
    port => 6666
  }
}
filter {
  # mutate: split operation
  mutate {
    # field separator
    split => { "message" => "|" }
    # add fields: element 0 of the message list becomes the field user_id
    add_field => {
      "user_id" => "%{[message][0]}"
      "action" => "%{[message][1]}"
      "time" => "%{[message][2]}"
    }
    #add_field => {"[@metadata][target_index]" => "app-%{+YYYY.MM.dd}"}   # add a field to use as the index name
    # remove fields that are no longer needed
    remove_field => ["headers","message"]
  }
}
output {
  stdout {
    codec => rubydebug
  }
}
[root@ubuntu2004 ~]#/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/http_grok_mutate_add_field_stdout.conf -r
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2022-12-16 10:41:12.821 [main] runner - Starting Logstash {"logstash.version"=>"7.15.0", "jruby.version"=>"jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11.0.11+9 on 11.0.11+9 +indy +jit [linux-x86_64]"}
[WARN ] 2022-12-16 10:41:13.957 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2022-12-16 10:41:17.046 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2022-12-16 10:41:18.648 [Converge PipelineAction::Create<main>] Reflections - Reflections took 165 ms to scan 1 urls, producing 120 keys and 417 values
[WARN ] 2022-12-16 10:41:20.086 [Converge PipelineAction::Create<main>] plain - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-16 10:41:20.298 [Converge PipelineAction::Create<main>] http - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-16 10:41:21.002 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["/etc/logstash/conf.d/http_grok_mutate_add_field_stdout.conf"], :thread=>"#<Thread:0x6f4db68c run>"}
[INFO ] 2022-12-16 10:41:22.504 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>1.5}
[WARN ] 2022-12-16 10:41:22.682 [[main]-pipeline-manager] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-16 10:41:22.943 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2022-12-16 10:41:23.061 [[main]<http] http - Starting http input listener {:address=>"0.0.0.0:6666", :ssl=>"false"}
[INFO ] 2022-12-16 10:41:23.178 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[WARN ] 2022-12-16 10:41:23.971 [http-input-processor[T#2]] plain - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-16 10:41:23.989 [http-input-processor[T#2]] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
{
"action" => "提交订单",
"@timestamp" => 2022-12-16T02:41:24.184Z,
"@version" => "1",
"host" => "10.0.0.210",
"time" => "2020-01-08 09:10:21",
"user_id" => "1000"
}
[root@ES-Node3 ~]#curl -XPOST -d '1000|提交订单|2020-01-08 09:10:21' http://10.0.0.207:6666
ok
convert: type conversion
convert in mutate converts a field's data type; integer, float, string and other types are supported
[root@ubuntu2004 ~]#vim /etc/logstash/conf.d/http_grok_mutate_convert_stdout.conf
input {
  http {
    port => 6666
  }
}
filter {
  # mutate: split operation
  mutate {
    # field separator
    split => { "message" => "|" }
    # add fields
    add_field => {
      "user_id" => "%{[message][0]}"
      "action" => "%{[message][1]}"
      "time" => "%{[message][2]}"
    }
    # remove fields that are no longer needed
    remove_field => ["headers","message"]
    # convert the types of the newly added fields
    convert => {
      "user_id" => "integer"
      "action" => "string"
      "time" => "string"
    }
    #convert => ["execute_time", "float"]   # this array form is also supported
    #convert => ["time", "string"]
  }
}
output {
  stdout {
    codec => rubydebug
  }
}
[root@ubuntu2004 ~]#/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/http_grok_mutate_convert_stdout.conf -r
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2022-12-16 10:45:24.708 [main] runner - Starting Logstash {"logstash.version"=>"7.15.0", "jruby.version"=>"jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11.0.11+9 on 11.0.11+9 +indy +jit [linux-x86_64]"}
[WARN ] 2022-12-16 10:45:25.651 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2022-12-16 10:45:28.952 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2022-12-16 10:45:30.548 [Converge PipelineAction::Create<main>] Reflections - Reflections took 222 ms to scan 1 urls, producing 120 keys and 417 values
[WARN ] 2022-12-16 10:45:32.136 [Converge PipelineAction::Create<main>] plain - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-16 10:45:32.270 [Converge PipelineAction::Create<main>] http - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-16 10:45:33.093 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["/etc/logstash/conf.d/http_grok_mutate_convert_stdout.conf"], :thread=>"#<Thread:0x2f53298f run>"}
[INFO ] 2022-12-16 10:45:34.974 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>1.88}
[WARN ] 2022-12-16 10:45:35.133 [[main]-pipeline-manager] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2022-12-16 10:45:35.322 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2022-12-16 10:45:35.371 [[main]<http] http - Starting http input listener {:address=>"0.0.0.0:6666", :ssl=>"false"}
[INFO ] 2022-12-16 10:45:35.447 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[WARN ] 2022-12-16 10:45:41.468 [http-input-processor[T#2]] plain - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2022-12-16 10:45:41.499 [http-input-processor[T#2]] json - Relying on default value of pipeline.ecs_compatibility
, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
{
"@version" => "1",
"user_id" => "1000",
"action" => "提交订单",
"host" => "10.0.0.210",
"time" => "2020-01-08 09:10:21",
"@timestamp" => 2022-12-16T02:45:41.682Z
}
[root@ES-Node3 ~]#curl -XPOST -d '1000|提交订单|2020-01-08 09:10:21' http://10.0.0.207:6666
ok
gsub replacement
filter {
  mutate {
    gsub => ["message","\n", " "] #replace newlines in the message field with spaces
  }
}
Conditionals
#vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  tags: ["access"]
- type: log
  enabled: true
  paths:
    - /var/log/nginx/error.log
  tags: ["error"]
output.logstash:
  hosts: ["10.0.0.104:5044","10.0.0.105:5044"]
  #loadbalance: true #load-balance across the hosts
  #worker: 2 #number of hosts * workers #enable multiple worker processes
#vim /etc/logstash/conf.d/filebeat_logstash_es.conf
input {
  beats {
    port => 5044
  }
}
filter {
  if "access" in [tags][0] {
    mutate {
      add_field => { "target_index" => "access-%{+YYYY.MM.dd}" }
    }
  }
  else if "error" in [tags][0] {
    mutate {
      add_field => { "target_index" => "error-%{+YYYY.MM.dd}" }
    }
  }
  else if "system" in [tags][0] {
    mutate {
      add_field => { "target_index" => "system-%{+YYYY.MM.dd}" }
    }
  }
}
output {
  elasticsearch {
    hosts => ["10.0.0.101:9200","10.0.0.102:9200","10.0.0.103:9200"] #usually the addresses of the data nodes
    index => "%{[target_index]}" #use the value of the target_index field as the index name
    template_overwrite => true #overwrite the index template
  }
}
Logstash Output Plugins
Official link: https://www.elastic.co/guide/en/logstash/7.6/output-plugins.html
Stdout plugin
The stdout plugin writes events to the terminal; it is mainly used for debugging.
output {
  stdout {
    codec => rubydebug
  }
}
File plugin
Writes events to a file, so data scattered across many files can be consolidated into a single file.
Example: collect the logs of all web machines into one file for centralized management.
output {
  stdout {
    codec => rubydebug
  }
  file {
    path => "/var/log/test.log"
  }
}
Elasticsearch plugin
Official documentation: https://www.elastic.co/guide/en/logstash/7.6/plugins-outputs-elasticsearch.html
Index time-format reference: https://www.joda.org/joda-time/apidocs/org/joda/time/format/DateTimeFormat.html
When log volume is small, indices can be created per month or per week; when log volume is large, indices are created per day so that old data can later be deleted one day at a time.
output {
  elasticsearch {
    hosts => ["10.0.0.101:9200","10.0.0.102:9200","10.0.0.103:9200"] #usually the addresses of the ES data nodes
    index => "app-%{+YYYY.MM.dd}" #index name; adding a date and creating one index per day is recommended
    #index => "%{[@metadata][target_index]}" #use the value of the [@metadata][target_index] field as the index name
    template_overwrite => true #overwrite the index template; optional, default is false
  }
}
Note: index names must be lowercase.
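As an added example that is not part of the original page, the shell functions below (names are my own; assumes a Linux host with GNU date and curl) check an index name against Elasticsearch's naming rules, including the lowercase requirement just noted, build the per-day name the output above produces, and dry-run the per-day deletion the text mentions.

```shell
# Added example, not from the original page: validate an index name against
# Elasticsearch's naming rules before a pipeline uses it, build the per-day
# name the output above produces, and find indices old enough to delete.
# All function names are my own. Requires GNU date for the cutoff helper.

# Returns 0 when NAME is a legal Elasticsearch index name: lowercase only,
# none of \ / * ? " < > | space , # :, not starting with - _ +,
# not "." or "..", and at most 255 characters (bytes for ASCII names).
valid_es_index_name() {
    name=$1
    [ -n "$name" ] || return 1
    [ "$name" != "." ] && [ "$name" != ".." ] || return 1
    [ "${#name}" -le 255 ] || return 1
    case "$name" in
        -*|_*|+*) return 1 ;;
    esac
    if printf '%s' "$name" | LC_ALL=C grep -q '[A-Z\\/*?"<>| ,#:]'; then
        return 1
    fi
    return 0
}

# Builds "PREFIX-YYYY.MM.dd", the name index => "app-%{+YYYY.MM.dd}" yields,
# from a date in YYYY-MM-DD form (for example $(date -u +%F)).
daily_index_name() {
    printf '%s-%s\n' "$1" "$(printf '%s' "$2" | sed 's/-/./g')"
}

# Returns 0 when NAME ends in a YYYY.MM.dd suffix dated before CUTOFF
# (YYYYMMDD); 2 when there is no date suffix, so such names are never deleted.
index_older_than() {
    day=$(printf '%s' "${1##*-}" | tr -d '.')
    case "$day" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 2 ;;
    esac
    [ "$day" -lt "$2" ]
}

# Dry run of a retention policy: print a DELETE request for every index in
# the cluster at ES_URL (e.g. http://10.0.0.101:9200) older than DAYS days.
old_index_delete_commands() {
    es=$1
    cutoff=$(date -u -d "$2 days ago" +%Y%m%d)
    curl -s "$es/_cat/indices?h=index" | while read -r idx; do
        index_older_than "$idx" "$cutoff" && printf 'curl -XDELETE %s/%s\n' "$es" "$idx"
    done
}
```

Run `old_index_delete_commands http://10.0.0.101:9200 30` to list, without executing, the deletions a 30-day policy would perform.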
Redis plugin
Logstash can forward logs to Redis.
Official link: https://www.elastic.co/guide/en/logstash/7.6/plugins-outputs-redis.html
output {
  if [type] == 'nginx-accesslog' {
    redis {
      host => 'Redis_IP'
      port => "6379"
      password => "123456"
      db => "0"
      data_type => 'list'
      key => "nginx-accesslog"
    }
  }
}
Kafka plugin
Logstash can forward logs to Kafka.
Official link: https://www.elastic.co/guide/en/logstash/7.6/plugins-outputs-kafka.html
output {
  #stdout {}
  if [type] == 'nginx-accesslog' {
    kafka {
      bootstrap_servers => '10.0.0.201:9092,10.0.0.202:9092,10.0.0.203:9092'
      topic_id => 'nginx-accesslog'
      codec => 'json' #required when the events are JSON, so the fields are kept
    }
  }
  if [type] == 'nginx-errorlog' {
    kafka {
      bootstrap_servers => 'Kafka_IP1:9092,Kafka_IP2:9092,Kafka_IP3:9092'
      topic_id => 'nginx-errorlog'
      codec => 'json' #the json codec is also needed to keep fields Logstash added, such as type; otherwise they are lost
    }
  }
}
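The redis output above (and a kafka output using SASL) keeps the credential as a literal in the pipeline file. As an added example that is not part of the original page or the Logstash project, the shell functions below (names are my own; the sample pipeline files are constructed) flag such lines and show the keystore-based alternative.

```shell
# Added example, not from the page or the Logstash project: the redis and
# kafka outputs above embed credentials as literals (password => "123456").
# find_literal_secrets flags such lines so they can be moved into the
# Logstash keystore; the sample pipelines below are constructed for the run.

# Prints file:line:text for every password/api_key/sasl_jaas_config option
# whose value is a quoted literal rather than a ${VAR} reference.
# Exit status 0 when at least one was found (grep's own status).
find_literal_secrets() {
    grep -nHE "^[[:space:]]*(password|api_key|sasl_jaas_config)[[:space:]]*=>[[:space:]]*[\"'][^\$]" "$1"/*.conf
}

# Remediation for a hit (commands of the real logstash-keystore tool; the deb
# install keeps its settings in /etc/logstash, hence --path.settings):
#   /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create
#   /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add REDIS_PASSWORD
# and in the pipeline file:   password => "${REDIS_PASSWORD}"
# Logstash resolves ${REDIS_PASSWORD} from the keystore (or the environment)
# at startup, so the secret no longer sits in plain text under conf.d.

# Writes two constructed pipelines into DIR: one with a literal password,
# one already converted to a keystore reference.
write_sample_pipelines() {
    cat > "$1/redis_plain.conf" <<'EOF'
output {
  redis {
    host => "10.0.0.1"
    password => "123456"
    data_type => "list"
    key => "nginx-accesslog"
  }
}
EOF
    cat > "$1/redis_keystore.conf" <<'EOF'
output {
  redis {
    host => "10.0.0.1"
    password => "${REDIS_PASSWORD}"
    data_type => "list"
    key => "nginx-accesslog"
  }
}
EOF
}
```

Run `find_literal_secrets /etc/logstash/conf.d` on a real host; only the plain-text file is reported, the keystore reference passes.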