1.从官网下载安装包,并通过Xftp5上传到机器集群上
下载logstash-6.2.3.tar.gz版本,并通过Xftp5上传到hadoop机器集群的第一个节点node1上的/opt/uploads/目录:
2、解压logstash-6.2.3.tar.gz,并把解压的安装包移动到/opt/app/目录上
tar zxvf logstash-6.2.3.tar.gz
mv logstash-6.2.3 /opt/app/ && cd /opt/app/
3、修改环境变量,编辑/etc/profile,并生效环境变量,输入如下命令:
sudo vi /etc/profile
添加如下内容:
export LOGSTASH_HOME=/opt/app/logstash-6.2.3
export PATH=:PATH:PATH:LOGSTASH_HOME/bin
使环境变量生效:source /etc/profile
4、配置文件类型
4.1 log-kafka配置文件
输入源为nginx的日志文件,输出源为kafka
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
input
{
file
{
path
=
>
"/var/logs/nginx/*.log"
discover_interval
=
>
5
start_position
=
>
"beginning"
}
}
output {
kafka {
topic_id
=
>
"accesslog"
codec
=
> plain {
format
=
>
"%{message}"
charset
=
>
"UTF-8"
}
bootstrap_servers
=
>
"hadoop1:9092,hadoop2:9092,hadoop3:9092"
}
}
|
4.2 file-kafka配置文件
输入源为txt文件,输出源为kafka
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
input
{
file
{
codec
=
> plain {
charset
=
>
"GB2312"
}
path
=
>
"D:/GameLog/BaseDir/*/*.txt"
discover_interval
=
>
30
start_position
=
>
"beginning"
}
}
output {
kafka {
topic_id
=
>
"gamelog"
codec
=
> plain {
format
=
>
"%{message}"
charset
=
>
"GB2312"
}
bootstrap_servers
=
>
"hadoop1:9092,hadoop2:9092,hadoop3:9092"
}
}
|
4.3 log-elasticsearch配置文件
输入源为nginx的日志文件,输出源为elasticsearch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
input
{
file
{
type
=
>
"flow"
path
=
>
"var/logs/nginx/*.log"
discover_interval
=
>
5
start_position
=
>
"beginning"
}
}
output {
if
[
type
]
=
=
"flow"
{
elasticsearch {
index
=
>
"flow-%{+YYYY.MM.dd}"
hosts
=
> [
"hadoop1:9200"
,
"hadoop2:9200"
,
"hadoop3:9200"
]
}
}
}
|
4.4 kafka-elasticsearch配置文件
输入源为kafka的accesslog和gamelog主题,并在中间分别针对accesslog和gamelog进行过滤,输出源为elasticsearch。当input里面有多个kafka输入源时,client_id => "es*"必须添加且需要不同,否则会报错javax.management.InstanceAlreadyExistsException: kafka.consumer:type=app-info,id=logstash-0。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
|
input
{
kafka {
type
=
>
"accesslog"
codec
=
>
"plain"
auto_offset_reset
=
>
"earliest"
client_id
=
>
"es1"
group_id
=
>
"es1"
topics
=
> [
"accesslog"
]
bootstrap_servers
=
>
"hadoop1:9092,hadoop2:9092,hadoop3:9092"
}
kafka {
type
=
>
"gamelog"
codec
=
>
"plain"
auto_offset_reset
=
>
"earliest"
client_id
=
>
"es2"
group_id
=
>
"es2"
topics
=
> [
"gamelog"
]
bootstrap_servers
=
>
"hadoop1:9092,hadoop2:9092,hadoop3:9092"
}
}
filter
{
if
[
type
]
=
=
"accesslog"
{
json {
source
=
>
"message"
remove_field
=
> [
"message"
]
target
=
>
"access"
}
}
if
[
type
]
=
=
"gamelog"
{
mutate {
split
=
> {
"message"
=
>
" "
}
add_field
=
> {
"event_type"
=
>
"%{message[3]}"
"current_map"
=
>
"%{message[4]}"
"current_x"
=
>
"%{message[5]}"
"current_y"
=
>
"%{message[6]}"
"user"
=
>
"%{message[7]}"
"item"
=
>
"%{message[8]}"
"item_id"
=
>
"%{message[9]}"
"current_time"
=
>
"%{message[12]}"
}
remove_field
=
> [
"message"
]
}
}
}
output {
if
[
type
]
=
=
"accesslog"
{
elasticsearch {
index
=
>
"accesslog"
codec
=
>
"json"
hosts
=
> [
"hadoop1:9200"
,
"hadoop2:9200"
,
"hadoop3:9200"
]
}
}
if
[
type
]
=
=
"gamelog"
{
elasticsearch {
index
=
>
"gamelog"
codec
=
> plain {
charset
=
>
"UTF-16BE"
}
hosts
=
> [
"hadoop1:9200"
,
"hadoop2:9200"
,
"hadoop3:9200"
]
}
}
}
|
注:UTF-16BE为解决中文乱码,而不是UTF-8
5、logstash启动
logstash -f /opt/app/logstash-6.2.3/conf/flow-kafka.conf
6、logstash遇到的问题
1) 在使用logstash采集日志时,如果我们采用file为input类型,采用不能反复对一份文件进行测试!第一次会成功,之后就会失败!
参考资料:
https://blog.csdn.net/lvyuan1234/article/details/78653324