ELK: installing ELK 7 with a login password (实践哥's tutorial) and parsing nginx and httpd logs with Logstash's built-in grok patterns

ELK version 7.7 on CentOS 7. The installation tutorial is at: https://blog.csdn.net/yuezhilangniao/article/details/112691680

Two pipeline conf files. The first one handles the Tomcat logs:

input {
    # Tail catalina.out of both Tomcat instances. start_position => "beginning" only
    # matters the first time a file is seen; afterwards the sincedb offset is used.
    # Stack traces span several lines and none of them starts with "[", so fold every
    # line that does not start with "[" into the preceding event.
    file {
        path => ["/home/tomcat8/tomcat_8005/logs/catalina.out"]
        start_position => "beginning"
        codec => multiline {
            pattern => "^\["
            negate => true
            what => "previous"
        }
    }
    file {
        path => ["/home/tomcat8/tomcat_8006/logs/catalina.out"]
        start_position => "beginning"
        codec => multiline {
            pattern => "^\["
            negate => true
            what => "previous"
        }
    }
}

filter {
    # Sample line:
    # [2020-12-31 15:10:00.660][INFO][cn.com.hyundai.mms.component.ons.producer.ONSProducerHandler]消息内容:TopicMessage{Properties:{KEYS=MessageKey}messageTag='insToSaaS', receiptHandle='null'}
    # The pattern must stay on one line and must not begin with a space (the log line
    # begins with "["); otherwise every event is tagged _grokparsefailure.
    grok {
        match => { "message" => "^\[%{TIMESTAMP_ISO8601:timestamp}\]\[%{LOGLEVEL:level}\]\[%{JAVACLASS:logger}\]%{GREEDYDATA:msg}" }
    }
    # Use the time written in the log line as @timestamp rather than the ingest time
    date {
        match => ["timestamp", "yyyy-MM-dd HH:mm:ss.SSS"]
    }
}

output {
    elasticsearch {
        # Plain http: credentials and log data cross the network unencrypted unless
        # Elasticsearch is given a TLS certificate and this becomes https.
        hosts => ["http://10.69.15.56:9200"]
        user => "elastic"
        # Keep the password out of the pipeline file: store it with
        # bin/logstash-keystore add ES_PWD and reference it as "${ES_PWD}".
        password => "123456"
        index => "hml_8089_0506_catalina_out-%{+YYYY.MM.dd}"
    }
}

The second one handles the httpd access log:

input {
    file {
        path => ["/var/log/httpd/access_log"]
        start_position => "beginning"
    }
}

filter {
    # CentOS 7's stock httpd.conf writes access_log in the "combined" format: the
    # common format plus referrer and user agent. COMMONAPACHELOG still matches
    # because grok is unanchored, but it silently drops those two fields, so use
    # COMBINEDAPACHELOG. It already yields clientip, verb, request, response, bytes, ...
    grok {
        match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    # Do not add_field => [ "response", "%{NUMBER:response}" ] here: add_field takes
    # %{fieldname} event references, not grok patterns, so it would append the literal
    # text "%{NUMBER:response}" to the response field that grok has already filled.
    # Grok captures are strings; convert the numeric ones so range queries work.
    mutate {
        convert => { "response" => "integer" "bytes" => "integer" }
    }
    date {
        match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
    }
}

output {
    elasticsearch {
        hosts => ["http://10.69.15.56:9200"]
        user => "elastic"
        # Keep the password out of the pipeline file: store it with
        # bin/logstash-keystore add ES_PWD and reference it as "${ES_PWD}".
        password => "123456"
        index => "sjghttpd_access-%{+YYYY.MM.dd}"
    }
}

The built-in grok patterns for httpd are described in this article: https://blog.csdn.net/aca_jingru/article/details/44647519
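To see what the two grok patterns above actually extract before restarting Logstash, here is an added Python example (not part of the original post, and not Logstash code): a tiny grok compiler that expands %{NAME:field} references from a trimmed, slightly simplified copy of the logstash-patterns-core library (LOGLEVEL and IPORHOST are narrower than the real ones) into a Python regex, then runs it the way the grok filter does, as an unanchored search. It shows that the Tomcat pattern with a leading space never matches the sample line, that the corrected pattern does, that COMMONAPACHELOG matches a "combined" line but drops referrer and agent, and what add_field does with a grok pattern in place of a field reference. The Tomcat line is the one quoted in the page; the httpd line and the 192.0.2.10 address are constructed.

```python
import re

# Trimmed, simplified subset of the Logstash grok pattern library (constructed for this demo).
GROK = {
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?))",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "QS": r'"(?:[^"\\]|\\.)*"',
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})?",
    "ISO8601_TIMEZONE": r"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))",
    "TIMESTAMP_ISO8601": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?",
    "HTTPDATE": r"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN(?:ING)?|ERROR|FATAL|SEVERE)",  # simplified
    "JAVACLASS": r"(?:[a-zA-Z$_][a-zA-Z$_0-9]*\.)*[a-zA-Z$_][a-zA-Z$_0-9]*",
    "URIPROTO": r"[A-Za-z][A-Za-z0-9+\-.]+",
    "IPORHOST": r"(?:[0-9]{1,3}(?:\.[0-9]{1,3}){3}|[A-Za-z0-9.-]+)",  # simplified
    "HTTPDUSER": r"(?:[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+|[a-zA-Z0-9._-]+)",
    "COMMONAPACHELOG": (r'%{IPORHOST:clientip} %{HTTPDUSER:ident} %{HTTPDUSER:auth} '
                        r'\[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}'
                        r'(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" '
                        r'%{NUMBER:response} (?:%{NUMBER:bytes}|-)'),
    "COMBINEDAPACHELOG": r"%{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(pattern: str) -> "re.Pattern[str]":
    """Recursively expand %{NAME} / %{NAME:field} into one Python regex with named groups."""
    def expand(m: "re.Match[str]") -> str:
        name, field = m.group(1), m.group(2)
        body = GROK_REF.sub(expand, GROK[name])
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(GROK_REF.sub(expand, pattern))


def grok_match(pattern: str, line: str):
    """Mimic the grok filter: unanchored search; return captured fields, or None on failure."""
    m = compile_grok(pattern).search(line)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


def sprintf(template: str, event: dict) -> str:
    """Mimic Logstash sprintf as used by add_field: %{field} becomes the event value,
    an unknown reference is left as literal text (there is no grok here)."""
    return re.sub(r"%\{([^}]+)\}",
                  lambda m: str(event[m.group(1)]) if m.group(1) in event else m.group(0),
                  template)


# Tomcat line quoted in the page's filter comment
TOMCAT_LINE = ("[2020-12-31 15:10:00.660][INFO]"
               "[cn.com.hyundai.mms.component.ons.producer.ONSProducerHandler]"
               "消息内容:TopicMessage{Properties:{KEYS=MessageKey}messageTag='insToSaaS', receiptHandle='null'}")
# Constructed httpd "combined" access_log line (192.0.2.10 is a documentation address)
HTTPD_LINE = ('192.0.2.10 - - [06/May/2021:10:15:32 +0800] '
              '"GET /index.html HTTP/1.1" 200 4523 "-" "curl/7.29.0"')

# Pattern as written in the page's Tomcat pipeline: leading space, untyped captures
BROKEN_TOMCAT = r" \[%{DATA:timestamp}\]\[%{WORD:verb}\]\[%{URIPROTO:request}\]"
# Corrected pattern: anchored, typed captures, rest of the line kept as msg
FIXED_TOMCAT = (r"^\[%{TIMESTAMP_ISO8601:timestamp}\]\[%{LOGLEVEL:level}\]"
                r"\[%{JAVACLASS:logger}\]%{GREEDYDATA:msg}")

if __name__ == "__main__":
    print("broken tomcat pattern:", grok_match(BROKEN_TOMCAT, TOMCAT_LINE))
    print("fixed tomcat pattern: ", grok_match(FIXED_TOMCAT, TOMCAT_LINE))
    common = grok_match("%{COMMONAPACHELOG}", HTTPD_LINE)
    combined = grok_match("%{COMBINEDAPACHELOG}", HTTPD_LINE)
    print("fields COMMONAPACHELOG drops:", sorted(set(combined) - set(common)))
    print("add_field with a grok pattern gives:", sprintf("%{NUMBER:response}", combined))
    print("add_field with a field reference gives:", sprintf("%{response}", combined))
```

Run it as a script to see the four results; the same pattern strings can be pasted into the grok filter's match setting, since the only thing the compiler does is inline the library definitions.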


Reposted from blog.csdn.net/yuezhilangniao/article/details/112691593