1. Input
There are many kinds of input, such as stdin, file, log4j and so on. Here we focus only on the file input; next time we will look at log4j.
input {
  file {
    codec => multiline {
      pattern => "^\["
      negate => true
      what => "previous"
      charset => "UTF-8"
    }
    path => ["/usr/local/apache-tomcat-gtw/logs/catalina.*"]
    start_position => "beginning"
    discover_interval => 2
    sincedb_path => "/usr/share/logstash/conf/logstash_gateway/config/tomcat_sincedb.txt"
    sincedb_write_interval => 2
  }
}
codec uses multiline mode to split the log into events: a line that does not match ^\[ (negate => true) is appended to the previous event (what => "previous"), so stack traces stay with the log line that produced them
path the log path (glob)
start_position start reading from the beginning of the file
discover_interval scan the folder for log file changes every two seconds
sincedb_path records how far into the log has already been read
sincedb_write_interval write that read position every two seconds
2. Filter
Previously, split was mainly used in the filter to parse the log. This article mainly uses a json template for matching.
filter {
  mutate {
    gsub => [ "message", "\[", "" ]
    gsub => [ "message", "]", "" ]
    remove_field => [ "@version" ]
  }
  grok {
    patterns_dir => "/usr/share/logstash/conf/logstash_gateway/logstash-patterns"
    match => { "message" => "%{DATETIME:datetime} %{APP:app} %{LOGLEVEL:level} %{JAVACLASS:class} %{METHOD:method}" }
  }
  if [level] == 'DEBUG' {
    mutate {
      replace => ["level_code", 1000]
      convert => { "level_code" => "integer" }
    }
  }
  if [level] == 'INFO' {
    mutate {
      replace => ["level_code", 2000]
      convert => { "level_code" => "integer" }
    }
  }
  if [level] == 'WARN' {
    mutate {
      replace => ["level_code", 3000]
      convert => { "level_code" => "integer" }
    }
  }
  if [level] == 'ERROR' {
    mutate {
      replace => ["level_code", 4000]
      convert => { "level_code" => "integer" }
    }
  }
}
gsub strips the [ and ] from the message: [ is only needed as the anchor for multiline matching and carries no meaning in the log content itself.
remove_field removes unwanted fields; the @version field is added automatically by logstash and is not needed.
grok uses regular expressions to match the log.
patterns_dir the path of the custom regular expression (pattern) files
%{DATETIME:datetime} indicates that the first field matches the DATETIME pattern and is stored in the datetime field.
%{APP:app} indicates that the second field matches the APP pattern (a custom pattern) and is stored in the app field. The remaining fields follow by analogy.
This is followed by defining level_code according to the log level, so that reports can be computed on a numeric field.
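As an added illustration (not code from the article), the following Python reproduces what the multiline codec from section 1 and the filter from section 2 do to a few constructed catalina log lines: non-matching lines are folded into the previous event, [ and ] are stripped, the fields are extracted and level_code is assigned. The DATETIME, APP and METHOD patterns are not shown in the article, so the regexes below are assumed stand-ins.

```python
import re

# Constructed sample of the catalina log this article parses; the second
# event carries a two-line stack trace that the multiline codec must fold in.
SAMPLE_LOG = """\
[2024-01-15 10:00:01,123] [gateway] INFO com.example.Foo doWork - request handled
[2024-01-15 10:00:02,456] [gateway] ERROR com.example.Bar fail - boom
java.lang.RuntimeException: boom
\tat com.example.Bar.fail(Bar.java:42)
[2024-01-15 10:00:03,789] [gateway] DEBUG com.example.Foo doWork - done
"""

# The four mutate/replace branches of the article's filter.
LEVEL_CODES = {"DEBUG": 1000, "INFO": 2000, "WARN": 3000, "ERROR": 4000}

# Assumed equivalents of the custom grok patterns in patterns_dir
# (DATETIME, APP, METHOD are not given in the article; these are guesses).
EVENT_RE = re.compile(
    r"(?P<datetime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<app>\w+) "
    r"(?P<level>DEBUG|INFO|WARN|ERROR) "
    r"(?P<class>[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+) "
    r"(?P<method>\w+)"
)

def multiline_join(lines, pattern=r"^\[", negate=True):
    """Mimic codec => multiline with what => "previous": lines that do not
    match the pattern (because negate is true) are appended to the previous event."""
    events = []
    for line in lines:
        matched = re.match(pattern, line) is not None
        continuation = matched != negate  # negate=True: non-matching lines continue
        if continuation and events:
            events[-1] += "\n" + line
        else:
            events.append(line)
    return events

def parse_event(message):
    """Apply the filter: gsub away [ and ], grok the fields, set level_code.
    A message grok cannot parse is tagged _grokparsefailure, as logstash does."""
    message = message.replace("[", "").replace("]", "")
    m = EVENT_RE.match(message)
    if not m:
        return {"message": message, "tags": ["_grokparsefailure"]}
    event = m.groupdict()
    event["message"] = message
    event["level_code"] = LEVEL_CODES[event["level"]]
    return event

def process(log_text):
    """Run the whole pipeline over raw log text and return the event dicts."""
    return [parse_event(e) for e in multiline_join(log_text.splitlines())]
```

Running process(SAMPLE_LOG) yields three events, the ERROR one carrying its stack trace in message and level_code 4000.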
3. Output
Output to ES and to the console respectively.
output {
  elasticsearch {
    hosts => ["192.168.3.140"]
    index => "gateway"
    template => '/usr/share/logstash/conf/logstash_gateway/template/logstash-gateway.json'
    template_name => 'logstash-gateway'
    template_overwrite => true
    flush_size => 20000
    idle_flush_time => 10
  }
  stdout {
    # a plugin block takes a single codec; use plain { charset => "UTF-8" } instead if raw text is wanted
    codec => rubydebug
  }
}
hosts the Elasticsearch address
index the index name
template the template file
template_name the template name in the template file
template_overwrite set to true so the template in ES is updated when the template file changes
flush_size write to the index every 20000 events
idle_flush_time if 20000 events have not accumulated within 10s, write to the index anyway