Getting Started with Logstash Syntax

1. The basic syntax of Logstash

Much of what makes Logstash powerful and popular is its rich set of filter plug-ins. Filters do more than filtering: they apply complex processing logic to the raw data entering the filter stage, and can even add new events that flow on into the subsequent stages.

A Logstash configuration file consists of the following three parts. The input and output parts are mandatory; the filter part is optional. The filter part holds the filter plug-ins, which implement the various log filtering and processing functions.

input {
    # input plug-ins
}
filter {
    # filter and matching plug-ins
}
output {
    # output plug-ins
}

2. Logstash input plug-in (Input)

1. Read the file (File)

Logstash uses a Ruby gem called filewatch to monitor file changes, and it records the reading progress (the byte offset and a timestamp) of each monitored log file in a database file called .sincedb. The default location of the sincedb file is <path.data>/plugins/inputs/file, with a file name similar to .sincedb_452905a167cf4509fd08acb964fdb20c, where <path.data> is the Logstash data directory, which defaults to LOGSTASH_HOME/data. On restart, the file input resumes from the offset stored there instead of re-reading the whole file, so the sincedb file must live in a persistent, writable location.

Take a look at the following event configuration file:

input {
    file {
        path => ["/var/log/messages"]
        type => "system"
        start_position => "beginning"
    }
}
output {
    stdout{
        codec=>rub
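A complete pipeline of the shape described above (file input, a filter stage, stdout output), as an added example that is not from the original post. The log path, the sincedb_path under /var/lib/logstash and the syslog line format it expects ("Jan  1 00:00:00 host program[pid]: message") are assumptions; all option names are standard Logstash plug-in options.

```logstash
# Added example, not from the original post. Paths are assumptions.
input {
  file {
    # Files to tail; glob patterns such as /var/log/*.log are also accepted.
    path => ["/var/log/messages"]
    type => "system"
    # "beginning" is honoured only for files that have no sincedb entry yet;
    # once an offset is recorded, Logstash resumes from that offset on restart.
    start_position => "beginning"
    # Pin the sincedb file to a known, persistent location (assumed path)
    # instead of the default under <path.data>/plugins/inputs/file.
    sincedb_path => "/var/lib/logstash/sincedb_messages"
    # How often (seconds) the current read offset is flushed to the sincedb file.
    sincedb_write_interval => 15
    # Ignore files not modified for more than a day, e.g. old rotated logs.
    ignore_older => 86400
  }
}

filter {
  if [type] == "system" {
    # Split the classic syslog line into named fields.
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
    # Use the time inside the log line as the event timestamp rather than the
    # time Logstash read it, so events replayed after a restart keep their order.
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
    # grok adds the _grokparsefailure tag itself when the pattern does not match.
    # Keep such events and mark them so they can be reviewed rather than lost.
    if "_grokparsefailure" in [tags] {
      mutate { add_field => { "parse_status" => "failed" } }
    } else {
      mutate { remove_field => [ "syslog_timestamp" ] }
    }
  }
}

output {
  # Pretty-print every event to the console while developing the pipeline.
  stdout {
    codec => rubydebug
  }
}
```

Save it as pipeline.conf and check it with bin/logstash -f pipeline.conf --config.test_and_exit before running it for real; the user Logstash runs as needs read access to the log file and write access to the sincedb_path directory, otherwise the input silently reads nothing or re-reads everything on every restart.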


Origin blog.csdn.net/qq_35029061/article/details/132268240