[Get nèng - Logstash] Beginners (2) - Using Logstash to parse Apache web logs (collecting the data with Filebeat)

This series of blog posts covers learning and applying Logstash; some of the examples come from the official documentation.
References:
Official documentation
Parsing logs with Logstash

I. Introduction

This example comes from the official website. In this section you create a Logstash pipeline that uses Filebeat to take Apache web logs as input, parses the logs to create specific named fields from them, and writes the parsed data to an Elasticsearch cluster.

II. Implementation

2.1 Download and install

Download: portal
Just unzip the archive (JDK 8 must be installed).

2.2 Configure the Filebeat input

1. Prepare the log file
Download: Here
Unpack it to the E:\technology\elk\beat\ directory (any directory works).

2. Install Filebeat
The default Logstash installation includes the Beats input plugin. The Beats input plugin lets Logstash receive events from the Elastic Beats framework.

  • Downloading and installing is very simple: download the zip package and extract it. Download: Portal

  • Modify filebeat.yml: after unpacking, replace its contents with the following lines. Make sure that paths points to the example Apache log file logstash-tutorial.log you downloaded earlier.

filebeat.prospectors:
- type: log
  paths:
    - E:\technology\elk\beat\logstash-tutorial.log\*
output.logstash:
  hosts: ["localhost:5044"]

hosts: Filebeat will attempt to connect on port 5044.
paths: the absolute path of the file(s) that Filebeat processes.

  • Run Filebeat. Start Logstash first and Filebeat afterwards; otherwise Filebeat reports that it cannot connect to port 5044.
./filebeat -e -c filebeat.yml -d "publish"

2.3 Configure Logstash

1. Write the Logstash configuration file
Create the configuration file filebeat_std.conf in logstash-6.0.0\bin (any directory works; you give its path when starting Logstash).
filebeat_std.conf

input {
    beats {
        port => "5044"
    }
}
output {
    stdout { codec => rubydebug }
}

2. Start Logstash
cd to the Logstash root directory and run the start command (on Windows, open a terminal with cmd):

cd logstash-6.0.0
bin/logstash -f filebeat_std.conf
  • -e specifies the pipeline configuration directly on the command line at startup
  • -f starts Logstash with a configuration file
  • --config.test_and_exit parses the configuration file and reports any errors
  • --config.reload.automatic reloads the configuration automatically, so you do not have to stop and restart Logstash every time you modify the configuration file

3. Test
When Filebeat starts successfully it displays the following:
[Screenshot: Filebeat startup output]

The Logstash terminal displays:
[Screenshot: Logstash rubydebug output]

2.3 Parsing the web log with the Grok filter plugin

We can see that each line of data is stored in the message field. To split it further, that is, to parse the log messages into specific named fields, you need the Grok filter plugin.
1. Write the Logstash configuration file
Edit filebeat_std.conf and add a filter section:
filebeat_std.conf

input {
    beats {
        port => "5044"
    }
}
filter {
    grok {
        match => { "message" => "%{COMBINEDAPACHELOG}"}
    }
}
output {
    stdout { codec => rubydebug }
}

2. Start Logstash
The output is shown below:
[Screenshot: Logstash output with the fields parsed by COMBINEDAPACHELOG]

2.4 Enriching the data with the Geoip filter plugin

Besides parsing log data for better searching, filter plugins can also derive supplementary information from data that already exists in the event. The geoip filter below does this for the clientip field that Grok extracted:

input {
    beats {
        port => "5044"
    }
}
filter {
    grok {
        match => { "message" => "%{COMBINEDAPACHELOG}"}
    }
    geoip {
        source => "clientip"
    }
}
output {
    stdout { codec => rubydebug }
}

Restart Logstash and Filebeat; the output is shown below.
(You need to edit the log file again first; otherwise Filebeat will not re-read it, because it has already read it once.)
[Screenshot: Logstash output with the geoip field]
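To make the two filter steps above concrete, the following Python script is an added example (not code from the original post and not Logstash's own implementation). It applies a hand-written regex equivalent of the %{COMBINEDAPACHELOG} grok pattern to some constructed Apache access-log lines, produces the same field names Grok does, tags lines that do not match with _grokparsefailure the way the grok filter does, and then checks whether each clientip is one that the geoip filter can actually look up: private, loopback and documentation ranges are not in GeoLite2-style databases, so Logstash tags those events with _geoip_lookup_failure instead of adding a geoip field (a common surprise when the tutorial runs against an internal network). No GeoIP database lookup is performed; the sample lines, the IP addresses and the final per-client error count are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Regex equivalent of Logstash's %{COMBINEDAPACHELOG} grok pattern, using the
# same field names Grok assigns (clientip, ident, auth, timestamp, verb,
# request, httpversion, rawrequest, response, bytes, referrer, agent).
# Grok's %{QS} captures keep the surrounding quotes; here they are stripped.
COMBINEDAPACHELOG = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?:(?P<verb>[A-Z]+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?'
    r'|(?P<rawrequest>[^"]*))" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

GROK_FAIL_TAG = "_grokparsefailure"       # grok filter default tag_on_failure
GEOIP_FAIL_TAG = "_geoip_lookup_failure"  # geoip filter default tag_on_failure


def grok_apache(line):
    """Turn one raw line into an event dict the way the grok filter would.

    On success the original message stays and the named captures are added.
    On failure Logstash keeps the event and tags it; the same is done here.
    """
    event = {"message": line}
    m = COMBINEDAPACHELOG.match(line)
    if not m:
        event["tags"] = [GROK_FAIL_TAG]
        return event
    # Grok leaves every capture as a string (no type conversion unless you
    # ask for it), so `response` is compared as text further down.
    for name, value in m.groupdict().items():
        if value is not None:
            event[name] = value
    return event


def geoip_status(clientip):
    """Predict whether the geoip filter can look up this address.

    Private (RFC 1918), loopback and RFC 5737 documentation ranges are not in
    GeoLite2-style databases, so the lookup fails and the event is tagged.
    This only checks eligibility; no database lookup is performed.
    """
    try:
        addr = ipaddress.ip_address(clientip)
    except ValueError:
        return GEOIP_FAIL_TAG
    return "lookup" if addr.is_global else GEOIP_FAIL_TAG


def process(lines):
    """Run the grok step, then the geoip eligibility step, over raw lines."""
    events = []
    for line in lines:
        event = grok_apache(line)
        if "clientip" in event and geoip_status(event["clientip"]) == GEOIP_FAIL_TAG:
            event.setdefault("tags", []).append(GEOIP_FAIL_TAG)
        events.append(event)
    return events


def error_hits_per_client(events):
    """Count 4xx/5xx responses per client IP using the parsed fields."""
    counts = Counter()
    for e in events:
        if "response" in e and e["response"][0] in "45":
            counts[e["clientip"]] += 1
    return dict(counts)


# Constructed sample lines (not taken from logstash-tutorial.log). 10.0.0.5 is
# RFC 1918 space and 203.0.113.0/24 is documentation space, so neither can be
# geolocated; the last line is deliberately not an access-log entry.
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Feb/2020:14:02:11 +0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.45 - alice [10/Feb/2020:14:02:12 +0800] "GET /admin/ HTTP/1.1" 404 208 "-" "curl/7.68.0"',
    '203.0.113.45 - alice [10/Feb/2020:14:02:13 +0800] "POST /login HTTP/1.1" 403 0 "http://example.invalid/" "curl/7.68.0"',
    'this line is not an Apache access log entry',
]

if __name__ == "__main__":
    events = process(SAMPLE_LINES)
    for ev in events:
        print(ev)
    print(error_hits_per_client(events))
```

The per-client error count at the end is the kind of question the named fields make answerable once the events reach Elasticsearch; with only the raw message field it would need a regex at query time. If you run the Logstash tutorial from a laptop or an internal network, expect _geoip_lookup_failure on every event for the same reason the script flags the two sample addresses.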

2.5 Output to Elasticsearch

Modify filebeat_std.conf

input {
    beats {
        port => "5044"
    }
}
filter {
    grok {
        match => { "message" => "%{COMBINEDAPACHELOG}"}
    }
    geoip {
        source => "clientip"
    }
}
output {
    elasticsearch {
        hosts => [ "localhost:9200" ]
    }
}

Source address

CLOUD-LOGSTASH-IT: Logstash tutorial source code, for this CSDN Logstash blog series.


Recommended projects

CLOUD-IT: IT service management platform, integrating basic services, middleware services and alarm/monitoring services.
CLOUD-ACTIVITI6-IT: Activiti tutorial source code, for this CSDN Activiti blog series.
CLOUD-elasticsearch-IT: Elasticsearch tutorial source code, for this CSDN Elasticsearch blog series.
CLOUD-KAFKA-IT: Spring integration with Kafka tutorial source code, for this CSDN Kafka blog series.
CLOUD-KAFKA-CLIENT-IT: Kafka client tutorial source code, for this CSDN Kafka blog series.

Open-source projects, continuously updated; please give them a Star if you like them.


Source: blog.csdn.net/yy756127197/article/details/104247036