vim syslog.conf
input {
  syslog {
    type => "system-syslog"
    host => "192.168.56.11"
    port => "514"
  }
}
output {
  stdout {
    codec => "rubydebug"
  }
}
/opt/logstash/bin/logstash -f syslog.conf
This input block opens port 514 on the local machine (192.168.56.11) and listens on it; the syslog input binds both TCP and UDP on that port. Because 514 is a privileged port, Logstash has to run as root (or be granted CAP_NET_BIND_SERVICE) to bind it, otherwise it fails at startup. Received events are printed to stdout with the rubydebug codec so you can see how the syslog input has parsed each line (priority, timestamp, host, program, message).
vim /etc/rsyslog.conf
Append the following as the last line:
*.* @@192.168.56.11:514 This forwards every log message handled by the rsyslog process on this host to port 514 on 192.168.56.11. The double @@ means TCP; a single @ would send over UDP. Both forms are plaintext, so keep this on a trusted network segment.
systemctl restart rsyslog
Next, add the syslog input to the combined config, all.conf:
vim logstash_nginx.conf
input {
  syslog {
    type => "system-syslog"
    host => "192.168.56.11"
    port => "514"
  }
  file {
    path => "/var/log/messages"
    type => "system"
    start_position => "beginning"
  }
  file {
    path => "/var/log/nginx/access_json.log"
    codec => "json"
    start_position => "beginning"
    type => "nginx-log"
  }
  file {
    path => "/var/log/elasticsearch/kye.log"
    type => "es-error"
    start_position => "beginning"
    codec => multiline {
      pattern => "^\["
      negate => "true"
      what => "previous"
    }
  }
}
output {
  if [type] == "system" {
    elasticsearch {
      hosts => ["192.168.56.11:9200"]
      index => "system-%{+YYYY.MM.dd}"
    }
  }
  if [type] == "es-error" {
    elasticsearch {
      hosts => ["192.168.56.11:9200"]
      index => "es-error-%{+YYYY.MM.dd}"
    }
  }
  if [type] == "nginx-log" {
    elasticsearch {
      hosts => ["192.168.56.11:9200"]
      index => "nginx-log-%{+YYYY.MM.dd}"
    }
  }
  # The type here must match the input exactly ("system-syslog"); a typo such as
  # "system-sysylog" matches nothing, and since there is no else branch the
  # syslog events would be silently dropped instead of indexed.
  if [type] == "system-syslog" {
    elasticsearch {
      hosts => ["192.168.56.11:9200"]
      index => "system-syslog-%{+YYYY.MM.dd}"
    }
  }
}
/opt/logstash/bin/logstash -f all.conf
Wrote a few "hehe" test messages into the system log by hand;
they show up in Kibana.
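To make the forwarding and routing above concrete, here is an added example (not code from the original page, and not Logstash's own implementation): a small Python model of what happens between `*.* @@host:514` and the `if [type] == ...` output chain. It splits a newline-framed TCP stream the way rsyslog sends it, parses the RFC 3164 `<PRI>timestamp host program[pid]: message` form into the fields the syslog input produces (facility and severity from PRI, program, pid), and then routes each event to a daily index name. The sample stream, the hostname `node1`, the year used for the year-less syslog timestamp, and the facility labels are all constructed assumptions; the routing table reproduces the output block of all.conf, once with the `system-sysylog` typo and once corrected, to show that a mistyped type drops every syslog event without any error.

```python
import re
from datetime import datetime
from typing import Optional

# Severity and facility names derived from PRI, as RFC 3164 / rsyslog label them
# (assumed labels; Logstash's syslog input uses slightly different wording).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
               "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
              + [f"local{i}" for i in range(8)])

# BSD syslog line as rsyslog forwards it: <PRI>Mmm dd hh:mm:ss host program[pid]: message
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                  # PRI = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "   # e.g. "Mar  5 10:21:07"
    r"(?P<host>\S+) "
    r"(?P<program>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?"        # e.g. "sshd[1234]: "
    r"(?P<message>.*)$"
)


def split_tcp_frames(buf: bytes) -> tuple[list[str], bytes]:
    """@@host:port sends over TCP, one message per line (LF framed).
    Return the complete lines and the unterminated tail to keep for the next read."""
    *lines, rest = buf.split(b"\n")
    return [line.decode("utf-8", "replace") for line in lines if line], rest


def parse_syslog(line: str, year: int = 2024, event_type: str = "system-syslog") -> Optional[dict]:
    """Roughly what the Logstash syslog input does with one line. RFC 3164 timestamps
    carry no year, so one is assumed (Logstash uses the current year)."""
    m = RFC3164.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                      # 23 facilities * 8 + 7 is the largest valid PRI
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {
        "type": event_type,            # the input's type => "system-syslog"
        "@timestamp": ts,
        "facility_label": FACILITIES[pri // 8],
        "severity_label": SEVERITIES[pri % 8],
        "logsource": m["host"],
        "program": m["program"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["message"],
    }


DATE_PATTERN = "%{+YYYY.MM.dd}"

# The output block of all.conf as a (type, index) table; last entry carries the typo.
ROUTES_AS_WRITTEN = [
    ("system", "system-" + DATE_PATTERN),
    ("es-error", "es-error-" + DATE_PATTERN),
    ("nginx-log", "nginx-log-" + DATE_PATTERN),
    ("system-sysylog", "system-syslog-" + DATE_PATTERN),
]
ROUTES_FIXED = ROUTES_AS_WRITTEN[:3] + [("system-syslog", "system-syslog-" + DATE_PATTERN)]


def index_for(event: dict, routes: list[tuple[str, str]]) -> Optional[str]:
    """Mimic a chain of `if [type] == ...` with no else: an event whose type matches
    no branch is sent nowhere, i.e. silently dropped."""
    for event_type, index in routes:
        if event["type"] == event_type:
            return index.replace(DATE_PATTERN, event["@timestamp"].strftime("%Y.%m.%d"))
    return None


# Constructed sample stream: what rsyslog would forward for `logger hehe`, an sshd
# login and a kernel message, plus a partial line still in flight.
SAMPLE_STREAM = (
    b"<13>Mar  5 10:21:07 node1 root: hehe\n"
    b"<86>Mar  5 10:21:09 node1 sshd[1234]: Accepted publickey for ops from 192.168.56.12 port 51234 ssh2\n"
    b"<4>Mar  5 10:21:10 node1 kernel: nf_conntrack: table full, dropping packet\n"
    b"<13>Mar  5 10:21:11 node1 root: partial line still in fli"
)


def process(buf: bytes, routes: list[tuple[str, str]]):
    """Frame, parse and route a received buffer; returns (program, severity, message, index)
    per complete event and the bytes to carry over to the next read."""
    lines, rest = split_tcp_frames(buf)
    out = []
    for line in lines:
        ev = parse_syslog(line)
        if ev:
            out.append((ev["program"], ev["severity_label"], ev["message"], index_for(ev, routes)))
    return out, rest


if __name__ == "__main__":
    for routes, label in ((ROUTES_AS_WRITTEN, "output block as written"), (ROUTES_FIXED, "output block fixed")):
        events, rest = process(SAMPLE_STREAM, routes)
        print(label)
        for event in events:
            print("  ", event)
        print("   carried over:", rest)
```

Running it shows the three "hehe"/sshd/kernel events landing in `system-syslog-2024.03.05` with the corrected type, and `None` (dropped) for all of them with the typo, which is exactly the symptom of a config whose only visible effect is an empty Kibana index pattern.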