Detailed explanation of Elasticsearch's basic friend Logstash
Logstash is a powerful data processing tool that can realize data transmission, format processing, formatted output, and has powerful plug-in functions, which are often used for log processing.
Input
Data can be extracted from files, storage, and databases. Input has two options. One is to hand it over to Filter for filtering and pruning. The other one is given directly to Output
Filter
Ability to dynamically transform and parse data. Data information can be filtered and pruned in a customized way
Output
Providing numerous output options, you can send data where you want it, with the flexibility to unlock numerous downstream use cases.
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.0.1.rpm yum install -y ./logstash-6.0.1.rpm
vim /etc/logstash/logstash.yml path.data: /var/lib/logstash # 数据存放路径 path.config: /etc/logstash/conf.d/*.conf # 其他插件的配置文件,输入输出过滤等等 path.logs: /var/log/logstash # 日志存放路径
Logstash is a program developed based on Java and needs to run in the JVM. It can be set for the JVM by configuring jvm.options. For example, the maximum and minimum memory, garbage cleaning mechanism, etc. Here are just two of the most commonly used ones.
The memory allocation of JVM cannot be too large or too small. If it is too large, it will slow down the operating system. Too small to start.
vim /etc/logstash/jvm.options # logstash有关JVM的配置 -Xms256m # logstash最大最小使用内存 -Xmx1g
Install an httpd for testing and configure Logstash to collect Apache’s accless.log log file
yum install httpd echo "Hello world" > /var/www/html/index.html # 安装httpd,创建首页用于测试
vim /etc/logstash/conf.d/test.conf
input {
file { # 使用file作为数据输入
path => ['/var/log/httpd/access_log'] # 设定读入数据的路径
start_position => beginning # 从文件的开始处读取,end从文件末尾开始读取
}
}
output { # 设定输出的位置
stdout {
codec => rubydebug # 输出至屏幕
}
}
Logstash is a built-in command but it is not included in the environment variables, so you can only use the absolute path to use this command.
/usr/share/logstash/bin/logstash -t -f /etc/logstash/conf.d/test.conf # 测试执行配置文件,-t要在-f前面 Configuration OK # 表示测试OK
After running logstash in the current session, do not close this session. Temporarily call it Session 1, and then open a new window as Session 2
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
After starting, use the curl command in session 2 to test
curl 172.18.68.14
Then you can see the output information when you return to the previous session 1
{
"@version" => "1",
"host" => "logstash.shuaiguoxia.com",
"path" => "/var/log/httpd/access_log",
"@timestamp" => 2017-12-10T14:07:07.682Z,
"message" => "172.18.68.14 - - [10/Dec/2017:22:04:44 +0800] \"GET / HTTP/1.1\" 200 12 \"-\" \"curl/7.29.0\""
}
At this point, the simplest Logstash configuration has been completed. Here, the collected direct output is just collected without filtering or pruning.
上面的配置时Logsatsh从日志文件中抽取数据,然后输出至屏幕。那么在生产中往往是将抽取的数据过滤后输出到Elasticsearch中。下面讲解Elasticsearch结合Logstash
Logstash抽取httpd的access.log文件,然后经过过滤(结构化)之后输出给Elasticsearch Cluster,在使用Head插件就可以看到抽取到的数据。(Elasticsearch Cluster与Head插件搭建请查看前两篇文章)
配置Logstash
vim /etc/logstash/conf.d/test.conf
input {
file {
path => ['/var/log/httpd/access_log']
start_position => "beginning"
}
}
filter {
grok {
match => {
"message" => "%{COMBINEDAPACHELOG}"
}
remove_field => "message"
}
}
output {
elasticsearch {
hosts => ["http://172.18.68.11:9200","http://172.18.68.12:9200","http://172.18.68.13:9200"]
index => "logstash-%{+YYYY.MM.dd}"
action => "index"
document_type => "apache_logs"
}
}
启动Logstash
/usr/share/logstash/bin/logstash -t -f /etc/logstash/conf.d/test.conf # 测试配置文件
Configuration OK
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf # 启动Logstash
测试
每个执行10次172.18.68.14,位Logstash的地址
curl 127.0.0.1
curl 172.18.68.14
验证数据
使用浏览器访问172.18.68.11:9100(Elastisearch 安装Head地址,前面文章有讲)
选择今天的日期,就能看到一天内访问的所有数据。
监控Nginx日志
仅仅列了filter配置块,input与output参考上一个配置
filter {
grok {
match => {
"message" => "%{HTTPD_COMBINEDLOG} \"%{DATA:realclient}\""
}
remove_field => "message"
}
date {
match => ["timestamp","dd/MMM/YYYY:H:m:s Z"]
remove_field => "timestamp"
}
}
监控Tomcat
仅仅列了filter配置块,input与output参考上一个配置
filter {
grok {
match => {
"message" => "%{HTTPD_COMMONLOG}"
}
remove_field => "message"
}
date {
match => ["timestamp","dd/MMM/YYYY:H:m:s Z"]
remove_field => "timestamp"
}
}
现在已经搭建成在节点安装Logstash并发送到Elasticsearch中去,但是Logstash是基于Java开发需要运行在JVM中,所以是一个重量级采集工具,仅仅对于一个日志采集节点来说使用Logstash太过重量级,那么就可以使用一个轻量级日志收集工具Filebeat来收集日志信息,Filebeat同一交给Logstash进行过滤后再Elasticsearch。这些在接下来的文章在进行讲解,先放一张架构图吧。
The above is the detailed content of Detailed explanation of Elasticsearch's basic friend Logstash. For more information, please follow other related articles on the PHP Chinese website!
How to Use 'next' Command with Awk in Linux - Part 6May 15, 2025 am 10:43 AMIn this sixth installment of our Awk series, we will explore the next command, which is instrumental in enhancing the efficiency of your script executions by skipping redundant processing steps.What is the next Command?The next command in awk instruc
How to Efficiently Transfer Files in LinuxMay 15, 2025 am 10:42 AMTransferring files in Linux systems is a common task that every system administrator should master, especially when it comes to network transmission between local or remote systems. Linux provides two commonly used tools to accomplish this task: SCP (Secure Replication) and Rsync. Both provide a safe and convenient way to transfer files between local or remote machines. This article will explain in detail how to use SCP and Rsync commands to transfer files, including local and remote file transfers. Understand the scp (Secure Copy Protocol) in Linux scp command is a command line program used to securely copy files and directories between two hosts via SSH (Secure Shell), which means that when files are transferred over the Internet, the number of
10 Most Popular Linux Desktop Environments of All TimeMay 15, 2025 am 10:35 AMOne fascinating feature of Linux, in contrast to Windows and Mac OS X, is its support for a variety of desktop environments. This allows desktop users to select the most suitable and fitting desktop environment based on their computing requirements.A
How to Install LibreOffice 24.8 in Linux DesktopMay 15, 2025 am 10:15 AMLibreOffice stands out as a robust and open-source office suite, tailored for Linux, Windows, and Mac platforms. It boasts an array of advanced features for handling word documents, spreadsheets, presentations, drawings, calculations, and mathematica
How to Work with PDF Files Using ONLYOFFICE Docs in LinuxMay 15, 2025 am 09:58 AMLinux users who manage PDF files have a wide array of programs at their disposal. Specifically, there are numerous specialized PDF tools designed for various functions.For instance, you might opt to install a PDF viewer for reading files or a PDF edi
How to Filter Command Output Using Awk and STDINMay 15, 2025 am 09:53 AMIn the earlier segments of the Awk command series, our focus was primarily on reading input from files. However, what if you need to read input from STDIN?In Part 7 of the Awk series, we will explore several examples where you can use the output of o
Clifm - Lightning-Fast Terminal File Manager for LinuxMay 15, 2025 am 09:45 AMClifm stands out as a distinctive and incredibly swift command-line file manager, designed on the foundation of a shell-like interface. This means that users can engage with their file system using commands they are already familiar with.The choice o
How to Upgrade from Linux Mint 21.3 to Linux Mint 22May 15, 2025 am 09:44 AMIf you prefer not to perform a new installation of Linux Mint 22 Wilma, you have the option to upgrade from a previous version.In this guide, we will detail the process to upgrade from Linux Mint 21.3 (the most recent minor release of the 21.x series
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),
Atom editor mac version download
The most popular open source editor
MantisBT
Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.
ZendStudio 13.5.1 Mac
Powerful PHP integrated development environment
