重慶分公司
重慶分公司
Shipper->Broker->Indexer->ES
1.input
input { stdin {} }
output {
stdout { codec=> rubydebug }
}
file {
codec => multiline {
pattern => "^\s"
what => "previous"
}
path => ["xx","xx"]
exclude => "1.log"
add_field => [ "log_ip", "xx" ]
tags => "tag1"
#設(shè)置新事件的標(biāo)志
delimiter => "\n"
#設(shè)置多長時(shí)間掃描目錄,發(fā)現(xiàn)新文件
discover_interval => 15
#設(shè)置多長時(shí)間檢測文件是否修改
stat_interval => 1
#監(jiān)聽文件的起始位置,默認(rèn)是end
start_position => beginning
#監(jiān)聽文件讀取信息記錄的位置
sincedb_path => "E:/software/logstash-1.5.4/logstash-1.5.4/test.txt"
#設(shè)置多長時(shí)間會寫入讀取的位置信息
sincedb_write_interval => 15
}
2.filter
filter {
multiline {
# 指定合并規(guī)則——所有不是以數(shù)字開頭的行需要被合并
pattern => "^[^\d]"
# 合并到哪里——上一行
what => "previous"
}
filter {
multiline {
type => "type" #類型,不多說
pattern => "pattern, a regexp" #參數(shù),也可以認(rèn)為是字符,有點(diǎn)像grep ,如果符合什么字符就交給下面的 what 去處理
negate => boolean
what => "previous" or "next" #這個(gè)是符合上面 pattern 的要求后具體怎么處理,處理方法有兩種,合并到上面一條日志或者下面的日志
}
}
filter {
grep {
match => [ "@message", "PHP Fatal error" ]
drop => false
add_tag => [fatal_error]
}
grep {
tags => [fatal_error]
match => [ "@message", ".*(xbox\.com|xbox\.mib\.com\.cn|supports\.game\.mib\.com\.cn)" ]
drop => false
add_tag => [xboxerror]
}
}
#過濾掉內(nèi)容包含5.3.3與down以外日志
filter {
if [message] !~ "5.3.3|down" {
ruby {
code => "event.cancel"
}
}
}
#使用自帶的過濾規(guī)則顯示更多的字段
filter {
grok {
match => {"message" => "%{COMBINEDAPACHELOG}"}
}
}
#合并不是以[開頭的日志
filter {
multiline {
pattern => "^[^[]"
negate => true
what => "previous"
}
}
filter {
if [path] =~ "error" {
mutate { replace => { "type" => "apache_error" } }
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}
filter {
if [path] =~ "access" {
mutate { replace => { type => "apache_access" } }
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
} else if [path] =~ "error" {
mutate { replace => { type => "apache_error" } }
} else {
mutate { replace => { type => "random_logs" } }
}
}
3.output
發(fā)郵件
output {
email {
match => [ "@message", "aaaaa" ]
to => "storyskya@gmail.com"
from => "monitor@mib.com.cn"
options => [ "smtpIporHost", "smtp.mibnet.com",
"port", "25",
"userName", "monitor@mib.com.cn",
"starttls", "true",
"password", "opmonitor",
"authenticationType", "login"
]
subject => "123"
body => '123'
via => smtp
}
}
output {
if [type] == "syslog" {
elasticsearch {
hosts => "172.16.0.102:9200"
index => "syslog-%{+YYYY.MM.dd}"
}
}
if [type] == "nginx" {
elasticsearch {
hosts => "172.16.0.102:9200"
index => "nglog-%{+YYYY.MM.dd}"
}
}
#匹配內(nèi)容包含paramiko與simplejson的日志通郵件發(fā)送
if [message] =~ /paramiko|simplejson/ {
email {
to => "12222222@wo.cn"
from => "good_zabbix@163.com"
contenttype => "text/plain; charset=UTF-8"
address => "smtp.163.com"
username => "test@163.com"
password => "12344"
subject => " "%{@timestamp} %{type}: %{message}"
}
}
}
output {
stdout { codec => rubydebug }
redis {
host => '192.168.1.104'
data_type => 'list'
key => 'logstash:redis'
}
}
output {
elasticsearch { host => localhost }
stdout { codec => rubydebug }
}
替換
mutate {
type => "phplog"
gsub => [ "@message","'", "\"" ]
}
調(diào)試
# /usr/local/logstash-1.5.2/bin/logstash -e 'input { stdin { } } output { stdout {} }'
curl '
logstash -e 'input{stdin{}}output{stdout{codec=>rubydebug}}'# logstash agent -f logstash-simple.conf --verbose //開啟debug模式
