Collect the system log and print it to the terminal console

Start Logstash with the configuration file:

    ./logstash -f ../config/logstash-1.conf

Contents of logstash-1.conf:

    input {
      file {
        path => ["/var/log/messages"]
        type => "system"
        start_position => "beginning"
      }
    }
    output {
      stdout { codec => rubydebug }
    }
Add custom fields to the output so that events can be identified

    input {
      stdin {
        add_field => { "key" => "iivey" }
        tags => ["add1"]
        type => "test1"
      }
    }
    output {
      stdout { codec => rubydebug }
    }
Collect rsyslog logs from a specified host

Write the Logstash configuration file and start Logstash:

    input {
      syslog {
        port => "5514"
      }
    }
    output {
      stdout { codec => rubydebug }
    }

On the source host, change the rsyslog forwarding target and restart the rsyslog service:

    vi /etc/rsyslog.conf

    # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
    #*.* @@remote-host:514
    # ### end of the forwarding rule ###
    *.* @@10.10.23.43:5514
Collect network logs over a TCP port

    input {
      tcp {
        port => "5514"
      }
    }
    filter {
      grok {
        match => { "message" => "%{SYSLOGLINE}" }
      }
    }
    output {
      stdout { codec => rubydebug }
    }
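The TCP input above hands raw lines to grok, and what the rubydebug output shows depends on whether `%{SYSLOGLINE}` matches. The following is an added illustration, not code from the page or from Logstash: a small Python emulation of that grok step, with a regex that approximates the SYSLOGLINE pattern (BSD timestamp, host, optional `program[pid]:`, message) and the `add_field`/`tags`/`type` options from the earlier configs, run over constructed sample lines. The function and sample names are assumptions.

```python
import re

# Regex approximating Logstash's SYSLOGLINE grok pattern (assumption, not the
# exact grok definition): BSD-style timestamp, host, optional "program[pid]:",
# then the free-text message.
SYSLOGLINE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>[\w.\-]+)"
    r"(?: (?P<program>[\w./\-]+)(?:\[(?P<pid>\d+)\])?:)? "
    r"(?P<message>.*)$"
)

def parse_syslog_line(line, event_type="system", add_field=None, tags=None):
    """Emulate grok { match => {"message" => "%{SYSLOGLINE}"} } plus the
    add_field / tags / type options. On a match the named captures become
    event fields (here the captured message replaces the raw line); on a
    miss the raw line is kept and a "_grokparsefailure" tag is appended,
    which is how Logstash's grok filter marks unparsed events."""
    event = {"message": line, "type": event_type, "tags": list(tags or [])}
    event.update(add_field or {})
    m = SYSLOGLINE.match(line)
    if not m:
        event["tags"].append("_grokparsefailure")
        return event
    for name, value in m.groupdict().items():
        if value is not None:
            event[name] = value
    return event

# Constructed sample lines in the shape rsyslog would forward from /var/log/messages.
SAMPLE_LINES = [
    "Mar  3 10:15:42 web01 sshd[2211]: Failed password for invalid user admin from 10.0.0.5 port 4022 ssh2",
    "Mar  3 10:15:43 web01 systemd: Started Session 5 of user root.",
    "this line is not syslog at all",
]

def parse_all(lines):
    """Parse every line with the tag "add1" from the stdin example applied."""
    return [parse_syslog_line(line, tags=["add1"]) for line in lines]

if __name__ == "__main__":
    for event in parse_all(SAMPLE_LINES):
        print(event)
```

The third sample shows why the `_grokparsefailure` tag is worth watching in the stdout output: a source that is not really sending syslog-formatted lines still produces events, just without the parsed fields.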