ELK es+logstash
ELK
运维人员需要对系统和业务日志进行精准把控,便于分析系统和业务状态。日志分布在不同的服务器
上,传统的使用传统的方法依次登录每台服务器查看日志,既繁琐又效率低下。所以我们需要集中化的
日志管理工具将位于不同服务器上的日志收集到一起, 然后进行分析,展示。
前面我们学习过rsyslog,它就可以实现集中化的日志管理,可是rsyslog集中后的日志实现统计与检索又
成了一个问题。使用wc, grep, awk等相关命令可以实现统计与检索,但如果要求更高的场景,这些命令
也会力不从心。所以我们需要一套专业的日志收集分析展示系统。
认识ELK
ELK是一套开源的日志分析系统,由elasticsearch+logstash+Kibana组成。
官网说明:https://www.elastic.co/cn/products
首先: 先一句话简单了解E,L,K这三个软件
elasticsearch: 分布式搜索引擎
logstash: 日志收集与过滤,输出给elasticsearch
Kibana: 图形化展示
elk下载地址:https://www.elastic.co/cn/downloads
elasticsearch
elasticsearch简介
elasticsearch部署
Elasticsearch(简称ES)是一个开源的分布式搜索引擎,Elasticsearch还是一个分布式文档数据库。所以它
提供了大量数据的存储功能,快速的搜索与分析功能。
提到搜索,大家肯定就想到了百度,谷歌,必应等。当然也有如下的搜索场景。
第1步: 在elasticsearch服务器上(我这里为es1),确认jdk(使用系统自带的openjdk就OK)
[root@es1 ~]# java -version
openjdk version "1.8.0_181"
OpenJDK Runtime Environment (build 1.8.0_181-b13)
OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)第2步: es的安装,配置
[root@es1 ~]# ls
anaconda-ks.cfg elasticsearch-6.5.2.rpm initial-setup-ks.cfg 公共 模板 视频 图片 文档 下载 音乐 桌面
[root@es1 ~]# rpm -ivh elasticsearch-6.5.2.rpm
警告:elasticsearch-6.5.2.rpm: 头V4 RSA/SHA512 Signature, 密钥 ID d88e42b4: NOKEY
准备中... ################################# [100%]
Creating elasticsearch group... OK
Creating elasticsearch user... OK
正在升级/安装...1:elasticsearch-0:6.5.2-1 ################################# [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemdsudo systemctl daemon-reloadsudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executingsudo systemctl start elasticsearch.service
Created elasticsearch keystore in /etc/elasticsearch第3步: 单机es的配置与服务启动
[root@es1 ~]# vim /etc/elasticsearch/elasticsearch.yml
cluster.name: elk-cluster //可以自定义一个集群名称,不配置的话默认会取名为elasticsearch
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0 //打开注释,并修改为监听所有
http.port: 9200 //打开注释,监听端口9200
[root@es1 ~]# systemctl daemon-reload
[root@es1 ~]# systemctl enable elasticsearch.service
Created symlink from /etc/systemd/system/multi-user.target.wants/elasticsearch.service to /usr/lib/systemd/system/elasticsearch.service.
[root@es1 ~]# systemctl start elasticsearch.service
启动有点慢和卡,稍等1分钟左右,查看到以下端口则表示启动OK
[root@es1 ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:111 *:*
LISTEN 0 128 *:6000 *:*
LISTEN 0 5 192.168.122.1:53 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 127.0.0.1:631 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 127.0.0.1:6010 *:*
LISTEN 0 128 :::111 :::*
LISTEN 0 128 :::9200 :::*
LISTEN 0 128 :::6000 :::*
LISTEN 0 128 :::9300 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 ::1:631 :::*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 128 ::1:6010 :::*
9200则是数据传输端口
9300端口是集群通信端口(我们暂时还没有配置集群,现在是单点elasticsearch)
第4步: 查看状态
使用curl命令或浏览器访问http://192.168.110.10:9200/_cluster/health?pretty地址(IP为ES服务器IP)
[root@es1 ~]# curl http://192.168.110.10:9200/_cluster/health?pretty
{"cluster_name" : "elk-cluster","status" : "green","timed_out" : false,"number_of_nodes" : 1,"number_of_data_nodes" : 1,"active_primary_shards" : 0,"active_shards" : 0,"relocating_shards" : 0,"initializing_shards" : 0,"unassigned_shards" : 0,"delayed_unassigned_shards" : 0,"number_of_pending_tasks" : 0,"number_of_in_flight_fetch" : 0,"task_max_waiting_in_queue_millis" : 0,"active_shards_percent_as_number" : 100.0
}
elasticsearch集群部署
集群部署主要注意以下几个方面
- 集群配置参数:
discovery.zen.ping.unicast.hosts,Elasticsearch默认使用Zen Discovery来做节点发现机
制,推荐使用unicast来做通信方式,在该配置项中列举出Master节点。
discovery.zen.minimum_master_nodes,该参数表示集群中Master节点可工作Master的最
小票数,默认值是1。为了提高集群的可用性,避免脑裂现象。官方推荐设置为(N/2)+1,其中
N是具有Master资格的节点的数量。
discovery.zen.ping_timeout,表示节点在发现过程中的等待时间,默认值是30秒,可以根据
自身网络环境进行调整,一定程度上提供可用性。 - 集群节点:
节点类型主要包括Master节点和data节点(client节点和ingest节点不讨论)。通过设置两个配
置项node.master和node.data为true或false来决定将一个节点分配为什么类型的节点。
尽量将Master节点和Data节点分开,通常Data节点负载较重,需要考虑单独部署。 - 内存:
Elasticsearch默认设置的内存是1GB,对于任何一个业务部署来说,这个都太小了。通过指定
ES_HEAP_SIZE环境变量,可以修改其堆内存大小,服务进程在启动时候会读取这个变量,并
相应的设置堆的大小。建议设置系统内存的一半给Elasticsearch,但是不要超过32GB。 - 硬盘空间:
Elasticsearch默认将数据存储在/var/lib/elasticsearch路径下,随着数据的增长,一定会出现
硬盘空间不够用的情形,大环境建议把分布式存储挂载到/var/lib/elasticsearch目录下以方便
扩容。
配置参考文档: https://www.elastic.co/guide/en/elasticsearch/reference/index.html
首先在ES集群所有节点都安装ES(步骤省略)
可以使用两台或两台以上ES做集群, 以下就是两台ES做集群的配置
[root@es1 ~]# vim /etc/elasticsearch/elasticsearch.yml
cluster.name: elk-cluster
node.name: 192.168.110.10 本机IP或主机名
node.master: false 指定不为master节点
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.110.10", "192.168.110.20"] 集群所有节点IP
[root@es2 ~]# ls
anaconda-ks.cfg elasticsearch-6.5.2.rpm initial-setup-ks.cfg 公共 模板 视频 图片 文档 下载 音乐 桌面
[root@es2 ~]# rpm -ivh elasticsearch-6.5.2.rpm
警告:elasticsearch-6.5.2.rpm: 头V4 RSA/SHA512 Signature, 密钥 ID d88e42b4: NOKEY
准备中... ################################# [100%]
Creating elasticsearch group... OK
Creating elasticsearch user... OK
正在升级/安装...1:elasticsearch-0:6.5.2-1 ################################# [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemdsudo systemctl daemon-reloadsudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executingsudo systemctl start elasticsearch.service
Created elasticsearch keystore in /etc/elasticsearch
[root@es2 ~]# vim /etc/elasticsearch/elasticsearch.yml
cluster.name: elk-cluster
node.name: 192.168.110.20 本机IP或主机名
node.master: true 指定为master节点
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.110.10", "192.168.110.20"] 集群所有节点IP
启动或重启服务
[root@es1 ~]# systemctl restart elasticsearch.service
[root@es2 ~]# systemctl daemon-reload
[root@es2 ~]# systemctl start elasticsearch.service
[root@es2 ~]# systemctl enable elasticsearch.service
Created symlink from /etc/systemd/system/multi-user.target.wants/elasticsearch.service to /usr/lib/systemd/system/elasticsearch.service.
查看状态
elasticsearch基础概念
主要的基础概念有:Node, Index,Type,Document,Field,shard和replicas.
Node(节点):运行单个ES实例的服务器
Cluster(集群):一个或多个节点构成集群
Index(索引):索引是多个文档的集合
Type(类型):一个Index可以定义一种或多种类型,将Document逻辑分组
Document(文档):Index里每条记录称为Document,若干文档构建一个Index
Field(字段):ES存储的最小单元
Shards(分片):ES将Index分为若干份,每一份就是一个分片
Replicas(副本):Index的一份或多份副本
为了便于理解,我们和mysql这种关系型数据库做一个对比:
ES是分布式搜索引擎,每个索引有一个或多个分片(shard),索引的数据被分配到各个分片上。你可以看
作是一份数据分成了多份给不同的节点。
当ES集群增加或删除节点时,shard会在多个节点中均衡分配。默认是5个primary shard(主分片)和1个
replica shard(副本,用于容错)。
elaticsearch基础API操作
前面我们通过http://192.168.110.10:9200/_cluster/health?pretty查看ES集群状态,其实就是它的一种API操
作。
什么是API?
API(Application Programming Interface)应用程序编程接口,就是无需访问程序源码或理解内部工
作机制就能实现一些相关功能的接口。
RestFul API 格式
elasticseearch的API很多, 我们运维人员主要用到以下几个要介绍的较简单的API。
更多API参考: https://www.elastic.co/guide/en/elasticsearch/reference/6.2/index.html
查看节点信息
通过curl或浏览器访问http://192.168.110.10:9200/_cat/nodes?v(ip为ES节点IP,如果有ES集群,则为ES任意节
点IP)
[root@es1 ~]# curl http://192.168.110.10:9200/_cat/nodes?v
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
192.168.110.20 26 68 0 0.00 0.03 0.08 mdi * 192.168.110.20
192.168.110.10 28 68 2 0.62 0.37 0.22 di - 192.168.110.10
查看索引信息
通过curl或浏览器访问http://192.168.110.10:9200/_cat/indices?v
[root@es1 ~]# curl http://192.168.110.10:9200/_cat/indices?v
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
默认现在没有任何索引
新增索引
[root@es1 ~]# curl -X PUT http://192.168.110.10:9200/nginx_access_log
{"acknowledged":true,"shards_acknowledged":true,"index":"nginx_access_log"}[root@es1 ~]#
[root@es1 ~]# curl http://192.168.110.10:9200/_cat/indices?v
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open nginx_access_log QjhOE10JSM2a8sT9j_V-4g 5 1 0 0 1.1kb 460b
green:所有的主分片和副本分片都已分配。你的集群是100%可用的。
yellow:所有的主分片已经分片了,但至少还有一个副本是缺失的。不会有数据丢失,所以搜索结果依
然是完整的。不过,你的高可用性在某种程度上被弱化。如果 更多的 分片消失,你就会丢数据了。把
yellow 想象成一个需要及时调查的警告。
red:至少一个主分片(以及它的全部副本)都在缺失中。这意味着你在缺少数据:搜索只能返回部分数
据,而分配到这个分片上的写入请求会返回一个异常。
删除索引
[root@es1 ~]# curl -X DELETE http://192.168.110.10:9200/nginx_access_log
{"acknowledged":true}[root@es1 ~]#
[root@es1 ~]# curl http://192.168.110.10:9200/_cat/indices?v
health status index uuid pri rep docs.count docs.deleted store.size pri.store.sizeES查询语句(拓展了解)
ES提供一种可用于执行查询JSON式的语言,被称为Query DSL。
针对elasticsearch的操作,可以分为增、删、改、查四个动作。
查询匹配条件:
match_all
from,size
match
bool
range
查询应用案例:
导入数据源
使用官方提供的示例数据:
1, 下载并导入进elasticsearch
导入进elasticsearch
[root@es1 ~]# curl -H "Content-Type: application/json" -XPOST "192.168.110.10:9200/bank/_doc/_bulk?pretty&refresh" --data-binary "@accounts.json"
查询确认
[root@es1 ~]# curl http://192.168.110.10:9200/_cat/indices?v
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open bank B_Ytx0VlRCS5N_pIxDsyaA 5 1 1000 0 988.8kb 490.5kb2, 查询bank索引的数据(使用查询字符串进行查询)
[root@es1 ~]# curl -X GET "192.168.110.10:9200/bank/_search?q=*&sort=account_number:asc&pretty"
说明:
默认结果为10条
_search 属于一类API,用于执行查询操作
q=* ES批量索引中的所有文档
sort=account_number:asc 表示根据account_number按升序对结果排序
pretty调整显示格式
3, 查询bank索引的数据 (使用json格式进行查询)
[root@es1 ~]# curl -X GET "192.168.110.10:9200/bank/_search" -H 'Content-Type:application/json' -d'
{
"query": { "match_all": {} },
"sort": [
{ "account_number": "asc" }
]
}
'
注意: 最后为单引号
查询匹配动作及案例:
match_all
匹配所有文档。默认查询
示例:查询所有,默认只返回10个文档
[root@es1 ~]# curl -X GET "192.168.110.10:9200/bank/_search?pretty" -H 'Content-Type:application/json' -d'
{
"query": { "match_all": {} }
}
'
# query告诉我们查询什么
# match_all是我们查询的类型
# match_all查询仅仅在指定的索引的所有文件进行搜索
from,size
除了query参数外,还可以传递其他参数影响查询结果,比如前面提到的sort,接下来使用的
size
[root@es1 ~]# curl -X GET "192.168.110.10:9200/bank/_search?pretty" -H 'Content-Type:application/json' -d'
> {
> "query": { "match_all": {} },
> "size": 1
> }
> '
查询1条数据
指定位置与查询条数
[root@es1 ~]# curl -X GET "192.168.110.10:9200/bank/_search?pretty" -H 'Content-Type:application/json' -d'{
"query": { "match_all": {} },
"from": 0,
"size": 2
}
'
from 0表示从第1个开始
size 指定查询的个数
匹配查询字段
返回_source字段中的片段字段
[root@es1 ~]# curl -X GET "192.168.110.10:9200/bank/_search?pretty" -H 'Content-Type:application/json' -d'
> {
> "query": { "match_all": {} },
> "_source": ["account_number", "balance"]
> }
> '
match
基本搜索查询,针对特定字段或字段集合进行搜索
查询编号为20的账户
[root@es1 ~]# curl -X GET "192.168.110.10:9200/bank/_search?pretty" -H 'Content-Type:application/json' -d'
> {
> "query": { "match": { "account_number": 20 } }
> }
> '返回地址中包含mill的账户
[root@es1 ~]# curl -X GET "192.168.110.10:9200/bank/_search?pretty" -H 'Content-Type:application/json' -d'
> {
> "query": { "match": { "address": "mill" } }
> }
> '
返回地址有包含mill或lane的所有账户
[root@es1 ~]# curl -X GET "192.168.110.10:9200/bank/_search?pretty" -H 'Content-Type:application/json' -d'
> {
> "query": { "match": { "address": "mill lane" } } # 空格就是或的关系
> }
> 'bool
bool must 查询的字段必须同时存在
查询包含mill和lane的所有账户
[root@es1 ~]# curl -X GET "192.168.110.10:9200/bank/_search?pretty" -H 'Content-Type:application/json' -d'
> {
> "query": {
> "bool": {
> "must": [
> { "match": { "address": "mill" } },
> { "match": { "address": "lane" } }
> ]
> }
> }
> }
> '
bool should 查询的字段仅存在一即可
查询包含mill或lane的所有账户
[root@es1 ~]# curl -X GET "192.168.110.10:9200/bank/_search?pretty" -H 'Content-Type:application/json' -d'
{
"query": {
"bool": {
"should": [
{ "match": { "address": "mill" } },
{ "match": { "address": "lane" } }
]
}
}
}
'range
指定区间内的数字或者时间
操作符:gt大于,gte大于等于,lt小于,lte小于等于
查询余额大于或等于20000且小于等于30000的账户
[root@es1 ~]# curl -X GET "192.168.110.10:9200/bank/_search?pretty" -H 'Content-Type:application/json' -d'
> {
> "query": {
> "bool": {
> "must": { "match_all": {} },
> "filter": {
> "range": {
> "balance": {
> "gte": 20000,
> "lte": 30000
> }
> }
> }
> }
> }
> }
> '
elasticsearch-head
elasticsearch-head是集群管理、数据可视化、增删改查、查询语句可视化工具。从ES5版本后安装方式
和ES2以上的版本有很大的不同,在ES2中可以直接在bin目录下执行plugin install xxxx 来进行安装,但是
在ES5中这种安装方式变了,要想在ES5中安装Elasticsearch Head必须要安装NodeJs,然后通过NodeJS来
启动Head。
官网地址:https://github.com/mobz/elasticsearch-head
elasticsearch-head安装
第2步: 安装nodejs
[root@es2 ~]# ls
anaconda-ks.cfg initial-setup-ks.cfg 公共 视频 文档 音乐
elasticsearch-6.5.2.rpm node-v10.24.1-linux-x64.tar.xz 模板 图片 下载 桌面
[root@es2 ~]# tar -xf node-v10.24.1-linux-x64.tar.xz -C /usr/local/
[root@es2 ~]# cd /usr/local/
[root@es2 local]# ls
bin etc games include lib lib64 libexec node-v10.24.1-linux-x64 sbin share src
[root@es2 local]# mv node-v10.24.1-linux-x64/ nodejs
[root@es2 local]# ls
bin etc games include lib lib64 libexec nodejs sbin share src
[root@es2 local]# cd
[root@es2 ~]# ln -s /usr/local/nodejs/bin/npm /bin/npm
[root@es2 ~]# ln -s /usr/local/nodejs/bin/node /bin/node第3步: 安装es-head
安装方法1(需要网速好):
[root@es2 ~]# git clone https://github.com/mobz/elasticsearch-head.git
正克隆到 'elasticsearch-head'...
remote: Enumerating objects: 4377, done.
remote: Counting objects: 100% (40/40), done.
remote: Compressing objects: 100% (27/27), done.
remote: Total 4377 (delta 12), reused 34 (delta 12), pack-reused 4337 (from 1)
接收对象中: 100% (4377/4377), 2.54 MiB | 692.00 KiB/s, done.
处理 delta 中: 100% (2429/2429), done.
[root@es2 ~]# cd elasticsearch-head/
[root@es2 elasticsearch-head]# ls
crx elasticsearch-head.sublime-project index.html plugin-descriptor.properties _site
Dockerfile Gruntfile.js LICENCE proxy src
Dockerfile-alpine grunt_fileSets.js package.json README.textile test
先使用npm安装grunt
npm(node package manager):node包管理工具,类似yum
Grunt是基于Node.js的项目构建工具
[root@es2 elasticsearch-head]# npm install -g grunt-cli
安装时间较久,还会在网上下载phantomjs包
[root@es2 elasticsearch-head]# npm install
安装可能有很多错误,我这里出现了下面的错误(重点是注意红色的ERR!,黄色的WARN不用管)
解决方法:
[root@es2 elasticsearch-head]# npm install phantomjs-prebuilt@2.1.16 --ignorescript
此命令执行后不用再返回去执行npm install了,直接开始启动
[root@es2 elasticsearch-head]# nohup npm run start &
第4步:浏览器访问
浏览器访问http://es-head节点IP:9100 ,并在下面的地址里把localhost改为es-head节点IP(浏览器与
es-head不是同一节点就要做)
第5步: 修改ES集群配置文件,并重启服务
[root@es1 ~]# vim /etc/elasticsearch/elasticsearch.yml
[root@es1 ~]# systemctl restart elasticsearch.service
[root@es2 ~]# vim /etc/elasticsearch/elasticsearch.yml
[root@es2 ~]# systemctl restart elasticsearch.service
http.cors.enabled: true
http.cors.allow-origin: "*" 加上最后这两句
第6步: 再次连接就可以看到信息了
新建个索引试试
删除此索引
es-head查询验证
logstash
logstash部署
在logstash服务器上确认openjdk安装
[root@ws3 ~]# java -version
openjdk version "1.8.0_181"
OpenJDK Runtime Environment (build 1.8.0_181-b13)
OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)在logstash服务器上安装logstash
[root@ws3 ~]# ls
anaconda-ks.cfg initial-setup-ks.cfg logstash-6.5.2.rpm 公共 模板 视频 图片 文档 下载 音乐 桌面
[root@ws3 ~]# rpm -ivh logstash-6.5.2.rpm
警告:logstash-6.5.2.rpm: 头V4 RSA/SHA512 Signature, 密钥 ID d88e42b4: NOKEY
准备中... ################################# [100%]
正在升级/安装...1:logstash-1:6.5.2-1 ################################# [100%]
Using provided startup.options file: /etc/logstash/startup.options
Successfully created system startup script for Logstash配置logstash主配置文件
[root@ws3 ~]# vim /etc/logstash/logstash.yml
path.data: /var/lib/logstash
path.config: /etc/logstash/conf.d/ 打开注释,并加上配置目录路径
http.host: "192.168.110.30" 打开注释,并改为本机IP(这是用于xpack监控用,但要收费,所以在这里不配
置也可以)
path.logs: /var/log/logstash
启动测试
[root@ws3 bin]# ./logstash -e 'input {stdin {}} output {stdout {}}'
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2025-10-22 19:20:46.298 [main] writabledirectory - Creating directory {:setting=>"path.queue", :path=>"/usr/share/logstash/data/queue"}
[INFO ] 2025-10-22 19:20:46.325 [main] writabledirectory - Creating directory {:setting=>"path.dead_letter_queue", :path=>"/usr/share/logstash/data/dead_letter_queue"}
[WARN ] 2025-10-22 19:20:47.396 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2025-10-22 19:20:47.432 [LogStash::Runner] runner - Starting Logstash {"logstash.version"=>"6.5.2"}
[INFO ] 2025-10-22 19:20:47.508 [LogStash::Runner] agent - No persistent UUID file found. Generating new UUID {:uuid=>"cee448a6-ab1d-4547-8be7-20b1000e3a71", :path=>"/usr/share/logstash/data/uuid"}
[INFO ] 2025-10-22 19:20:55.929 [Converge PipelineAction::Create<main>] pipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[INFO ] 2025-10-22 19:20:56.243 [Converge PipelineAction::Create<main>] pipeline - Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x12e0e7b1 run>"}
The stdin plugin is now waiting for input:
[INFO ] 2025-10-22 19:20:56.366 [Ruby-0-Thread-1: /usr/share/logstash/lib/bootstrap/environment.rb:6] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[INFO ] 2025-10-22 19:20:57.018 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
abc
{"message" => "abc","@timestamp" => 2025-10-22T11:21:44.101Z,"host" => "ws3.example.com","@version" => "1"
}
cc
{"message" => "cc","@timestamp" => 2025-10-22T11:21:47.694Z,"host" => "ws3.example.com","@version" => "1"
}关闭启动
测试能启动成功后,ctrl+c取消,则关闭了
另一种验证方法:
[root@ws3 ~]# cat /etc/logstash/conf.d/test.conf
input {
stdin {
}
}
filter {
}
output {
stdout {
codec => rubydebug
}
}
[root@ws3 bin]# ./logstash --path.settings /etc/logstash -f /etc/logstash/conf.d/test.conf -t
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2025-10-22T19:51:17,610][INFO ][logstash.setting.writabledirectory] Creating directory {:setting=>"path.queue", :path=>"/var/lib/logstash/queue"}
[2025-10-22T19:51:17,636][INFO ][logstash.setting.writabledirectory] Creating directory {:setting=>"path.dead_letter_queue", :path=>"/var/lib/logstash/dead_letter_queue"}
[2025-10-22T19:51:18,648][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
Configuration OK
[2025-10-22T19:51:24,322][INFO ][logstash.runner ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash
--path.settings 指定logstash主配置文件目录
-f 指定片段配置文件
-t 测试配置文件是否正确
codec => rubydebug这句可写可不定,默认就是这种输出方式
[root@ws3 bin]# ./logstash --path.settings /etc/logstash -f /etc/logstash/conf.d/test.conf -t
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2025-10-22T19:51:17,610][INFO ][logstash.setting.writabledirectory] Creating directory {:setting=>"path.queue", :path=>"/var/lib/logstash/queue"}
[2025-10-22T19:51:17,636][INFO ][logstash.setting.writabledirectory] Creating directory {:setting=>"path.dead_letter_queue", :path=>"/var/lib/logstash/dead_letter_queue"}
[2025-10-22T19:51:18,648][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
Configuration OK
[2025-10-22T19:51:24,322][INFO ][logstash.runner ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash
[root@ws3 bin]# ./logstash --path.settings /etc/logstash -r -f /etc/logstash/conf.d/test.conf
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2025-10-22T19:52:57,467][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2025-10-22T19:52:57,519][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.5.2"}
[2025-10-22T19:52:57,617][INFO ][logstash.agent ] No persistent UUID file found. Generating new UUID {:uuid=>"1fb222a3-4450-4ab7-8841-80dd4e0f1c59", :path=>"/var/lib/logstash/uuid"}
[2025-10-22T19:53:05,528][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2025-10-22T19:53:05,825][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x6ec972b1 run>"}
The stdin plugin is now waiting for input:
[2025-10-22T19:53:05,927][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2025-10-22T19:53:06,465][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
abc
{"@timestamp" => 2025-10-22T11:56:46.782Z,"message" => "abc","@version" => "1","host" => "ws3.example.com"
}
hhh
{"@timestamp" => 2025-10-22T11:56:50.831Z,"message" => "hhh","@version" => "1","host" => "ws3.example.com"
}
-r参数很强大,会动态装载配置文件,也就是说启动后,可以不用重启修改配置文件
日志采集
采集messages日志
这里以/var/log/messages为例,只定义input输入和output输出,不考虑过滤
[root@ws3 bin]# cat /etc/logstash/conf.d/test.conf
input {
file {
path => "/var/log/messages"
start_position => "beginning"
}
}
output {
elasticsearch{
hosts => ["192.168.110.20:9200"]
index => "test-%{+YYYY.MM.dd}"
}
}
[root@ws3 bin]# ./logstash --path.settings /etc/logstash -r -f /etc/logstash/conf.d/test.conf &
[1] 10993
后台运行如果要杀掉,请使用pkill java或ps查看PID再kill -9清除
通过浏览器访问es-head验证
采集多日志源
input {
file {
path => "/var/log/messages"
start_position => "beginning"
type => "messages"
}
file {
path => "/var/log/yum.log"
start_position => "beginning"
type => "yum"
}
}
filter {
}
output {
if [type] == "messages" {
elasticsearch {
hosts => ["10.1.1.12:9200","10.1.1.11:9200"]
index => "messages-%{+YYYY-MM-dd}"
}
}
if [type] == "yum" {
elasticsearch {
hosts => ["10.1.1.12:9200","10.1.1.11:9200"]
index => "yum-%{+YYYY-MM-dd}"
}
}
}