📅  Last modified: 2020-11-01 04:23:43             🧑  Author: Mango
Output is the last stage of the Logstash pipeline; it sends the filtered data from the input logs to the specified destination. Logstash provides many output plugins that store the filtered log events in a variety of storage and search engines.
Logstash can store the filtered logs in a file, in the Elasticsearch engine, on stdout, in AWS CloudWatch and so on. Network protocols such as TCP, UDP and WebSocket can also be used in Logstash to ship log events to remote storage systems.
In the ELK stack, users store log events in the Elasticsearch engine. In the following example we generate log events for a local Elasticsearch engine.
The Elasticsearch output plugin can be installed with the following command.
>logstash-plugin install logstash-output-elasticsearch
This configuration file contains an Elasticsearch plugin that stores the output events in a locally installed Elasticsearch.
input {
   file {
      path => "C:/tpwork/logstash/bin/log/input.log"
   }
}
filter {
   grok {
      match => [ "message", "%{LOGLEVEL:loglevel} - %{NOTSPACE:taskid} - %{NOTSPACE:logger} - %{WORD:label}( - %{INT:duration:int})?" ]
   }
   if [logger] == "TRANSACTION_START" {
      aggregate {
         task_id => "%{taskid}"
         code => "map['sql_duration'] = 0"
         map_action => "create"
      }
   }
   if [logger] == "SQL" {
      aggregate {
         task_id => "%{taskid}"
         code => "map['sql_duration'] ||= 0 ; map['sql_duration'] += event.get('duration')"
      }
   }
   if [logger] == "TRANSACTION_END" {
      aggregate {
         task_id => "%{taskid}"
         code => "event.set('sql_duration', map['sql_duration'])"
         end_of_task => true
         timeout => 120
      }
   }
   mutate {
      add_field => {"user" => "tutorialspoint.com"}
   }
}
output {
   elasticsearch {
      hosts => ["127.0.0.1:9200"]
   }
}
The following block shows the input log data.
INFO - 48566 - TRANSACTION_START - start
INFO - 48566 - SQL - transaction1 - 320
INFO - 48566 - SQL - transaction1 - 200
INFO - 48566 - TRANSACTION_END - end
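To see what the filter section above computes before the elasticsearch output ships it, here is an added Python re-implementation of the grok and aggregate steps run over the four sample lines; it is not code from the original page or from Logstash, and its regex is a simplified stand-in for grok's LOGLEVEL pattern. It also covers the two failure modes the config leaves implicit: a line grok cannot parse, and an SQL line without a duration.

```python
import re

# Stand-in for the page's grok pattern; LOGLEVEL is simplified to the common levels.
GROK = re.compile(
    r"(?P<loglevel>TRACE|DEBUG|INFO|WARN|ERROR|FATAL) - (?P<taskid>\S+) - (?P<logger>\S+) - "
    r"(?P<label>\w+)(?: - (?P<duration>[+-]?\d+))?"
)
# Constructed sample input: the same four lines as the page's input.log.
SAMPLE_LOG = """INFO - 48566 - TRANSACTION_START - start
INFO - 48566 - SQL - transaction1 - 320
INFO - 48566 - SQL - transaction1 - 200
INFO - 48566 - TRANSACTION_END - end
"""

def grok(line):
    """Mimic the grok filter: captures become fields, duration is cast to int,
    and a non-matching line keeps only 'message' plus the _grokparsefailure tag."""
    event = {"message": line, "tags": []}
    m = GROK.search(line)
    if m is None:
        event["tags"].append("_grokparsefailure")
        return event
    event.update({k: v for k, v in m.groupdict().items() if v is not None})
    if "duration" in event:
        event["duration"] = int(event["duration"])
    return event

def run_pipeline(log_text):
    """Mimic the three aggregate blocks keyed by taskid, then mutate's add_field."""
    maps = {}  # the aggregate filter's per-task_id 'map'
    events = []
    for line in log_text.splitlines():
        ev = grok(line)
        logger, task = ev.get("logger"), ev.get("taskid")
        if logger == "TRANSACTION_START":
            maps[task] = {"sql_duration": 0}  # map_action => "create"
        elif logger == "SQL":
            m = maps.setdefault(task, {})
            m.setdefault("sql_duration", 0)  # map['sql_duration'] ||= 0
            if "duration" in ev:
                m["sql_duration"] += ev["duration"]
            else:  # nil + Integer raises in the Ruby code; aggregate tags the event instead
                ev["tags"].append("_aggregateexception")
        elif logger == "TRANSACTION_END":
            m = maps.pop(task, {})  # end_of_task => true discards the map
            ev["sql_duration"] = m.get("sql_duration")  # event.set('sql_duration', ...)
        ev["user"] = "tutorialspoint.com"  # mutate add_field
        events.append(ev)
    return events
```

The last event carries sql_duration 520, the same value that appears in the TRANSACTION_END document shown in the Elasticsearch response further down.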
To start Elasticsearch on localhost, use the following command.
C:\elasticsearch\bin> elasticsearch
Once Elasticsearch is ready, you can check it by entering the following URL in a browser.
http://localhost:9200/
The following block shows the response of Elasticsearch on localhost.
{
"name" : "Doctor Dorcas",
"cluster_name" : "elasticsearch",
"version" : {
"number" : "2.1.1",
"build_hash" : "40e2c53a6b6c2972b3d13846e450e66f4375bd71",
"build_timestamp" : "2015-12-15T13:05:55Z",
"build_snapshot" : false,
"lucene_version" : "5.3.1"
},
"tagline" : "You Know, for Search"
}
Note: for more information about Elasticsearch, see the following link.
https://www.tutorialspoint.com/elasticsearch/index.html
Now run Logstash with the Logstash.conf above.
>logstash -f Logstash.conf
After the above lines are appended to the input log, Logstash stores them in Elasticsearch. You can check the stored data by entering the following URL in a browser.
http://localhost:9200/logstash-2017.01.01/_search?pretty
This is the data stored in JSON format in the index logstash-2017.01.01.
{
"took" : 20,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"failed" : 0
},
"hits" : {
"total" : 10,
"max_score" : 1.0,
"hits" : [ {
"_index" : "logstash-2017.01.01",
"_type" : "logs",
"_id" : "AVlZ9vF8hshdrGm02KOs",
"_score" : 1.0,
"_source":{
"duration":200,"path":"C:/tpwork/logstash/bin/log/input.log",
"@timestamp":"2017-01-01T12:17:49.140Z","loglevel":"INFO",
"logger":"SQL","@version":"1","host":"wcnlab-PC",
"label":"transaction1",
"message":" INFO - 48566 - SQL - transaction1 - 200\r",
"user":"tutorialspoint.com","taskid":"48566","tags":[]
}
},
{
"_index" : "logstash-2017.01.01",
"_type" : "logs",
"_id" : "AVlZ9vF8hshdrGm02KOt",
"_score" : 1.0,
"_source":{
"sql_duration":520,"path":"C:/tpwork/logstash/bin/log/input.log",
"@timestamp":"2017-01-01T12:17:49.145Z","loglevel":"INFO",
"logger":"TRANSACTION_END","@version":"1","host":"wcnlab-PC",
"label":"end",
"message":" INFO - 48566 - TRANSACTION_END - end\r",
"user":"tutorialspoint.com","taskid":"48566","tags":[]
}
}
}
}