logstash.conf, 放到 {logstash}/conf.d 目录下
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
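input {
  # Disabled alternative: raw TCP listener for JSON-lines senders.
  # tcp {
  #   mode => "server"
  #   host => "0.0.0.0"
  #   port => 5044
  #   tcp_keep_alive => true
  #   codec => json_lines
  # }

  file {
    # Path(s) of the files to watch.
    # NOTE(review): the file input matches file names/globs; a bare directory
    # such as "/opt/logs" presumably needs a file pattern. Confirm the intent.
    path => ["/opt/logs"]
    # The explicit `delimiter => "\n"` was dropped: unless config.support_escapes
    # is enabled in logstash.yml, "\n" is read as a literal backslash + "n" and
    # lines are never split. The plugin default is already a real newline.
    # How often to scan for newly created files.
    discover_interval => 15
    # How often to check watched files for modification.
    stat_interval => 3
    # Where to start reading newly discovered files; the default is "end".
    start_position => beginning
    # How often the current read position is written to the sincedb.
    sincedb_write_interval => 5
    # The file input already emits one line per event, so each line is decoded
    # with `json`. `json_lines` is meant for streaming inputs and is documented
    # as unsuitable for line-oriented inputs such as file.
    codec => json
  }

  http {
    # NOTE(review): this listener accepts events on every interface, in clear
    # text (ssl => false) and without credentials, so any host that can reach
    # port 8080 can submit events. Combined with an output that takes the index
    # name from the event, the sender also chooses which index is written.
    # Before exposing it beyond a trusted network, restrict `host`, enable the
    # plugin's TLS settings, and set its `user`/`password` basic-auth options.
    host => "0.0.0.0"
    port => 8080
    # Bodies sent as application/json are decoded with the json codec;
    # every other content type falls back to `codec` below.
    additional_codecs => {"application/json"=>"json"}
    codec => "json_lines"
    threads => 4
    ssl => false
  }

  # Disabled alternative: consume events from Kafka.
  # kafka {
  #   bootstrap_servers => ["x.x.x.x:9092"]
  #   auto_offset_reset => "latest"
  #   consumer_threads => 5
  #   decorate_events => false
  #   # Topics to subscribe to
  #   topics => ["spy_admin_topic", "sd_topic"]
  #   codec => json_lines
  # }
}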
filter {
  # Disabled alternative: parse a custom "timestamp" field in the Asia/Shanghai zone.
  # date {
  #   timezone => "Asia/Shanghai"
  #   match => ["timestamp", "yyyy-MM-dd HH:mm:ss S"]
  # }

  # Parse @timestamp as ISO8601 and store the result back into @timestamp.
  # Reference: https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html#plugins-filters-date-match
  date {
    target => "@timestamp"
    match => [ "@timestamp", "ISO8601"]
    # NOTE(review): "cn" looks like a country code rather than a language tag;
    # confirm which locale is intended.
    locale => "cn"
  }

  # When ad_id contains an underscore, split it on "_" and keep the element at
  # index 1 as the new ad_id (staged through the temporary field t_ad_id).
  if "_" in [ad_id] {
    mutate {
      split => { "ad_id" => "_"}
      add_field => {"t_ad_id" => "%{[ad_id][1]}" }
    }
    mutate {
      rename => {"t_ad_id" => "ad_id"}
    }
  }

  # Normalise field types for indexing, then drop fields that should not be stored.
  mutate {
    remove_field => ["@version", "_score", "_source", "_type", "timestamp", "level_value", "logger_name"]
    convert => {
      # String fields
      "app_name" => "string"
      "file" => "string"
      "host" => "string"
      # Integer fields
      "@version" => "integer"
      "client_id" => "integer"
      "status_code" => "integer"
      "duration" => "integer"
      "size" => "integer"
      "cnt1" => "integer"
      "cnt2" => "integer"
      "cnt3" => "integer"
      "cnt4" => "integer"
      "cnt5" => "integer"
      "cnt6" => "integer"
      "cnt7" => "integer"
    }
  }
}
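output {
  elasticsearch {
    # Plain HTTP; only acceptable while Elasticsearch is reached over loopback.
    hosts => ["http://localhost:9200"]
    # NOTE(review): the index name comes from the event's app_name field, so
    # whoever produces the event chooses the target index. If app_name is
    # missing, the reference is left unresolved in the index name. Consider
    # validating app_name against the expected applications before this point.
    index => "%{[app_name]}"
    # NOTE(review): "elastic" is the built-in superuser. A dedicated account
    # limited to writing the required indices follows least privilege.
    user => "elastic"
    # The password is resolved at startup from the Logstash keystore or the
    # environment (ES_PWD), so it is never stored in this file. A password that
    # was previously committed or published in plain text should be rotated.
    password => "${ES_PWD}"
    # NOTE(review): the per-route limit is larger than the total pool size; confirm intended values.
    pool_max => 500
    pool_max_per_route => 2000
    retry_initial_interval => 4
    retry_max_interval => 16
  }

  # Disabled alternative: also send ERROR-level events to MongoDB.
  # The connection URI (including its credentials) is read from MONGODB_URI
  # rather than being written here.
  #if [level] == "ERROR" {
  #  mongodb {
  #    collection => "%{[app_name]}"
  #    database => "logstash"
  #    isodate => true
  #    uri => "${MONGODB_URI}"
  #    bulk => true
  #    codec => json
  #  }
  #}
}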