ELK日志分析集群搭建管理(rsyslog(3)

        init => "@kname = ['host-name','front','http_x_up_calling_line_id','request','http_user_agent','status','remote_addr_1','id','http_referer','request_time','body_bytes_sent','http_deviceid','http_x_forwarded_for','domain','cookie']"

        code => "event.append(Hash[@kname.zip(event['message'].split('`'))]) "

        remove_field => ["@version","_score","id","tags","key","message","http_deviceid","http_x_up_calling_line_id","","cookie"]

        }

     

    if [front] {

        grok {

        match => ["front","%{HTTPDATE:logdate}"]

        }

        date {

        match => ["logdate", "dd/MMM/yyyy:HH:mm:ss Z"]

        target => "@timestamp"

        remove_field => ["front","logdate"]

        }

    }

    if [request] {

        ruby {

            init => "@kname = ['method','uri','verb']"

            code => "event.append(Hash[@kname.zip(event['request'].split(' '))])"

            remove_field => [ "request","method","verb"]

                }

        }

    if [remote_addr_1] {

        grok {

             match => [ "remote_addr_1", "%{IPV4:remote_addr}" ]

             remove_field => ["remote_addr_1"]

                }

       }

    mutate {

        convert => [

            "body_bytes_sent" , "integer",

                  "status" , "integer",           

            "request_time" , "float" ]

    }

}

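# Ship parsed events to the Elasticsearch cluster, one index per hour.
output {
    elasticsearch {
        # NOTE(review): no TLS or credential options are set in this block, so
        # the access-log events (client addresses, URIs, user agents) are sent
        # with the plugin's defaults. If the cluster has a security layer, set
        # the plugin's user/password and ssl/cacert options, and restrict port
        # 9200 to the Logstash hosts.
        hosts => ["10.39.40.94:9200","10.39.40.95:9200","10.39.40.96:9200","10.39.40.97:9200"]
        workers => 1
        # Use HH (24-hour clock) in the hourly suffix. "hh" is the 12-hour clock
        # and would write 01:00 and 13:00 events into the same index, leaving
        # the hourly indices ambiguous for retention jobs and time-scoped
        # searches. The suffix is rendered from the event's @timestamp.
        index => "logstash-cms-nginx-%{+YYYY.MM.dd.HH}"
    }

    # Used when measuring throughput:
    #stdout { codec => dots
    #         workers => 5
    #       }

    # Used when debugging:
    #stdout { codec => rubydebug }
}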

启动命令:./bin/logstash  -w 4 -b 1000 -f /etc/logstash/conf.d/kafka_logstash_cms_nginx.conf &

-w 后面的 worker 数大致按 CPU 核心数估算;我这里一台服务器上运行三个 logstash 实例,每个实例启动 4 个 worker。
