1.部署
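cd /usr/local/src || exit 1
# Elastic signs its packages; import the public key so rpm can verify the
# signature instead of installing whatever the download returned.
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
wget https://artifacts.elastic.co/downloads/logstash/logstash-5.2.2.rpm
# A bare sha1sum with nothing to compare against proves nothing; fetch the
# published checksum and abort if it does not match.
wget https://artifacts.elastic.co/downloads/logstash/logstash-5.2.2.rpm.sha1
[ "$(sha1sum logstash-5.2.2.rpm | cut -d' ' -f1)" = "$(cut -d' ' -f1 logstash-5.2.2.rpm.sha1)" ] \
  || { echo "checksum mismatch for logstash-5.2.2.rpm" >&2; exit 1; }
# Verify the package signature against the key imported above.
rpm --checksig logstash-5.2.2.rpm || exit 1
# The rpm expects /usr/bin/java, so link the JDK we normally use there.
ln -s /usr/local/jdk1.8.0_151/bin/java /usr/bin/
rpm --install logstash-5.2.2.rpm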
2.写一个简易的配置文件收集一下messages和secure日志
#这个配置文件可以放在 /etc/logstash/conf.d/ 下，自己根据情况定义 *.conf（该目录下的所有 *.conf 会按文件名顺序拼接成一份配置）。注意：/var/log/secure 默认通常是 root 只读(0600)，而 rpm 安装的 logstash 服务以 logstash 用户运行，需要先让该用户能读取这些文件（例如通过 ACL 或加入有读权限的组，并注意 logrotate 轮转后新文件的权限），否则 file input 会读不到任何内容。
# Tail the system log and the auth log, tag each event by source file, and ship
# each stream to its own daily Elasticsearch index.
# NOTE(review): /var/log/secure is typically 0600 root:root on RHEL/CentOS and the
# packaged service runs as the `logstash` user, so the file input silently reads
# nothing until that user is granted read access (ACL or group) -- confirm on the host.
input {
file {
# Literal paths; the filter below compares [path] against these exact strings.
path => [ "/var/log/messages","/var/log/secure" ]
# "beginning" only applies the first time a file is seen; after that the
# sincedb offset wins, so restarts do not re-read the whole file.
start_position => "beginning"
}
}
filter {
# Route by source file: set [type] so the output section can pick an index.
if [path] == "/var/log/messages" {
mutate {
replace => { type => "messages_type" }
}
}
if [path] == "/var/log/secure" {
mutate {
replace => { type => "secure_type" }
}
}
}
output {
# Every event -- including authentication events from /var/log/secure -- is also
# echoed here (to the journal when run as a service), which is usually readable
# more widely than the 0600 source file. Keep this for local testing only.
stdout {
codec=>rubydebug
}
if [type] == "messages_type" {
# NOTE(review): plain http with no TLS or credentials; anyone who can reach
# 11.0.0.51:9200 can read or delete these indices. If the cluster is secured,
# the 5.x elasticsearch output accepts ssl/cacert/user/password settings.
elasticsearch {
hosts =>"11.0.0.51:9200"
index => "messages-%{+YYYY.MM.dd}"
}
}
if [type] == "secure_type" {
# NOTE(review): auth-log content (usernames, source IPs, and anything mistyped
# into a login prompt) crosses the network in cleartext here; same caveat as above.
elasticsearch {
hosts =>"11.0.0.51:9200"
index => "secure-%{+YYYY.MM.dd}"
}
}
}