
Processing Log4net logs with Logstash

The Log4net configuration is as follows:



  
    

The Logstash configuration is as follows:


input {
  udp {
    port => 5960
    codec => plain {
      charset => "GBK"
    }
    type => "log4net"
  }
}

filter {
  mutate {
    add_field => [ "hostip", "%{host}" ]
  }
  dns {
    reverse => [ "host" ]
    action => replace
  }
  if [type] == "log4net" {
    grok {
      break_on_match => true
      remove_field => message
      match => {
        message => "(?m)%{TIMESTAMP_ISO8601:sourceTimestamp} \[%{NUMBER:threadid}\] %{LOGLEVEL:loglevel} +- %{IPORHOST:tempHost} - %{DATA:application} - %{DATA:component} - %{GREEDYDATA:tempMessage}((\r\n)|(\n))(?(((%{JAVACLASS})|(System.))Exception)): (?(%{GREEDYDATA}))((\r\n)|(\n))(?(( )+at %{GREEDYDATA}))"
      }
      match => {
        message => "(?m)%{TIMESTAMP_ISO8601:sourceTimestamp} \[%{NUMBER:threadid}\] %{LOGLEVEL:loglevel} +- %{IPORHOST:tempHost} - %{DATA:application} - %{DATA:component} - %{GREEDYDATA:tempMessage}((\r\n)|(\n))(?(((%{JAVACLASS})|(System.))Exception)): (?(%{GREEDYDATA}))"
      }
      match => {
        message => "(?m)%{TIMESTAMP_ISO8601:sourceTimestamp} \[%{NUMBER:threadid}\] %{LOGLEVEL:loglevel} +- %{IPORHOST:tempHost} - %{DATA:application} - %{DATA:component} - %{GREEDYDATA:tempMessage}"
      }
    }
    if !("_grokparsefailure" in [tags]) {
      mutate {
        replace => [ "message" , "%{tempMessage}" ]
        replace => [ "host" , "%{tempHost}" ]
      }
    }
    mutate {
      remove_field => [ "tempMessage" ]
      remove_field => [ "tempHost" ]
    }
  }
}

output {
  elasticsearch {
    host => "localhost"
    protocol => "http"
  }
}
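
To check sample lines against this filter without a running pipeline, the following added example (not part of the original article) mimics the udp input, the third fallback grok pattern and the mutate steps in Python. The regular expressions are simplified stand-ins for the grok patterns, and the sample datagrams and sender address are constructed. On a successful match `host` is taken from the message text, while `hostip` keeps the UDP sender's address.

```python
import re

# Simplified stand-ins for the grok patterns (assumption: the real
# TIMESTAMP_ISO8601 / IPORHOST / LOGLEVEL definitions are stricter or broader).
LINE = re.compile(
    r"(?P<sourceTimestamp>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?)"
    r" \[(?P<threadid>\d+)\] "
    r"(?P<loglevel>DEBUG|INFO|WARN|ERROR|FATAL) +- "
    r"(?P<tempHost>[A-Za-z0-9_.:-]+) - "
    r"(?P<application>.*?) - (?P<component>.*?) - "
    r"(?P<tempMessage>.*)",
    re.DOTALL,  # same effect as the (?m) prefix in grok: '.' matches newlines
)

# Constructed sample datagrams, GBK-encoded like the udp input expects.
GOOD = ("2018-05-04 10:15:30,123 [12] ERROR - web01 - OrderApp - Billing - "
        "支付失败\r\nSystem.NullReferenceException: x\r\n   at A.B()").encode("gbk")
BAD = b"not a log4net line"


def process(datagram: bytes, sender_ip: str) -> dict:
    """Mimic udp input -> mutate add_field -> grok -> mutate replace/remove.

    The dns reverse lookup is skipped so the example runs offline.
    """
    text = datagram.decode("gbk", errors="replace")   # charset => "GBK"
    event = {"type": "log4net", "message": text,
             "host": sender_ip, "hostip": sender_ip, "tags": []}
    m = LINE.search(text)                             # grok is unanchored
    if m is None:
        event["tags"].append("_grokparsefailure")     # message and host stay as received
        return event
    fields = m.groupdict()
    event["message"] = fields.pop("tempMessage")      # replace message
    event["host"] = fields.pop("tempHost")            # replace host (value from payload)
    event.update(fields)
    return event


if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(process(sample, "10.0.0.5"))
```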





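The most common way to run Logstash is from the command line: ./bin/logstash -f logstash.conf

This is inconvenient to manage, and Logstash has to be started again by hand after every server reboot.

To run Logstash as a service instead, configure it as follows:

In what follows, /usr/local/elk/logstash-6.2.4 is the Logstash installation directory; replace it with the corresponding path on your system.

1. Edit the startup.options file in the installation directory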

vim /opt/logstash/config/startup.options
# Set a home directory
LS_HOME=/usr/local/elk/logstash-6.2.4

# logstash settings directory, the path which contains logstash.yml
LS_SETTINGS_DIR="${LS_HOME}/config"

# Arguments to pass to logstash
# Put the Logstash configuration files to run (e.g. logstash.conf) in the /usr/local/elk/logstash-6.2.4/runlogstash directory
LS_OPTS="--path.settings ${LS_SETTINGS_DIR} -f /usr/local/elk/logstash-6.2.4/runlogstash"

Place the logstash.conf configuration to be started in the runlogstash directory.

2. Create the service

As root, run the Logstash command that creates the service:

/usr/local/elk/logstash-6.2.4/bin/system-install

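When it finishes, a configuration file is created at /etc/systemd/system/logstash.service

Start the service

Start the Logstash service

  • Enable the service at boot: systemctl enable logstash

  • Start the service: systemctl start logstash

  • Stop the service: systemctl stop logstash

  • Restart the service: systemctl restart logstash

  • Check the service status: systemctl status logstash

View the logs

By default, logs are saved in the following two locations: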

  • /var/log/messages

  • /opt/logstash/logs


