
logstash自动配置索引

 

以下是logstash下的一个子配置文件:filebeat.conf,

有一些if和else if语句及最后的自动配置索引。

内容如下:

input {
  # Receives events from Filebeat on TCP 5044.
  # host "0.0.0.0" listens on every interface, and no TLS or client-certificate
  # options are set, so any host that can reach this port can submit events and
  # pick their own [fields][log_source] value.
  # NOTE(review): limit reachability (firewall or a specific bind address) or
  # enable the plugin's TLS options (ssl_certificate, ssl_key,
  # ssl_certificate_authorities) so only known shippers are accepted.
  beats {
    host => "0.0.0.0"
    port => 5044
  }
}

filter {
  # GeoIP enrichment for the two nginx access-log sources. The original had one
  # conditional per source with identical geoip/mutate settings; they are
  # combined into a single membership test here.
  # NOTE(review): the second name ("abcnode_web-...") differs from the name the
  # output section tests ("abcd-node_web-..."). If the output spelling is what
  # Filebeat actually sends, those events never receive GeoIP fields. Confirm
  # which spelling is intended.
  if [fields][log_source] in ["testnode-web-nginx_access_jpx1.admin.com_log", "abcnode_web-nginx_access_abcd-node.admin.com.log"] {
    geoip {
      # Look up the address held in the event's remote_addr field and store
      # the result under [geoip].
      source   => "remote_addr"
      target   => "geoip"
      database => "/etc/logstash/GeoLite2-City.mmdb"
      # Build [geoip][coordinates] as a two-element list: longitude, then latitude.
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
    }
    mutate {
      # The values above are added as strings; convert them to floats.
      convert => [ "[geoip][coordinates]", "float" ]
    }
  }
}


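output {
  # Routes each event to an Elasticsearch index chosen from [type] or
  # [fields][log_source]. Every branch writes to the same node over plain HTTP
  # with no credentials.
  # NOTE(review): if the cluster has security enabled or is reachable from
  # other networks, add user/password and TLS settings to each elasticsearch
  # block.
  #
  # Several explicit [fields][log_source] branches below produce exactly
  # "<log_source>-YYYY.MM", which is what the dynamic branch near the end
  # produces as well; they are kept as the author listed them.

  if [type] == "logtest-node1-message" {
    elasticsearch {
      hosts => ["192.168.1.1:9200"]
      index => "logtest-node1-message-%{+YYYY.MM}"
    }
  }
  else if [type] == "logtest-node1-access_logtest.admin-test.com" {
    elasticsearch {
      hosts => ["192.168.1.1:9200"]
      index => "logtest-node1-access_logtest.admin-test.com-%{+YYYY.MM}"
    }
  }
  else if [type] == "logtest-node1-access_logtest.clc_json.com" {
    elasticsearch {
      hosts => ["192.168.1.1:9200"]
      index => "logtest-node1-access_logtest.clc_json.com-%{+YYYY.MM}"
    }
  }
  else if [fields][log_source] == "testnode-web1-mysql_slow_log" {
    elasticsearch {
      hosts => ["192.168.1.1:9200"]
      index => "testnode-web1-mysql_slow_log-%{+YYYY.MM}"
    }
  }
  else if [fields][log_source] == "testnode-web1-php_error_log" {
    elasticsearch {
      hosts => ["192.168.1.1:9200"]
      index => "testnode-web1-php_error_log-%{+YYYY.MM}"
    }
  }
  else if [fields][log_source] == "testnode-web-nginx_access_jpx1.admin.com_log" {
    elasticsearch {
      hosts => ["192.168.1.1:9200"]
      index => "logstash-testnode-web-nginx_access_jpx1.admin.com_log-%{+YYYY.MM}"
    }
  }
  else if [fields][log_source] == "testnode-web2-mysql_slow_log" {
    elasticsearch {
      hosts => ["192.168.1.1:9200"]
      index => "testnode-web2-mysql_slow_log-%{+YYYY.MM}"
    }
  }
  else if [fields][log_source] == "testnode-web2-php_error_log" {
    elasticsearch {
      hosts => ["192.168.1.1:9200"]
      index => "testnode-web2-php_error_log-%{+YYYY.MM}"
    }
  }
  else if [fields][log_source] == "ip-nodetest-svnlog" {
    elasticsearch {
      hosts => ["192.168.1.1:9200"]
      # Daily index (note the .dd), unlike the monthly indices elsewhere.
      index => "ip-nodetest-svnlog-%{+YYYY.MM.dd}"
    }
  }
  else if [fields][log_source] == "ip-nodetest_yn-svnlog" {
    elasticsearch {
      hosts => ["192.168.1.1:9200"]
      index => "ip-nodetest_yn-svnlog-%{+YYYY.MM}"
    }
  }
  else if [fields][log_source] == "abcd-node_web-nginx_access_abcd-node.admin.com.log" {
    elasticsearch {
      hosts => ["192.168.1.1:9200"]
      index => "logstash-abcd-node_web-nginx_access_abcd-node.admin.com.log-%{+YYYY.MM}"
    }
  }
  # Dynamic branch: the index name comes from the fields.log_source value sent
  # by Filebeat, so new sources do not have to be listed here one by one; each
  # Filebeat input must set that field.
  # The value is chosen by the sender, so it is only used when it is present
  # and looks like a valid index prefix (lowercase letters, digits, ".", "_",
  # "-", starting with a letter or digit). Without this guard an event lacking
  # the field is written to an index literally named "%{[fields][log_source]}-...",
  # and any host able to reach the beats port could create arbitrarily named
  # indices.
  else if [fields][log_source] =~ /\A[a-z0-9][a-z0-9._-]*\z/ {
    elasticsearch {
      hosts => ["192.168.1.1:9200"]
      index => "%{[fields][log_source]}-%{+YYYY.MM}"
    }
  }
  # Catch-all for events with a missing or unusable log_source. The index name
  # is a sample chosen for this listing; rename it to fit local conventions.
  else {
    elasticsearch {
      hosts => ["192.168.1.1:9200"]
      index => "unmatched-log-source-%{+YYYY.MM}"
    }
  }
}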

 

filebeat配置实例:

# Filebeat side of the pipeline: ships one nginx access log to Logstash and
# tags it with the log_source value that Logstash uses to pick the index.
filebeat.inputs:
- type: log
  paths:
    - /logs/nginx/abc.t.cn_access.log
  # Decode each line as JSON and place its keys at the top level of the event.
  # With overwrite_keys enabled, decoded keys replace fields that Filebeat
  # itself adds when the names conflict.
  # NOTE(review): confirm the access log is written with JSON escaping so that
  # request data cannot introduce extra keys into the event.
  json.keys_under_root: true
  json.overwrite_keys: true
  fields: # Together with log_source below, this is what Logstash references to create the index automatically
    # Becomes part of the Elasticsearch index name, so keep it lowercase and
    # free of characters that are not allowed in index names.
    log_source: abc_nginx_access_log
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
setup.kibana:
# No ssl.* settings are given, so events travel to Logstash unencrypted and the
# Logstash server is not authenticated.
# NOTE(review): add ssl.certificate_authorities (and a client certificate and
# key) if this path crosses a network that is not fully trusted.
output.logstash:
  hosts: ["192.168.1.1:5044"]
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

 

 
