以下是logstash下的一个子配置文件:filebeat.conf,
有一些if和else if语句及最后的自动配置索引。
内容如下:
input {
# Beats listener: Filebeat ships events here (see "output.logstash" in the
# Filebeat example further down).
beats {
# TCP port the Beats connect to; must match "hosts" on the Filebeat side.
port => 5044
# Binds every interface. No ssl / ssl_certificate / ssl_key options are set,
# so events arrive in cleartext and any host that can reach 5044 can submit
# events, including the [fields][log_source] value the output section uses
# to pick the index. Restrict reachability (firewall) and/or enable the beats
# input's TLS options; ssl_verify_mode can additionally require client certs.
host => "0.0.0.0"
}
}
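filter {
  # GeoIP enrichment for the two nginx access-log sources. The two original
  # branches were byte-for-byte identical, so they are merged into one
  # membership test; the geoip/mutate block below is unchanged.
  # NOTE(review): the second value ("abcnode_web-...") differs from the value
  # the output section routes on ("abcd-node_web-..."); one of them is
  # presumably a typo, so that source may never be enriched — confirm against
  # the log_source values Filebeat actually ships.
  if [fields][log_source] in [
    "testnode-web-nginx_access_jpx1.admin.com_log",
    "abcnode_web-nginx_access_abcd-node.admin.com.log"
  ] {
    geoip {
      # Client IP field; presumably lifted to the top level by Filebeat's
      # json.keys_under_root decoding of the nginx JSON log — confirm.
      source => "remote_addr"
      target => "geoip"
      database => "/etc/logstash/GeoLite2-City.mmdb"
      # Two add_field entries with the same key are merged by the config
      # parser into one array, [longitude, latitude] — the order Elasticsearch
      # expects for an array-form geo_point.
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    mutate {
      # sprintf produced strings; a geo_point needs numeric values.
      convert => [ "[geoip][coordinates]", "float"]
    }
  }
}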
output {
# Every branch writes to the same single Elasticsearch endpoint over plain
# http; no user/password/ssl/cacert options are set, so nothing authenticates
# Logstash to the cluster and documents travel in cleartext. The branches
# differ only in the index name.
# NOTE(review): the three [type] branches assume Filebeat still sets a "type"
# field (the old document_type option); recent Filebeat versions do not, so
# these branches may be dead — confirm against the shipped events.
if [type] == "logtest-node1-message" {
elasticsearch {
hosts => ["192.168.1.1:9200"]
index => "logtest-node1-message-%{+YYYY.MM}"
}
}
else if [type] == "logtest-node1-access_logtest.admin-test.com" {
elasticsearch {
hosts => ["192.168.1.1:9200"]
index => "logtest-node1-access_logtest.admin-test.com-%{+YYYY.MM}"
}
}
else if [type] == "logtest-node1-access_logtest.clc_json.com" {
elasticsearch {
hosts => ["192.168.1.1:9200"]
index => "logtest-node1-access_logtest.clc_json.com-%{+YYYY.MM}"
}
}
# From here on routing is keyed on the log_source value set in the Filebeat
# "fields" section.
else if [fields][log_source] == "testnode-web1-mysql_slow_log" {
elasticsearch {
hosts => ["192.168.1.1:9200"]
index => "testnode-web1-mysql_slow_log-%{+YYYY.MM}"
}
}
else if [fields][log_source] == "testnode-web1-php_error_log" {
elasticsearch {
hosts => ["192.168.1.1:9200"]
index => "testnode-web1-php_error_log-%{+YYYY.MM}"
}
}
# Matches the first geoip condition in the filter section; note the index
# gets a "logstash-" prefix unlike the branches above.
else if [fields][log_source] == "testnode-web-nginx_access_jpx1.admin.com_log" {
elasticsearch {
hosts => ["192.168.1.1:9200"]
index => "logstash-testnode-web-nginx_access_jpx1.admin.com_log-%{+YYYY.MM}"
}
}
else if [fields][log_source] == "testnode-web2-mysql_slow_log" {
elasticsearch {
hosts => ["192.168.1.1:9200"]
index => "testnode-web2-mysql_slow_log-%{+YYYY.MM}"
}
}
else if [fields][log_source] == "testnode-web2-php_error_log" {
elasticsearch {
hosts => ["192.168.1.1:9200"]
index => "testnode-web2-php_error_log-%{+YYYY.MM}"
}
}
# NOTE(review): daily rollover (YYYY.MM.dd) while every other index here
# rolls monthly — confirm this is intended.
else if [fields][log_source] == "ip-nodetest-svnlog" {
elasticsearch {
hosts => ["192.168.1.1:9200"]
index => "ip-nodetest-svnlog-%{+YYYY.MM.dd}"
}
}
else if [fields][log_source] == "ip-nodetest_yn-svnlog" {
elasticsearch {
hosts => ["192.168.1.1:9200"]
index => "ip-nodetest_yn-svnlog-%{+YYYY.MM}"
}
}
# NOTE(review): this value ("abcd-node_web-...") does not match the filter
# section's "abcnode_web-..." condition, so events landing here are presumably
# never geoip-enriched (or the filter's value is the typo) — confirm.
else if [fields][log_source] == "abcd-node_web-nginx_access_abcd-node.admin.com.log" {
elasticsearch {
hosts => ["192.168.1.1:9200"]
index => "logstash-abcd-node_web-nginx_access_abcd-node.admin.com.log-%{+YYYY.MM}"
}
}
# Catch-all: the index name is derived from the log_source value Filebeat
# sends, so a new source needs no branch here, only a fields.log_source entry
# in its Filebeat config.
# NOTE(review): if [fields][log_source] is absent the sprintf reference is not
# resolved and the index is literally named "%{[fields][log_source]}-...";
# and because the Beat chooses this value, the Beat decides the target index
# (which must be lowercase and free of characters Elasticsearch rejects).
# A guard branch for events without the field would make both cases explicit.
else {
elasticsearch {
hosts => ["192.168.1.1:9200"]
index => "%{[fields][log_source]}-%{+YYYY.MM}" # Variable: the index is created from the fields.log_source value Filebeat sends, so sources need not be listed here one by one, but must be declared on the Filebeat side.
}
}
}
filebeat配置实例:
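filebeat.inputs:
  - type: log
    paths:
      - /logs/nginx/abc.t.cn_access.log
    # Decode each line as JSON and lift its keys to the top level so the
    # Logstash geoip filter can read e.g. remote_addr directly.
    json.keys_under_root: true
    # NOTE(review): with overwrite_keys a JSON key in the log line can replace
    # fields Filebeat itself adds; a line carrying a "fields" object could
    # presumably alter fields.log_source and therefore the target index —
    # confirm, or keep routing metadata out of the log content's reach.
    json.overwrite_keys: true
    # Logstash reads [fields][log_source] and derives the index name from it
    # (the final else branch of its output section), so no per-source branch
    # is needed there. Elasticsearch index names must be lowercase, so keep
    # this value lowercase.
    fields:
      log_source: abc_nginx_access_log
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
setup.kibana:
output.logstash:
  # Plaintext connection: no ssl.* options are set, matching the unencrypted
  # beats input on the Logstash side.
  hosts: ["192.168.1.1:5044"]
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~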