logstash:
input:https://www.elastic.co/guide/en/logstash/current/input-plugins.html
input {
file {
path =>"/var/log/messages"
type => "system"
start_position =>"beginning"
}
file {
path =>"/var/log/elasticsearch/alex.log"
type => "es-error"
start_position =>"beginning"
}
}
output:https://www.elastic.co/guide/en/logstash/current/output-plugins.html
output {
if [type] == "system" {
elasticsearch {
hosts=>["192.168.1.1:9200"]
index=>"system-%{+YYYY.MM.dd}"
}
}
if [type] == "es-error" {
elasticsearch {
hosts=>["192.168.1.1:9200"]
index=>"es-error-%{+YYYY.MM.dd}"
}
}
}
收集java报错堆栈信息,(多行报错)
需要codec plugin
input {
stdin {
codec => multiline {
pattern => "regexp"
negate => "true or false"
what =>"previous or next"//合并到上一行还是下一行
}
}
}
例子1:
input {
stdin {
codec => multiline {
pattern => "^\["
negate => "true"
what =>"previous"
}
}
}
output {
stdout {
codec => "rubydebug"
}
}
案例2:
input {
file {
path =>"/var/log/messages"
type => "system"
start_position =>"begining"
}
file {
path =>"/var/log/elasticsearch/alex.log"
type => "es-error"
start_position =>"beginning"
codec => multiline {
pattern => "^\["
negate => "true"
what =>"previous"//合并到上一行还是下一行
}
}
}
output {
if [type] == "system" {
elasticsearch {
hosts=>["192.168.1.1:9200"]
index=>"system-%{+YYYY.MM.dd}"
}
}
if [type] == "es-error" {
elasticsearch {
hosts=>["192.168.1.1:9200"]
index=>"es-error-%{+YYYY.MM.dd}"
}
}
}
原文:http://www.cnblogs.com/alexhjl/p/7652010.html