logstash使用心得
部署:
- 下载logstash-7.2.0.tar.gz包
- 解压
- 进入解压后目录下的 bin 目录，执行 ./logstash 即可运行；这样启动时读取的是默认配置文件 config/logstash-sample.conf
建议使用方式:
- 部署完成后，参照 logstash-sample.conf 新写一个配置文件，然后用 ./logstash -f logstash.conf 运行。比如我自己写了一个启动脚本：
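# Start Logstash with the hand-written pipeline config instead of the
# default config/logstash-sample.conf that a bare ./logstash would read.
LOGSTASH_HOME=/home/elk/logstash/logstash-7.2.0
# Stop if the directory is missing: otherwise ./logstash below would be
# resolved against whatever the current directory happens to be.
cd "$LOGSTASH_HOME/bin" || exit 1
pwd
./logstash -f "$LOGSTASH_HOME/config/logstash.conf"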
- 编写 conf 文件时往往需要反复调试，每次都重启 logstash 很浪费时间；这时可以修改 config 目录下的 logstash.yml，加入一行配置：
config.reload.automatic: true
conf文件配置心得
整合
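input {
  # Oracle change-log poller. With record_last_run/use_column_value the plugin
  # checkpoints the `sync_change_time` of the last row it handed out
  # (last_run_metadata_path) and injects it as :sql_last_value on the next
  # run, so the query must return rows in ascending `sync_change_time` order;
  # an unordered 10-row page can leave the checkpoint at a value that is not
  # the newest one seen, and rows sharing that timestamp beyond the page are
  # then skipped by the `>` comparison. In Oracle ROWNUM is assigned before
  # ORDER BY, so the ordering has to sit in a subquery.
  # `rownum<11` caps throughput at 10 rows per scheduled (once-a-minute) run.
  jdbc {
    type => "fjjkm_healthcode_user_code_change_log"
    jdbc_connection_string => "jdbc:oracle:thin:@//110.90.117.14:36018/orcl"
    jdbc_user => "jkm"
    # NOTE(review): database and Elasticsearch passwords sit in a plain config
    # file; Logstash can resolve them from its keystore or the environment
    # ("${VAR}" syntax) so the file can be shared without the secrets.
    jdbc_password => "1"
    connection_retry_attempts => "1"
    jdbc_driver_library => "/home/elk/logstash/logstash-7.2.0/lib/ojdbc8-19.3.0.0.jar"
    jdbc_driver_class => "Java::oracle.jdbc.driver.OracleDriver"
    statement => "select * from (select name,sync_change_time,id,cert_type,origin_health_status,new_health_status,origin_rule_code,new_rule_code,origin_tab_code,new_tab_code,cert_no,create_time from healthcode_user_code_change_log where sync_change_time>to_date(to_char(:sql_last_value,'yyyy-mm-dd hh24:mi:ss'),'yyyy-mm-dd hh24:mi:ss') order by sync_change_time) where rownum<11"
    jdbc_paging_enabled => "false"
    schedule => "* * * * *"
    # clean_run=false keeps the checkpoint across restarts.
    clean_run => false
    record_last_run => true
    use_column_value => true
    tracking_column => "sync_change_time"
    tracking_column_type => "timestamp"
    last_run_metadata_path => "/home/elk/logstash/logstash-7.2.0/config/sql_last_value_file/oracle.yml"
  }

  # Three Kafka consumers, one per topic. `type` is what the filter/output
  # sections branch on; the three share one consumer group but use distinct
  # client_ids. decorate_events => true attaches the Kafka topic/partition/
  # offset under [@metadata][kafka].
  kafka {
    type => "fjjkm_scene_record_save"
    bootstrap_servers => "127.0.0.1:9092"
    topics => ["scene_record_save"]
    group_id => "logstash_kafka"
    client_id => "scene_record_save"
    decorate_events => true
  }
  kafka {
    type => "fjjkm_scene_scan_log_save_topic"
    bootstrap_servers => "127.0.0.1:9092"
    topics => ["scene_scan_log_save_topic"]
    group_id => "logstash_kafka"
    client_id => "scene_scan_log_save_topic"
    decorate_events => true
  }
  kafka {
    type => "fjjkm_qrcode_engine_show_topic"
    bootstrap_servers => "127.0.0.1:9092"
    topics => ["qrcode_engine_show_topic"]
    group_id => "logstash_kafka"
    client_id => "qrcode_engine_show_topic"
    decorate_events => true
  }
}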
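filter {
  # Common shape of the three Kafka branches: the Kafka payload is a JSON
  # string in [message]; a `timestamp` field is derived from @timestamp, the
  # JSON is expanded into top-level fields, and the raw message is dropped.
  #
  # NOTE(review): @timestamp.time.localtime already converts to the host's
  # zone; adding 8*60*60 on top only gives Beijing time if the host runs in
  # UTC — on an Asia/Shanghai host it shifts twice. The jdbc branch below
  # omits the offset, so the four branches are not obviously consistent;
  # confirm against the host timezone.
  if [type] == "fjjkm_qrcode_engine_show_topic" {
    ruby {
      code => "event.set('timestamp', event.get('@timestamp').time.localtime + 8*60*60)"
    }
    json {
      source => "message"
    }
    # [cid] looks like an 18-character identity number: leading 6/4/2
    # characters give county/city/province, characters 7-14 the birthday,
    # character 17 the sex digit. These derived fields are personal data;
    # the outputs already carry *Cypher fields for other identifiers, so
    # check whether the raw number itself needs to reach the index.
    grok {
      match => {
        "cid" => "(?<countyCode>(.{6}))"
      }
    }
    grok {
      match => {
        "cid" => "(?<cityCode>(.{4}))"
      }
    }
    grok {
      match => {
        "cid" => "(?<provinceCode>(.{2}))"
      }
    }
    grok {
      match => {
        "cid" => "(?<sex>(((?<=.{16})(.{1}))))"
      }
    }
    grok {
      match => {
        "cid" => "(?<birthday>((?<=.{6})(.{8})))"
      }
    }
    # The JSON payload carries its own "type" key, which the json filter has
    # written over the input's `type`. Copy it to apply_type, drop it, and
    # restore the routing type in the next mutate so the output conditionals
    # still match. add_field/remove_field are given once each here; the
    # original repeated the keys and relied on the parser merging them.
    # NOTE(review): the gsub runs after [message] has already been parsed
    # by the json filter above and the field is removed right after, so it
    # has no effect on the event as written — presumably it was meant to
    # precede the json filter; confirm before moving it.
    mutate {
      gsub => [
        "message", '\\"', '"',
        "message", '"{', '{',
        "message", '}"', '}'
      ]
      add_field => {
        "date" => "%{[applyTime][date][year]}-%{[applyTime][date][month]}-%{[applyTime][date][day]}"
        "time" => "%{[applyTime][time][hour]}"
        "apply_type" => "%{[type]}"
      }
      remove_field => ["type", "message", "applyTime", "validTime"]
    }
    mutate {
      add_field => {
        "type" => "fjjkm_qrcode_engine_show_topic"
      }
    }
  }

  if [type] == "fjjkm_scene_record_save" {
    ruby {
      code => "event.set('timestamp', event.get('@timestamp').time.localtime + 8*60*60)"
    }
    json {
      source => "message"
    }
    # createTime is split into its first 10 characters (date) and the two
    # characters after position 11 (hour).
    grok {
      match => {
        "createTime" => "(?<createDate>((.{10})))"
      }
    }
    grok {
      match => {
        "createTime" => "(?<hour>((?<=.{11})(.{2})))"
      }
    }
    mutate {
      remove_field => ["message"]
    }
  }

  if [type] == "fjjkm_scene_scan_log_save_topic" {
    ruby {
      code => "event.set('timestamp', event.get('@timestamp').time.localtime + 8*60*60)"
    }
    json {
      source => "message"
    }
    mutate {
      remove_field => ["message"]
    }
  }

  # jdbc branch: rows arrive as fields already, no JSON step. cert_no is
  # decomposed like cid above. The original wrote the 6/4/2-character
  # prefixes all into one field named `idcard`, which grok turns into an
  # array of three values; the names now mirror the cid branch.
  if [type] == "fjjkm_healthcode_user_code_change_log" {
    ruby {
      code => "event.set('timestamp', event.get('@timestamp').time.localtime)"
    }
    grok {
      match => {
        "cert_no" => "(?<countyCode>(.{6}))"
      }
    }
    grok {
      match => {
        "cert_no" => "(?<cityCode>(.{4}))"
      }
    }
    grok {
      match => {
        "cert_no" => "(?<provinceCode>(.{2}))"
      }
    }
    grok {
      match => {
        "cert_no" => "(?<sex>(((?<=.{16})(.{1}))))"
      }
    }
    grok {
      match => {
        "cert_no" => "(?<birthday>((?<=.{6})(.{8})))"
      }
    }
  }
}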
output {
  # One Elasticsearch output per event type, routed on the `type` the input
  # set (and, for the qrcode branch, the filter restored). Indices roll over
  # monthly via the %{+yyyyMM} date pattern.
  # NOTE(review): the cluster is addressed over plain http with basic auth,
  # so the "elastic" credentials cross the network unencrypted; an https://
  # host (with cacert) and a keystore-backed "${VAR}" password would keep
  # both the wire and this file clean.
  # document_id fixes the id per event, so a replayed row/message overwrites
  # rather than duplicates; for the Kafka branches the id is timestamp plus
  # a per-record identifier, so two records with the same identifier inside
  # one timestamp tick would collide — worth confirming the tick resolution.
  if [type] == "fjjkm_healthcode_user_code_change_log" {
    elasticsearch {
      index => "fjjkm_healthcode_user_code_change_log_%{+yyyyMM}"
      document_id => "%{id}"
      hosts => ["http://192.168.3.52:9200"]
      user => "elastic"
      password => "espassword"
    }
  }
  if [type] == "fjjkm_scene_record_save" {
    elasticsearch {
      index => "fjjkm_scene_record_%{+yyyyMM}"
      document_id => "%{timestamp}%{placeManagerCertCypher}"
      hosts => ["http://192.168.3.52:9200"]
      user => "elastic"
      password => "espassword"
    }
  }
  if [type] == "fjjkm_scene_scan_log_save_topic" {
    elasticsearch {
      index => "fjjkm_scene_scan_log_%{+yyyyMM}"
      document_id => "%{timestamp}%{scanerCertNoCypher}"
      hosts => ["http://192.168.3.52:9200"]
      user => "elastic"
      password => "espassword"
    }
  }
  if [type] == "fjjkm_qrcode_engine_show_topic" {
    elasticsearch {
      index => "fjjkm_t_hc_create_log_%{+yyyyMM}"
      document_id => "%{timestamp}%{cid}"
      hosts => ["http://192.168.3.52:9200"]
      user => "elastic"
      password => "espassword"
    }
  }
}