[root@SYSDRA-10-254-64-216-cetnos pipeline]# cat /opt/logstash/pipeline/syslog-es.conf
# The # character at the beginning of a line indicates a comment. Use
# comments to describe your configuration.
# Alternative (disabled) input kept for reference: read /var/log/messages on this
# host instead of accepting syslog from the network.
#input {
# file {
# path => "/var/log/messages"
# #start_position => beginning
# }
#}
input {
  # Accept syslog from other hosts over both transports; every event is tagged
  # type "syslog" so the filter section below can pick it up.
  # No "host" is set, so Logstash listens on every interface, and port 514 is a
  # privileged port (root or CAP_NET_BIND_SERVICE). Neither listener checks who
  # the sender is, UDP source addresses are trivially spoofable, and the TCP
  # listener is plaintext (ssl_enable is not set) -- anything that can reach
  # this port can inject or forge log lines. Restrict reachability with a
  # firewall and bind to a specific interface where the deployment allows it.
  udp {
    port => 514
    type => "syslog"
  }
  tcp {
    port => 514
    type => "syslog"
  }
}
# The filter section is optional. Here it parses events tagged "syslog" into
# timestamp/host/program/pid/message fields and sets @timestamp from the line.
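filter {
  if [type] == "syslog" {
    # Parse the classic BSD syslog line: "<timestamp> <host> <program>[pid]: <text>".
    # The add_field entries are only applied when the pattern matches; on a
    # mismatch the event is tagged _grokparsefailure and still reaches the
    # outputs with the raw "message" intact.
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      # @timestamp is still the ingestion time at this point (the date filter
      # below has not run yet), so received_at and day record when the line
      # arrived at Logstash, not when the sending host wrote it.
      add_field => [ "received_at", "%{@timestamp}" ]
      # NOTE(review): on Logstash releases with ECS compatibility enabled,
      # "host" is an object ([host][ip]) and this renders as JSON -- confirm
      # against the deployed version.
      add_field => [ "received_from", "%{host}" ]
      add_field => [ "day", "%{+dd}" ]
    }
    # Replace @timestamp with the time carried in the syslog line. Syslog pads
    # single-digit days with a space ("Jun  5 12:00:00"), so the two-space form
    # is matched in addition to the single-space forms that were here before.
    # The BSD timestamp carries neither a year nor a zone: the filter fills in
    # the year, and the zone defaults to this host's local zone -- set
    # "timezone" here if the senders log in a different one.
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}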
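output {
  elasticsearch {
    # NOTE(review): "10.254.64.xxx" is a placeholder left in this copy -- the
    # first node address must be filled in before the pipeline is loaded.
    # Plain HTTP with no user/password/ssl settings: the cluster is trusted on
    # network position alone. Add TLS and credentials if the cluster offers them.
    hosts => ["10.254.64.xxx:9200","10.254.64.227:9200","10.254.64.228:9200"]
    # One index per day, named from the event's @timestamp (the parsed syslog
    # time once the date filter has run, otherwise the ingestion time).
    # The earlier "%{year}.%{month}.%{day}" form referenced "year" and "month",
    # which nothing in this pipeline sets, and "day" is missing whenever grok
    # fails (grok's add_field only runs on a match), so those names ended up in
    # the index name as literal text. Building the name from the timestamp
    # alone also keeps untrusted fields from the syslog line out of it.
    index => "op-rsyslog-%{+YYYY.MM.dd}"
    # NOTE(review): document_type is deprecated from Logstash 6 / ES 6 and
    # custom mapping types are removed in ES 8 -- confirm the deployed versions
    # and drop this line when the cluster no longer accepts it.
    document_type => "rsyslog-index"
  }
  #stdout { codec => rubydebug }
  # Raw copy of every message, one line per event, one file per day. The path
  # is derived from the date only, never from event fields, so a crafted log
  # line cannot steer the write elsewhere. Nothing here rotates or prunes these
  # files; bound their growth with logrotate or an equivalent.
  file {
    path => "/var/log/syslogdata/syslog-%{+YYYY.MM.dd}.txt"
    codec => line {
      format => "%{message}"
    }
  }
}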