[root@SYSDRA-10-254-64-216-cetnos pipeline]# cat /opt/logstash/pipeline/syslog-es.conf

# The # character at the beginning of a line indicates a comment. Use
# comments to describe your configuration.
#input {
#    file {
#        path => "/var/log/messages"
#        #start_position => beginning
#    }
#}



 input {
    # Syslog listeners on the standard port, over both transports. Every event
    # produced here is typed "syslog" so the filter section can select it.
    #
    # Security notes (reviewer):
    #  - 514 is below 1024, so the Logstash process needs root or
    #    CAP_NET_BIND_SERVICE to bind it. Binding an unprivileged port (e.g.
    #    5140) behind a local port redirect lets Logstash drop root.
    #  - Neither listener enables TLS (tcp: ssl_enable) and nothing here limits
    #    who may send, so any host that can reach the port can inject events;
    #    restrict 514/tcp and 514/udp to the sender subnet at the host firewall.
    udp {
        port => 514
        type => "syslog"
    }
    tcp {
        port => 514
        type => "syslog"
    }
}
# The filter section is optional; this one is active and parses syslog lines
# into structured fields.
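filter {

    # Parse events from the syslog inputs into structured fields. The raw line
    # is attacker-controlled (anything that can reach port 514 can send one), so
    # the extracted fields are data only: never splice them into file paths or
    # index names in the output section.
    if [type] == "syslog" {

        grok {
            # Classic BSD syslog line: "<timestamp> <host> <program>[<pid>]: <msg>".
            # A line that does not match is tagged _grokparsefailure and keeps
            # its raw message; syslog_timestamp is then absent and the date
            # filter below leaves @timestamp at receive time.
            match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
            # Receive time and sender, recorded only when the line parsed.
            # NOTE(review): on newer Logstash/ECS layouts the sender lives under
            # [host][ip] rather than a flat "host" string; confirm against the
            # running version.
            add_field => {
                "received_at"   => "%{@timestamp}"
                "received_from" => "%{host}"
            }
        }

        # Replace @timestamp (receive time) with the time inside the message.
        # BSD syslog timestamps carry neither a year nor a zone: Logstash has to
        # infer the year and uses the Logstash host's zone unless told otherwise.
        # TODO(review): set `timezone => "..."` to the senders' zone if it differs.
        date {
            match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
        }

        # Date components for the index name in the output section. They are
        # computed AFTER the date filter so they follow the event's own time,
        # not the ingest time (the original set "day" inside grok, before the
        # date filter ran, and never set "year"/"month" at all, so the index
        # name could not resolve). When the date parse fails they fall back to
        # receive time, so the name still resolves.
        mutate {
            add_field => {
                "year"  => "%{+YYYY}"
                "month" => "%{+MM}"
                "day"   => "%{+dd}"
            }
        }
    }
}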


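output {

    elasticsearch {
        # NOTE: the first host is a redacted placeholder in this listing; put the
        # real address in before use.
        hosts => ["10.254.64.xxx:9200","10.254.64.227:9200","10.254.64.228:9200"]

        # Daily index derived from the event's @timestamp (set from the syslog
        # line by the date filter). The original used %{year}.%{month}.%{day}:
        # "year" and "month" were never set by the filter, so the index name
        # could not resolve, and "day" was the ingest day rather than the
        # event's. Only @timestamp goes into the name — never an event field
        # such as syslog_hostname, which the sender controls.
        index => "op-rsyslog-%{+YYYY.MM.dd}"

        # Kept for clusters that still use mapping types. The option is
        # deprecated since Elasticsearch 6; newer Logstash/ES versions warn on
        # or reject it, so drop it once the cluster is 7+.
        document_type => "rsyslog-index"

        # NOTE(review): plain http with no user/password or ssl options, so the
        # cluster is assumed reachable without authentication from this host.
        # Confirm 9200 is not exposed beyond the Logstash nodes, or add
        # ssl/cacert and credentials here.
    }

    #stdout { codec => rubydebug }

    # Flat daily copy of the raw message. The path depends only on @timestamp,
    # not on event fields, so a sender cannot steer where the file is written;
    # keep it that way. The message is written verbatim: one carrying an
    # embedded newline (possible over udp) will appear as several lines, so
    # anything that parses these files line by line must not trust line
    # boundaries.
    file {
        path => "/var/log/syslogdata/syslog-%{+YYYY.MM.dd}.txt"

        codec => line {
            format => "%{message}"
        }
    }
}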