logstash2.4.0

发布时间:2017-04-11 14:07:07 阅读:1210次


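# Build and install Redis 2.8.19 from source.
#
# The tarball is fetched over plain HTTP and nothing below checks it, so
# compare its digest with one published by a trusted source before building
# (the value here is a placeholder, not a real digest):
#   echo "<EXPECTED_SHA256>  redis-2.8.19.tar.gz" | sha256sum -c -
wget http://download.redis.io/releases/redis-2.8.19.tar.gz
yum install tcl -y    # tcl is needed by the Redis test suite ("make test")
tar zxf redis-2.8.19.tar.gz
cd redis-2.8.19
make MALLOC=libc
# The original line carried a "//" remark; a shell passes that text to make as
# an extra target, so it is written as a "#" comment here.
make test    # this step takes a while
make install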


http://www.07net01.com/2016/09/1658778.html

http://m.blog.csdn.net/article/details?id=52574988

转:http://www.2cto.com/os/201411/352015.html

[root@web_test logstash-2.4.0]# ./bin/logstash -e 'input { stdin { } } output { stdout {} }'

hello the world!
Settings: Default pipeline workers: 2
Pipeline main started
2017-04-11T06:05:51.665Z web_test hello the world!
hello world
2017-04-11T06:06:03.079Z web_test hello world
yansiyu
2017-04-11T06:07:00.321Z web_test yansiyu

[root@web_test logstash-2.4.0]# bin/logstash -e 'input { stdin { } } output { stdout { codec => rubydebug } }'

hello the world!
Settings: Default pipeline workers: 2
Pipeline main started
{
       "message" => "hello the world!",
      "@version" => "1",
    "@timestamp" => "2017-04-11T06:07:44.525Z",
          "host" => "web_test"
}
hello world
{
       "message" => "hello world",
      "@version" => "1",
    "@timestamp" => "2017-04-11T06:07:48.563Z",
          "host" => "web_test"
}
yansiyu
{
       "message" => "yansiyu",
      "@version" => "1",
    "@timestamp" => "2017-04-11T06:07:51.483Z",
          "host" => "web_test"
}

http://blog.csdn.net/fenglailea/article/details/52472419

[root@web_test logstash-2.4.0]# cat conf/lnmp.conf
# lnmp.conf: tail one nginx access log and index each line into Elasticsearch.
# NOTE(review): the session on this page runs Logstash as root; the file input
# only needs read access to the log file, so an unprivileged account would do.
input {
        file{
                type => "nginx-access"
                path => "/app/nginx/logs/test.www.com.log"
                # "beginning" only affects files Logstash has not tracked before.
                start_position => "beginning"
        }
}
# The whole filter section is disabled; events are indexed unparsed.
# NOTE(review): if it is re-enabled, grok expects the pattern inside
# match => { "message" => "..." }; the bare "message"=>"..." line below is not
# a valid grok option as written.
#filter {
#       grok {
#        "message"=>"%{IPORHOST:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:http_version})?|-)\" (%{HOSTNAME:domain}|-) %{NUMBER:response} (?:%{NUMBER:bytes}|-) (%{QS:referrer}) %{QS:agent} \"(%{WORD:x_forword}|-)\" (%{URIHOST:upstream_host}|-) (%{NUMBER:upstream_response}|-) (%{WORD:upstream_cache_status}|-) %{QS:upstream_content_type} (%{USERNAME:upstream_response_time}) > (%{USERNAME:response_time})"
#    # Match pattern: "message" is each log line as read in. IP, HTTPDATE, WORD,
#    # NOTSPACE and NUMBER are regex names predefined in patterns/grok-patterns;
#    # write the pattern against the log format, with the name after the colon
#    # being the field the match is stored in. The (?:%{USER:ident}|-) form is a
#    # conditional, like a ternary expression in a program. Double quotes "" and
#    # square brackets [] must be escaped with a leading \.
#
#       }
#       kv {
#                source => "request"
#                field_split => "&?"
#                value_split => "="
#
#       }
#     # Take the extracted URL/request field and split it into key-value pairs
#     # with the kv plugin: given the field separators "&?" and the key/value
#     # separator "=", fields and values are collected automatically.
#     # NOTE(review): the keys come from the client's query string, so clients
#     # choose the field names. Consider kv's `target` or `include_keys` options
#     # so they cannot add arbitrary top-level fields or collide with fields such
#     # as `type`, which the output below uses in the index name.
#       urldecode {
#        all_fields => true
#
#       }
#     # urldecode every field (so Chinese text displays correctly)
#
#}
output {
        elasticsearch{
                # Plain HTTP to loopback with no credentials. That is only
                # reasonable while Elasticsearch listens on localhost; for a
                # remote cluster the plugin has `ssl`, `cacert`, `user` and
                # `password` options.
                hosts => ["localhost:9200"]
                # One index per event type per day.
                index => "logstash-%{type}-%{+YYYY.MM.dd}"
                document_type => "%{type}"
        }
}
[root@web_test logstash-2.4.0]#

[root@web_test logstash-2.4.0]# bin/logstash -f conf/lnmp.conf
Settings: Default pipeline workers: 2
Pipeline main started
[root@web_test logstash-2.4.0]# bin/logstash -t -f conf/lnmp.conf
Configuration OK

[root@web_test conf]# pwd
/home/test/elk/logstash-2.4.0/conf
[root@web_test logstash-2.4.0]# cat  ./conf/filetoredis.conf
# filetoredis.conf: read the nginx access log and publish each event to a
# Redis channel, echoing it to the console as well.
#input { stdin {}  }
input {
    file {
        path => [
            # list the files to watch here
            #"/home/test/logstash-2.4.0/data/test.log"
            "/app/nginx/logs/test.www.com.log"
        ]
    }
}
output {
    # ship to redis
    stdout { codec => rubydebug  } # print to the console; alternative: stdout { }
    # NOTE(review): no `password` is set. Redis 2.8 has no protected mode (it
    # arrived in 3.2), so confirm redis.conf binds to 127.0.0.1 and/or sets
    # requirepass, and set `password` here to match.
    redis {
        host => localhost   # redis host address
        port => 6379              # redis port
        #db => 8                   # redis database number
        # Pub/sub reaches only subscribers connected at publish time; events
        # sent while no indexer is subscribed are dropped. data_type => "list"
        # buffers them instead.
        data_type => "channel"    # use publish/subscribe mode
        key => "logstash_list_0"  # name of the channel to publish on
    }
}

http://467754239.blog.51cto.com/4878013/1700828/

[root@web_test logstash-2.4.0]# bin/logstash  -f conf/filetoredis.conf
hello the world!
hello
Settings: Default pipeline workers: 2
Pipeline main started
echo "hello the world!"
hello
yasniyu
test

[root@web_test /app/redis-2.8.3/src]# ./redis-cli monitor
OK
1491892998.254335 [0 127.0.0.1:10062] "set" "name" "yansiyu"
1491893002.189399 [0 127.0.0.1:10062] "get" "name"
1491893009.991604 [0 127.0.0.1:10062] "set" "age" "33"
1491893012.433425 [0 127.0.0.1:10062] "get" "age"
1491893069.163712 [0 127.0.0.1:10067] "publish" "logstash_list_0" "{\"message\":\"hello the world!\",\"@version\":\"1\",\"@timestamp\":\"2017-04-11T06:44:27.939Z\",\"host\":\"web_test\"}"
1491893069.166942 [0 127.0.0.1:10067] "publish" "logstash_list_0" "{\"message\":\"hello\",\"@version\":\"1\",\"@timestamp\":\"2017-04-11T06:44:28.053Z\",\"host\":\"web_test\"}"
1491893078.063533 [0 127.0.0.1:10067] "publish" "logstash_list_0" "{\"message\":\"echo \\\"hello the world!\\\"\",\"@version\":\"1\",\"@timestamp\":\"2017-04-11T06:44:37.832Z\",\"host\":\"web_test\"}"
1491893100.670561 [0 127.0.0.1:10067] "publish" "logstash_list_0" "{\"message\":\"hello\",\"@version\":\"1\",\"@timestamp\":\"2017-04-11T06:45:00.025Z\",\"host\":\"web_test\"}"
1491893103.062579 [0 127.0.0.1:10067] "publish" "logstash_list_0" "{\"message\":\"yasniyu\",\"@version\":\"1\",\"@timestamp\":\"2017-04-11T06:45:02.841Z\",\"host\":\"web_test\"}"

1491893105.131954 [0 127.0.0.1:10067] "publish" "logstash_list_0" "{\"message\":\"test\",\"@version\":\"1\",\"@timestamp\":\"2017-04-11T06:45:04.489Z\",\"host\":\"web_test\"}" 

[root@web_test logstash-2.4.0]# bin/logstash -f conf/basic.conf
hello the world
Settings: Default pipeline workers: 2
Pipeline main started
{
       "message" => "hello the world",
      "@version" => "1",
    "@timestamp" => "2017-04-11T06:56:44.866Z",
          "host" => "web_test"
}
[root@web_test logstash-2.4.0]# cat conf/basic.conf
# basic.conf: smoke-test pipeline that reads lines from stdin and prints each
# event to stdout in rubydebug form.
input {
        stdin {  }
}
output {
        stdout {
                codec=>rubydebug
        }
}

[test@web_test src]$ pwd
/app/redis-2.8.3/src

http://467754239.blog.51cto.com/4878013/1700828/

http://www.cnblogs.com/huangxincheng/p/5002794.html

[root@web_test logstash-2.4.0]# pwd
/home/test/elk/logstash-2.4.0
[root@web_test logstash-2.4.0]# cat conf/redistoes.conf
# redistoes.conf: subscribe to a Redis channel and index every message
# received on it into Elasticsearch.
# NOTE(review): whatever is published on the channel is indexed as-is (the
# redis-cli session on this page publishes arbitrary strings), so anyone who
# can reach Redis can write to the index. Restrict Redis to loopback or set
# requirepass plus `password` below.
input {
    redis {
        host => localhost   # redis host address
        port => 6379              # redis port
        #db => 8                   # redis database number
        data_type => "channel"    # use publish/subscribe mode
        key => "logstash_list_0"  # name of the channel to subscribe to
    }
}
output {
        elasticsearch{
                # Plain HTTP to loopback with no credentials; for a remote
                # cluster use the plugin's `ssl`, `cacert`, `user` and
                # `password` options.
                hosts => ["localhost:9200"]
                index => "logstash-redistoes-%{+YYYY.MM.dd}"
                #codec=>"json",
                #protocol => "http"  # versions 1.0+ must specify the http protocol
                document_type => "redistoes"
        }
}

[root@web_test logstash-2.4.0]#  bin/logstash -f conf/redistoes.conf
Settings: Default pipeline workers: 2
Pipeline main started


[test@web_test src]$ ./redis-cli
127.0.0.1:6379> publish one 'hello the world!'
(integer) 0
127.0.0.1:6379> publish one 'hello the world!'
(integer) 0
127.0.0.1:6379> publish "logstash_list_0" "hello"
(integer) 0
127.0.0.1:6379> publish "logstash_list_0" "hello"
(integer) 0
127.0.0.1:6379> publish logstash_list_0 "hello"
(integer) 0
127.0.0.1:6379> publish logstash_list_0 "hello"
(integer) 1
127.0.0.1:6379> publish logstash_list_0 "hello"
(integer) 1
127.0.0.1:6379> publish logstash_list_0 "hello"
(integer) 1
127.0.0.1:6379> publish logstash_list_0 "hello"
(integer) 1
127.0.0.1:6379> publish logstash_list_0 "hello"
(integer) 1
127.0.0.1:6379> publish logstash_list_0 "1"
(integer) 1
127.0.0.1:6379> publish logstash_list_0 "2"
(integer) 1
127.0.0.1:6379> publish logstash_list_0 "3"
(integer) 1
127.0.0.1:6379> publish logstash_list_0 "hehe"
(integer) 1
127.0.0.1:6379> publish logstash_list_0 "hehe"
(integer) 1
127.0.0.1:6379> publish logstash_list_0 "dajiahao"
(integer) 1
127.0.0.1:6379>

http://blog.csdn.net/zhaoyangjian724/article/details/52037986



