Step 1: Install Logstash with apt
sudo apt install logstash
Once the installation has finished, create a configuration file and use it to configure Logstash. Under /etc/logstash/conf.d/ we create a file named apache_logstash.conf with the following content:
input {
  file {
    path => ["/var/log/apache2/access.log"]
    start_position => "beginning"
    add_field => {
      "[fields][logtype]" => "apache-access-log"
    }
  }
}
filter {
  if [fields][logtype] == "apache-access-log" {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    date {
      match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
    geoip { source => "clientip" }
  }
}
output {
  elasticsearch {
    hosts => ["192.168.1.101:9200"]
    manage_template => false
    index => "apache-log--%{+YYYY.MM.dd}"
    document_type => "_doc"
  }
}
The configuration file is made up of three blocks, Input{ }, Filter{ }, and Output{ }: Input mainly sets the location of the log file, Filter handles the processing of the data, and Output sets where the data is sent.
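As an added illustration (not code from the original post), the following Python script reproduces what the filter block does to one access-log line: a regex equivalent to %{COMBINEDAPACHELOG}, the date parse with the same pattern as the date filter, and the daily index name from the output block. The sample log lines are constructed; note that Logstash renders %{+YYYY.MM.dd} in UTC, so a request logged shortly after midnight at +0800 lands in the previous day's index.

```python
import re
from datetime import datetime, timezone

# Regex equivalent of the grok %{COMBINEDAPACHELOG} pattern; group names follow the
# grok field names so the output matches what the filter block above produces.
COMBINED_RE = re.compile(
    r'(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines, not taken from a real server.
SAMPLE_LINES = [
    '203.0.113.7 - - [05/Mar/2024:01:15:22 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Mar/2024:09:42:01 +0800] "POST /login HTTP/1.1" 401 312 "https://example.test/" "curl/8.4.0"',
    'not an apache access log line',
]

def parse_combined_log(line):
    """Apply the grok and date steps to one line; None mirrors a _grokparsefailure."""
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["[fields][logtype]"] = "apache-access-log"  # add_field from the input block
    # Same pattern as the date filter, "dd/MMM/yyyy:HH:mm:ss Z"; strptime %z reads "+0800"
    event["@timestamp"] = datetime.strptime(event["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
    event["response"] = int(event["response"])
    event["bytes"] = 0 if event["bytes"] == "-" else int(event["bytes"])
    return event

def index_name(event):
    """Mirror index => "apache-log--%{+YYYY.MM.dd}"; Logstash renders %{+...} in UTC,
    so a 01:15 +0800 request is written to the previous day's index."""
    day = event["@timestamp"].astimezone(timezone.utc).strftime("%Y.%m.%d")
    return "apache-log--" + day

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_combined_log(line)
        print((ev["clientip"], ev["response"], index_name(ev)) if ev else "_grokparsefailure")
```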
Once the configuration file is done, change into the /usr/share/logstash/bin directory and run Logstash with the apache_logstash.conf file we just created to start it:
cd /usr/share/logstash/bin
./logstash -f /etc/logstash/conf.d/apache_logstash.conf
During the testing phase you can also add --config.reload.automatic; Logstash will then reload the configuration file every three seconds, which makes testing easier:
./logstash -f /etc/logstash/conf.d/apache_logstash.conf --config.reload.automatic