通过Logstash的tcp/udp插件收集日志,通常用于向Elasticsearch补录丢失的部分日志:可以将丢失的日志通过一个TCP端口直接写入Elasticsearch服务器。
配置Logstash
#进入Logstash配置文件目录 [root@redis01 ~]# cd /etc/logstash/conf.d/ #编辑Logstash配置文件 [root@redis01 conf.d]# vim tcp.conf input { tcp { port => 1234 type => "tcplog" mode => "server" } } output { stdout { codec => rubydebug } } |
启动
#启动Logstash [root@redis01 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/tcp.conf #检测端口是否启动成功 [root@redis01 ~]# netstat -lntup tcp 0 0 :::1234 :::* LISTEN 8656/java |
使用nc工具
1)安装nc工具
#使用yum安装nc [root@web01 ~]# yum install -y nc |
收集多个tcp日志到ES
1)配置
[root@redis01 ~]# cat /etc/logstash/conf.d/tcp_es.conf
# Two TCP listeners, one per log source. `type` tags each event so the output
# section can route it to its own index.
# Neither listener sets `host` or any TLS option: whoever can reach ports
# 1234/2345 can write documents into the indices below. Restrict the source
# addresses (firewall) before using this outside a test network.
input {
  tcp {
    port => 1234
    type => "nginxlog"
    mode => "server"
  }
  tcp {
    # Quoted here, bare number above.
    # NOTE(review): presumably coerced to a number by Logstash; confirm.
    port => "2345"
    type => "tomcatlog"
    mode => "server"
  }
}
output {
  # Route by the `type` set on the input; %{+YYYY-MM-dd} is filled from the
  # event's @timestamp, giving one index per day.
  # `hosts` is a bare host:port with no credentials or TLS settings.
  # NOTE(review): this assumes the cluster accepts unauthenticated requests
  # from this host; confirm 9200 is not reachable from untrusted networks.
  if [type] == "nginxlog" {
    elasticsearch {
      hosts => ["10.0.0.71:9200"]
      index => "tcp_nginxlog_%{+YYYY-MM-dd}"
    }
  }
  if [type] == "tomcatlog" {
    elasticsearch {
      hosts => ["10.0.0.71:9200"]
      index => "tcp_tomcatlog_%{+YYYY-MM-dd}"
    }
  }
}
2)启动
# Start Logstash with the two-listener pipeline (-f: pipeline config file to load).
[root@redis01 ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/tcp_es.conf
3)测试
[root@web01 ~]# tail -f /var/log/nginx/access.log | nc 10.0.0.81 1234 [root@web01 ~]# tail -f /usr/local/tomcat/logs/tomcat_access_json.$(date +%F).log | nc 10.0.0.81 2345 #页面查看索引 |