# rpm 安裝
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch # 導入eskey
rpm -ivh logstash-7.7.0.rpm # 安裝logstash
ln -s /usr/share/logstash/bin/logstash /usr/bin/logstash # 可以對logstash可執行檔案建立一個軟連結,便于直接使用logstash指令
有三個注意事項,原文:https://blog.csdn.net/spider_xiaoma/article/details/109952128
否則,會出現logstash啟動成功,logstash日志沒有報錯,但是elasticsearch中沒有添加索引的情況。
# 保證收集的日志有檢視權限
[[email protected] conf.d]# ll /var/log/nginx/access.log
-rw-r----- 1 root root 73148 Nov 15 13:17 /var/log/nginx/access.log
[[email protected] conf.d]# chmod 644 /var/log/nginx/access.log
[[email protected] conf.d]# ll /var/log/nginx/access.log
-rw-r--r-- 1 root root 73148 Nov 15 13:17 /var/log/nginx/access.log
logstash啟動使用者建議修改成root使用者 vim /etc/systemd/system/logstash.service
[Service]
Type=simple
User=root
Group=root #修改成root
- 重新開機 logstash服務 檢視系統日志 是否有權限報錯
systemctl daemon-reload
systemctl restart logstash.service
tail -f /var/log/messages
# 檢查logstash配置檔案 慎用
/usr/share/logstash/bin/logstash "--path.settings" "/etc/logstash" "--path.config" "/etc/logstash/conf.d" -t
# 建議單個檢查 不啟動
/usr/share/logstash/bin/logstash -t -f /etc/logstash/conf.d/nginx.conf # 隻檢查測試配置檔案文法 不啟動
# 啟動 一般來測試filter寫的怎麼樣
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/nginx_access.conf # 檢查并啟動conf一般來測試 filter寫的怎麼樣
# filter不長的話也可以直接螢幕cmd 測試 :https://www.cnblogs.com/miclesvic/articles/10468008.html
logstash -e 'input {stdin {}} filter {grok {match => { "message" => "%{COMBINEDAPACHELOG}" }}} output {stdout {}}' # 指令行 測試 filter 是否可用 測試螢幕 标準輸入和輸出
# 測試是 螢幕輸入模式 否可以正常傳輸索引到es
logstash -e 'input {stdin {}} output {elasticsearch { hosts => ["10.69.15.30:9200"] index => "logstash-test-%{+YYYY.MM.dd}"}}'
# 去檢視Elasticsearch現有索引
curl http://10.69.15.30:9200/_cat/indices | grep logstash # 輸入自己的esip:9200 grep過濾索引
![ELK詳細分析nginx日志1. 實驗規劃2. ELK安裝3. logstash伺服器的配置4. kibana檢視配置5. 建立儀表闆顯示pv和uv[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)