Logstash configuration

input{
  beats{
    # Filebeat ships the raw log lines here; Beats -> Logstash traffic is
    # plaintext unless ssl => true and certificates are configured.
    port => 5044
  }
}

filter{
  grok {
        # Parses one application log line into fields. The timestamp goes to
        # [@metadata][timestamp] so it is not indexed as a separate field.
        # Anchoring the pattern with ^ is the usual recommendation: unanchored
        # patterns backtrack across the whole line on non-matching input.
        match => { "message" => [
        "%{NOTSPACE:applicationName} %{NOTSPACE:instanceName} %{TIMESTAMP_ISO8601:[@metadata][timestamp]} \[%{NOTSPACE:sessionid}\] \[%{NOTSPACE:requestid}\] %{LOGLEVEL:level} %{JAVACLASS:class} - (?<logmessage>(.*))"
                   ]
        }
  }
  date {
          # Overwrites the default @timestamp (ingest time) with the time
          # parsed from the log line. The log timestamp carries no zone, so
          # without a timezone => option Logstash interprets it in the
          # Logstash host's local time zone; set it explicitly if the
          # application and Logstash hosts differ. Parse failures leave
          # @timestamp as ingest time and add the tag _dateparsefailure.
          match => [ "[@metadata][timestamp]", "yyyy-MM-dd HH:mm:ss.SSS" ]
        }
  geoip {
         # Note: the grok pattern above does not produce remote_addr_ip, so
         # unless another filter sets it, the lookup fails on every event
         # (tagged _geoip_lookup_failure) and adds no geo fields.
         source => "remote_addr_ip"
  }
}

output{
  elasticsearch{
    hosts => ["xx:xx"]
    # %{+YYYY.MM.dd} is taken from @timestamp, i.e. from the log's own time
    # once the date filter has run, so late-shipped events land in the
    # daily index of the day they were written, not the day they arrived.
    index => "iflydocs-log-index-%{+YYYY.MM.dd}"
  }
}

Logstash generates an @timestamp field by default, holding the time the event was received. The date filter above overwrites that auto-generated @timestamp with the timestamp parsed from the log line, so the @timestamp you see when querying in ELK is the time the log entry was actually written, not the time it was ingested. This matters for incident timelines: shipping delays or a Filebeat backlog no longer shift events forward in time. If the grok or date stage fails, the event keeps the ingest time and is tagged _grokparsefailure or _dateparsefailure, so those tags are worth alerting on; an attacker-controlled line that does not match the pattern would otherwise quietly show up with the wrong time.
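The following is an added example, not code from the original post or from Logstash: a Python re-implementation of the grok, date and index-naming steps above, run over constructed sample log lines. It shows the @timestamp override, the fallback to ingest time with the failure tags, and the resulting daily index name. The regex is a hand-written approximation of the grok pattern (NOTSPACE as \S+, a reduced LOGLEVEL list, the TIMESTAMP_ISO8601 form narrowed to the layout the date filter expects); the sample lines, application names and received time are made up for the example.

```python
import re
from datetime import datetime, timezone

# Hand-written regex equivalent of the page's grok pattern (approximation,
# anchored with ^ and $ so the whole line must match).
LOG_RE = re.compile(
    r"^(?P<applicationName>\S+) (?P<instanceName>\S+) "
    r"(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<sessionid>\S+)\] \[(?P<requestid>\S+)\] "
    r"(?P<level>TRACE|DEBUG|INFO|WARN|ERROR|FATAL) "
    r"(?P<class>[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*) - "
    r"(?P<logmessage>.*)$"
)

# Same layout as the date filter's "yyyy-MM-dd HH:mm:ss.SSS".
DATE_LAYOUT = "%Y-%m-%d %H:%M:%S.%f"
INDEX_PREFIX = "iflydocs-log-index-"

# Constructed sample input (not real application output).
SAMPLE_LINE = (
    "iflydocs docs-01 2023-05-06 12:34:56.789 [sess-1] [req-1] "
    "INFO com.example.Foo - hello world"
)
BAD_DATE_LINE = (
    "iflydocs docs-01 2023-13-45 12:34:56.789 [sess-1] [req-1] "
    "INFO com.example.Foo - month 13 does not exist"
)
# Pretend the line was shipped a day late: this is the ingest-time @timestamp
# Logstash would assign before the date filter runs.
RECEIVED_AT = datetime(2023, 5, 7, 1, 0, 0, tzinfo=timezone.utc)


def parse_event(message, received_at, tz=timezone.utc):
    """Mimic grok -> date -> index naming for one Filebeat message.

    `tz` plays the role of the date filter's timezone option; Logstash
    defaults it to the host's local zone, here we default to UTC.
    """
    event = {"message": message, "@timestamp": received_at, "tags": []}

    # grok stage: on mismatch, tag and keep ingest time.
    m = LOG_RE.match(message)
    if not m:
        event["tags"].append("_grokparsefailure")
        event["index"] = INDEX_PREFIX + received_at.strftime("%Y.%m.%d")
        return event

    fields = m.groupdict()
    raw_ts = fields.pop("timestamp")
    # Equivalent of [@metadata][timestamp]: kept out of the indexed fields.
    event["@metadata"] = {"timestamp": raw_ts}
    event.update(fields)

    # date stage: overwrite @timestamp with the log's own time, or tag.
    try:
        event["@timestamp"] = datetime.strptime(raw_ts, DATE_LAYOUT).replace(tzinfo=tz)
    except ValueError:
        event["tags"].append("_dateparsefailure")

    # output stage: %{+YYYY.MM.dd} is rendered from the (possibly overwritten)
    # @timestamp, so the index is chosen by event time.
    event["index"] = INDEX_PREFIX + event["@timestamp"].strftime("%Y.%m.%d")
    return event


if __name__ == "__main__":
    for line in (SAMPLE_LINE, BAD_DATE_LINE, "garbage that matches nothing"):
        ev = parse_event(line, RECEIVED_AT)
        print(ev["@timestamp"].isoformat(), ev["index"], ev["tags"])
```

The parsed line is indexed under 2023.05.06 even though it arrived on 2023.05.07; the two failure cases keep the ingest time and carry the tag, which is what a detection rule on `_grokparsefailure` / `_dateparsefailure` should catch.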
