（上）—— ELK介绍及搭建 Elasticsearch 分布式集群

http://blog.51cto.com/zero01/2079879

 

（下）—— 搭建kibana和logstash服务器

http://blog.51cto.com/zero01/2082794

 

ELK 日志相关

https://www.cnblogs.com/zhang-shijie/category/803469.html

 

logstash输出到elasticsearch多索引

https://blog.csdn.net/wangyangzhizhou/article/details/53314022

 

elasticsearch索引自动清理

https://www.cnblogs.com/kasumi/p/6479733.html

 

Logstash处理json格式日志文件的三种方法

https://blog.csdn.net/jiao_fuyou/article/details/49174269/

 

LogStash的Filter的使用

https://www.cnblogs.com/qq27271609/p/4762562.html

 

 

问题1:

elasticsearch: can not run elasticsearch as root

https://www.cnblogs.com/sandyyeh/p/8413724.html 

 

问题2:

启动logstash 用-f

./logstash -f ../config/logstash-sample.conf  

 

问题3:

Logstash.conf 不要配置5044的端口

问题4:

目前input只有tags上能带到输出里，可以做output条件判断

filter可以追加处理数据

 

问题5:

Logstash.conf demo

input {  file {        path => "/var/log/system.log"        tags => ["system"]        #codec => json        #start_position => "beginning" #从文件开始处读写  }  file {        path => "/var/log/kibana.log"        tags => ["kibana"]        codec => json        #start_position => "beginning" #从文件开始处读写  }}filter {        mutate{                add_field => {                        "tmp2" => "1"                }        }}output {        if "kibana" in [tags] {                 elasticsearch {                         hosts => ["http://127.0.0.1:9200"]                         index => "kibana.log"                }       }       if "system" in [tags] {                elasticsearch {                         hosts => ["http://127.0.0.1:9200"]                         index => "system.log"                }       }        #elasticsearch {        #                hosts => ["http://127.0.0.1:9200"]        #                index => [id]        #}        stdout {                codec => rubydebug        }}