概述
ELK 日志分析系统的搭建
相关说明
网上有很多搭建教程,这里仅记录配置
[toc]
服务地址
-
ElasticSearch: localhost:9200 ElasticSearch-head: localhost:9100
-
LogStash: localhost:9200
Kibana: localhost:5601
LogStash 配置文件
input {
file {
codec => plain {
# 处理中文GBK编码文件
# charset => "GBK"
charset => "UTF-8"
}
# Windows路径需要使用正斜杠或双反斜杠
path => "C:/Users/holdy/Downloads/Cactus/Cactus/*MsgRouterCopy*"
# 从文件开头开始读取
start_position => "beginning"
# Windows下禁用sincedb或指定具体路径
sincedb_path => "NUL"
# 可选,为事件添加类型标识
type => "elasticsearch"
}
}
filter {
grok {
match => {
"message" => "内容:(?<json_data>\{.*\})"
}
tag_on_failure => []
}
if [json_data] {
json {
source => "json_data"
target => "event_data"
}
mutate {
remove_field => ["json_data"]
}
}
}
# 输出
output {
stdout { codec => rubydebug }
# 输出到 ElasticSearch
elasticsearch {
# ElasticSearch地址
hosts => ["http://localhost:9200"]
# ElasticSearch索引名
index => "es-%{+YYYY.MM.dd}"
user => "elastic"
password => "Admin@2022"
ssl_verification_mode => "none" # 若为 HTTP 需关闭 SSL 验证
}
}一键启动
启动顺序如下所示:
-
ElasticSearch 已安装到服务,这里就不用再启动了
# 如果未安装服务,启动命令如下所示 bin\ElasticSearch.bat -
ElasticSearch-head
npm run start -
LogStash
@echo off logstash -f C:\ELK\logstash-9.1.0\bin\logstash.conf -
Kibana 运行
bin\kibana.bat即可,需要最终启动 Kibanna 才能访问数据查看页面
备注
日志文件需要格式转换,统一将日志文件转换为 UTF-8 编码。