Continuing the plugin deployment series: deploying Logstash with Docker.
I: Prepare the working directories
Create the directories:
/opt/docker/logstash/config
/opt/docker/logstash/data
/opt/docker/logstash/pipeline
/opt/docker/logstash/pipeline/mappings
II: Prepare the configuration files
1: vim /opt/docker/logstash/config/logstash.yml
http.host: "0.0.0.0"
xpack.monitoring.elasticsearch.username: "xxxx"
xpack.monitoring.elasticsearch.password: "xxxxx"
xpack.monitoring.elasticsearch.hosts: [ "http://127.0.0.1:9200" ]
2: vim /opt/docker/logstash/pipeline/logstash.conf
input {
  tcp {
    mode => "server"
    host => "0.0.0.0"     # accept logs from any host
    port => 5044          # port exposed by Logstash
    codec => json_lines   # data format
  }
}
filter {
  ruby {
    # convert the time to a millisecond timestamp
    code => "event.set('createTime',(event.get('@timestamp').to_f.round(3)*1000).to_i)"
  }
  ruby {
    # set a custom field 'timestamp' (the name is up to you): take the timestamp that Logstash generates automatically, add 8 hours, and assign it to this field
    code => "
      event.set('timestamp', event.get('@timestamp').time.localtime + 8*3600)
      event.set('threadName', event.get('thread_name'))
      event.set('levelValue', event.get('level_value'))
      event.set('loggerName', event.get('logger_name'))
      event.set('callerClassName', event.get('caller_class_name'))
      event.set('callerFileName', event.get('caller_file_name'))
      event.set('callerLineNumber', event.get('caller_line_number'))
      event.set('callerMethodName', event.get('caller_method_name'))
      event.set('stackTrace', event.get('stack_trace'))
    "
  }
  # The whole block is commented out: a ruby filter without code or path fails to load.
  # ruby {
  #   # assign the value of the custom time field back to @timestamp
  #   code => "event.set('@timestamp',event.get('timestamp'))"
  # }
  mutate {
    # remove the custom fields
    remove_field => ["timestamp","thread_name","level_value","logger_name","HOSTNAME","caller_class_name","caller_file_name","caller_line_number","caller_method_name","stack_trace"]
  }
}
output {
  elasticsearch {
    hosts => ["http://39.99.144.212:9200"]   # Elasticsearch address and port
    user => "xxxxx"
    password => "xxxxx"
    # index => "application-logs-%{[appName]}-%{[springProfile]}-%{+YYYY-MM}"   # index name
    index => "application-logs-%{+YYYY-MM-dd}"   # index name
    # document_type => "_doc"
    codec => json
    # whether to create the index from a template; field types can be defined in advance in the template
    manage_template => true
    # index template file
    template => "/usr/share/logstash/pipeline/mappings/application-log-mapping.json"
    template_name => "application-log"
    # after a Logstash restart, whether to overwrite the index template that already exists in ES with the template file
    template_overwrite => true
  }
  #stdout {
  #  codec => rubydebug
  #}
  file {
    # path => "/usr/share/logstash/pipeline/logs/%{+YYYY-MM-dd}-%{appName}-%{springProfile}.log"
    path => "/usr/share/logstash/pipeline/logs/%{+YYYY-MM-dd}.log"
  }
}
What each part does is explained in the comments in the configuration; use it as a reference.
3: vim /opt/docker/logstash/pipeline/mappings/application-log-mapping.json
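To see what the filter block and the index setting above do to a single record, the following Ruby sketch replays them on a plain Hash. It is an added example, not part of the original post and not Logstash code: apply_filter, index_name, utc8_day and SAMPLE are hypothetical names, the record is constructed, and it assumes the sender supplies @timestamp and the container clock is UTC.

```ruby
require 'json'
require 'time'

# Old field => new field, as copied by the second ruby filter.
RENAMES = {
  'thread_name' => 'threadName', 'level_value' => 'levelValue',
  'logger_name' => 'loggerName', 'caller_class_name' => 'callerClassName',
  'caller_file_name' => 'callerFileName',
  'caller_line_number' => 'callerLineNumber',
  'caller_method_name' => 'callerMethodName', 'stack_trace' => 'stackTrace'
}.freeze
# Fields dropped by mutate { remove_field => [...] }.
REMOVED = (RENAMES.keys + %w[timestamp HOSTNAME]).freeze

# Hypothetical helper (not a Logstash API): replays the filter block on one
# json_lines record, with a Hash standing in for the Logstash event.
# Assumes the sender supplies @timestamp and the container clock is UTC.
def apply_filter(line)
  event = JSON.parse(line)
  ts = Time.iso8601(event.fetch('@timestamp')).utc
  event['createTime'] = (ts.to_f.round(3) * 1000).to_i   # epoch milliseconds
  event['timestamp'] = (ts + 8 * 3600).iso8601(3)        # shifted copy
  RENAMES.each { |old, new| event[new] = event[old] }
  REMOVED.each { |field| event.delete(field) }           # mutate step
  event
end

# index => "application-logs-%{+YYYY-MM-dd}" formats @timestamp in UTC.
def index_name(event)
  day = Time.iso8601(event['@timestamp']).utc.strftime('%Y-%m-%d')
  "application-logs-#{day}"
end

# Calendar day of the same event in UTC+8, for comparison with index_name.
def utc8_day(event)
  (Time.iso8601(event['@timestamp']).utc + 8 * 3600).strftime('%Y-%m-%d')
end

# Constructed sample record (07:30 on 2024-01-02 in UTC+8).
SAMPLE = '{"@timestamp":"2024-01-01T23:30:00.500Z","message":"login ok",' \
         '"thread_name":"main","level_value":20000,' \
         '"logger_name":"com.example.Auth","HOSTNAME":"app-1"}'

if __FILE__ == $PROGRAM_NAME
  out = apply_filter(SAMPLE)
  puts JSON.pretty_generate(out)
  puts "index: #{index_name(out)}  UTC+8 day: #{utc8_day(out)}"
end
```

Because the shifted 'timestamp' field is removed again and @timestamp stays in UTC, an event logged at 07:30 UTC+8 lands in the previous day's index and log file; keep that in mind when searching by date during an investigation.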
{
  "index_patterns": ["application-log*"],
  "order": 1,
  "mappings": {
    "dynamic_templates": [{
      "message_field": {
        "match": "message",
        "match_mapping_type": "string",
        "mapping": {
          "type": "keyword",
          "index": true
        }
      }
    }, {
      "string_fields": {
        "match": "*",
        "match_mapping_type": "string",
        "mapping": {
          "type": "keyword",
          "index": true
        }
      }
    }],
    "properties": {
      "@timestamp": { "type": "date" },
      "@version": { "type": "keyword", "index": true },
      "message": {
        "type": "text",
        "analyzer": "ik_max_word"
      }
    }
  }
}
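The analyzer is configured here; I am using the IK analyzer.
This one cost me a whole day: in ES 7.x and later, type is no longer string but type="keyword" or type="text".
III: Run Docker
1: Run with the docker command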
docker run -d --name logstash \
--privileged=true \
-p 5044:5044 \
-v /opt/docker/logstash/data/:/usr/share/logstash/data \
-v /opt/docker/logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml \
-v /opt/docker/logstash/pipeline/:/usr/share/logstash/pipeline \
logstash:7.17.3
2: Run with docker-compose.yml
version: "3.8"
services:
  logstash:
    container_name: logstash
    image: logstash:7.17.3
    ports:
      - "5044:5044"
    environment:
      # Logstash reads its JVM options from LS_JAVA_OPTS (ES_JAVA_OPTS is the Elasticsearch variable)
      LS_JAVA_OPTS: "-Xms64m -Xmx256m"
    volumes:
      - /opt/docker/logstash/data/:/usr/share/logstash/data
      - /opt/docker/logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml
      - /opt/docker/logstash/pipeline/:/usr/share/logstash/pipeline
    restart: always
Run it with the command:
docker compose up -d
At this point, the Docker deployment of Logstash is complete.
If you have good suggestions, please leave a comment below.