Logstash generic output file name

Time: 2016-09-22 09:29:10

Tags: logstash logstash-configuration logstash-file

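I want to collect logs from multiple servers on one Logstash node. As output, I want to store one file per server. In the logs I have a "source_host" field that indicates which server generated the log.

As output I want to get a bunch of files named by "source_host". The source hosts change frequently, so I need a generic configuration.

E.g. logs originating from server "foo" should be saved in /logs/foo, and logs from server "bar" in /logs/bar.

I tried a configuration like this, but the file is named "%{source_host}". When using %{host}, the file gets the hostname of the collecting server.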

output{
  file {
    path => "/tmp/%{source_host}"
  }
}

1 answer:

Answer 0: (score: 1)

My configuration:

input {
  tcp {
    port => 5544
    codec => json_lines
  }
}

output{
  file {
    path => "/tmp/%{source_host}"
  }
}

Using your sample log, this outputs to the file /tmp/foo.

echo '{"version":"debug","host":"devel","level":5,"@version":"1","@timestamp":"2016-09-15T10:41:00.549Z", "source_host":"foo","message":"testmsg"}' | nc localhost 5544

Edit: Here are my test results:

pancake$ echo '{"version":"debug","host":"devel","level":5,"@version":"1","@timestamp":"2016-09-15T10:41:00.549Z", "source_host":"foo","message":"testmsg"}' | nc localhost 5544
pancake$ cat /tmp/foo
{"version":"debug","host":"devel","level":5,"@version":"1","@timestamp":"2016-09-15T10:41:00.549Z","source_host":"foo","message":"testmsg","port":56716}
pancake$ echo '{"version":"debug","host":"devel","level":5,"@version":"1","@timestamp":"2016-09-15T10:41:00.549Z", "source_host":"bar","message":"testmsg"}' | nc localhost 5544
pancake$ echo '{"version":"debug","host":"devel","level":5,"@version":"1","@timestamp":"2016-09-15T10:41:00.549Z", "source_host":"bar","message":"one more message!"}' | nc localhost 5544
pancake$ cat /tmp/bar
{"version":"debug","host":"devel","level":5,"@version":"1","@timestamp":"2016-09-15T10:41:00.549Z","source_host":"bar","message":"testmsg","port":56717}
{"version":"debug","host":"devel","level":5,"@version":"1","@timestamp":"2016-09-15T10:41:00.549Z","source_host":"bar","message":"one more message!","port":56718}

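Edit 2: Oh, I just thought of something. You said earlier that you're not using any filters, right? You need to use some kind of filter, otherwise the field source_host won't exist. If you have codec => json_lines in your input block (since your logs are JSON), as I did in my example, it will parse your JSON into key-value pairs. If you have no filter or codec, the entire body of the log is stored in the message field, unmodified. Try adding the input codec and see if that helps.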
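
Added example, not part of the question or the answer: the same pipeline with a guard in front of the path interpolation, so events whose source_host is missing (the case that produced a file literally named "%{source_host}") or is not a plain host-like name go to a fallback file instead of deciding their own path. The allowlist pattern, the `[@metadata][log_name]` field, the `_unrouted` file name and the `source_host_rejected` tag are assumptions chosen for illustration; /logs is the target directory named in the question.

```logstash
input {
  tcp {
    port  => 5544
    codec => json_lines   # parses each JSON line, so source_host becomes an event field
  }
}

filter {
  # Allowlist: accept source_host only if the whole value is a plain host-like name.
  # \A and \z anchor the entire string, so an embedded newline or "/" cannot slip through,
  # and the first character must be alphanumeric, which rules out "." and "..".
  if [source_host] and [source_host] =~ /\A[A-Za-z0-9][A-Za-z0-9_.-]*\z/ {
    mutate { add_field => { "[@metadata][log_name]" => "%{source_host}" } }
  } else {
    # Field missing (nothing parsed the JSON) or value not usable as a file name.
    mutate {
      add_field => { "[@metadata][log_name]" => "_unrouted" }   # hypothetical fallback name
      add_tag   => [ "source_host_rejected" ]                   # hypothetical tag, useful for alerting
    }
  }
}

output {
  file {
    # @metadata is only used to build the path; it is not written into the stored event.
    path => "/logs/%{[@metadata][log_name]}"
  }
}
```

Because the tcp input accepts whatever a sender puts in source_host, building the file name from a validated copy keeps every output file directly under /logs, and the tag makes rejected events easy to find.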