It works with auth.log but not with authcopy.log. No error message. No output.
This works.
sudo /usr/share/logstash/bin/logstash -e 'input { file { path => "/var/log/auth.log" } }'
Output:
{
"@version" => "1",
"host" => "removed",
"path" => "/var/log/auth.log",
"@timestamp" => 2018-01-10T23:51:39.912Z,
"message" => "Jan 10 20:17:55 removed sudo: pam_unix(sudo:session): session closed for user root"
}
...
This does not work.
sudo /usr/share/logstash/bin/logstash -e 'input { file { path => "/var/log/authcopy.log" } }'
No error message. No output.
Copying auth.log to authcopy.log:
sudo cp /var/log/auth.log /var/log/authcopy.log
sudo chmod 777 /var/log/authcopy.log
ls -l /var/log/auth*.log
-rwxrwxrwx 1 root root 391617 1月10日19:30 /var/log/authcopy.log
-rw-r----- 1 syslog adm 395465 1月10日20:13 /var/log/auth.log