Question

我是ELK堆栈中的新手。我现在有： https://github.com/deviantony/docker-elk/blob/master/docker-compose.yml

的ELK堆栈

我选择通过“ syslog”发送日志。例如，我的docker-compose.yml文件的一部分用于记录：

    logging:
      driver: syslog
      options:
        syslog-address: "tcp://192.168.75.131:5000"

logstash.cong：

input {
    syslog {
        port => 5000
        type => "docker"
    }
}

filter {
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
  date {
    match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
}

output {
    elasticsearch {
        hosts => "elasticsearch:9200"
    }
}

我可以在“ kebana”中看到这一点：

version:1 message:<30>Apr 10 02:49:43 39f32cdf297d[919]: 123 facility:0 host:192.168.75.128 priority:0 tags:_grokparsefailure_sysloginput, _grokparsefailure @timestamp:April 10th 2019, 11:49:43.186 facility_label:kernel type:docker severity:0 severity_label:Emergency _id:ka-nBmoBArSKuFvFODwR _type:doc _index:logstash-2019.04.10 _score: -

如何分隔日志？每个容器的每种类型。通过“ _index”字段？
我不知道如何从消息中删除“ <30> Apr 10 02:49:43 39f32cdf297d [919]：”部分？

有关ELK的几个问题

0 个答案: