5.logstash收集java日志

vim /root/all.conf
 
# Pipeline: tail two local log files and ship each to its own daily
# Elasticsearch index, routed by the "type" field set on the input.
input {
  # Host syslog. "beginning" reads the file from its first line the first
  # time Logstash sees it, instead of only picking up new lines.
  # NOTE(review): /var/log/messages is usually readable by root only; prefer
  # giving the Logstash service account read access to the file over running
  # the whole pipeline as root. It can also carry sensitive entries, so
  # restrict who can read the resulting index.
  file {
    type           => "system"
    path           => "/var/log/messages"
    start_position => "beginning"
  }

  # Elasticsearch (Java) log. Every log record starts with "[", while
  # stack-trace continuation lines do not.
  file {
    type           => "es-error"
    path           => "/var/log/elasticsearch/kye.log"
    start_position => "beginning"
    codec => multiline {
      # Lines that do NOT match "^\[" (negate) are appended to the previous
      # line's event, so a multi-line Java exception becomes one event.
      pattern => "^\["
      negate  => "true"
      what    => "previous"
    }
  }
}

output {
  # NOTE(review): neither output sets credentials or TLS options, so this
  # assumes a cluster that accepts unauthenticated plain-HTTP writes.
  # Outside an isolated lab network, enable Elasticsearch security and set the
  # plugin's user/password and TLS settings; keep port 9200 off untrusted networks.
  if [type] == "system" {
    elasticsearch {
      hosts => ["192.168.56.11:9200"]
      index => "system-%{+YYYY.MM.dd}"
    }
  }

  if [type] == "es-error" {
    elasticsearch {
      hosts => ["192.168.56.11:9200"]
      index => "es-error-%{+YYYY.MM.dd}"
    }
  }
}
 
注释: codec => multiline 是一个多行合并插件。
pattern => "^\[" 匹配以 [ 开头的行；negate => "true" 表示取反，即对不匹配该正则的行生效；what => "previous" 表示把这些行合并到上一行所在的事件中。也就是说，不以 [ 开头的行（例如 Java 异常堆栈）会并入前面那条以 [ 开头的日志，作为同一个事件。
 
/opt/logstash/bin/logstash -f /root/all.conf
 


转载自www.cnblogs.com/zhubochang/p/8926392.html