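Minimal configuration
Logs can be sent to several kinds of output, such as a file or the console. Console output is useful for debugging.
Output to the console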
output {
  stdout {
    codec => "rubydebug"
  }
}
Output to a file
output {
  file {
    path => "/tmp/nginx.log"
  }
}
Start command
./bin/logstash -f config/nginx.conf -r
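# This needs to be run in the background; -r reloads the configuration file automatically when it changes, so a restart is not needed each time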
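Starting with Docker
20241111: this time Logstash runs under docker swarm. With version 8.15.3, roughly the following configuration is needed:
- Create the directories that hold the persistent configuration: config and pipeline
- Configure the config/logstash.yml file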
http.host: "0.0.0.0"
xpack.monitoring.elasticsearch.hosts: [ "https://192.168.10.120:9200","https://192.168.10.121:9200","https://192.168.10.122:9200" ]
xpack.monitoring.elasticsearch.username: "elastic"
xpack.monitoring.elasticsearch.password: "jdCMnvR9QjDxkHqdH4BG"
xpack.monitoring.elasticsearch.ssl.verification_mode: "none"
pipeline.batch.size: 1000
pipeline.batch.delay: 5
pipeline.workers: 4
queue.type: persisted
queue.max_events: 1_000_000
queue.max_bytes: 1gb
config.reload.automatic: true
config.reload.interval: 10s
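A few key points:
- Certificate errors are ignored, otherwise the connection to elasticsearch fails
- The queue and buffering used for pushing events are tuned
- Configuration changes are reloaded automatically, which avoids recreating the container every time; re-downloading the map resources is slow
- Configure the pipeline/logstash.conf file
- Start the service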
docker service create --name logstash \
--mount type=bind,src=/docker/others/logstash/pipeline/,dst=/usr/share/logstash/pipeline/ \
--mount type=bind,src=/docker/others/logstash/config/logstash.yml,dst=/usr/share/logstash/config/logstash.yml \
--network mynets \
--replicas 1 \
harbor.xxx.com/sz/logstash:8.15.3
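The logstash.yml above keeps the elastic password in clear text and turns certificate checking off. The following is an added example, not the author's file, showing the same monitoring settings with the secret and the TLS check restored; the key name ES_PWD and the CA path are assumptions.

```yaml
# Added example (not from the original post).
#
# --- As configured on this page (weak) ---
# xpack.monitoring.elasticsearch.username: "elastic"
# xpack.monitoring.elasticsearch.password: "<clear-text password>"
# xpack.monitoring.elasticsearch.ssl.verification_mode: "none"
#   * The password is readable by anyone who can read the bind-mounted
#     file on the host or a copy of it in version control.
#   * With verification off, Logstash sends that password to whatever
#     answers on port 9200; the server certificate is never checked.
#   * "elastic" is the superuser, so a leak exposes the whole cluster.

# --- Hardened equivalent ---
xpack.monitoring.elasticsearch.hosts: [ "https://192.168.10.120:9200","https://192.168.10.121:9200","https://192.168.10.122:9200" ]

# Built-in account intended for shipping Logstash monitoring data,
# used here in place of the superuser.
xpack.monitoring.elasticsearch.username: "logstash_system"

# Resolved at startup from the Logstash keystore or, failing that, from
# an environment variable. ES_PWD is an assumed key name. To store it:
#   bin/logstash-keystore create
#   bin/logstash-keystore add ES_PWD
xpack.monitoring.elasticsearch.password: "${ES_PWD}"

# Trust the CA that signed the Elasticsearch node certificates instead
# of disabling the check. The path is an assumption; the file has to be
# bind-mounted into the container like logstash.yml itself.
xpack.monitoring.elasticsearch.ssl.certificate_authority: "/usr/share/logstash/config/certs/ca.crt"

# "full" also checks that the certificate matches the host being
# contacted. The hosts above are IP addresses, so the node certificates
# must list those IPs as subjectAltName entries.
xpack.monitoring.elasticsearch.ssl.verification_mode: "full"
```

If the keystore is used, logstash.keystore sits in the same settings directory as logstash.yml and needs its own mount, because the service above mounts only the single file.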