ELK-logstash

Download the matching Logstash release

https://artifacts.elastic.co/downloads/logstash/logstash-7.10.1-linux-x86_64.tar.gz

Extract Logstash

tar -xf logstash-7.10.1-linux-x86_64.tar.gz

Then move it to a directory of your choice.

Test

../bin/logstash -e 'input { stdin{} } output { elasticsearch {hosts => ["192.168.50.80:9200"]} }'

Test file structure

input {
        file {
                path => "/var/log/messages"
                type => "system"
                # read the log line by line
                start_position => "beginning"
        }

        file {
                path => "/usr/local/elasticsearch/logs/elasticsearch.log"
                type => "elasticsearch"
                start_position => "beginning"
                # read by transaction (multi-line entries)
                codec => multiline {
                        pattern => "^\["
                        negate => true
                        what => "previous"
                }
        }
}

output {
        if [type] == "system" {
                elasticsearch {
                        hosts => ["192.168.50.80:9200"]
                        index => "system-%{+YYYY.MM.dd}"
                }
        }
        if [type] == "elasticsearch" {
                elasticsearch {
                        hosts => ["192.168.50.80:9200"]
                        index => "elasticsearch-%{+YYYY.MM.dd}"
                }
        }
}
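The multiline codec and the type-based index routing from the configuration above, emulated in Python as an added example (not part of the original post and not Logstash's own code). The log lines are constructed, and the function names multiline and index_for are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the style of elasticsearch.log: a Java stack trace
# spans several physical lines, only the first of which starts with "[".
SAMPLE = """\
[2021-01-05T10:00:01,123][INFO ][o.e.n.Node] [node-1] started
[2021-01-05T10:00:02,456][WARN ][o.e.b.Bootstrap] [node-1] uncaught exception
java.lang.IllegalStateException: constructed example
\tat org.example.Foo.bar(Foo.java:42)
\tat org.example.Main.main(Main.java:7)
[2021-01-05T10:00:03,789][INFO ][o.e.c.Service] [node-1] recovered
"""

def multiline(lines, pattern=r"^\[", negate=True, what="previous"):
    """Emulate codec => multiline for what => "previous" only."""
    if what != "previous":
        raise ValueError("only what => previous is modelled here")
    rx = re.compile(pattern)
    events, buf = [], []
    for line in lines:
        matched = bool(rx.search(line))
        # With negate => true, a line that does NOT match is a continuation.
        continuation = (not matched) if negate else matched
        if continuation and buf:
            buf.append(line)
        else:
            if buf:
                events.append("\n".join(buf))
            buf = [line]
    if buf:
        events.append("\n".join(buf))  # flush the last buffered event
    return events

def index_for(event_type, timestamp):
    """Mirror the output conditionals: only two types are routed."""
    if event_type not in ("system", "elasticsearch"):
        return None  # no branch matches, so the event is not sent anywhere
    # %{+YYYY.MM.dd} is rendered from the event @timestamp in UTC.
    return f"{event_type}-{timestamp.astimezone(timezone.utc):%Y.%m.%d}"

if __name__ == "__main__":
    for ev in multiline(SAMPLE.splitlines()):
        print(repr(ev))
    print(index_for("elasticsearch", datetime(2021, 1, 5, 23, 30, tzinfo=timezone.utc)))
```

In Logstash itself the last buffered event is held until the next line that starts a new event arrives, unless the codec's auto_flush_interval option is set.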

 
