logstash->redis->logstash->elasticsearch
1.安装部署redis
cd /usr/local/src wget http://download.redis.io/releases/redis-3.2.8.tar.gz tar xf redis-3.2.8.tar.gz cd redis-3.2.8/ make ln -s /usr/local/src/redis-3.2.8 /usr/local/redis cd /usr/local/redis/ vim redis.conf bind 10.0.0.22 daemonize yes save "" #save 900 1 #save 300 10 #save 60 10000 requirepass root123 cp src/redis-server /usr/bin/ cp src/redis-cli /usr/bin/ redis-server /usr/local/redis/redis.conf
登录redis需要认证
配置logstash的systemlog_to_redis.conf
vim systemlog_to_redis.conf
input {
file {
path => "/var/log/messages"
type => "systemlog"
start_position => "beginning"
stat_interval => "2"
}
}
output {
if [type] == "systemlog" {
redis {
data_type => "list"
host => "10.0.0.22"
db => "1"
port => "6379"
password => "root123"
key => "systemlog"
}
}
}
systemctl restart logstash
# 手动写入messages日志
cat /etc/hosts >> /var/log/messages
echo "helloword" >> /var/log/messages
登陆redis查看
2.配置logstash从reids中取出数据到elasticsearch
# 使用linux-elk2(10.0.0.33)上的logstash从redis取数据
vim redis-es.conf
input {
redis {
data_type => "list"
host => "10.0.0.22"
db => "1"
port => "6379"
key => "systemlog"
password => "root123"
}
}
output {
elasticsearch {
hosts => ["10.0.0.33:9200"]
index => "redis-systemlog-%{+YYYY.MM.dd}"
}
}
systemctl restart logstash
logstash统计日志,有两个以上的key时,就必须加判断
收集日志写入redis及读取redis:http://blog.51cto.com/jinlong/2056563