Practical application of ELK. Configuring logstash

Introduction

While setting up another system, we ran into the need to process a large number of diverse logs. ELK was chosen as the tool. This article is about our experience setting up this stack.

We do not set ourselves the goal of describing all of its capabilities; we want to concentrate specifically on solving practical problems. The reason is that, although there is a fairly large amount of documentation and ready-made images, there are quite a few pitfalls, or at least we found them.

We deployed the stack using docker-compose. Moreover, we had a well-written docker-compose.yml that let us bring the stack up without any problems. It seemed to us that victory was already close: we would now tweak it a little to suit our needs and that would be it.

Unfortunately, the attempt to configure the system to receive and process logs from our application did not succeed right away. So we decided it was worth studying each component separately and then coming back to how they connect.

So, we started with logstash.

Environment, deployment, running Logstash in a container

For deployment we use docker-compose; the experiments described here were run on MacOS and Ubuntu 18.0.4.

The logstash image registered in our original docker-compose.yml is docker.elastic.co/logstash/logstash:6.3.2

We will use it for the experiments.

We wrote a separate docker-compose.yml to run logstash. Of course, the image could be started from the command line, but we were solving a specific problem in which everything is run from docker-compose.

Briefly about the configuration files

As follows from the description, logstash can be run either for one channel, in which case it must be given a *.conf file, or for several channels, in which case it must be given a pipelines.yml file, which in turn references the .conf file of each channel.
We took the second route. It seemed to us more universal and scalable. So we created pipelines.yml and made a pipelines directory in which we put the .conf file of each channel.

Inside the container there is one more configuration file, logstash.yml. We do not touch it; we use it as is.

So, the directory structure (shown as an image in the original: docker-compose.yml, config/pipelines.yml and config/pipelines/habr_pipeline.conf):

For receiving input data we assume, for now, tcp port 5046, and for output we will use stdout.

Here is a simple configuration for the first launch, because the initial task is simply to get it running.

So, we have this docker-compose.yml

version: '3'

networks:
  elk:

volumes:
  elasticsearch:
    driver: local

services:

  logstash:
    container_name: logstash_one_channel
    image: docker.elastic.co/logstash/logstash:6.3.2
    networks:
      - elk
    ports:
      - 5046:5046
    volumes:
      - ./config/pipelines.yml:/usr/share/logstash/config/pipelines.yml:ro
      - ./config/pipelines:/usr/share/logstash/config/pipelines:ro

What do we see here?

  1. The network and volume are taken from the original docker-compose.yml (the one that launches the whole stack), and I think they do not greatly affect the overall picture here.
  2. We create one service (services) named logstash from the docker.elastic.co/logstash/logstash:6.3.2 image and call the container logstash_one_channel.
  3. We forward port 5046 into the container, to the same port inside.
  4. We map our pipeline configuration file ./config/pipelines.yml to /usr/share/logstash/config/pipelines.yml inside the container, where logstash will pick it up, and make it read-only just in case.
  5. We map the ./config/pipelines directory, where we keep the files with the channel settings, to the /usr/share/logstash/config/pipelines directory and also make it read-only.

The pipelines.yml file

- pipeline.id: HABR
  pipeline.workers: 1
  pipeline.batch.size: 1
  path.config: "./config/pipelines/habr_pipeline.conf"

One channel with the identifier HABR and the path to its configuration file is described here.

And finally the file "./config/pipelines/habr_pipeline.conf"

input {
  tcp {
    port => "5046"
  }
}
filter {
  mutate {
    add_field => [ "habra_field", "Hello Habr" ]
  }
}
output {
  stdout {
  }
}

Let's not go into its description yet; let's try to run it:

docker-compose up

What do we see?

The container has started. We can check that it works:

echo '13123123123123123123123213123213' | nc localhost 5046

And we see the response in the container (a screenshot in the original):

But at the same time we also see:

logstash_one_channel | [2019-04-29T11:28:59,790][ERROR][logstash.licensechecker.licensereader] Unable to retrieve license information from license server {:message=>"Elasticsearch Unreachable: [http://elasticsearch:9200/][Manticore::ResolutionFailure] elasticsearch", ...

logstash_one_channel | [2019-04-29T11:28:59,894][INFO ][logstash.pipeline] Pipeline started successfully {:pipeline_id=>".monitoring-logstash", :thread=>"# "}

logstash_one_channel | [2019-04-29T11:28:59,988][INFO ][logstash.agent] Pipelines running {:count=>2, :running_pipelines=>[:HABR, :".monitoring-logstash"], :non_running_pipelines=>[]}
logstash_one_channel | [2019-04-29T11:29:00,015][ERROR][logstash.inputs.metrics] X-Pack is installed on Logstash but not on Elasticsearch. Please install X-Pack on Elasticsearch to use the monitoring feature. Other features may be available.
logstash_one_channel | [2019-04-29T11:29:00,526][INFO ][logstash.agent] Successfully started Logstash API endpoint {:port=>9600}
logstash_one_channel | [2019-04-29T11:29:04,478][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://elasticsearch:9200/, :path=>"/"}
logstash_one_channel | [2019-04-29T11:29:04,487][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://elasticsearch:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://elasticsearch:9200/][Manticore::ResolutionFailure] elasticsearch"}
logstash_one_channel | [2019-04-29T11:29:04,704][INFO ][logstash.licensechecker.licensereader] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://elasticsearch:9200/, :path=>"/"}
logstash_one_channel | [2019-04-29T11:29:04,710][WARN ][logstash.licensechecker.licensereader] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://elasticsearch:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://elasticsearch:9200/][Manticore::ResolutionFailure] elasticsearch"}

And our log keeps filling up with these messages.

In the output above (highlighted in the original in green, red and yellow respectively) are the message that the pipeline started successfully, the error message, and the warning about the attempt to connect to elasticsearch:9200.
This happens because the logstash.conf that ships in the image contains a check for the availability of elasticsearch. After all, logstash assumes it is working as part of the ELK stack, but we have split it off.

It is possible to work like this, but it is not convenient.

The solution is to disable this check via the XPACK_MONITORING_ENABLED environment variable.

Let's make the change to docker-compose.yml and run it again:

version: '3'

networks:
  elk:

volumes:
  elasticsearch:
    driver: local

services:

  logstash:
    container_name: logstash_one_channel
    image: docker.elastic.co/logstash/logstash:6.3.2
    networks:
      - elk
    environment:
      XPACK_MONITORING_ENABLED: "false"
    ports:
      - 5046:5046
    volumes:
      - ./config/pipelines.yml:/usr/share/logstash/config/pipelines.yml:ro
      - ./config/pipelines:/usr/share/logstash/config/pipelines:ro

Now everything is fine. The container is ready for experiments.

We can again type in the neighbouring console:

echo '13123123123123123123123213123213' | nc localhost 5046

And see:

logstash_one_channel | {
logstash_one_channel |         "message" => "13123123123123123123123213123213",
logstash_one_channel |      "@timestamp" => 2019-04-29T11:43:44.582Z,
logstash_one_channel |        "@version" => "1",
logstash_one_channel |     "habra_field" => "Hello Habr",
logstash_one_channel |            "host" => "gateway",
logstash_one_channel |            "port" => 49418
logstash_one_channel | }

Working with a single channel

So, it is running. Now we can actually take the time to configure logstash itself. Let's not touch the pipelines.yml file for now and see what we can get working with a single channel.

I should say that the general principle of working with the channel configuration file is well described in the official manual (the link was lost in this copy).
If you want to read it in Russian, we used an article whose link is also missing here (note that the query syntax in it is outdated, which has to be taken into account).

Let's go through the input section in order. We have already seen TCP working. What else is interesting here?

Test messages using heartbeat

There is an interesting option for generating automatic test messages.
To do this, enable the heartbeat plugin in the input section.

input {
  heartbeat {
    message => "HeartBeat!"
  }
}

Enable it, and we start receiving a message once a minute

logstash_one_channel | {
logstash_one_channel |      "@timestamp" => 2019-04-29T13:52:04.567Z,
logstash_one_channel |     "habra_field" => "Hello Habr",
logstash_one_channel |         "message" => "HeartBeat!",
logstash_one_channel |        "@version" => "1",
logstash_one_channel |            "host" => "a0667e5c57ec"
logstash_one_channel | }

If we want to receive them more often, we need to add the interval parameter.
This is how we get a message every 10 seconds.

input {
  heartbeat {
    message => "HeartBeat!"
    interval => 10
  }
}

Getting data from a file

We also decided to look at the file mode. If it works well with a file, then perhaps no agent is needed, at least for local use.

According to the description, the mode of operation should be similar to tail -f, i.e. it reads new lines or, optionally, reads the whole file.

So, what do we want to get:

  1. We want to receive lines appended to a single log file.
  2. We want to receive data written to several files, while being able to tell which came from where.
  3. We want to make sure that when logstash is restarted, it does not receive this data again.
  4. We want to make sure that if logstash is stopped while data keeps being written to the files, then when we start it again we receive that data.

To run the test, let's add one more line to docker-compose.yml, opening the directory in which we put the files.

version: '3'

networks:
  elk:

volumes:
  elasticsearch:
    driver: local

services:

  logstash:
    container_name: logstash_one_channel
    image: docker.elastic.co/logstash/logstash:6.3.2
    networks:
      - elk
    environment:
      XPACK_MONITORING_ENABLED: "false"
    ports:
      - 5046:5046
    volumes:
      - ./config/pipelines.yml:/usr/share/logstash/config/pipelines.yml:ro
      - ./config/pipelines:/usr/share/logstash/config/pipelines:ro
      - ./logs:/usr/share/logstash/input

And change the input section of habr_pipeline.conf

input {
  file {
    path => "/usr/share/logstash/input/*.log"
  }
}

Let's start:

docker-compose up

To create and write to the log files we use the command:

echo '1' >> logs/number1.log

logstash_one_channel | {
logstash_one_channel |            "host" => "ac2d4e3ef70f",
logstash_one_channel |     "habra_field" => "Hello Habr",
logstash_one_channel |      "@timestamp" => 2019-04-29T14:28:53.876Z,
logstash_one_channel |        "@version" => "1",
logstash_one_channel |         "message" => "1",
logstash_one_channel |            "path" => "/usr/share/logstash/input/number1.log"
logstash_one_channel | }

Yes, it works!

At the same time, we see that the path field has been added automatically. This means that later we will be able to filter records by it.

Let's try again:

echo '2' >> logs/number1.log

logstash_one_channel | {
logstash_one_channel |            "host" => "ac2d4e3ef70f",
logstash_one_channel |     "habra_field" => "Hello Habr",
logstash_one_channel |      "@timestamp" => 2019-04-29T14:28:59.906Z,
logstash_one_channel |        "@version" => "1",
logstash_one_channel |         "message" => "2",
logstash_one_channel |            "path" => "/usr/share/logstash/input/number1.log"
logstash_one_channel | }

And now another file:

 echo '1' >> logs/number2.log

logstash_one_channel | {
logstash_one_channel |            "host" => "ac2d4e3ef70f",
logstash_one_channel |     "habra_field" => "Hello Habr",
logstash_one_channel |      "@timestamp" => 2019-04-29T14:29:26.061Z,
logstash_one_channel |        "@version" => "1",
logstash_one_channel |         "message" => "1",
logstash_one_channel |            "path" => "/usr/share/logstash/input/number2.log"
logstash_one_channel | }

Great! The file was picked up, the path is set correctly, everything is fine.

Stop logstash and start it again. Let's wait. Silence. That is, we do not receive these records a second time.

And now the boldest experiment.

Stop logstash and run:

echo '3' >> logs/number2.log
echo '4' >> logs/number1.log

Start logstash again and see:

logstash_one_channel | {
logstash_one_channel |            "host" => "ac2d4e3ef70f",
logstash_one_channel |     "habra_field" => "Hello Habr",
logstash_one_channel |         "message" => "3",
logstash_one_channel |        "@version" => "1",
logstash_one_channel |            "path" => "/usr/share/logstash/input/number2.log",
logstash_one_channel |      "@timestamp" => 2019-04-29T14:48:50.589Z
logstash_one_channel | }
logstash_one_channel | {
logstash_one_channel |            "host" => "ac2d4e3ef70f",
logstash_one_channel |     "habra_field" => "Hello Habr",
logstash_one_channel |         "message" => "4",
logstash_one_channel |        "@version" => "1",
logstash_one_channel |            "path" => "/usr/share/logstash/input/number1.log",
logstash_one_channel |      "@timestamp" => 2019-04-29T14:48:50.856Z
logstash_one_channel | }

Hooray! Everything was picked up.

But we must warn you about the following. If the logstash container is deleted (docker stop logstash_one_channel && docker rm logstash_one_channel), nothing will be picked up. The position up to which each file has been read is stored inside the container. If you start from scratch, it will only accept new lines.

Reading existing files

Let's say we are starting logstash for the first time, but we already have logs that we would like to process.
If we run logstash with the input section we used above, we get nothing. Only new lines will be processed by logstash.

For the lines of existing files to be picked up, one more line has to be added to the input section:

input {
  file {
    start_position => "beginning"
    path => "/usr/share/logstash/input/*.log"
  }
}

There is a nuance, though: this only affects new files that logstash has not seen yet. For the files that were already in logstash's field of view, it has already remembered their size and will take only new entries from them.

Let's stop studying the input section here. There are still many options, but this is enough for our further experiments for now.

Routing and transforming data

Let's try to solve the following problem: say we have messages from one channel, some of which are informational and some of which are error messages. They differ by tag: some are INFO, others are ERROR.

We need to separate them at the output, i.e. write informational messages to one channel and error messages to another.

To do this, we move from the input section to filter and output.

Using the filter section, we parse the incoming message, obtaining from it a hash (key-value pairs) that we can already work with, i.e. sort by condition. In the output section, we select messages and send each one to its own channel.

Parsing a message with grok

To parse text strings and obtain a set of fields from them, the filter section has a special plugin, grok.

Without setting myself the goal of giving a detailed description here (for that I refer you to the official documentation), I will give my simple example.

For this you need to decide on the format of the input strings. Mine looks like this:

1 INFO message1
2 ERROR message2

That is, the identifier comes first, then INFO/ERROR, then some word without spaces.
Nothing complicated, but enough to understand how it works.

So, in the filter section, in the grok plugin, we must define a pattern for parsing our strings.

It looks like this:

filter {
  grok {
    match => { "message" => ["%{INT:message_id} %{LOGLEVEL:message_type} %{WORD:message_text}"] }
  }
}

Essentially this is a regular expression. Ready-made patterns are used, such as INT, LOGLEVEL, WORD. Their description, as well as the other patterns, can be found in the grok patterns reference (the link was lost in this copy).

Now, after passing through this filter, our string turns into a hash of three fields: message_id, message_type, message_text.

They are what the output section will work with.

Routing messages in the output section using the if statement

In the output section, as we remember, we were going to split the messages into two streams. Those that are INFO go to the console, and the errors we write to a file.

How do we separate these messages? The problem statement already suggests the solution: after all, we already have the dedicated message_type field, which can take only two values, INFO and ERROR. Based on it, we make the choice with an if statement.

if [message_type] == "ERROR" {
  # here we output to the file
} else {
  # here we output to stdout
}

A description of working with fields and operators can be found in the corresponding section of the official manual.

Now, about the output itself.

Console output is clear: stdout {}

But for output to a file, remember that we run all of this from a container, and for the file we write the result to be accessible from outside, we need to open that directory in docker-compose.yml.

In total:

The output section of our file looks like this:


output {
  if [message_type] == "ERROR" {
    file {
      path => "/usr/share/logstash/output/test.log"
      codec => line { format => "custom format: %{message}" }
    }
  } else {
    stdout {
    }
  }
}
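As an added illustration (not code from the article), the grok parse from the filter section and the if-routing from the output section emulated in Python, so the filter and output logic can be checked on sample lines without a container. The three grok patterns are simplified stand-ins for the library definitions (an assumption; the real LOGLEVEL accepts more spellings), and the example also covers the case the article does not show: a line that grok cannot parse gets the _grokparsefailure tag, as grok itself does, and falls into the stdout branch because message_type is absent.

```python
import re
from datetime import datetime, timezone

# Simplified stand-ins for the grok library patterns used on the page.
# The real definitions live in logstash-patterns-core; LOGLEVEL there
# accepts more spellings (Warn, Err, Critical, ...). Assumption for this example.
GROK_PATTERNS = {
    "INT": r"[+-]?[0-9]+",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN(?:ING)?|ERROR|FATAL"
                r"|[Tt]race|[Dd]ebug|[Ii]nfo|[Ww]arn(?:ing)?|[Ee]rror|[Ff]atal)",
    "WORD": r"\b\w+\b",
}

def compile_grok(pattern: str) -> re.Pattern:
    """Turn a grok expression such as '%{INT:message_id} ...' into a regex
    with one named group per '%{NAME:field}' reference."""
    def expand(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        return f"(?P<{field}>{GROK_PATTERNS[name]})"
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, pattern))

# The filter from the page: mutate add_field, then grok on the "message" field.
HABR_GROK = compile_grok("%{INT:message_id} %{LOGLEVEL:message_type} %{WORD:message_text}")

def filter_event(message: str) -> dict:
    """Build the event the tcp/file input would create, then apply the filters."""
    event = {
        "message": message,
        "@version": "1",
        "@timestamp": datetime.now(timezone.utc).isoformat(),
        "habra_field": "Hello Habr",           # mutate { add_field => ... }
    }
    m = HABR_GROK.search(message)              # grok matches are unanchored
    if m:
        event.update(m.groupdict())            # grok captures are strings
    else:
        event["tags"] = ["_grokparsefailure"]  # what grok adds on a miss
    return event

def route(event: dict) -> str:
    """Mirror the output section: ERROR lines go to the file, everything
    else (INFO, and lines grok could not parse) goes to stdout."""
    return "file" if event.get("message_type") == "ERROR" else "stdout"

def render(fmt: str, event: dict) -> str:
    """Expand %{field} references the way the line codec's format does;
    an unknown field is left as written, as Logstash does."""
    return re.sub(r"%\{([^}]+)\}",
                  lambda m: str(event.get(m.group(1), m.group(0))), fmt)

if __name__ == "__main__":
    # Constructed sample input: the two lines from the page plus one bad line.
    for line in ("1 INFO message1", "2 ERROR message2", "not a log line"):
        ev = filter_event(line)
        sink = route(ev)
        print(sink, "->", render("custom format: %{message}", ev) if sink == "file" else ev)
```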

In docker-compose.yml we add one more volume, for the output:

version: '3'

networks:
  elk:

volumes:
  elasticsearch:
    driver: local

services:

  logstash:
    container_name: logstash_one_channel
    image: docker.elastic.co/logstash/logstash:6.3.2
    networks:
      - elk
    environment:
      XPACK_MONITORING_ENABLED: "false"
    ports:
      - 5046:5046
    volumes:
      - ./config/pipelines.yml:/usr/share/logstash/config/pipelines.yml:ro
      - ./config/pipelines:/usr/share/logstash/config/pipelines:ro
      - ./logs:/usr/share/logstash/input
      - ./output:/usr/share/logstash/output

We start it, test, and see the split into two streams.

Source: www.habr.com
