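I want to collect logs from multiple servers on a single Logstash node. As output, I want to store one file per server. In the logs I have a "source_host" field that indicates which server generated the log.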

As output, I want to get a set of files named after "source_host". The source hosts change often, so I need a generic configuration.

For example, logs from server "foo" should be saved in /logs/foo, and logs from server "bar" should be saved in /logs/bar.

I tried a configuration like this, but the file ends up named "%{source_host}". When I use %{host}, the file gets the hostname of the collecting server.

output{
  file {
    path => "/tmp/%{source_host}"
  }
}

1 Answer

My configuration:

input {
  tcp {
    port => 5544
    codec => json_lines
  }
}

output{
  file {
    path => "/tmp/%{source_host}"
  }
}

With your example log, this outputs to the file /tmp/foo.

echo '{"version":"debug","host":"devel","level":5,"@version":"1","@timestamp":"2016-09-15T10:41:00.549Z", "source_host":"foo","message":"testmsg"}' | nc localhost 5544

Edit: here are my test results:

pancake$ echo '{"version":"debug","host":"devel","level":5,"@version":"1","@timestamp":"2016-09-15T10:41:00.549Z", "source_host":"foo","message":"testmsg"}' | nc localhost 5544
pancake$ cat /tmp/foo
{"version":"debug","host":"devel","level":5,"@version":"1","@timestamp":"2016-09-15T10:41:00.549Z","source_host":"foo","message":"testmsg","port":56716}
pancake$ echo '{"version":"debug","host":"devel","level":5,"@version":"1","@timestamp":"2016-09-15T10:41:00.549Z", "source_host":"bar","message":"testmsg"}' | nc localhost 5544
pancake$ echo '{"version":"debug","host":"devel","level":5,"@version":"1","@timestamp":"2016-09-15T10:41:00.549Z", "source_host":"bar","message":"one more message!"}' | nc localhost 5544
pancake$ cat /tmp/bar
{"version":"debug","host":"devel","level":5,"@version":"1","@timestamp":"2016-09-15T10:41:00.549Z","source_host":"bar","message":"testmsg","port":56717}
{"version":"debug","host":"devel","level":5,"@version":"1","@timestamp":"2016-09-15T10:41:00.549Z","source_host":"bar","message":"one more message!","port":56718}

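Edit 2: Oh, I just thought of something. You said earlier that you aren't using any filters, right? You need to use some kind of filter, otherwise the field source_host won't exist. If you have codec => json_lines in your input block (since your logs are JSON), as I did in my example, it will parse your JSON into key-value pairs. If you have no filter or codec, the entire log body is stored in the message field, unmodified. Try adding the input codec and see if that helps.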

Answered 2016-09-23T13:47:01.927
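
A variant of the answer's configuration, added here as an example and not part of the original answer: it interpolates source_host into the path only when the field exists and contains plain host-name characters, and writes every other event to a fixed file. The /logs directory comes from the question; the _unmatched file name and the host-name pattern are assumptions.

```logstash
# Added example, not from the original post.
input {
  tcp {
    port  => 5544
    # Parses each newline-delimited JSON line into event fields,
    # so [source_host] exists by the time the output runs.
    codec => json_lines
  }
}

output {
  # Use the field in the path only when it is present and looks like a
  # plain host name: no "/" and no leading ".", so the interpolated
  # value cannot name anything outside /logs.
  if [source_host] and [source_host] =~ /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/ {
    file {
      path => "/logs/%{source_host}"
    }
  } else {
    # Field missing (the event was not parsed) or not a valid host name:
    # keep the event, but in a fixed file instead of one literally
    # named "%{source_host}". "_unmatched" is an assumed name.
    file {
      path => "/logs/_unmatched"
    }
  }
}
```

Events that land in /logs/_unmatched point to a sender that is not emitting JSON lines or is sending an unexpected source_host value.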