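# Pull the Logstash image used by the rest of this page.
# NOTE(review): 6.5.0 is an old release; outside a lab, prefer a currently
# maintained Logstash version and pin the image by digest rather than by tag.
docker pull logstash:6.5.0

# Host directories that hold logstash.yml / pipelines.yml and the pipeline
# .conf file. -p creates missing parent directories and does not fail when
# the directory already exists.
# NOTE(review): the `docker run` command further down mounts
# /Users/huajiejun/projects/logstash/...; use the same directories in both
# places, and keep them writable only by the administering user, because
# their contents decide what Logstash executes.
mkdir -p /home/software/logstash/config
mkdir -p /home/software/logstash/pipeline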
## logstash.yml
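# Pipeline files are re-read automatically every 3 seconds. Anyone who can
# write to the mounted pipeline directory can therefore change what Logstash
# runs (including ruby filter code) without a restart; restrict write access
# to that directory accordingly.
config:
  reload:
    automatic: true
    interval: 3s
# X-Pack centralized pipeline management and monitoring are switched off.
xpack:
  management.enabled: false
  monitoring.enabled: false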
## pipelines.yml
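# One pipeline, loaded from the file mounted into the container's pipeline
# directory. Both keys belong to the same list item, so path.config must be
# indented under the "- " entry.
- pipeline.id: logstash_zkky
  path.config: "/usr/share/logstash/pipeline/logstash_zkky.conf"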
## logstash_zkky.conf
# Pipeline: receive JSON events over TCP, shift @timestamp by +8 hours, and
# index the events into Elasticsearch (plus a debug copy on stdout).
input {
  # Plain TCP listener on every interface, port 5047. No TLS or client
  # verification is configured here, so any host that can reach the port can
  # submit events. Limit exposure with the bind address or a firewall, or
  # enable the tcp input's TLS settings (ssl_enable, ssl_cert, ssl_key,
  # ssl_verify).
  tcp {
    mode => "server"
    host => "0.0.0.0"
    port => 5047
    # NOTE(review): if senders emit newline-delimited JSON, json_lines is the
    # usual codec for a stream input - confirm against the sender.
    codec => json
  }
}
filter{
  # Step 1: store @timestamp plus 8 hours in a temporary field "timestamp".
  ruby {
    code => "event.set('timestamp', event.get('@timestamp').time.localtime + 8*60*60)"
  }
  # Step 2: overwrite @timestamp with the shifted value, so the stored event
  # time is 8 hours ahead of the time Logstash recorded.
  # NOTE(review): presumably done so the daily index names below roll over
  # at local (UTC+8) midnight - confirm. Shifted timestamps make correlation
  # with other log sources harder during an investigation.
  ruby {
    code => "event.set('@timestamp',event.get('timestamp'))"
  }
  # Step 3: drop the temporary field again.
  mutate {
    remove_field => ["timestamp"]
  }
}
output {
  # Events whose "level" field is ERROR get an extra copy in a dedicated
  # daily index.
  if [level] == 'ERROR' {
    elasticsearch {
      hosts => ["192.168.150.130:9200"]
      index => "zkky-log-error-%{+YYYY.MM.dd}"
    }
  }
  # Every event, ERROR ones included, goes to the general daily index.
  # No credentials or TLS options are set on either elasticsearch output;
  # they must be added here if the cluster requires authentication or HTTPS.
  elasticsearch {
    hosts => ["192.168.150.130:9200"]
    index => "zkky-log-%{+YYYY.MM.dd}"
  }
  # Debug aid: prints every event to Logstash's stdout, so full log content
  # also ends up in the container log. Remove once the pipeline is verified.
  stdout { codec => rubydebug }
}
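# Start Logstash detached with the pipeline and config directories mounted
# from the host.
#
# Changes from the original one-liner:
#   * "restart=awaly" had no leading "--" and misspelled "always", so Docker
#     would have read it as the image name; it is now --restart=always.
#   * --privileged=true is dropped: it gives the container nearly
#     unrestricted access to the host, and this container accepts network
#     input on port 5047. If the mounted files are unreadable inside the
#     container, fix their ownership or permissions instead.
#
# NOTE(review): -p 9600:9600 publishes the Logstash HTTP API port on every
# host interface; bind it to a specific address if it is only needed locally.
# NOTE(review): the config mount replaces the image's whole config directory,
# so files shipped there (e.g. jvm.options, log4j2.properties) are hidden -
# copy them into the host directory if startup complains.
docker run -d -it \
  --restart=always \
  --name=logstash \
  -p 5047:5047 \
  -p 9600:9600 \
  -v /Users/huajiejun/projects/logstash/pipeline:/usr/share/logstash/pipeline \
  -v /Users/huajiejun/projects/logstash/config:/usr/share/logstash/config \
  logstash:6.5.0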
<aside> 💡 注意黏贴过去的时候字符串是否全部复制了,不然会启动失败。
</aside>