Installing Logstash on CentOS

1590 reads, 0 comments, 2020-03-09, by 可怜的猪头
Category: LINUX

yum install java (Logstash needs a Java runtime)
Disable the firewall and SELinux.
Result: (screenshots not preserved in the page text)
https://blog.csdn.net/jeikerxiao/article/details/84403437
Rename the extracted directory:
$ mv logstash-6.5.2 logstash
Edit the configuration files. Change into the config directory:
$ cd /opt/software/logstash/config
List the configuration files:
$ ls
jvm.options        logstash-sample.conf  pipelines.yml
log4j2.properties  logstash.yml          startup.options
Copy the sample configuration:
$ cp logstash-sample.conf syslog.conf
Edit it to read:
# Define the log source
input {
  syslog {
    type => "system-syslog"      # event type tag
    port => 10514                # port to listen on
  }
}
# Define the log output
output {
  stdout {
    codec => rubydebug          # print events to the current terminal
  }
}
Validate the configuration file:

$ ./logstash --path.settings /opt/software/logstash/config/ -f /opt/software/logstash/config/syslog.conf --config.test_and_exit

The correct output looks like this:

Sending Logstash logs to /opt/software/logstash/logs which is now configured via log4j2.properties
[2018-11-23T09:28:36,184][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
Configuration OK
[2018-11-23T09:28:38,630][INFO ][logstash.runner          ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash
Seeing "Configuration OK" tells us the configuration is valid.
Command options:

    --path.settings         directory that holds the Logstash settings files
    -f                      path of the pipeline configuration file to check
    --config.test_and_exit  exit after the check; without it Logstash starts straight away

Configure the log source to forward its logs

Point rsyslog at the Logstash server's IP and the listening port configured above:

$ vim /etc/rsyslog.conf
Uncomment the forwarding line and fill in your own server's IP:
### RULES ####
*.* @@192.168.0.514:10514
Restart rsyslog so the change takes effect:

$ systemctl restart rsyslog

Start Logstash

Start Logstash with the configuration file specified:

$ cd /opt/software/logstash/bin

$ ./logstash --path.settings /opt/software/logstash/config/ -f /opt/software/logstash/config/syslog.conf

Open a new terminal and check that port 10514 is being listened on:

$ netstat -lntp |grep 10514

tcp    0    0 0.0.0.0:10514    0.0.0.0:*    LISTEN    14580/java
{
          "@version" => "1",
        "@timestamp" => 2018-11-23T01:44:48.000Z,
          "priority" => 86,
         "logsource" => "iZbp18jvb8bcz1z6pqd27",
               "pid" => "14632",
           "message" => "Accepted publickey for root from 113.240.229.5 port 3780 ssh2: RSA 05:4c:4d:59:0d:bd:12:a2:8c:b6:4d:96:29:78:19:43\n",
              "type" => "system-syslog",
    "severity_label" => "Informational",
           "program" => "sshd",
          "severity" => 6,
          "facility" => 10,
              "host" => "192.168.0.514",
         "timestamp" => "Nov 23 09:44:48",
    "facility_label" => "security/authorization"
}
{
          "@version" => "1",
        "@timestamp" => 2018-11-23T01:44:48.000Z,
          "priority" => 86,
         "logsource" => "iZbp18jvb8bcz1z6pqd27",
               "pid" => "14632",
           "message" => "pam_unix(sshd:session): session opened for user root by (uid=0)\n",
              "type" => "system-syslog",
    "severity_label" => "Informational",
           "program" => "sshd",
          "severity" => 6,
          "facility" => 10,
              "host" => "192.168.0.514",
         "timestamp" => "Nov 23 09:44:48",
    "facility_label" => "security/authorization"
}
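The fields in the events above follow from the syslog PRI value: priority 86 splits into facility 10 and severity 6, which the syslog input labels "security/authorization" and "Informational". The following Python script is an added example, not part of the original post; it decodes an RFC 3164 line into those same fields and can forward a constructed test line over TCP to the input so the pipeline can be verified end to end. The sample line, the 127.0.0.1 target and port 10514 are assumptions.

```python
"""Decode RFC 3164 syslog lines into the fields Logstash's syslog input emits and
send a test line to the input over TCP to verify the pipeline end to end."""
import re
import socket

# Constructed sample: the sshd event from the page as rsyslog would forward it.
# PRI 86 = facility 10 * 8 + severity 6.
SAMPLE = ("<86>Nov 23 09:44:48 iZbp18jvb8bcz1z6pqd27 sshd[14632]: "
          "Accepted publickey for root from 113.240.229.5 port 3780 ssh2")

# Default label tables of the Logstash syslog input (facility 10 is the second
# "security/authorization" entry, which is why the page's event shows that label).
FACILITY_LABELS = [
    "kernel", "user-level", "mail", "system", "security/authorization", "syslogd",
    "line printer", "network news", "UUCP", "clock", "security/authorization", "FTP",
    "NTP", "log audit", "log alert", "clock", "local0", "local1", "local2", "local3",
    "local4", "local5", "local6", "local7"]
SEVERITY_LABELS = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
                   "Informational", "Debug"]

_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<logsource>\S+) (?P<program>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$")

def decode_syslog(line):
    """Return the Logstash-style field dict for one RFC 3164 line, or raise ValueError."""
    m = _RFC3164.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not an RFC 3164 syslog line: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return {
        "priority": pri, "facility": facility, "severity": severity,
        "facility_label": FACILITY_LABELS[facility],
        "severity_label": SEVERITY_LABELS[severity],
        "timestamp": m.group("timestamp"), "logsource": m.group("logsource"),
        "program": m.group("program"), "pid": m.group("pid"),
        "message": m.group("message"),
    }

def send_syslog(line, host="127.0.0.1", port=10514):
    """Forward one line over plain TCP, newline-framed, like rsyslog's @@host:port."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(line.encode() + b"\n")

if __name__ == "__main__":
    print(decode_syslog(SAMPLE))       # same fields the rubydebug codec prints
    send_syslog(SAMPLE)                # the event should appear on the Logstash terminal
```

Run it while Logstash is listening and compare the printed dict with the rubydebug event; a mismatch in facility or severity usually means the sending host's rsyslog is tagging the messages differently than expected.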