How to use the same LSF to send two different kinds of logs (with different patterns) to one Logstash central
I have a logstash-forwarder (LSF) agent which sends two kinds of logs to the Logstash central agent (version 2.2). These logs are multiline, but they do not have the same pattern. In the LSF, the config file looks like this:
{
  "network": {
    "servers": [ "server1:77009" ],
    "timeout": 15,
    "ssl ca": "logstashforwader.jks"
  },
  "files": [
    {
      "paths": [ "/dir1/log1" ],
      "fields": { "type": "type1", "environment": "env1" }
    },
    {
      "paths": [ "/dir2/log2" ],
      "fields": { "type": "type2", "environment": "env1" }
    }
  ]
}
In the Logstash central, I would like to apply the right pattern to the right type, for example:
input {
  if [type] == "type1" {
    lumberjack {
      host => "@IP"
      port => "77009"
      ssl_certificate => "/logstash-forwarder.crt"
      ssl_key => "/logstash-forwarder.key"
      codec => multiline {
        pattern => "^%{DATE_EU}"
        max_lines => 750
        negate => true
        what => previous
      }
    }
  } else if [type] == "type2" {
    lumberjack {
      host => "server1"
      port => "77009"
      ssl_certificate => "logstash-forwarder.crt"
      ssl_key => "/logstash-forwarder.key"
      codec => multiline {
        pattern => "^<"
        negate => true
        what => previous
      }
    }
  }
}
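You can't use conditionals on the input.
You can use OR ("|") in the multiline pattern to support both inputs.
You could also use two different ports and send each input to a different port.

I added the "|" in the multiline pattern and it works great!! Thx

Good news. Can you accept the answer?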
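
The answer's first suggestion written out as a Logstash central configuration. This is an added example, not code from the original question or answer: host, port, certificate paths and type names are copied from the question, and the tag names `type1_event` and `type2_event` are hypothetical.

```logstash
input {
  # One lumberjack listener for both files. An input block cannot be wrapped
  # in if/else, so the codec has to recognise the first line of either format.
  lumberjack {
    host => "server1"
    port => "77009"                       # value as given in the question
    ssl_certificate => "/logstash-forwarder.crt"
    ssl_key => "/logstash-forwarder.key"
    codec => multiline {
      # A new event starts on a line that begins with a DATE_EU date (type1)
      # or with "<" (type2). Any other line is appended to the previous event.
      pattern => "^(%{DATE_EU}|<)"
      negate => true
      what => "previous"
      # In the question this limit was set for type1 only; here it applies to both.
      max_lines => 750
    }
  }
}

filter {
  # Conditionals are valid at the filter stage. [type] is the field set under
  # "fields" in the forwarder configuration.
  if [type] == "type1" {
    mutate { add_tag => ["type1_event"] }   # hypothetical tag name
  } else if [type] == "type2" {
    mutate { add_tag => ["type2_event"] }   # hypothetical tag name
  }
}
```

The combined pattern is applied to lines from both files, so a continuation line in log1 that begins with "<", or one in log2 that begins with a date, starts a new event. The answer's second suggestion (one port per log type) keeps the two patterns separate.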