- Open local TCP and UDP port 5000
- Tag the event type as syslog
- In the filter, check whether the type is syslog
- Split and parse the message into fields
- Add the received_at and received_from fields
- Use syslog_pri { } to decode the priority
- Define the format of syslog_timestamp
- Output to ES
- Also output to the terminal in rubydebug format
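The following logstash-syslog.conf is an added example that implements the items above; it is not the configuration file from the original page. The grok pattern, the two date formats and the Elasticsearch address are assumptions.

```conf
# Added example: one possible logstash-syslog.conf for the steps listed above.
# Assumed (not from the page): grok pattern, date formats, Elasticsearch address.
input {
  tcp {
    port => 5000
    type => "syslog"
    # The listener binds to all interfaces by default; set host => "127.0.0.1"
    # when only local senders are expected.
  }
  udp {
    port => 5000
    type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    # Split a classic syslog line into timestamp, host, program, pid and message.
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      # When the event arrived at Logstash, and the peer address it came from.
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    # Decode the <PRI> value into facility and severity fields.
    syslog_pri { }
    # Parse the syslog timestamp; single-digit days carry two spaces.
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}
```

A line that does not match the grok pattern is still indexed, but tagged `_grokparsefailure`, so such events can be searched for separately; `received_from` records the TCP/UDP peer address, which for a hand-typed telnet test is simply localhost.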
Start Logstash
[root@h102 etc]# /opt/logstash/bin/logstash -f logstash-syslog.conf
Settings: Default filter workers: 1
Logstash startup completed
...
...
Try connecting to local port 5000 by hand, then type in some content
[root@h102 ~]# netstat -ant | grep 5000
tcp 0 0 :::5000 :::* LISTEN
tcp 0 0 ::1:44814 ::1:5000 ESTABLISHED
tcp 0 0 ::1:5000 ::1:44814 ESTABLISHED
[root@h102 ~]# telnet localhost 5000
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Dec 23 12:11:43 louis postfix/smtpd[31499]: connect from unknown[95.75.93.154]
Dec 23 14:42:56 louis named[16000]: client 199.48.164.7#64817: query (cache) 'amsterdamboothuren.com/MX/IN' denied
...
...