logstash output配置:
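# Ship events to the Elasticsearch cluster, one index per day.
#
# NOTE(review): the hosts below carry no scheme, and no user/password or TLS
# option is set in this block, so as written the audit events are presumably
# sent over plain HTTP without credentials. For an audit-log index, confirm
# that the cluster enforces authentication and TLS, then set the plugin's
# user/password and TLS options here; otherwise anyone who can reach port 9200
# can read or alter these indices.
#
# NOTE(review): the index name below does not match the "cleanning-log-*"
# pattern of the template shown on this page, so that template's settings and
# mappings would not apply to these indices. Confirm which template is meant
# to cover log-dui-rsyslog-audit-*.
output {
  elasticsearch {
    # '10.19.23.206:9200' was listed twice in the original; the duplicate entry is dropped.
    hosts => [
      '10.15.12.181:9200',
      '10.18.171.17:9200',
      '10.15.12.153:9200',
      '10.15.12.95:9200',
      '10.15.12.97:9200',
      '10.19.23.206:9200',
      '10.19.23.205:9200',
      '10.15.12.130:9200',
      '10.15.12.131:9200',
      '10.17.118.171:9200',
      '10.15.12.96:9200',
      '10.15.12.182:9200',
      '10.15.12.155:9200',
      '10.18.171.18:9200'
    ]
    # Daily index, suffix taken from the event's @timestamp.
    index => "log-dui-rsyslog-audit-%{+YYYY.MM.dd}"
  }
}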
索引template
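# Install the index template named "cleanning-log" on one Elasticsearch node;
# it applies to indices whose names match cleanning-log-*.
#
# NOTE(review): the request uses plain http:// and carries no credentials, so
# it only succeeds if the cluster accepts unauthenticated writes on port 9200.
# Anyone who can reach that port could then overwrite templates as well.
# Restrict network access to 9200 and, once authentication/TLS is enabled,
# switch this call to https:// with credentials.
#
# NOTE(review): "index.mapping.total_fields.limit" is a top-level key of the
# body rather than an entry under "settings". Placed there it is unlikely to
# take effect (depending on the Elasticsearch version it is ignored or the
# request is rejected). Confirm, and move it under "settings" if the 5000
# field limit is intended.
#
# NOTE(review): the pattern cleanning-log-* does not match the
# log-dui-rsyslog-audit-* index written by the Logstash output on this page.
#
# The JSON body is the argument of -d; the trailing backslash keeps it part of
# the same command.
curl -H "Content-Type:application/json" -X PUT http://10.15.12.96:9200/_template/cleanning-log -d \
'{"index_patterns":["cleanning-log-*"],"settings":{"index":{"number_of_shards":"5","number_of_replicas":"1","search.slowlog.threshold.query.warn":"10s","search.slowlog.threshold.query.info":"5s","search.slowlog.threshold.query.debug":"500ms","refresh_interval":"120s","blocks":{"read_only_allow_delete":"false"}}},"index.mapping.total_fields.limit":5000,"mappings":{"_default_":{"dynamic_templates":[{"message_field":{"path_match":"message","match_mapping_type":"string","mapping":{"type":"text","norms":false}}},{"string_fields":{"match":"*","match_mapping_type":"string","mapping":{"type":"text","norms":false,"fields":{"keyword":{"type":"keyword","ignore_above":256}}}}}],"properties":{"@timestamp":{"type":"date"},"message":{"properties":{"time":{"properties":{"kernel":{"properties":{"result":{"type":"float"},"start":{"type":"float"},"stop":{"type":"float"}}}}}}},"@version":{"type":"keyword"},"geoip":{"dynamic":true,"properties":{"ip":{"type":"ip"},"location":{"type":"geo_point"},"latitude":{"type":"half_float"},"longitude":{"type":"half_float"}}}}}}}'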
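格式化(json)后的template(内容与上面 curl 请求体相同):
注意:"index.mapping.total_fields.limit" 位于顶层而不在 "settings" 内;index_patterns 为 cleanning-log-*,与上面 logstash 输出的 log-dui-rsyslog-audit-* 索引名不匹配。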
{
"index_patterns": ["cleanning-log-*"],
"settings": {
"index": {
"number_of_shards": "5",
"number_of_replicas": "1",
"search.slowlog.threshold.query.warn": "10s",
"search.slowlog.threshold.query.info": "5s",
"search.slowlog.threshold.query.debug": "500ms",
"refresh_interval": "120s",
"blocks": {
"read_only_allow_delete": "false"
}
}
},
"index.mapping.total_fields.limit": 5000,
"mappings": {
"_default_": {
"dynamic_templates": [{
"message_field": {
"path_match": "message",
"match_mapping_type": "string",
"mapping": {
"type": "text",
"norms": false
}
}
}, {
"string_fields": {
"match": "*",
"match_mapping_type": "string",
"mapping": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}],
"properties": {
"@timestamp": {
"type": "date"
},
"message": {
"properties": {
"time": {
"properties": {
"kernel": {
"properties": {
"result": {
"type": "float"
},
"start": {
"type": "float"
},
"stop": {
"type": "float"
}
}
}
}
}
}
},
"@version": {
"type": "keyword"
},
"geoip": {
"dynamic": true,
"properties": {
"ip": {
"type": "ip"
},
"location": {
"type": "geo_point"
},
"latitude": {
"type": "half_float"
},
"longitude": {
"type": "half_float"
}
}
}
}
}
}
}