2.1. 开始使用 Logstash

8.9

8.9

本章节将引导您通过安装 Logstash 的过程来确保一切都能正常运行。当你掌握了如何存储第一个事件以后，你将继续创建一个更高级的管道功能——它可以将 Apache 的网络日志作为输入，然后进行转换，最后再将转换后的数据写入到 Elasticserarch 集群。最后你还会学到如何通过聚合多个输入和输出插件将来自大量分散的数据源的数据整合到一起。

本章节包含以下主题：

• Java (JVM) 版本
• 安装 Logstash
• 保存你的第一个事件
• 通过 Logstash 转换日志
• 聚合多个输入和输出插件

Java (JVM) 版本

Logstash 需要以下版本的其中之一:

• Java 11
• Java 17 (默认). 查看 使用 JDK 17 设置信息。

Use the official Oracle distribution or an open-source distribution, such as OpenJDK. See the Elastic Support Matrix for the official word on supported versions across releases.

Bundled JDK

Logstash offers architecture-specific downloads that include Adoptium Eclipse Temurin 17, the latest long term support (LTS) release of the JDK.

Use the LS_JAVA_HOME environment variable if you want to use a JDK other than the version that is bundled. If you have the LS_JAVA_HOME environment variable set to use a custom JDK, Logstash will continue to use the JDK version you have specified, even after you upgrade.

检查你的 Java 版本

运行以下命令：

java -version

On systems with Java installed, this command produces output similar to the following:

java version “11.0.1” 2018-10-16 LTS Java(TM) SE Runtime Environment 18.9 (build 11.0.1+13-LTS) Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.1+13-LTS, mixed mode)

LS_JAVA_HOME`edit

Logstash includes a bundled JDK which has been verified to work with each specific version of Logstash, and generally provides the best performance and reliability. If you need to use a JDK other than the bundled version, then set the LS_JAVA_HOME environment variable to the version you want to use.

On some Linux systems, you may need to have the LS_JAVA_HOME environment exported before installing Logstash, particularly if you installed Java from a tarball. Logstash uses Java during installation to automatically detect your environment and install the correct startup method (SysV init scripts, Upstart, or systemd). If Logstash is unable to find the LS_JAVA_HOME environment variable during package installation, you may get an error message, and Logstash will not start properly.

Using JDK 17edit

Logstash uses JDK 17 by default, but you need to update settings in jvm.options and log4j2.properties if you are upgrading from Logstash 7.11.x (or earlier) to 7.12 or later.

Updates to jvm.optionsedit

In the config/jvm.options file, remove all CMS related flags:

GC configuration -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly

For more information about how to use jvm.options, please refer to JVM settings.

Updates to log4j2.propertiesedit

In the config/log4j2.properties:

• Replace properties that start with appender.rolling.avoid_pipelined_filter.* with:

  appender.rolling.avoid_pipelined_filter.type = PipelineRoutingFilter

• Replace properties that start with appender.json_rolling.avoid_pipelined_filter.* with:

  appender.json_rolling.avoid_pipelined_filter.type = PipelineRoutingFilter

• Replace properties that start with appender.routing.* with:

appender.routing.type =  PipelineRouting appender.routing.name = pipeline_routing_appender
appender.routing.pipeline.type =  RollingFile appender.routing.pipeline.name = appender-${ctx:pipeline.id} 
appender.routing.pipeline.fileName = ${sys:ls.logs}/pipeline_${ctx:pipeline.id}.log
appender.routing.pipeline.filePattern = ${sys:ls.logs}/pipeline_${ctx:pipeline.id}.%i.log.gz
appender.routing.pipeline.layout.type =  PatternLayout appender.routing.pipeline.layout.pattern =  [%d{ISO8601}][%-5p][%-25c]  %m%n
appender.routing.pipeline.policy.type =  SizeBasedTriggeringPolicy appender.routing.pipeline.policy.size =  100MB 
appender.routing.pipeline.strategy.type =  DefaultRolloverStrategy appender.routing.pipeline.strategy.max =  30