vim /etc/logstash/conf.d/demo.conf

input{

   stdin{}

}

filter{

}

output{

    elasticsearch {

        hosts => ["10.0.0.22:9200"]

        index => "logstash-%{+YYYY.MM.dd}"

    }

    stdout{

        codec => rubydebug

    }

}

[root@saltstack02 ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/demo.conf

[root@linux-node1 ~]# vim /etc/logstash/conf.d/system.conf

input {

  file {

    path => "/var/log/messages"     #日志路径

    type => "systemlog"                 #类型

    start_position => "beginning"    #logstash 从什么位置开始读取文件数据，默认是结束位置，也就是说 logstash 进程会以类似 tail -F 的形式运行。如果你是要导入原有数据，把这个设定改成"beginning"，logstash 进程就从头开始读取，类似 less +F 的形式运行。

    stat_interval => "2"             #logstash 每隔多久检查一次被监听文件状态（是否有更新） ，默认是 1 秒。

  }

}

output {

  elasticsearch {

    hosts => ["10.0.0.22:9200"]      #指定hosts

    index => "logstash-systemlog-%{+YYYY.MM.dd}"    #索引名称

  }

}

[root@saltstack02 ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/system.conf -t #检测配置文件是否有语法错误

WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults

Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console

Configuration OK

[root@linux-node1 ~]# ll /var/log/messages

-rw-------. 1 root root 791209 12月 27 11:43 /var/log/messages

#这里可以看到该日志文件是600权限，而elasticsearch是运行在elasticsearch用户下，这样elasticsearch是无法收集日志的。所以这里需要更改日志的权限，否则会报权限拒绝的错误。在日志中查看/var/log/logstash/logstash-plain.log 是否有错误。

[root@linux-node1 ~]# chmod 644 /var/log/messages

[root@linux-node1 ~]# systemctl restart logstash