负责收集本地日志,传送给远程的logstash,新建一个forward.conf文件

{
 "network": {
     "servers": [ "localhost:5043" ],
     "ssl ca":"/path/to/localhost.crt",  
     "timeout": 15 
  }, 
"files": [
     { 
      "paths": [ "/path/to/sample-log"  ], 
      "fields": { "type": "apache" } 
      } 
  ]}

在logstash中的配置文件input中,加入lumberjack指定数据来源

lumberjack {
   port => "5043" 
   ssl_certificate => "/path/to/ssl-cert" 
   ssl_key => "/path/to/ssl-key" 
}

logstash多日志处理方式input中分别处理syslog,apache日志,指定type,在filter中制定不同规则

input { 
    file { 
        path => "/var/log/messages"
        type => "syslog" 
    }
    file {
        path => "/var/log/apache/access.log" 
        type => "apache" 
    }
}

filter{
   if[type] == "syslog"{
       ... 
    } 
    if[type] == "apache"{
         ... 
    }
}

output{ 
      if[type] == "syslog"{ ... }
     if[type] == "apache"{ ... }
}