Docker运行logstash

前提条件：docker已安装
1.下载镜像
docker pull logstash:7.17.0

2.编写logstash.yml配置文件（如果不想用自己的yml配置文件，可以跳过此步骤）
在主机创建/mnt/logstash/config目录，然后在此目录下编写logstash.yml配置文件，内容如下：
path.config: /usr/share/logstash/pipeline             
注意：(1)7.17版本的管道配置文件默认是在pipeline下，之前版本默认是在conf.d目录下,详细参考官网：https://www.elastic.co/guide/en/logstash/7.17/dir-layout.html

(2)path.config参数名不要写错（写错了的话logstash启动一小段时间后就自动退出了）

3.编写logstash.conf配置文件
在主机创建/mnt/logstash/pipeline目录，然后在此目录下编写logstash.conf配置文件,内容如下：
input {
  stdin { }
}

filter {
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
  date {
    match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
}

output {
  #elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}

4.前台方式运行logstash
docker run --rm -it -v /mnt/logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml -v /mnt/logstash/pipeline/:/usr/share/logstash/pipeline/ logstash:7.17.0
如果第2步跳过，执行如下命令docker run --rm -it -v /mnt/logstash/pipeline/:/usr/share/logstash/pipeline/ logstash:7.17.0，这样logstash.conf会自动解析
（先不要后台方式运行，因为如果有问题不好查找原因，前台方式运行会有日志打印；我先把path.config参数名写错了，老是启动不成功，后来通过前台方式运行才找到原因！）

5.测试
输入如下内容：127.0.0.1 - - [11/Dec/2013:00:01:45 -0800] "GET /xampp/status.php HTTP/1.1" 200 3891 "http://cadenza/xampp/navi.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0"
再回车出现如下内容就表示配置生效：
{
        "message" => "127.0.0.1 - - [11/Dec/2013:00:01:45 -0800] "GET /xampp/status.php HTTP/1.1" 200 3891 "http://cadenza/xampp/navi.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0"",
    "httpversion" => "1.1",
       "response" => "200",
       "clientip" => "127.0.0.1",
           "host" => "d0c6b2bee4eb",
           "verb" => "GET",
          "agent" => ""Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0"",
      "timestamp" => "11/Dec/2013:00:01:45 -0800",
           "auth" => "-",
          "bytes" => "3891",
       "@version" => "1",
       "referrer" => ""http://cadenza/xampp/navi.php"",
     "@timestamp" => 2013-12-11T08:01:45.000Z,
          "ident" => "-",
        "request" => "/xampp/status.php"
}

6.后台方式运行logsash
docker run -itd --name logstash -v /mnt/logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml -v /mnt/logstash/pipeline/:/usr/share/logstash/pipeline/ logstash:7.17.0

参考网址：Running Logstash on Docker | Logstash Reference [7.17] | Elastic