1、日志到filebeat。 cat /etc/filebeat/filebeat.yml

filebeat.inputs:
- type: syslog
  format: rfc3164
  protocol.udp:
    host: "0.0.0.0:514"

output.logstash:
  hosts: ["localhost:5044"]

验证方式： tcpdump -i 网卡名称 udp port 514

2、logstash

docker run -d \
  --name=logstash_xx \
  --restart=always \
  -p 5044:5044 \
  -p 9600:9600 \
  -v /data/logstash_xx/pipeline/logstash.conf:/usr/share/logstash/pipeline/logstash.conf \
  docker.elastic.co/logstash/logstash:8.10.3

2.1 logstash 配置如下：logstash.conf

input {
    beats {
        port => 5044
        host => "0.0.0.0"  # 或者 "localhost"
    }
}
filter {
    if "