input {
file {
path => "/usr/local/elk/mos-log/mt.log"
type => "mos-mt-log"
codec => multiline {
pattern => "^["
negate => true
what => "next"
}
start_position => "end"
}
file {
path => "/usr/local/elk/mos-log/rpt.log"
type => "mos-rpt-log"
codec => multiline {
pattern => "^["
negate => true
what => "next"
}
start_position => "end"
}
}
这是conf文件中的input,再我每往日志文件手动添加一条日志时,logstash总是从头读取一遍,怎么样使logstash只去读取我新添加的日志
