一、安裝
[root@jumpserver tools]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.4.0-x86_64.rpm [root@jumpserver tools]# rpm -ivh filebeat-6.4.0-x86_64.rpm
#查看安裝內容 [root@jumpserver tools]# rpm -ql filebeat-6.4.0 /etc/filebeat/fields.yml /etc/filebeat/filebeat.reference.yml /etc/filebeat/filebeat.yml => 配置文件 /etc/init.d/filebeat => 啟動腳本 /lib/systemd/system/filebeat.service => systemctl也可以啟動 /usr/bin/filebeat => filebeat命令
....
二、配置
配置文件默認是/etc/filebeat/filebeat.yml,可以參考filebeat.reference.yml 和/etc/filebeat/filebeat.yml ,配置文件支持正則表達式,官方文檔(https://www.elastic.co/guide/en/beats/filebeat/6.2/regexp-support.html)
配置格式為:
#global filebeat configuration options tags: ["10.0.3.199"] max-procs: 1 #Configure inputs filebeat.inputs: - type: log paths: => 日志路徑,支持正則 - /var/log/httpd/*log fields: => 輸出日志中添加額外的字段,用於日志過濾 service: httpd_log => httpd_log 為自定義字段, logstash的輸出可以看到 fields_under_root: true => 自定義字段在第一行,不會被覆蓋 #Configure the output output.logstash: => 這里輸出到logstash hosts: ["10.0.3.60:5044"] => logstash主機 IP + Port compression_level: 0 => 0表示不進行壓縮,壓縮級別有0-9
官網下載地址
https://www.elastic.co/cn/downloads/beats/filebeat
官方文檔:
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-getting-started.html#filebeat-getting-started