Option 1: recommended
[root@elk-node-1 filebeat]# cat filebeat.yml|egrep -v "^$|^#|#"
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /opt/app/nginx/logs/elk.log
  fields:
    service: nginx
- type: log
  enabled: true
  paths:
    - /var/log/cron
  fields:
    service: cron
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
output.logstash:
  hosts: ["10.0.0.61:5044"]
[root@elk-node-1 filebeat]#
[root@elk-node-1 config]# cat logstash.conf
input {
  beats {
    port => "5044"
  }
}
output {
  # On output: events whose fields.service equals "nginx" go to the nginx daily index
  if [fields][service] == "nginx" {
    elasticsearch {
      hosts => ["10.0.0.61:9200"]
      index => "test-yunshi-ht-ngin-%{+YYYY.MM.dd}"
    }
  }
  else if [fields][service] == "cron" {
    elasticsearch {
      hosts => ["10.0.0.61:9200"]
      index => "test-yunshi-ht-cron-%{+YYYY.MM.dd}"
    }
  }
}
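An added example, not part of the original post: in the Option 1 pipeline an event whose fields.service is neither nginx nor cron (for example, from an input that was added without a fields block) matches no branch and is written to no index. The variant below tags such events and sends them to a catch-all index; the tag "unrouted" and the index name test-yunshi-ht-unrouted are assumed names.

```logstash
input {
  beats {
    port => "5044"
  }
}
filter {
  # Mark events that arrive without the routing field so they are easy to find later
  if ![fields][service] {
    mutate { add_tag => ["unrouted"] }
  }
}
output {
  if [fields][service] == "nginx" {
    elasticsearch {
      hosts => ["10.0.0.61:9200"]
      index => "test-yunshi-ht-ngin-%{+YYYY.MM.dd}"
    }
  }
  else if [fields][service] == "cron" {
    elasticsearch {
      hosts => ["10.0.0.61:9200"]
      index => "test-yunshi-ht-cron-%{+YYYY.MM.dd}"
    }
  }
  else {
    # Catch-all: missing or unexpected service values still get indexed (assumed index name)
    elasticsearch {
      hosts => ["10.0.0.61:9200"]
      index => "test-yunshi-ht-unrouted-%{+YYYY.MM.dd}"
    }
  }
}
```

A non-empty catch-all index indicates a Filebeat input that is missing its fields.service value or is using one the pipeline does not know.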
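Option 2: deprecated settings will continue to work, but they are scheduled for removal from Logstash in the future. Document types were deprecated in Elasticsearch 6.0 and removed completely in 7.0.
Add a document_type setting in Filebeat to define an identifier for each log:
- input_type: log
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/logs/xx.log
  document_type: xx
- input_type: log
  paths:
    - /data/logs/aa.log
  document_type: aa
Then configure the matching type in Logstash: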
output {
  if [type] == "xx" {
    elasticsearch {
      hosts => ["*.*.*.*:9200"]
      index => "xx-%{+YYYY.MM.dd}"
      document_type => "log"
    }
  }
  if [type] == "aa" {
    elasticsearch {
      hosts => ["*.*.*.*:9200"]
      index => "aa-%{+YYYY.MM.dd}"
      document_type => "log"
    }
  }
}