elk日志收集-filebeat多日志文件收集


官網中文文檔重要參考

https://elkguide.elasticsearch.cn/logstash/plugins/input/

1.准備

# Install Filebeat 6.8.5 from an internal mirror.
# NOTE(review): the package is fetched over plain HTTP, and rpm can only verify
# a package signature against keys already imported on this host. Confirm the
# vendor signing key is imported, or download the file first and check it with
# `rpm -K` before installing.
rpm -ivh http://192.168.130.150/ELK/filebeat-6.8.5-x86_64.rpm # install from the internal network
# Delete old indices: the wildcard removes every index whose name matches
# *-2019.11*, and the deletion cannot be undone.
# NOTE(review): the request carries no credentials, so this Elasticsearch node
# presumably accepts unauthenticated deletes from the network — confirm, then
# restrict access to port 9200 or enable authentication. Listing the matches
# first with `curl 'http://192.168.120.81:9200/_cat/indices/*-2019.11*'` shows
# what would be removed; setting action.destructive_requires_name to true on
# the cluster rejects wildcard deletes altogether.
curl -XDELETE 'http://192.168.120.81:9200/*-2019.11*' # delete old logs
[root@java38 ~]# cat /etc/filebeat/filebeat.yml
# Filebeat input for the application logs; events are shipped to Logstash.
filebeat.inputs:
- type: log
  enabled: true
  paths:
  # Matches every *.log file one directory level below /testlvnksc.
  - /testlvnksc/*/*.log
  tags: ["dygabase-app-log"]
  # NOTE(review): document_type was removed in Filebeat 6.0 and this page
  # installs 6.8.5, so this key presumably no longer sets `type` on events;
  # a custom entry under `fields` is the usual replacement — confirm.
  document_type: dygabase-app
  # NOTE(review): spool_size and idle_timeout look like Filebeat 5.x spooler
  # settings; verify that 6.8.5 still accepts them here.
  spool_size: 1024
  idle_timeout: "3s"
  # Java stack traces: a line that starts with whitespace followed by "at" or
  # "...", or that starts with "Caused by:", is appended to the line before it.
  multiline.pattern: '^[[:space:]]+(at|\.{3})\b|^Caused by:'
  multiline.negate: false
  multiline.match: after
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
# NOTE(review): no ssl.* settings are present, so log events travel to
# Logstash in cleartext and the server is not authenticated. If the network is
# not fully trusted, set ssl.certificate_authorities here and enable ssl on the
# Logstash beats input.
output.logstash:
  hosts: ["192.168.120.81:5044"]

常用配置:多行合並,把不是以 [ 開頭的行合並到上一行

[root@java38 ~]# cat /etc/filebeat/filebeat.yml
# Same input as a generic multiline setup: a new event starts at each line
# that begins with "[".
filebeat.inputs:
- type: log
  enabled: true
  paths:
  # Matches every *.log file one directory level below /testlvnksc.
  - /testlvnksc/*/*.log
  tags: ["dygabase-app-log"]
  # NOTE(review): document_type was removed in Filebeat 6.0 and this page
  # installs 6.8.5, so this key presumably no longer sets `type` on events;
  # a custom entry under `fields` is the usual replacement — confirm.
  document_type: dygabase-app
  # NOTE(review): spool_size and idle_timeout look like Filebeat 5.x spooler
  # settings; verify that 6.8.5 still accepts them here.
  spool_size: 1024
  idle_timeout: "3s"
  # negate: true + match: after => every line that does NOT start with "[" is
  # appended to the preceding line that does.
  multiline.pattern: '^\['
  multiline.negate: true
  multiline.match: after
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
# NOTE(review): no ssl.* settings are present, so log events travel to
# Logstash in cleartext and the server is not authenticated. If the network is
# not fully trusted, set ssl.certificate_authorities here and enable ssl on the
# Logstash beats input.
output.logstash:
  hosts: ["192.168.120.81:5044"]

 

 

日志路徑

/testlvnksc/dygabase-app/spring.log
/testlvnksc/dygabase-service/spring.log

# Restart the service so Filebeat picks up the edited configuration.
systemctl restart filebeat
# Check that a filebeat process is running. `systemctl status filebeat` and
# `journalctl -u filebeat` show start-up and configuration errors that a bare
# process listing does not.
ps -ef | grep filebeat

 es上日志收集

vi file.conf # when logs come from different hosts, type can be used to tell them apart

# Receives Beats events and writes them to one daily index per application.
input {
# NOTE(review): both beats inputs listen on 192.168.120.81:5044. Two listeners
# cannot normally bind the same address and port, so the second one presumably
# fails at start-up — verify. A single beats input, with routing on a field
# that Filebeat sets per input, avoids the conflict.
# NOTE(review): neither input sets any ssl option, so any host that can reach
# port 5044 can presumably submit events, and they arrive in cleartext.
beats {
    type => "dygabase-app"
    host => "192.168.120.81"
    port => 5044
  }
beats {
    type => "dygabase-service"
    host => "192.168.120.81"
    port => 5044
  }

}
output {
 # Events are routed on their type field; an event whose type matches neither
 # branch is not written anywhere.
 # NOTE(review): the elasticsearch outputs set no user/password and no TLS, so
 # the node at 192.168.120.81:9200 presumably accepts unauthenticated writes —
 # confirm and restrict access to that port.
 if [type] == "dygabase-app" {
 elasticsearch {
 hosts => ["192.168.120.81:9200"]
 index => "dygabase-app-%{+YYYY.MM.dd}"
 }
}
 if [type] == "dygabase-service" {
 elasticsearch {
 hosts => ["192.168.120.81:9200"]
 index => "dygabase-service-%{+YYYY.MM.dd}"
 }
}

}

 

# Start Logstash in the background with the pipeline file; nohup keeps it
# running after the shell exits.
# NOTE(review): the pipeline file is under /root, so this presumably runs
# Logstash as root — confirm. Running it under a dedicated unprivileged account
# limits what a flaw in log parsing can reach. Adding --config.test_and_exit
# to the command checks the file for syntax errors without starting the pipeline.
nohup /usr/share/logstash/bin/logstash -f /root/file.conf &

 字段分片處理

# Splits each pipe-delimited log line and copies two of its parts into fields.
filter {
    # After this step, message is an array of the "|"-separated parts.
    mutate {
        split => ["message", "|"]
    }
    # NOTE(review): the documented field-reference form for an array element is
    # %{[message][1]}; %{message[1]} depends on lenient reference parsing in
    # older Logstash releases — verify on the version in use.
    # NOTE(review): when a line has fewer than three parts the reference does
    # not resolve and the field presumably keeps the literal %{...} text —
    # confirm, and tag or drop such events instead of indexing the placeholder.
    mutate {
        add_field => {
          "userId" => "%{message[1]}"
          "vissit" => "%{message[2]}"
    }
 }

    # Forces both new fields to the string type.
    mutate {
       convert => {
          "userId" => "string"
          "vissit" => "string"
    }
 }
}

 

logstash配置文件

 

[root@java134 ~]# cat file.conf 
# Single-pipeline variant: every Beats event goes to one daily dylog-* index.
input {
# NOTE(review): no ssl option is set, so any host that can reach
# 192.168.130.134:5044 can presumably submit events, and they arrive in
# cleartext — confirm and restrict access to the port.
beats {
    host => "192.168.130.134"
    port => 5044
  }
}
output {
 # NOTE(review): no user/password and no TLS are configured, so the node at
 # 192.168.130.134:9200 presumably accepts unauthenticated writes — confirm.
 elasticsearch {
 hosts => ["192.168.130.134:9200"]
 index => "dylog-%{+YYYY.MM.dd}"
 }


}
# Start Logstash in the background with the pipeline file; nohup keeps it
# running after the shell exits.
# NOTE(review): the pipeline file is under /root and the transcript above uses
# a root shell, so Logstash presumably runs as root here — confirm. Running it
# under a dedicated unprivileged account limits what a flaw in log parsing can reach.
nohup /usr/share/logstash/bin/logstash -f /root/file.conf &

 

filebeat文件配置

[root@java134 filebeat]# cat /etc/filebeat/filebeat.yml
# Filebeat input for date-stamped log files; events are shipped to Logstash.
filebeat.inputs:
- type: log
  enabled: true
  paths:
  - /logstest/*log2019-*
  multiline.pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}' # a new event starts at a line beginning with "[YYYY-MM-DD"; other lines are merged into it
  multiline.negate: true
  multiline.match: after
  multiline.max_lines: 2000 # lines beyond 2000 in one event are discarded; the default is 500
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
# NOTE(review): no ssl.* settings are present, so log events travel to
# Logstash in cleartext and the server is not authenticated. If the network is
# not fully trusted, set ssl.certificate_authorities here and enable ssl on the
# Logstash beats input.
output.logstash:
  hosts: ["192.168.130.134:5044"]
# Run Filebeat in the foreground to check what it collects: -e logs to stderr,
# -c selects the config file, -d "publish" enables debug output for published
# events.
# NOTE(review): the publish debug output prints the collected log content to
# the terminal, so avoid running it where that output is captured or shared if
# the logs can hold credentials or personal data.
/usr/bin/filebeat -e -c filebeat.yml -d "publish" # test what gets collected

 

 日志格式

[2019-11-07 20:01:30] [ main:0 ]  [ DEBUG ]  [Adding PropertySource 'servletConfigInitParams' with lowest search precedence]
[2019-11-07 20:01:30] [ main:3 ]  [ DEBUG ]  [Adding PropertySource 'servletContextInitParams' with lowest search precedence]
[2019-11-07 20:01:30] [ main:11 ]  [ DEBUG ]  [Adding PropertySource 'systemProperties' with lowest search precedence]
[2019-11-07 20:01:30] [ main:12 ]  [ DEBUG ]  [Adding PropertySource 'systemEnvironment' with lowest search precedence]

 

