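Install filebeat-7.9.3 (the same version as Elasticsearch)
Because Elasticsearch uses a lot of disk space, the project currently uploads only error logs. For detailed logs, check the specific server directly (there is no dedicated ops team).
Standard installation:
- Upload and extract filebeat-7.9.3-linux-x86_64.tar.gz
- Edit filebeat.yml
- Start it with ./filebeat -c filebeat.yml -e
Docker installation
docker pull elastic/filebeat:7.9.3
Copy the filebeat.yml file to the /opt/filebeat directory on the Linux server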
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
- type: log
  enabled: true
  paths:
    - /opt/logs/ai_api_dev/*.log
    # - /opt/logs/ai_api_dev/*error*.log  # error logs only
    #- D:\Projects\logs\*.log
  fields:
    # Extra custom fields
    project-name: ai_api_dev
  exclude_lines: ['DEBUG']
  tags: ["ai_api_dev"]
- type: log
  enabled: true
  paths:
    - /opt/logs/ai_schedule_dev/*.log
  fields:
    project-name: ai_ecgreport_schedule_dev
  exclude_lines: ['DEBUG']
  tags: ["ai_schedule_dev"]
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["172.16.3.61:9200"]
  indices:
    - index: "ai_api_dev_%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "ai_api_dev"
    - index: "ai_schedule_dev_%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "ai_schedule_dev"
processors:
  - drop_fields:
      fields: ['agent']
      when.contains:
        tags: "ai_api_dev"
  - drop_fields:
      fields: ['agent']
      when.contains:
        tags: "ai_schedule_dev"
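The file permission should be 755. It must not be 777, because Filebeat refuses to load a config file that is writable by anyone other than its owner and reports:
Exiting: error loading config file: config file ("filebeat.yml") can only be writable by the owner but the permissions are "-rwxrwxrwx" (to fix the permissions use: 'chmod go-w /usr/share/filebeat/filebeat.yml')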
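A pre-flight check for the permission error above, to run on the host before starting the container. This is an added example, not part of the original notes. It also checks file ownership, since Filebeat requires the config to belong to root or to the user it runs as. The function name and the default uid of 1000 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight check for the
# "can only be writable by the owner" error before starting Filebeat.
#
# check_beat_config FILE [RUN_UID]
#   FILE     host path of filebeat.yml (e.g. /opt/filebeat/filebeat.yml)
#   RUN_UID  uid Filebeat runs as; the default of 1000 is an assumption
#            about the container user, pass the real uid explicitly.
# Returns 0 if the file passes, 1 if it would be rejected, 2 on error.
check_beat_config() {
    file=$1
    run_uid=${2:-1000}
    if [ ! -f "$file" ]; then
        echo "not a regular file: $file" >&2
        return 2
    fi
    # GNU stat: %a = octal mode, %u = numeric owner uid
    mode=$(stat -c '%a' "$file") || return 2
    owner=$(stat -c '%u' "$file") || return 2
    rc=0
    # 022 (octal) = write bit for group and for others
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$file: mode $mode is group/other-writable; run: chmod go-w $file" >&2
        rc=1
    fi
    # The file must belong to root or to the uid Filebeat runs as
    if [ "$owner" -ne 0 ] && [ "$owner" -ne "$run_uid" ]; then
        echo "$file: owner uid $owner is neither root nor $run_uid" >&2
        rc=1
    fi
    return $rc
}
```

Call it as `check_beat_config /opt/filebeat/filebeat.yml` and start the container only when it returns 0.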
# Run
docker run --name filebeat --restart always --privileged=true -d \
  -v /opt/filebeat/logs/:/logs/ \
  -v /opt/filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml \
  -v /data/tenant/service/:/data/tenant/service \
  -v /opt/logs/:/opt/logs/ \
  elastic/filebeat:7.9.3
# View the logs
docker logs --tail=100 -f d69
Observability => Logs