【1】The index Filebeat generates in ES by default
If we configure nothing, Filebeat by default creates indices in the format below, and if it detects that one already exists it keeps using that date:
filebeat-7.14.1-2021.09.24-000001
【2】Custom indices
(2.1) fields
vim filebeat.yml
# ============================== Filebeat inputs ===============================
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
  fields:
    source: sys
- type: log
  enabled: true
  paths:
    - /data/dba/q1.txt
  fields:
    source: q1
- type: log
  enabled: true
  paths:
    - /data/dba/t1.txt
  fields:
    source: t1

# ============================== Filebeat modules ==============================
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true

setup.template.settings:
  index.number_of_shards: 1
setup.template.name: "system"
setup.template.pattern: "system-*"
setup.template.enabled: true
setup.template.overwrite: true
setup.ilm.enabled: false

# =================================== Kibana ===================================
setup.kibana:
  host: "192.168.175.132:5601"

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  hosts: ["192.168.175.132:9200"]
  # fallback index used only when no rule under `indices` matches;
  # it must be a valid index name, so no "*" wildcard here
  index: "system-%{[fields.source]}-%{+yyyy.MM.dd}"
  indices:
    - index: "system-sys-%{+yyyy.MM.dd}"
      when.equals:
        fields:
          source: "sys"
    - index: "system-q1-%{+yyyy.MM.dd}"
      when.equals:
        fields:
          source: "q1"
    - index: "system-t1-%{+yyyy.MM.dd}"
      when.equals:
        fields:
          source: "t1"

# ------------------------- Processors ----------------------------------
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
when.contains: the field contains the value
when.equals: the field equals the value
Meaning of the template-related fields:
setup.template.name: "nginx" //defines a new template; this is the template's name
setup.template.pattern: "nginx-*" //which indices the template matches; here, every index whose name starts with nginx
setup.template.enabled: false //turns template loading off altogether (the default template included)
setup.template.overwrite: true //overwrites an existing template so the newly configured one takes effect
# ======================= Elasticsearch template setting =======================
setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false
# Allow the index template to be generated automatically
setup.template.enabled: true
# Field definitions file used when generating the index template
setup.template.fields: fields.yml
# Overwrite the template if one with this name already exists
setup.template.overwrite: true
# Name of the generated index template
setup.template.name: "zheng_log"
# Index name pattern the generated template matches
setup.template.pattern: "zheng-*"
# a key may appear only once in the file; the setup.ilm.enabled: false at the end is the one in effect
#setup.ilm.enabled: auto
# Note: Filebeat automatically appends -* after the rollover alias
setup.ilm.rollover_alias: "park-ssm"
setup.ilm.pattern: "{now/d}"
# Kibana index pattern, to make searching the logs easier
#setup.dashboards.index: myfilebeat-7.0.0-*
# Filebeat's default is auto, which gives the created Elasticsearch indices a lifecycle of 50GB + 30 days;
# if you do not want to change that, it can be left unset
setup.ilm.enabled: false
Generated indices:
(2.2) The same approach with tags
You can also add some tags:
Here I only show a simple use of tags for grouping.
To use them to build different indices, refer to:
elk7.7.1 [Series part 4] Filebeat with multiple inputs and different custom output indices
#=========================== Filebeat inputs =============================
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /root/apache-tomcat-8.5.16/logs/*.txt
  tags: ["tomcat1"]
- type: log
  enabled: true
  paths:
    - /root/apache-tomcat-7.0.92/logs/*.txt
  # without this tag the tomcat2 rule below would never match
  tags: ["tomcat2"]
# ============== output ==========
output.elasticsearch:
  hosts: ["192.168.81.129:9200"]
  indices:
    - index: "tomcat1-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "tomcat1"
    - index: "tomcat2-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "tomcat2"
when.contains: the field contains the value
Multiple tags can be written as below:
This way an input can carry several tags; when matching with when.contains, it is enough for the event to contain any one of the tag values.
filebeat.inputs:
- type: log
  enabled: true
  fields:
    apache: true
  tags: ["my-service", "hardware", "test"]
  paths:
    - /Users/liuxg/data/apache-daily-access.log
output.elasticsearch:
  hosts: ["localhost:9200"]
(If it fails) points to check
(1) Whether keys such as setup.template start at the beginning of the line (top level, not indented under another key)
(2) setup.template.enabled: true must really be true, otherwise the settings may not take effect
(3) setup.ilm.enabled: false must also be present (with ILM enabled, Filebeat writes to the ILM rollover alias and the index/indices settings are ignored)
【3】Using a custom index name for data collected through a Filebeat module (MySQL as the example)
(3.1) The key field used to tell the data apart
Assume we have already started Filebeat with the default configuration and collected MySQL log data; looking at the actual documents, the field that distinguishes them is fileset.name (error vs. slowlog).
(3.2) In filebeat.yml, in the output-to-ES configuration
output.elasticsearch:
  hosts: ["192.168.175.132:9200"]
  # fallback index used only when no rule under `indices` matches;
  # it must be a valid index name, so no "*" wildcard here
  index: "system-%{[fields.source]}-%{+yyyy.MM.dd}"
  indices:
    - index: "system-sys-%{+yyyy.MM.dd}"
      when.equals:
        fields:
          source: "sys"
    - index: "system-q1-%{+yyyy.MM.dd}"
      when.equals:
        fields:
          source: "q1"
    - index: "system-t1-%{+yyyy.MM.dd}"
      when.equals:
        fields:
          source: "t1"
    - index: "system-mysqlerrorlog-%{+yyyy.MM.dd}"
      when.equals:
        fileset.name: "error"
    - index: "system-mysqlslowlog-%{+yyyy.MM.dd}"
      when.equals:
        fileset.name: "slowlog"
    # The following form also works
    # - index: "mysql-error-%{+yyyy.MM.dd}"
    #   when.contains:
    #     fileset.name: "error"
    # - index: "mysql-slowlog-%{+yyyy.MM.dd}"
    #   when.contains:
    #     fileset.name: "slowlog"
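To check the routing rules from (2.1), (2.2) and (3.2) offline before restarting Filebeat, here is an added Python example (not from the original post and not Filebeat's own code) that re-implements the first-match selection over an `indices` list, including the point from (2.2) that one matching tag out of several satisfies when.contains. The rule set and events are constructed; the date is passed in as a string and only the two format-string forms used on this page are expanded.

```python
import re

# Constructed rule set in the shape of the `indices` lists in (2.1), (2.2) and (3.2).
OUTPUT = {
    "index": "system-%{[fields.source]}-%{+yyyy.MM.dd}",  # fallback when no rule matches
    "indices": [
        {"index": "system-sys-%{+yyyy.MM.dd}", "when.equals": {"fields": {"source": "sys"}}},
        {"index": "system-mysqlerrorlog-%{+yyyy.MM.dd}", "when.equals": {"fileset.name": "error"}},
        {"index": "tomcat1-%{[agent.version]}-%{+yyyy.MM.dd}", "when.contains": {"tags": "tomcat1"}},
    ],
}

def lookup(event, dotted):
    """Walk a dotted path such as fileset.name through a nested event dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def flatten(cond, prefix=""):
    """Treat {'fields': {'source': 'sys'}} and {'fields.source': 'sys'} alike."""
    out = {}
    for k, v in cond.items():
        out.update(flatten(v, prefix + k + ".") if isinstance(v, dict) else {prefix + k: v})
    return out

def matches(rule, event):
    """when.equals: exact value; when.contains: substring of a string field or of
    any element of a list field, so one matching tag out of several is enough."""
    for key, want in flatten(rule.get("when.equals", {})).items():
        if lookup(event, key) != want:
            return False
    for key, want in flatten(rule.get("when.contains", {})).items():
        have = lookup(event, key)
        have = have if isinstance(have, list) else [have]
        if not any(isinstance(h, str) and want in h for h in have):
            return False
    return True

def expand(pattern, event, day):
    """Expand %{+yyyy.MM.dd} (day given as 'yyyy.MM.dd') and %{[a.b]} field references."""
    pattern = pattern.replace("%{+yyyy.MM.dd}", day)
    return re.sub(r"%\{\[([^\]]+)\]\}", lambda m: str(lookup(event, m.group(1))), pattern)

def resolve_index(event, day):
    """First matching `indices` rule wins; otherwise fall back to `index`."""
    for rule in OUTPUT["indices"]:
        if matches(rule, event):
            return expand(rule["index"], event, day)
    return expand(OUTPUT["index"], event, day)
```

Feed it a document copied out of Kibana (as a dict) to see which index it would land in; an event that reaches the fallback is usually a sign that a `fields` value or tag is missing from the input.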
Then start Filebeat with ./filebeat -e run; as shown in the figure below, if there is no "error" in the output it is OK.
(3.3) Verifying the result
Success
【References】
A different method from this post: elk7.7.1 [Series part 4] Filebeat with multiple inputs and different custom output indices
The same method as this post: https://blog.csdn.net/junxuezheng/article/details/108351039
Custom indices for module data, as in 【3】: https://blog.csdn.net/weixin_44953658/article/details/118539743
Official docs: https://www.elastic.co/guide/en/beats/winlogbeat/current/elasticsearch-output.html