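# Filebeat configuration: tail application logs, join multi-line events,
# and ship them to a Kafka topic.
# NOTE: Filebeat 6.3 and later name this section `filebeat.inputs`;
# `filebeat.prospectors` is the older spelling.
filebeat.prospectors:
  # Input type: read plain log files line by line.
  - type: log
    enabled: true
    # Files to harvest. The glob picks up every file in the directory,
    # so keep non-log files out of it.
    paths:
      - /data/apps/logs/test1/*
    # Two custom fields attached to every event, used downstream to tell
    # the log type and the originating host apart.
    fields:
      type: test1
      host: 161
    # Skip files whose last modification is more than one hour old.
    ignore_older: 1h
    # A new event starts at a line containing a level and a date, e.g.
    # "INFO 2018/01/31". The backslashes in \d are required: without them
    # the pattern matches the literal letter "d" and no line ever starts
    # a new event. Single quotes keep the backslashes literal in YAML.
    multiline.pattern: '(WARN|DEBUG|ERROR|INFO) \d{4}/\d{2}/\d{2}'
    # negate: true  -> act on lines that do NOT match the pattern.
    multiline.negate: true
    # match: after  -> append those lines to the preceding matching line.
    multiline.match: after

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  # Module configs are read once at startup, not watched for changes.
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 3

# Kafka output. As written, no TLS and no SASL credentials are configured,
# so log events travel to the brokers unencrypted and unauthenticated.
# Outside an isolated network, enable `ssl.enabled: true` with
# `ssl.certificate_authorities`, and set `username` / `password`, and
# restrict who may read the topic, since application logs often carry
# sensitive data.
output.kafka:
  enabled: true
  hosts: ["192.168.0.11:9092", "192.168.0.12:9092", "192.168.0.13:9092"]
  topic: "test-log"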
注:multiline 相关字段必须在每个日志类型下各配置一份,否则该类型的日志不会被合并。(坑)
样例图: