• 单个logstash文件收集多个filebeat日志

    一 背景说明

    我现在安装了logstash,只配置了一个文件,想同时收集nginx和java的日志,nginx要显示ip,国家城市,状态码,等,java要显示日志的具体内容。

    二 nginx filebeat设置

    filebeat.inputs:
# 收集 nginx 日志
- type: log
  enabled: true
  paths:
    - /var/log/nginx/*.log
  tags: ["nginx_logs"]
 # 日志是json开启这个
  json.keys_under_root: true
  json.overwrite_keys: true
  json.add_error_key: true
  # 如果值为ture,那么fields存储在输出文档的顶级位置
  fields_under_root: true
  fields:
    app: easydong
    logtype: nginx_logs


filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
output.logstash:
  hosts: ["172.17.199.231:5044"]

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

    三 java filebeat设置

    filebeat.inputs:
- type: log
  enabled: true
  paths: 
    
     -  /xs/logs/app-front1/easydong-app/app.log 
  encoding: utf-8
  tail_files: true
  
  fields:
    app: easydong
    type: applog-V1-appfront1
  fields_under_root: true
  multiline:
     pattern: '^[0-2][0-9]:[0-5][0-9]:[0-5][0-9]'
     negate: true
     match: after
- type: log
  enabled: true
  paths:
     -  /xs/logs/app-front1/easydong-admin/admin.log
  encoding: utf-8
  tail_files: true
  fields:
    app: easydong
    type: adminlog-V1-appfront1
  fields_under_root: true
  multiline:
     pattern: '^[0-2][0-9]:[0-5][0-9]:[0-5][0-9]'
     negate: true
     match: after

- type: log
  enabled: true
  paths:
                   
     -  /xs/logs/app-front2/easydong-admin/admin.log
  encoding: utf-8
  tail_files: true
  fields:
    app: easydong
    type: adminlog-V1-appfront2
  fields_under_root: true
  multiline:
     pattern: '^[0-2][0-9]:[0-5][0-9]:[0-5][0-9]'
     negate: true
     match: after

- type: log
  enabled: true
  paths:
     -  /xs/logs/app-front2/easydong-app/app.log
  encoding: utf-8
  tail_files: true
  fields:
    app: easydong
    type: applog-V1-appfront2
  fields_under_root: true
  multiline:
     pattern: '^[0-2][0-9]:[0-5][0-9]:[0-5][0-9]'
     negate: true
     match: after

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
output.logstash:
  hosts: ["39.96.179.187:5044"]

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

    四 logstash设置

    根据 if [logtype] == "nginx_logs 去判断是nginx日志还是java日志,

    input {
 beats {
     port => 5044
     
  }



}


filter{
  if [type] == "adminlog-V1-appfront1"{

      grok {
         match => ["message", "%{SYSLOGBASE} %{GREEDYDATA:message}"]
         overwrite => ["message"]
     }
  }
  if [logtype] == "nginx_logs"{
       mutate {
          convert => [ "status","integer" ]
          convert => [ "size","integer" ]
          convert => [ "upstreatime","float" ]
          convert => ["[geoip][coordinates]", "float"]
          remove_field => "message"
        }

        date {
            match => [ "timestamp" ,"dd/MMM/YYYY:HH:mm:ss Z" ]
        }
        geoip {
          source => "client"  ##日志格式里的ip来源,这里是client这个字段(client":"$remote_addr")
          target => "geoip"
          database =>"/usr/share/logstash/GeoLite2-City.mmdb"   ##### 下载GeoIP库
          add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
          add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
        }
       # mutate {
       #   remove_field => "timestamp"
       # }
    }

}



output {

    if [app] == "easydong" {
        if [type] == "applog-V1-appfront1" {
           elasticsearch {
              hosts => ["http://172.17.199.231:9200"]
              password => "111111"
              user => "elastic"
              index => "applog-v1-appfront1-%{+YYYY.MM.dd}"
           }
        }
        else if [type] == "adminlog-V1-appfront1" {
           elasticsearch {
              hosts => ["http://172.17.199.231:9200"]
              password => "111111"
              user => "elastic"
              index => "adminlog-v1-appfront1-%{+YYYY.MM.dd}"
           }
        }
        else if [type] == "applog-V1-appfront2" {
           elasticsearch {
              hosts => ["http://172.17.199.231:9200"]
              #password => "111111"
              #user => "elastic"
              index => "applog-v1-appfront2-%{+YYYY.MM.dd}"
           }
        }
        else if [type] == "adminlog-V1-appfront2" {
           elasticsearch {
              hosts => ["http://172.17.199.231:9200"]
              #password => "111111"
              #user => "elastic"
              index => "adminlog-v1-appfront2-%{+YYYY.MM.dd}"
           }
        }

        
        else if [type] == "applog-V2-appfront1" {
           elasticsearch {
              hosts => ["http://172.17.199.231:9200"]
              #password => "111111"
              #user => "elastic"
              index => "applog-v2-appfront1-%{+YYYY.MM.dd}"
           }  
        }  
        else if [type] == "adminlog-V2-appfront1" {
           elasticsearch {
              hosts => ["http://172.17.199.231:9200"]
              #password => "111111"
              #user => "elastic"
              index => "adminlog-v2-appfront1-%{+YYYY.MM.dd}"
           }  
        }  
        else if [type] == "applog-V2-appfront2" {
           elasticsearch {
              hosts => ["http://172.17.199.231:9200"]
              #password => "111111"
              #user => "elastic"
              index => "applog-v2-appfront2-%{+YYYY.MM.dd}"
           }  
        }  
        else if [type] == "adminlog-V2-appfront2" {
           elasticsearch {
              hosts => ["http://172.17.199.231:9200"]
              #password => "111111"
              #user => "elastic"
              index => "adminlog-v2-appfront2-%{+YYYY.MM.dd}"
           }  
        }  

        else if [type] == "indonesia-adminlog-1" {
           elasticsearch {
              hosts => ["http://172.17.199.231:9200"]
              #password => "111111"
              #user => "elastic"
              index => "indonesia-adminlog-1-%{+YYYY.MM.dd}"
           }
        }
 
    if [app] == "easydong" {
          if [logtype] == "nginx_logs"{
            elasticsearch {
            hosts => ["http://172.17.199.231:9200"]
            index => "logstash-sanwenqian-nginx-%{+YYYY-MM}"
          }
      }
  }
    
  }

  stdout { codec=> rubydebug }

    最后重启logstash看能否正常启动,可以去/var/log/message查看是否有新的日志产生。
  • 相关阅读:
    后台取得非服务器控件的一种方法(Request.Form.GetKey(i))
    扩展jQuery键盘事件的几个基本方法(练习jQuery插件扩展)
    Javascript得到CheckBoxList的Value
    sql server的count(小技巧)
    oracle数据库约束条件删除、取消、启用
    iis7.0修改网站端口
    session模式和web园
    理解Session State模式+ASP.NET SESSION丢失FAQ (转)
    Gridview中生成的属性rules="all",在Firefox出现内线框解决办法
    一个类windows系统的效果图
  • 原文地址:https://www.cnblogs.com/huningfei/p/12779507.html
Copyright © 2020-2023  润新知