• Filebeat日志收集


    一、Filebeat收集单个日志

    1.配置收集日志到文件

    [root@web01 ~]# vim /etc/filebeat/filebeat.yml
    filebeat.inputs:
    - type: log
      enable: true
      paths:
        - /var/log/nginx/access.log
    output.file:
      path: "/tmp"
      filename: "filebeat.log"
    

    2.配置收集日志到ES

    [root@web01 ~]# vim /etc/filebeat/filebeat.yml
    filebeat.inputs:
    - type: log
      enable: true
      paths:
        - /var/log/nginx/access.log
    output.elasticsearch:
      hosts: ["10.0.0.51:9200"]
    

    3.配置收集日志为json格式

    1)配置

    #由于收集日志内容还是写到了message,没有办法作图
    [root@web01 ~]# vim /etc/filebeat/filebeat.yml
    filebeat.inputs:
    - type: log
      enable: true
      paths:
        - /var/log/nginx/access.log
      json.keys_under_root: true
      json.overwrite_keys: true
    output.elasticsearch:
      hosts: ["10.0.0.51:9200"]
      
      # keys_under_root
    默认情况下,解码后的JSON放在输出文档中的“json”键下。 如果启用此设置,则会将键复制到输出文档的顶层。 默认值是false。
    
    # overwrite_keys
    如果启用了keys_under_root和此设置,则来自解码的JSON对象的值会覆盖Filebeat通常添加的字段(类型,源,偏移量等)以防冲突。
    

    2)修改Nginx日志格式

    #filebeat只支持某种json格式写法
    [root@web01 ~]# vim /etc/nginx/nginx.conf
    ... ...
        log_format log_json '{ "time_local": "$time_local", '
                            '"remote_addr": "$remote_addr", '
                            '"referer": "$http_referer", '
                            '"request": "$request", '
                            '"status": $status, '
                            '"bytes": $body_bytes_sent, '
                            '"agent": "$http_user_agent", '
                            '"x_forwarded": "$http_x_forwarded_for", '
                            '"up_addr": "$upstream_addr",'
                            '"up_host": "$upstream_http_host",'
                            '"upstream_time": "$upstream_response_time",'
                            '"request_time": "$request_time" }';
     ... ...
    

    3)重启

    1.重启Nginx
    2.重启Filebeat
    3.删除原来的索引
    4.清空Nginx日志
    

    4.收集日志配置指定索引名称

    1)配置

    [root@web01 ~]# vim /etc/filebeat/filebeat.yml
    filebeat.inputs:
    - type: log
      enable: true
      paths:
        - /var/log/nginx/access.log
      json.keys_under_root: true
      json.overwrite_keys: true
    output.elasticsearch:
      hosts: ["10.0.0.51:9200"]
      index: "nginx_log_%{+YYYY-MM-dd}"
    setup.template.enabled: false
    setup.template.name: "nginx"
    setup.template.pattern: "nginx-*"
    
    
    
    #模板的名称
    setup.template.name: "nginx"
    #模板模式,通配符-*用于匹配每日索引
    setup.template.pattern: "nginx-*"
    #是否覆盖现有模板
    setup.template.overwrite: false
    #禁用模板加载
    setup.template.enabled: false
    

    2)指定分片数

    [root@web01 ~]# vim /etc/filebeat/filebeat.yml.bak 
    setup.template.settings:
      index.number_of_shards: 3
    

    5.收集日志到redis

    1)配置

    # 这里指定redis的密码为123
    
    [root@web01 ~]# vim /etc/filebeat/filebeat.yml
    filebeat.inputs:
    - type: log
      enable: true
      paths:
        - /var/log/nginx/access.log
      json.keys_under_root: true
      json.overwrite_keys: true
    output.redis:
      hosts: ["172.16.1.51"]
      port: "6379"
      key: "nginx_access"
      password: 123
      db: 0
    

    2)查看redis

    #访问Nginx页面后,查看redis是否有数据
    127.0.0.1:6379> keys *
    1) "nginx_access"
    127.0.0.1:6379> TYPE nginx_access
    list
    127.0.0.1:6379> LLEN nginx_access
    (integer) 8
    127.0.0.1:6379> LRANGE nginx_access 0 -1
    

    6.使用logstash将redis数据取出到ES

    # 建议redis的数据通过logstash进行取出,不要使用filebeat,因为logstash可以对具体索引拿取数据,而不是像filebeat只能指定host。
    [root@web01 conf.d]# vim redis_to_es.conf 
    input {
      redis {
        host => "172.16.1.51"
        port => "6379"
        db => "0"
        data_type => "list"
        key => "nginx_access"
        password => "123"
      }
    }
    output {
      elasticsearch {
        hosts => ["10.0.0.51:9200"]
        index => "nginx_access_%{+YYYY-MM-dd}"
      }
    }
    

    7.filebeat收集日志到logstash

    1)配置收集日志到logstash

    [root@web01 ~]# vim /etc/filebeat/filebeat.yml
    filebeat.inputs:
    - type: log
      enable: true
      paths:
        - /var/log/nginx/access.log
      json.keys_under_root: true
      json.overwrite_keys: true
    output.logstash:
      hosts: ["172.16.1.52:3456"]
      
    #如果启动失败,查看日志,应该是172.16.1.52服务器的3456端口没有启动,需要先启动52的logstash
    

    2)配置logstash收集日志到ES

    [root@db02 ~]# vim /etc/logstash/conf.d/filebeat_logstash_es.conf
    input {
      beats {
        port => 3456
        codec => "json"
      }
    }
    output {
      elasticsearch {
        hosts => ["10.0.0.51:9200"]
        index => "nginx_filebeat_logstash_es"
      }
    }
    

    3)查看es数据

    二、filebeat收集多日志

    1.收集多日志到ES

    1)方式一:

    [root@web01 ~]# vim /etc/filebeat/filebeat.yml
    filebeat.inputs:
    - type: log
      enable: true
      paths:
        - /var/log/nginx/access.log
      json.keys_under_root: true
      json.overwrite_keys: true
    - type: log
      enable: true
      paths:
        - /var/log/messages
    
    output.elasticsearch:
      hosts: ["10.0.0.51:9200"]
      indices:
        - index: "nginx_%{+YYYY-MM-dd}"
          when.contains:
            source: "/var/log/nginx/access.log"
        - index: "message_%{+YYYY-MM-dd}"
          when.contains:
            source: "/var/log/messages"
    setup.template.enabled: false
    setup.template.name: "nginx"
    setup.template.pattern: "nginx-*"
    

    2)方式二:

    [root@web01 ~]# vim /etc/filebeat/filebeat.yml
    
    filebeat.inputs:
    - type: log
      enable: true
      paths:
        - /var/log/nginx/access.log
      json.keys_under_root: true
      json.overwrite_keys: true
      tags: ["nginx"]
    
    - type: log
      enable: true
      paths:
        - /var/log/messages
      tags: ["messages"]
    
    output.elasticsearch:
      hosts: ["10.0.0.51:9200"]
      indices:
        - index: "nginx_%{+YYYY-MM-dd}"
          when.contains:
            tags: "nginx"
        - index: "message_%{+YYYY-MM-dd}"
          when.contains:
            tags: "messages"
    setup.template.enabled: false
    setup.template.name: "nginx"
    setup.template.pattern: "nginx-*"
    

    三、filebeat收集java报错

    1)配置

    [root@web01 ~]# vim /etc/filebeat/filebeat.yml
    filebeat.inputs:
    - type: log
      enable: true
      paths:
        - /var/log/nginx/access.log
      multiline.pattern: '^['
      multiline.negate: true
      multiline.match: after
    
    output.elasticsearch:
      hosts: ["10.0.0.51:9200"]
      index: "tomca_error_%{+YYYY-MM-dd}"
    setup.template.enabled: false
    setup.template.name: "nginx"
    setup.template.pattern: "nginx-*"
    

    2)导入错误日志查看

  • 相关阅读:
    多线程
    IO
    Collections工具类
    File类
    Map
    List与Set接口
    如何把数学作为一种工具
    包装类
    异常
    内部类
  • 原文地址:https://www.cnblogs.com/tcy1/p/13530143.html
Copyright © 2020-2023  润新知