Filebeat

Filebeat

Filebeat介绍与部署

Filebeat附带预构建的模块,这些模块包含收集、解析、充实和可视化各种日志文件格式数据所需的配置,每个Filebeat模块由一个或多个文件集组成,这些文件集包含摄取节点管道、Elasticsearch模板、Filebeat勘探者配置和Kibana仪表盘。

Filebeat模块是很好的入门方式。Filebeat本身是轻量级、单一用途的日志收集工具,用于在没有安装Java的服务器上专门收集日志,可以将日志转发到Logstash、Elasticsearch或Redis等,以便进行下一步处理。

img

Filebeat部署

官方文档:https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-configuration-details.html

官网下载地址:https://www.elastic.co/downloads/beats/filebeat

安装

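# Download the official RPM from Elastic's artifact server.
# NOTE(review): this walkthrough pins 5.6.16; the 5.x line no longer receives
# fixes, so confirm whether a currently supported release can be used instead.
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.6.16-x86_64.rpm

# Import Elastic's package-signing key and check the RPM before installing it
# as root. Read the output as well as the exit status: it should report a
# signature (pgp/rsa), not only digests, because an unsigned package can still
# pass the digest check.
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

# Install Filebeat only if the package check succeeded.
rpm --checksig filebeat-5.6.16-x86_64.rpm &&
  yum localinstall -y filebeat-5.6.16-x86_64.rpm

# Keep a copy of the stock configuration before editing it.
cp /etc/filebeat/filebeat.yml{,.bak}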

filebeat收集日志到本地文件

# 编辑配置文件
vim /etc/filebeat/filebeat.yml
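filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/nginx/8081_access_json.log
  # Lines matching these patterns are not shipped. The option is spelled
  # exclude_lines; the original key "exclude_lins" is not a Filebeat option,
  # so the filter would presumably never have been applied.
  exclude_lines: ["^DBG","^$"]
  # Value of the "type" field attached to each event from this input.
  document_type: 8081_log

- input_type: log
  paths:
    - /var/log/nginx/8082_access_json.log
  # Lines matching these patterns are not shipped.
  exclude_lines: ["^DBG","^$"]
  # Value of the "type" field attached to each event from this input.
  document_type: 8082_log

output.file:
  # NOTE(review): /tmp is shared and world-writable. For anything beyond a
  # quick test, write to a dedicated directory with restricted permissions,
  # since these access logs carry client IPs and requested URLs.
  path: "/tmp"
  filename: "water.txt"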

# 启动服务
systemctl start filebeat

# 检查进程
[root@elk03 ~]# ps -ef | grep filebeat
root       9502      1  0 10:13 ?        00:00:00 /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat
root       9525   8809  0 10:17 pts/0    00:00:00 grep --color=auto filebeat

# 刷新nginx页面生成日志信息

# 查看日志信息
[root@elk03 ~]# cat /tmp/water.txt |grep blog.yys.com
{"@timestamp":"2023-07-17T02:13:57.593Z","beat":{"hostname":"elk03","name":"elk03","version":"5.6.16"},"input_type":"log","message":"{\"@timestamp\":\"2023-07-17T10:13:54+08:00\",\"host\":\"10.0.0.104\",\"clientip\":\"10.0.0.104\",\"size\":0,\"responsetime\":0.000,\"upstreamtime\":\"-\",\"upstreamhost\":\"-\",\"http_host\":\"blog.yys.com\",\"url\":\"/index.html\",\"domain\":\"blog.yys.com\",\"xff\":\"10.0.0.1\",\"referer\":\"-\",\"status\":\"304\"}","offset":11457,"source":"/var/log/nginx/8081_access_json.log","type":"8081_log"}

[root@elk03 ~]# cat /tmp/water.txt |grep www.xxx.com
{"@timestamp":"2023-07-17T02:13:50.592Z","beat":{"hostname":"elk03","name":"elk03","version":"5.6.16"},"input_type":"log","message":"{\"@timestamp\":\"2023-07-14T09:57:14+08:00\",\"host\":\"10.0.0.104\",\"clientip\":\"10.0.0.104\",\"size\":16,\"responsetime\":0.000,\"upstreamtime\":\"-\",\"upstreamhost\":\"-\",\"http_host\":\"www.xxx.com\",\"url\":\"/index.html\",\"domain\":\"www.xxx.com\",\"xff\":\"10.0.0.1\",\"referer\":\"-\",\"status\":\"200\"}","offset":271,"source":"/var/log/nginx/8081_access_json.log","type":"8081_log"}

filebeat收集日志经Logstash输出到ES

# 编写配置文件
vim /etc/filebeat/filebeat.yml
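filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/nginx/8081_access_json.log
  # Lines matching these patterns are not shipped. The option is spelled
  # exclude_lines; the original key "exclude_lins" is not a Filebeat option,
  # so the filter would presumably never have been applied.
  exclude_lines: ["^DBG","^$"]
  # Value of the "type" field attached to each event from this input.
  document_type: 8081_log

- input_type: log
  paths:
    - /var/log/nginx/8082_access_json.log
  # Lines matching these patterns are not shipped.
  exclude_lines: ["^DBG","^$"]
  # Value of the "type" field attached to each event from this input.
  document_type: 8082_log

output.logstash:
  hosts: ["10.0.0.105:6666"]
  # Enable this output (true is already the default).
  enabled: true
  # Number of workers.
  worker: 1
  # Compression level.
  compression_level: 3
  # Turn on load balancing when several hosts are listed.
  #  loadbalance: true
  # NOTE(review): as written, events travel to Logstash without encryption or
  # authentication. On a shared network, enable TLS on both ends; on the
  # Filebeat side that starts with trusting the CA, e.g. (placeholder path):
  #  ssl.certificate_authorities: ["<path-to-ca.pem>"]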

# 重启filebeat
systemctl restart filebeat

# 检查进程
[root@elk03 ~]# ps -ef |grep filebeat
root       9557      1  0 10:24 ?        00:00:00 /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat
root       9567   8809  0 10:24 pts/0    00:00:00 grep --color=auto filebeat

elk04的配置文件

# 编写配置文件
vim /etc/logstash/conf.d/bit.yyy.conf
# Pipeline: receive events from Filebeat, parse the JSON access-log line,
# and index the result into Elasticsearch.
input{
        # Listens on the port that Filebeat's output.logstash points at (6666).
        # NOTE(review): no ssl settings are present, so traffic arrives in
        # clear text and any host that can reach this port can submit events.
        # Consider the beats input's TLS options and a firewall rule limiting
        # the port to the Filebeat hosts.
        beats{
                port => '6666'
                codec => 'json'
        }
}
filter{
        # Parse the JSON text held in 'message' into event fields; the raw
        # 'message' field is removed once the filter has been applied.
        json{
                source => 'message'
                remove_field => ['message']
        }
}
output{
        # Index name is the event's 'type' field plus the event date,
        # e.g. 8081_log-2023.07.17.
        # NOTE(review): no credentials or TLS settings are configured for this
        # connection; confirm port 9200 is not reachable from untrusted
        # networks.
        elasticsearch{
                hosts => ['10.0.0.103:9200']
                index => '%{type}-%{+yyyy.MM.dd}'
                codec => 'json'
        }
}

[root@elk04 ~]# logstash -f /etc/logstash/conf.d/bit.yyy.conf

img

filebeat将日志输出到redis

# 编写配置文件
vim /etc/filebeat/filebeat.yml
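filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/nginx/8081_access_json.log
  # Lines matching these patterns are not shipped. The option is spelled
  # exclude_lines; the original key "exclude_lins" is not a Filebeat option,
  # so the filter would presumably never have been applied.
  exclude_lines: ["^DBG","^$"]
  # Value of the "type" field attached to each event from this input.
  document_type: 8081_log

- input_type: log
  paths:
    - /var/log/nginx/8082_access_json.log
  # Lines matching these patterns are not shipped.
  exclude_lines: ["^DBG","^$"]
  # Value of the "type" field attached to each event from this input.
  document_type: 8082_log

output.redis:
  hosts: ["10.0.0.51:6379"]
  # Name of the Redis key the events are published to.
  key: 'nginx_fw_log'
  # Use Redis database 6.
  db: 6
  # Connection timeout.
  timeout: 5
  # If Redis requires a password, set it here. The option is named
  # "password" (the original comment used "passwd").
  # NOTE(review): this Redis is reached over the network and the walkthrough
  # uses it without authentication; enabling a password on the server and
  # setting it here is advisable.
  # password: "<redis-password>"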

# If no Filebeat process is running
# NOTE(review): the registry holds Filebeat's per-file read offsets. Removing
# it makes Filebeat re-read the watched logs from the beginning, so lines that
# were already shipped will be sent again downstream.
systemctl stop filebeat
rm -fr /var/lib/filebeat/registry
systemctl start filebeat

# Start the service
systemctl start filebeat

# redis查看是否导入成功
[root@db01 ~]# redis-cli
127.0.0.1:6379> select 6
OK
127.0.0.1:6379[6]> keys *
1) "nginx_fw_log"