1. Download and extract:
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.5.4.tar.gz
tar -zxvf logstash-6.5.4.tar.gz
cd logstash-6.5.4/config
cp logstash-sample.conf default.conf
2. Start the example:
cd ../bin/
./logstash -f …/config/default.conf
3. Install Filebeat:
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.5.4-linux-x86_64.tar.gz
tar -zxvf filebeat-6.5.4-linux-x86_64.tar.gz
cd filebeat-6.5.4-linux-x86_64
Configure it:
vim filebeat.yml
filebeat.inputs:
- type: log
  # Change to true to enable this input configuration.
  enabled: true
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /tmp/logs/test.log
  fields:
    app_id: query_oalog_1
    log_type: api-hub
  multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
  # Defines if the pattern set under pattern should be negated or not. Default is false.
  multiline.negate: true
  # Match can be set to "after" or "before". It is used to define if lines should be appended to a pattern
  # that was (not) matched before or after or as long as a pattern is not matched based on negate.
  # Note: After is the equivalent to previous and before is the equivalent to next in Logstash
  multiline.match: after
# Load a different index template
setup.template.name: "filebeat"
setup.template.pattern: "filebeat-*"
setup.template.settings:
  index.number_of_shards: 3
# Write to the search engine (Elasticsearch)
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["10.10.10.10:9200"]
  # By default, Filebeat writes events to an index named filebeat-6.4.0-yyyy.MM.dd, where yyyy.MM.dd is the date the event was indexed. To use a different name, set the index option in the Elasticsearch output.
  index: "%{[fields.log_type]}-%{[beat.version]}-%{+yyyy.MM.dd}"
enabled: true turns this configuration section on.
paths: the files to monitor under the given directory; glob patterns are supported.
fields: extra fields added to every event; in this example app_id and log_type are added under fields.
multiline: multi-line log handling. The settings below mean: any line that does not start with a timestamp is merged onto the end of the previous line (the regex is rough, ignore that).
pattern: the regular expression each line is tested against.
negate: true or false; the default is false, in which case lines that match pattern are merged into the previous line; with true, lines that do not match pattern are merged into the previous line.
match: after or before; merge onto the end or the beginning of the previous line.
output.elasticsearch: set hosts to the address of the search engine (Elasticsearch).
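To make the pattern/negate/match semantics concrete, here is an added Python example (not from the original post and not Filebeat's own code) that reimplements the multiline grouping over a constructed log sample containing a stack trace. It goes a little beyond the post: it handles both match modes and a max_lines cap as well as the negate: true / match: after combination used in filebeat.yml. The function names, the sample lines and the max_lines default are assumptions made for the example.

```python
import re

# Constructed sample input (not from the original post): a Java-style
# stack trace spans several lines, which is the usual reason for multiline.
SAMPLE_LOG = """\
2019-12-10 10:00:01 INFO  request handled
2019-12-10 10:00:02 ERROR request failed
java.lang.NullPointerException: boom
    at com.example.Handler.handle(Handler.java:42)
2019-12-10 10:00:03 INFO  recovered
"""

# The pattern from the filebeat.yml above: a line starting with YYYY-MM-DD.
TIMESTAMP_PATTERN = r"^[0-9]{4}-[0-9]{2}-[0-9]{2}"


def merge_multiline(lines, pattern, negate=False, match="after", max_lines=500):
    """Group raw lines into events the way Filebeat's multiline options do.

    A line is a *continuation line* when (regex matches) XOR negate is true:
      negate=False -> lines that match the pattern are continuations
      negate=True  -> lines that do NOT match the pattern are continuations
    match="after"  -> continuation lines are appended to the previous event
    match="before" -> continuation lines are prepended to the next event
    max_lines      -> continuation lines beyond this count are discarded
                      (assumed to mirror Filebeat's multiline.max_lines default)
    Returns a list of events, each a newline-joined string.
    """
    if match not in ("after", "before"):
        raise ValueError("match must be 'after' or 'before'")
    regex = re.compile(pattern)
    events, buf = [], []
    for line in lines:
        is_continuation = (regex.search(line) is not None) != negate
        if match == "after":
            if is_continuation and buf:
                if len(buf) < max_lines:
                    buf.append(line)          # glue onto the open event
            else:
                if buf:
                    events.append("\n".join(buf))  # close the previous event
                buf = [line]                       # this line opens a new one
        else:  # match == "before"
            if is_continuation:
                if len(buf) < max_lines:
                    buf.append(line)          # hold until the anchor line arrives
            else:
                buf.append(line)              # anchor line closes the event
                events.append("\n".join(buf))
                buf = []
    if buf:
        events.append("\n".join(buf))         # flush whatever is still open
    return events


def events_as_configured():
    """The post's configuration: negate: true, match: after."""
    return merge_multiline(SAMPLE_LOG.splitlines(), TIMESTAMP_PATTERN,
                           negate=True, match="after")


def events_with_negate_false():
    """Same pattern with negate left at its default (false): timestamp lines
    become the continuations, so the stack trace is split across events."""
    return merge_multiline(SAMPLE_LOG.splitlines(), TIMESTAMP_PATTERN,
                           negate=False, match="after")


if __name__ == "__main__":
    for event in events_as_configured():
        print("---\n" + event)
```

With the post's settings the sample yields three events, and the ERROR line carries its two stack-trace lines; with negate left at false the two timestamp lines are glued together and the trace ends up as separate events, which is why negate: true is needed when the pattern describes the first line of an event rather than its continuations.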
4. Start it:
./filebeat -e -c filebeat.yml > filebeat.log
Source: CSDN
Author: 学徒魏菱延
Link: https://blog.csdn.net/u014628146/article/details/103479518