一、filebeat收集单日志到本地文件
1.配置
#编辑Filebeat配置文件
[root@web01 ~]# vim /etc/filebeat/filebeat.yml
# Filebeat: tail the nginx access log and write the events to a local file
# (no Elasticsearch involved in this first exercise).
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/access.log
# Local-file output.  Filebeat creates the file itself; the listing further
# down shows it as root:root 0600.
# NOTE(review): /tmp is world-writable and shared with every local user, so
# another user can pre-create the name Filebeat will open.  A dedicated
# directory (e.g. under /var/log/filebeat/) avoids that — confirm /tmp is
# intentional for this lab only.
output.file:
  path: "/tmp/"
  filename: "filebeat_nginx.log"
2.启动
#启动Filebeat(CentOS6)
[root@web01 ~]# /etc/init.d/filebeat start
#启动Filebeat(CentOS7)
[root@web01 ~]# systemctl start filebeat
#检测进程
[root@web01 ~]# ps -ef|grep filebeat
root 10881 1 0 01:06 pts/1 00:00:00 /usr/share/filebeat/bin/filebeat-god -r / -n -p /var/run/filebeat.pid -- /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat
root 10882 10881 0 01:06 pts/1 00:00:00 /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat
3.验证文件
[root@web01 ~]# ll /tmp/
-rw------- 1 root root 3760 Dec 8 17:47 filebeat_nginx.log
二、filebeat收集单日志到ES
1.配置
[root@web01 ~]# vim /etc/filebeat/filebeat.yml
# Filebeat: tail the nginx access log and ship it straight to Elasticsearch.
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/access.log
# NOTE(review): plain http:// and no username/password/ssl settings, so the
# log lines (client IPs, URLs, user agents) cross the network in clear text
# and nothing here authenticates the shipper to the cluster.  Outside an
# isolated lab use https:// plus credentials or TLS client auth.
output.elasticsearch:
  hosts: ["http://10.0.0.71:9200"]
2.启动
[root@web01 ~]# systemctl restart filebeat.service
三、filebeat收集单日志json格式到ES
1.配置nginx的json格式日志
[root@web01 ~]# cat /etc/nginx/nginx.conf
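http {
    ... ...
    # JSON access-log format consumed by Filebeat's json.* decoder.
    #
    # escape=json (nginx >= 1.11.8) makes nginx escape '"', '\' and control
    # characters inside variable values.  Without it a request line, Referer
    # or User-Agent containing a double quote -- all attacker-controlled --
    # breaks the JSON document, and with Filebeat's keys_under_root a crafted
    # value can even add its own keys to the event.
    #
    # $http_x_forwarded_for is supplied by the client / proxy chain; treat it
    # as untrusted unless a proxy you control sets it.
    log_format json escape=json '{ "time_local": "$time_local", '
    '"remote_addr": "$remote_addr", '
    '"referer": "$http_referer", '
    '"request": "$request", '
    '"status": $status, '
    '"bytes": $body_bytes_sent, '
    '"agent": "$http_user_agent", '
    '"x_forwarded": "$http_x_forwarded_for", '
    '"up_addr": "$upstream_addr",'
    '"up_host": "$upstream_http_host",'
    '"upstream_time": "$upstream_response_time",'
    '"request_time": "$request_time" }';
    access_log /var/log/nginx/access.log json;
    ... ...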
2.配置收集日志
[root@web01 ~]# vim /etc/filebeat/filebeat.yml
# Filebeat: decode the JSON access log produced by the nginx log_format above
# and ship each line as a structured event.
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/access.log
    # keys_under_root promotes the decoded keys to the top level of the
    # event; overwrite_keys lets them win over Filebeat's own fields on a
    # name clash.
    # NOTE(review): every key in the log line becomes an event field, so the
    # attacker-influenced values (request, referer, user agent) must be
    # JSON-escaped by nginx (escape=json), or a crafted value can break the
    # document / add fields.
    json.keys_under_root: true
    json.overwrite_keys: true
# Plain http:// with no credentials -- see the note in the previous section.
output.elasticsearch:
  hosts: ["http://10.0.0.71:9200"]
3.启动
[root@web01 ~]# systemctl restart nginx
[root@web01 ~]# systemctl restart filebeat.service
四、自定义ES索引名称
1.配置
[root@web01 ~]# vim /etc/filebeat/filebeat.yml
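# Filebeat: JSON access log to Elasticsearch under a custom daily index name.
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/access.log
    json.keys_under_root: true
    json.overwrite_keys: true
output.elasticsearch:
  hosts: ["http://10.0.0.71:9200"]
  # Daily index.  The date placeholder must be %{+yyyy-MM-dd}; the original
  # "%yyyy-MM-dd}" is missing "{+" and is not a valid expression, so the
  # date is never expanded.  The later sections use the correct form.
  index: "nginx_json_log_%{+yyyy-MM-dd}"
# Template settings are top-level keys (not indented under output.*).  The
# template name is independent of the index name above.
# NOTE(review): the pattern "filebeat-*" does not match "nginx_json_log_*",
# so the Filebeat template's mappings are not applied to that index (ES
# dynamic mapping is used instead) -- confirm that is intended, otherwise
# set the pattern to "nginx_json_log_*".
setup.template.name: "filebeat-*"
setup.template.pattern: "filebeat-*"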
2.启动
[root@web01 ~]# systemctl restart filebeat.service
五、filebeat收集单日志到redis
1.配置
[root@web01 ~]# vim /etc/filebeat/filebeat.yml
# Filebeat: JSON access log pushed onto a Redis list for Logstash to consume.
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/access.log
    json.keys_under_root: true
    json.overwrite_keys: true
# Events are LPUSHed onto the list "nginx_log" in db 0 (see LLEN below).
# NOTE(review): no password (output.redis.password) and no ssl settings are
# configured here, and the Redis side binds to LAN interfaces, so the queue
# is readable and writable by anything that can reach 10.0.0.81:6379.  Set
# requirepass on Redis + password here and restrict 6379 at the firewall.
output.redis:
  hosts: ["10.0.0.81:6379"]
  key: "nginx_log"
  db: 0
[root@redis01 ~]# vim /etc/redis
# Listen on both LAN addresses plus loopback so web01 can reach Redis.
# NOTE(review): nothing in this excerpt sets requirepass or protected-mode,
# so an unauthenticated Redis is exposed on the network; anyone reaching
# 6379 can read, modify or flush the log queue.  Confirm it is firewalled.
bind 10.0.0.81 172.16.1.81 127.0.0.1
2.启动
[root@web01 ~]# systemctl restart filebeat.service
[root@redis01 ~]# systemctl restart redis
3.redis查看数据
127.0.0.1:6379> keys *
1) "nginx_log"
127.0.0.1:6379> LLEN nginx_log
(integer) 33
六、filebeat收集单日志到logstash
1.配置
[root@web01 ~]# vim /etc/filebeat/filebeat.yml
# Filebeat: JSON access log sent to a Logstash beats input.
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/access.log
    json.keys_under_root: true
    json.overwrite_keys: true
# Logstash listens on 7890 (beats input in the pipeline below).
# NOTE(review): no ssl.* settings on either side, so the beats protocol runs
# in clear text and the Logstash port accepts events from any client.
output.logstash:
  hosts: ["10.0.0.81:7890"]
2.启动
[root@web01 ~]# systemctl restart filebeat.service
3.配置logstash
[root@redis01 ~]# vim /etc/logstash/conf.d/filebeat_logstash_es.conf
# Logstash pipeline: receive events from Filebeat and index them daily.
input {
  beats {
    # NOTE(review): no ssl / ssl_certificate / ssl_key, so any host that can
    # reach 7890 can inject events into this pipeline.
    port => "7890"
  }
}
output {
  elasticsearch {
    # Plain http, no user/password -- same caveat as the Filebeat outputs.
    hosts => ["10.0.0.71:9200"]
    # Logstash date syntax is %{+YYYY-MM-dd} (Filebeat's is +yyyy-MM-dd).
    index => "filebeat_logstash_%{+YYYY-MM-dd}"
  }
}
[root@redis01 ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/filebeat_logstash_es.conf &
七、filebeat收集多日志到ES
1.方法一:
[root@web01 ~]# vim /etc/filebeat/filebeat.yml
# Method 1: one input covering both nginx log files.
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/access.log
      - /var/log/nginx/error.log
    # NOTE(review): these json.* settings apply to BOTH paths, but only
    # access_log uses the JSON log_format; error.log is plain text, so its
    # lines will fail JSON decoding.  Method 2 below splits the two files
    # into separate inputs for exactly this reason.
    json.keys_under_root: true
    json.overwrite_keys: true
output.elasticsearch:
  hosts: ["http://10.0.0.71:9200"]
  index: "nginx_json_%{+yyyy-MM-dd}"
# NOTE(review): "filebeat-*" does not match "nginx_json_*", so the Filebeat
# template mapping is not applied to that index.
setup.template.name: "filebeat-*"
setup.template.pattern: "filebeat-*"
2.方法二:
[root@web01 ~]# cat /etc/filebeat/filebeat.yml
# Method 2: one input per file so the json.* decoder only touches access.log.
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/access.log
    json.keys_under_root: true
    json.overwrite_keys: true
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/error.log
    # plain-text lines: deliberately no json.* options on this input
output.elasticsearch:
  hosts: ["http://10.0.0.71:9200"]
  # Both inputs still land in the same daily index; the next section routes
  # each file to its own.
  index: "nginx_json_%{+yyyy-MM-dd}"
setup.template.name: "filebeat-*"
setup.template.pattern: "filebeat-*"
八、filebeat收集多日志到多个ES索引
1.方法一:
[root@web01 ~]# cat !$
cat /etc/filebeat/filebeat.yml
# Method 1: route each event to an index chosen by the file it was read from.
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/access.log
    json.keys_under_root: true
    json.overwrite_keys: true
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/error.log
output.elasticsearch:
  hosts: ["http://10.0.0.71:9200"]
  # Conditional index selection on the Filebeat-added "source" field (the
  # path of the file the line came from).
  # NOTE(review): later Filebeat releases expose the path as log.file.path
  # instead -- confirm against the installed version.  Also, because the
  # access input uses overwrite_keys: true, a JSON log line carrying its own
  # "source" key would replace this field and change the routing if nginx
  # does not escape log values -- verify.
  indices:
    - index: "nginx_access_%{+yyyy-MM-dd}"
      when.contains:
        source: "/var/log/nginx/access.log"
    - index: "nginx_error_%{+yyyy-MM-dd}"
      when.contains:
        source: "/var/log/nginx/error.log"
setup.template.name: "filebeat-*"
setup.template.pattern: "filebeat-*"
2.方法二
[root@web01 ~]# cat /etc/filebeat/filebeat.yml
# Method 2: tag each input and route on the tag instead of the file path.
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/access.log
    json.keys_under_root: true
    json.overwrite_keys: true
    tags: ["access"]
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/error.log
    tags: ["error"]
output.elasticsearch:
  hosts: ["http://10.0.0.71:9200"]
  # Tags are set by this config, not derived from the path, so the routing
  # does not depend on which field name a given Filebeat version uses for
  # the file path.
  # NOTE(review): with overwrite_keys: true on the access input, a JSON log
  # line that contains a "tags" key could still override the tag -- make
  # sure nginx escapes log values.
  indices:
    - index: "nginx_access_%{+yyyy-MM-dd}"
      when.contains:
        tags: "access"
    - index: "nginx_error_%{+yyyy-MM-dd}"
      when.contains:
        tags: "error"
setup.template.name: "filebeat-*"
setup.template.pattern: "filebeat-*"
九、filebeat收集java的报错日志
1.配置收集tomcat日志
[root@web01 ~]# vim /etc/filebeat/filebeat.yml
# Filebeat: Tomcat JSON access logs to a daily Elasticsearch index.
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      # glob over the rotated tomcat_access_json.*.log files
      - /usr/local/tomcat/logs/tomcat_access_json.*.log
    json.keys_under_root: true
    json.overwrite_keys: true
output.elasticsearch:
  hosts: ["http://10.0.0.71:9200"]
  index: "tomcat_access_%{+yyyy-MM-dd}"
setup.template.name: "filebeat-*"
setup.template.pattern: "filebeat-*"
2.配置收集java报错日志
[root@web01 ~]# cat /etc/filebeat/filebeat.yml
# Filebeat: collect Java error output, joining multi-line stack traces.
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /usr/local/tomcat/logs/localhost_access_log.*.txt
    # Multiline: a line that does NOT start with "[" (negate: true) is
    # appended to the preceding event (match: after), which is the usual
    # way to keep a stack trace together with its "[timestamp] ..." header.
    multiline.pattern: '^\['
    multiline.negate: true
    multiline.match: after
    # json.message_key names the decoded field the multiline rule is applied
    # to, i.e. each line is expected to be JSON with a "log" key.
    # NOTE(review): localhost_access_log.*.txt is Tomcat's default access-log
    # name (normally not JSON), yet json.* decoding is on and the index is
    # called tomcat_access_* although this section is about error logs --
    # check which file (catalina.out?) and which format are actually meant.
    json.keys_under_root: true
    json.overwrite_keys: true
    json.message_key: log
output.elasticsearch:
  hosts: ["http://10.0.0.71:9200"]
  index: "tomcat_access_%{+yyyy-MM-dd}"
setup.template.name: "filebeat-*"
setup.template.pattern: "filebeat-*"
十、kibana画图统计客户端IP
1.安装geoip
[root@web01 ~]# cd /etc/logstash/
[root@web01 /etc/logstash]# rz
[root@web01 /etc/logstash]# ll
-rw-r--r-- 1 root root 33255554 May 26 2020 ingest-geoip-6.6.0.zip
[root@web01 /etc/logstash]# unzip ingest-geoip-6.6.0.zip
[root@web01 /etc/logstash]# ll config/
total 65816
-rw-rw-r-- 1 root root 6173457 Jan 24 2019 GeoLite2-ASN.mmdb
-rw-rw-r-- 1 root root 57784030 Jan 24 2019 GeoLite2-City.mmdb
-rw-rw-r-- 1 root root 3428908 Jan 24 2019 GeoLite2-Country.mmdb
2.配置
#进入Logstash配置文件目录
[root@web01 logstash]# cd /etc/logstash/conf.d/
#编辑Logstash配置文件
[root@web01 conf.d]# vim nginx_es_ip.conf
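# Logstash pipeline: read the JSON nginx access log, enrich the client IP
# with GeoIP data and index daily for the Kibana map.
input {
  file {
    path => "/var/log/nginx/access.log"
    codec => "json"
    # The output index name below references %{type}; without setting it
    # here the placeholder is left unexpanded in the index name.
    type => "nginx_access"
  }
}
filter {
  geoip {
    # Look up the socket peer address.  Do not point this at the client
    # supplied X-Forwarded-For ("xff" in the sample records) unless a proxy
    # you control sets that header.
    source => "clientip"
    target => "geoip"
    database => "/etc/logstash/config/GeoLite2-City.mmdb"
    # Two add_field calls on one key build the array [lon, lat], the order
    # Elasticsearch geo_point arrays use.
    add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
  }
  mutate {
    # add_field produced strings; the map needs numbers.
    convert => [ "[geoip][coordinates]", "float"]
  }
}
output {
  elasticsearch {
    hosts => ["10.0.0.71:9200"]
    index => "logstash-%{type}-%{+YYYY.MM.dd}"
  }
}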
#启动Logstash
[root@elkstack03 ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/nginx_es_ip.conf &
3.写入数据
{"@timestamp":"2021-04-11T20:27:25+08:00","host":"222.28.0.112","clientip":"222.28.0.112","size":0,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.elk.com","url":"/index.html","domain":"www.elk.com","xff":"10.0.0.1","referer":"-","status":"304"}
{"@timestamp":"2021-04-11T20:40:24+08:00","host":" 124.225.0.13","clientip":"124.225.0.13","size":0,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.elk.com","url":"/index.html","domain":"www.elk.com","xff":"10.0.0.1","referer":"-","status":"304"}
{"@timestamp":"2021-04-11T20:45:24+08:00","host":" 124.234.0.12","clientip":"124.234.0.12","size":0,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.elk.com","url":"/index.html","domain":"www.elk.com","xff":"10.0.0.1","referer":"-","status":"304"}
{"@timestamp":"2021-04-11T20:46:24+08:00","host":" 123.164.0.18","clientip":"123.164.0.18","size":0,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.elk.com","url":"/index.html","domain":"www.elk.com","xff":"10.0.0.1","referer":"-","status":"304"}