ELKF搭建
logstash
cat /etc/logstash/logstash.yml |grep -v '#'
# Effective (non-comment) settings of /etc/logstash/logstash.yml.
path.data: /data/logstash/data
pipeline.ordered: auto
# Every file matching this glob is loaded as pipeline configuration. Logstash
# concatenates the matching files into one pipeline, so each output block
# placed here needs its own conditional to avoid receiving every event.
path.config: /data/logstash_conf/*.conf
# With automatic reload, anything written to /data/logstash_conf becomes live
# pipeline configuration within one reload interval (3s here). Write access to
# that directory is therefore equivalent to control over where logs are sent;
# keep it writable only by the account that deploys the pipeline files.
config.reload.automatic: true
config.reload.interval: 3s
log.level: info
path.logs: /var/log/logstash
cat input.conf
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
# This file defines only the input side of that pipeline.
input {
beats {
# Listener that Filebeat's output.logstash connects to.
# No ssl options and no host are set in this block, so events arrive
# unencrypted and the plugin's default bind address applies: any machine
# that can reach port 5044 can submit events. Enable TLS with
# client-certificate verification on this input, or restrict the port to the
# Filebeat hosts at the firewall.
port => 5044
}
}
filebeat
[root@pro-bed-10-10-0-120 ~]# cat /etc/filebeat/filebeat.yml
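# No inputs are defined inline; they are loaded from external files below.
filebeat.inputs:

# Input definitions are read from separate files and reloaded while Filebeat
# runs. The relative path is presumably resolved against the Filebeat config
# directory (/etc/filebeat/configs here) - confirm for the installed version.
# NOTE(review): newer Filebeat releases name this section
# filebeat.config.inputs; "prospectors" is the older spelling - confirm which
# one the installed version accepts.
# Because reload is enabled, a file dropped into configs/ is picked up within
# 10s, so whoever can write to that directory decides which files this host
# ships. Keep the directory and its files owned by root and not writable by
# group or others.
filebeat.config.prospectors:
  enabled: true
  path: configs/*.yml
  reload.enabled: true
  reload.period: 10s

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
  reload.period: 10s

# No ssl section is configured, so log events travel to Logstash unencrypted
# and the Logstash endpoint is not authenticated. Add TLS settings here and on
# the Beats input if the traffic leaves a trusted network segment.
output.logstash:
  hosts: ["*********:5044"]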
cat find_file_logstast.sh
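#!/bin/bash
#
# find_file_logstast.sh
#
# For every log file /logs/<dir>/<file>.log, regenerate
#   - a Filebeat input   /etc/filebeat/configs/<dir>-<file>.yml
#   - a Logstash output  /data/logstash_conf/<dir>-<file>.conf
# and then copy the Logstash pipeline files to the second Logstash host.
# Existing files are always overwritten; files for logs that no longer exist
# are not removed, locally or on the remote host.
#
# Security notes for whoever maintains this:
#   * File names under /logs end up inside YAML, inside Logstash configuration
#     and in file paths. They are treated as untrusted and must match
#     SAFE_NAME_RE, otherwise the log file is skipped.
#   * Every generated .conf contains the Elasticsearch user and password in
#     clear text (values are redacted on this page) and is created with the
#     default umask. Prefer a Logstash keystore reference for the password and
#     make sure the files are readable only by the Logstash service account.
#   * The Elasticsearch URL is http://, so those credentials and the log data
#     cross the network unencrypted. Use https with certificate verification
#     if the traffic leaves a trusted segment.

set -u

readonly LOG_ROOT=/logs
readonly FILEBEAT_CONF_DIR=/etc/filebeat/configs
readonly LOGSTASH_CONF_DIR=/data/logstash_conf
readonly SAFE_NAME_RE='^[A-Za-z0-9._-]+$'

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Absolute target paths are used instead of cd + relative rm, so a missing
# directory can never cause files to be deleted or written somewhere else.
[[ -d "$FILEBEAT_CONF_DIR" ]] || die "missing directory: $FILEBEAT_CONF_DIR"
[[ -d "$LOGSTASH_CONF_DIR" ]] || die "missing directory: $LOGSTASH_CONF_DIR"

# Let the shell expand the pattern: no word splitting on spaces, and no
# iteration over the literal pattern when nothing matches.
shopt -s nullglob

for log_path in "$LOG_ROOT"/*/*.log; do
  [[ -f "$log_path" ]] || continue

  # /logs/app/server.log -> app/server.log -> app-server.log -> app-server
  name=${log_path#"$LOG_ROOT"/}
  name=${name/\//-}
  name=${name/.log/}

  if [[ ! "$name" =~ $SAFE_NAME_RE ]]; then
    printf 'skipping %s: derived name contains characters outside [A-Za-z0-9._-]\n' \
      "$log_path" >&2
    continue
  fi

  filebeat_file="$FILEBEAT_CONF_DIR/${name}.yml"
  logstash_file="$LOGSTASH_CONF_DIR/${name}.conf"

  # Remove first so that a symlink left at the target path is replaced rather
  # than written through.
  rm -f -- "$filebeat_file"
  cat > "$filebeat_file" <<EOF || die "cannot write $filebeat_file"
- type: log
  enabled: true
  paths:
    - $log_path
  tags: "$name"
  multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: after
  multiline.timeout: 10s
EOF

  # All *.conf files are merged into one Logstash pipeline, so the tag
  # condition is what keeps this output from receiving other logs' events.
  rm -f -- "$logstash_file"
  cat > "$logstash_file" <<EOF || die "cannot write $logstash_file"
output {
  if "$name" in [tags] {
    elasticsearch {
      action => "index"
      hosts => ["http://***************:9200"]
      index => "${name}-%{+YYYY-MM-dd}"
      user => "**********"
      password => "**************"
    }
  }
}
EOF
done

date

# The copied files carry the Elasticsearch credentials; the destination
# directory needs the same access restrictions as the local one.
conf_files=("$LOGSTASH_CONF_DIR"/*)
if (( ${#conf_files[@]} > 0 )); then
  scp -r -- "${conf_files[@]}" '**************:/data/logstash_conf/' \
    || die "scp of Logstash pipeline files failed"
fi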