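Introduction to Filebeat and how to use it
Introduction:
Filebeat ships with prebuilt modules that contain the configuration needed to collect, parse, enrich and visualize data from various log file formats. Each Filebeat module consists of one or more filesets, which contain ingest node pipelines, Elasticsearch templates, Filebeat prospector configurations and Kibana dashboards.
Filebeat serves the same purpose as Logstash.
The ELK components are all written in Java.
Filebeat is written in Go and is very fast.
Filebeat modules are a good way to get started. Filebeat is a lightweight, single-purpose log collection tool, used to collect logs on servers that do not have Java installed; it can forward logs to Logstash, Elasticsearch, Redis and similar destinations for further processing.
Services supported by Filebeat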
1. Install Filebeat
# Upload the package
[root@logstash ~]# rz filebeat-6.6.0-x86_64.rpm
# Install
[root@logstash ~]# rpm -ivh filebeat-6.6.0-x86_64.rpm
2. Configuration file
[root@logstash ~]# rpm -qc filebeat
/etc/filebeat/filebeat.yml
3. Log file
[root@logstash ~]# less /var/log/filebeat/filebeat
II. Collecting a single log type to a local file with Filebeat
Configure Filebeat
1. Configuration
[root@logstash ~]# vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true    # the file must follow YAML syntax, otherwise Filebeat reports an error
  paths:
    - /var/log/messages
output.file:
  path: "/tmp"
  filename: "filebeat_message.log"
2. Start
[root@logstash ~]# systemctl start filebeat.service
[root@logstash ~]# ps -ef | grep filebeat
root 12418 1 2 16:55 ? 00:00:00 /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat
root 12438 7019 0 16:56 pts/0 00:00:00 grep --color=auto filebeat
3. Test
[root@logstash ~]# echo 1111 >> /var/log/messages
# Output received
[root@logstash ~]# tail -f /tmp/filebeat_message.log
{"@timestamp":"2020-07-21T08:58:00.373Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.6.0"},"source":"/var/log/messages","offset":230243,"prospector":{"type":"log"},"input":{"type":"log"},"beat":{"version":"6.6.0","name":"logstash","hostname":"logstash"},"host":{"name":"logstash"},"log":{"file":{"path":"/var/log/messages"}},"message":"1111"}
III. Collecting a single log to Elasticsearch with Filebeat
1. Configuration
[root@logstash ~]# vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/nginx_json.log
output.elasticsearch:
  hosts: ["10.0.0.51:9200"]    # when shipping logs to Elasticsearch, an index name does not have to be specified
[root@logstash ~]# systemctl restart filebeat.service
2. Access nginx to test
3. Configuration with an explicit Elasticsearch index name
[root@logstash ~]# vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/nginx_json.log
output.elasticsearch:
  hosts: ["10.0.0.51:9200"]
  index: "nginx_json-%{+yyyy.MM.dd}"    # Filebeat does not accept a custom index on its own; the setup.* settings below must be added
  #index: "nginx_json-%{[beat.version]}-%{+yyyy.MM.dd}"    # if several Filebeat versions are in use, the Filebeat version can be included
setup.template.pattern: "nginx-*"
setup.template.overwrite: false
setup.template.json.enabled: true    # note: these setup.* lines must start at the left margin, with no indentation
setup.template.enabled: false
setup.ilm.enabled: false
[root@logstash ~]# systemctl restart filebeat
4. Change how the logs are displayed in Kibana
[root@logstash ~]# vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/nginx_json.log
  json.keys_under_root: true
  json.overwrite_keys: true
output.elasticsearch:
  hosts: ["10.0.0.51:9200"]
  index: "nginx_json-%{+yyyy.MM.dd}"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.overwrite: false
setup.template.json.enabled: true
setup.template.enabled: false
setup.ilm.enabled: false
IV. Collecting a single log to Redis
1. Configuration
[root@logstash ~]# vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/nginx_json.log
  json.keys_under_root: true
  json.overwrite_keys: true
output.redis:
  hosts: ["172.16.1.53:6381"]
  db: "0"
  key: "nginx_json_redis"
2. Start
[root@logstash ~]# systemctl restart filebeat
3. Access nginx, then check Redis
[root@db03 ~]# redis-cli -p 6381 --raw
127.0.0.1:6381> keys *
nginx_json_redis
127.0.0.1:6381> LLEN nginx_json_redis
8
4. Configure Logstash to move the data from Redis into Elasticsearch
[root@logstash ~]# vim /etc/logstash/conf.d/filebeat_redis_es.conf
input {
  redis {
    host => "172.16.1.53"
    port => 6381
    data_type => "list"
    db => "0"
    key => "nginx_json_redis"
  }
}
output {
  elasticsearch {
    hosts => ["10.0.0.51:9200"]
    index => "filebeat_redis_es_%{+YYYY-MM-dd}"
  }
}
[root@logstash ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/filebeat_redis_es.conf
V. Collecting logs to Logstash with Filebeat
1. Configure Filebeat
[root@logstash ~]# vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/nginx_json.log
  json.keys_under_root: true
  json.overwrite_keys: true
output.logstash:
  hosts: ["10.0.0.54:6666"]
2. Configure Logstash to receive the data and pass it to Elasticsearch
[root@logstash ~]# vim /etc/logstash/conf.d/filebeat_logstash_es.conf
input {
  beats {
    port => 6666
  }
}
output {
  elasticsearch {
    hosts => ["10.0.0.51:9200"]
    index => "ngx_file_log_es_%{+YYYY-MM-dd}"
  }
}
I. Collecting multiple logs to Elasticsearch with Filebeat
1. Configuration method one:
[root@logstash ~]# vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/nginx_json.log
  json.keys_under_root: true
  json.overwrite_keys: true
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
output.elasticsearch:
  hosts: ["10.0.0.51:9200"]
  indices:
    - index: "nginx_json_%{[beat.version]}-%{+yyyy.MM.dd}"
      when.contains:
        source: "/var/log/nginx/nginx_json.log"
    - index: "nginx_access_%{[beat.version]}-%{+yyyy.MM.dd}"
      when.contains:
        source: "/var/log/nginx/access.log"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.overwrite: false
setup.template.json.enabled: true
setup.template.enabled: false
setup.ilm.enabled: false
2. Configuration method two:
[root@logstash ~]# vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/nginx_json.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["json"]
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  tags: ["access"]
output.elasticsearch:
  hosts: ["10.0.0.51:9200"]
  indices:
    - index: "nginx_json_%{[beat.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "json"
    - index: "nginx_access_%{[beat.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "access"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.overwrite: false
setup.template.json.enabled: true
setup.template.enabled: false
setup.ilm.enabled: false
II. Collecting Java error logs with Filebeat
1. Configuration
[root@logstash ~]# vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/nginx_json.log
  multiline.pattern: '^\['
  multiline.negate: true
  multiline.match: after
output.elasticsearch:
  hosts: ["10.0.0.51:9200"]
  index: "nginx_json_%{[beat.version]}-%{+yyyy.MM.dd}"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.overwrite: false
setup.template.json.enabled: true
setup.template.enabled: false
setup.ilm.enabled: false
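How the three multiline settings above turn a Java stack trace into one event, as an added Python example that is not part of the original post and is not Filebeat's own code. The sample log is constructed, the function name group_multiline is hypothetical, and the model covers only multiline.match: after plus the max_lines limit (the flush timeout is not modeled).

```python
import re

# Constructed sample: a Java-style log where each record starts with "[timestamp]".
SAMPLE_LOG = """\
[2020-07-21 16:55:01] INFO  Starting worker
[2020-07-21 16:55:02] ERROR Request failed
java.lang.NullPointerException: constructed example
    at com.example.Demo.run(Demo.java:42)
    at com.example.Demo.main(Demo.java:10)
Caused by: java.lang.IllegalStateException
    ... 2 more
[2020-07-21 16:55:03] INFO  Worker stopped
""".splitlines()


def group_multiline(lines, pattern=r"^\[", negate=True, max_lines=500):
    """Simplified model of multiline.match: after (an assumption-labelled sketch).

    A line is a continuation when (pattern matches) != negate. Continuations
    are appended to the current event; any other line starts a new event.
    Lines beyond max_lines in one event are discarded (Filebeat default: 500).
    """
    regex = re.compile(pattern)
    events, current = [], []
    for line in lines:
        is_continuation = bool(regex.search(line)) != negate
        if current and is_continuation:
            if len(current) < max_lines:
                current.append(line)
            continue  # over the limit: the line is consumed but dropped
        if current:
            events.append("\n".join(current))
        current = [line]  # the first line of input always opens an event
    if current:
        events.append("\n".join(current))
    return events


if __name__ == "__main__":
    # negate: true  -> 3 events, the stack trace stays attached to its ERROR line.
    # negate: false -> the trace is split into separate events, one per line.
    for negate in (True, False):
        events = group_multiline(SAMPLE_LOG, negate=negate)
        print(f"negate={negate}: {len(events)} events")
        for i, event in enumerate(events, 1):
            print(f"  event {i}: {event.count(chr(10)) + 1} line(s)")
```

With negate set to false the same pattern splits the trace across several events, which is why a stack trace that shows up in Kibana as many one-line documents usually points at this setting.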