Filebeat is a lightweight log collection framework written in Go. It has to be deployed on every host that logs are collected from, and configured with the paths of the log files. It can ship logs to Elasticsearch or Logstash; this post uses Elasticsearch as the example. The configuration is split into two main parts, input and output. After unpacking the archive you will find the filebeat.yml configuration file, which is where the configuration is done.

filebeat.inputs:
- type: log
  # Log file location
  paths:
    - /data/logs/*/*.log
output.elasticsearch:
  # Elasticsearch connection settings
  hosts: ["localhost:9200"]
  protocol: "http"
  username: "elastic"
  password: "888888"

An index named "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}-%{index_num}" is created automatically.

Example:

vim /etc/filebeat/filebeat.yml

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/messages
  tags: ["messages"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/nova-compute.log
  tags: ["nova-compute"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/nova-manage.log
  tags: ["nova-manage"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/scheduler.log
  tags: ["scheduler"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/conductor.log
  tags: ["conductor"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/cert.log
  tags: ["cert"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/consoleauth.log
  tags: ["consoleauth"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/nova-novncproxy.log
  tags: ["nova-novncproxy"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/rabbitmq/rabbit*.log
  tags: ["rabbit"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/glance/*.log
  tags: ["glance"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/neutron/openvswitch-agent.log
  tags: ["openvswitch-agent"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/kuryr/kuryr-controller.log
  tags: ["kuryr-controller"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/keystone/keystone.log
  tags: ["keystone"]
  fields_under_root: true

output.elasticsearch:
  hosts: ["172.24.110.12:9200", "172.24.110.12:9200"]
  username: elastic
  password: xxxxxxx
  indices:
    - index: "compute_messages-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "messages"
              message: "err"
          - contains:
              tags: "messages"
              message: "ERR"
          - contains:
              tags: "messages"
              message: "fail"
    - index: "compute_messages-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "messages"
    - index: "compute_nova-compute-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "nova-compute"
              message: "err"
          - contains:
              tags: "nova-compute"
              message: "ERR"
          - contains:
              tags: "nova-compute"
              message: "fail"
    - index: "compute_nova-compute-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "nova-compute"

    - index: "controller_nova-manage-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "nova-manage"
              message: "err"
          - contains:
              tags: "nova-manage"
              message: "ERR"
          - contains:
              tags: "nova-manage"
              message: "fail"
    - index: "controller_nova-manage-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "nova-manage"

    - index: "controller_scheduler-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "scheduler"
              message: "err"
          - contains:
              tags: "scheduler"
              message: "ERR"
          - contains:
              tags: "scheduler"
              message: "fail"
    - index: "controller_scheduler-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "scheduler"

    - index: "controller_conductor-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "conductor"
              message: "err"
          - contains:
              tags: "conductor"
              message: "ERR"
          - contains:
              tags: "conductor"
              message: "fail"
    - index: "controller_conductor-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "conductor"

    - index: "controller_cert-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "cert"
              message: "err"
          - contains:
              tags: "cert"
              message: "ERR"
          - contains:
              tags: "cert"
              message: "fail"
    - index: "controller_cert-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "cert"

    - index: "controller_consoleauth-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "consoleauth"
              message: "err"
          - contains:
              tags: "consoleauth"
              message: "ERR"
          - contains:
              tags: "consoleauth"
              message: "fail"
    - index: "controller_consoleauth-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "consoleauth"

    - index: "controller_nova-novncproxy-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "nova-novncproxy"
              message: "err"
          - contains:
              tags: "nova-novncproxy"
              message: "ERR"
          - contains:
              tags: "nova-novncproxy"
              message: "fail"
    - index: "controller_nova-novncproxy-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "nova-novncproxy"

    - index: "controller_rabbit-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "rabbit"
              message: "err"
          - contains:
              tags: "rabbit"
              message: "ERR"
          - contains:
              tags: "rabbit"
              message: "fail"
    - index: "controller_rabbit-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "rabbit"

    - index: "controller_glance-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "glance"
              message: "err"
          - contains:
              tags: "glance"
              message: "ERR"
          - contains:
              tags: "glance"
              message: "fail"
    - index: "controller_glance-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "glance"

    - index: "controller_openvswitch-agent-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "openvswitch-agent"
              message: "err"
          - contains:
              tags: "openvswitch-agent"
              message: "ERR"
          - contains:
              tags: "openvswitch-agent"
              message: "fail"
    - index: "controller_openvswitch-agent-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "openvswitch-agent"

    - index: "controller_kuryr-controller-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "kuryr-controller"
              message: "err"
          - contains:
              tags: "kuryr-controller"
              message: "ERR"
          - contains:
              tags: "kuryr-controller"
              message: "fail"
    - index: "controller_kuryr-controller-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "kuryr-controller"

    - index: "controller_keystone-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "keystone"
              message: "err"
          - contains:
              tags: "keystone"
              message: "ERR"
          - contains:
              tags: "keystone"
              message: "fail"
    - index: "controller_keystone-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "keystone"

setup.ilm.enabled: false
setup.template.name: system
setup.template.pattern: system-*

Example index: filebeat-7.12.1-2023.05.16-000001

Index creation rules

By default, Filebeat uses Elasticsearch's index lifecycle policy: indices are generated through index lifecycle management (ILM).

Configuring ILM

# auto, false or true
setup.ilm.enabled: auto
# Index alias
setup.ilm.rollover_alias: "filebeat"
# Index increment pattern
setup.ilm.pattern: "{now/d}-000001"

setup.ilm.enabled defaults to auto, which creates indices using the filebeat lifecycle policy in Elasticsearch.

setup.ilm.rollover_alias defaults to filebeat-%{[agent.version]} and sets the index alias used when the index is created.

setup.ilm.pattern defaults to %{now/d}-000001 and is the rollover increment pattern for the index.

The automatically generated index name is alias + pattern, for example filebeat-7.12.1-2023.05.16-000001.

More configuration options: https://www.elastic.co/guide/en/beats/filebeat/7.17/ilm.html

Custom indices

output.elasticsearch can specify an index. The first step in using a custom index is to disable ILM:

setup.ilm.enabled: false

The next step is to configure setup.template.name and setup.template.pattern:

setup.template.name: "filebeat"
setup.template.pattern: "filebeat-*"
setup.template.overwrite: false

Then specify index under output.elasticsearch:

index: "spring-%{[agent.version]}-%{+yyyy.MM.dd}"

Running Filebeat then automatically creates the index spring-7.12.1-2023.05.16. The index definition can use variables from the event context. You can define custom fields in the input:

fields:
  level: system
  region: A1

Custom fields are pushed to the index together with the event, and can be used in index:

index: "spring-%{[fields.region]}-%{[agent.version]}-%{+yyyy.MM.dd}"

This generates the index spring-a1-7.12.1-2023.05.16. Note that A1 was automatically converted to lowercase.

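Merging multi-line logs

By default, each log line is collected as one record. In some cases, such as formatted output or exception stack traces, one complete log entry spans several lines, and multiline matching has to be configured. The options go under filebeat.inputs:

multiline.pattern: '^\['
multiline.negate: true
multiline.match: after

multiline.pattern specifies the regular expression to match; here '^\[' matches lines that start with [. The exact pattern has to match the format of the logs actually being produced.

The negate and match parameters are used together. I didn't fully understand them and find them a bit convoluted to reason about, so look at the official examples yourself at https://www.elastic.co/guide/en/ ... iline-examples.html, which include a table with illustrations. Roughly, they decide whether lines that do not match are merged upward or downward, that is, which entry they belong to. With true and after as configured here, lines that do not match the pattern are attached to the preceding matching line.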

Writing to different indices based on conditions

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  indices:
    - index: "warning-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        message: "WARN"
    - index: "error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        message: "ERR"

This checks whether message contains certain content. Not demonstrated here.
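
How conditional routing of this kind behaves on real messages, as an added example that is not part of the original post and is not Filebeat's code. It assumes this model of the conditions: the first matching rule in indices wins, fields inside one contains are ANDed, a string field is matched as a case-sensitive substring and a list field such as tags must have an equal element. The rules are the "messages" pair from the longer configuration earlier in the post; the events are constructed.

```python
def contains(event, cond):
    """Model of a `contains` condition: every listed field must match (AND)."""
    for field, needle in cond.items():
        value = event.get(field)
        if isinstance(value, list):      # e.g. tags: one element must equal the value
            if needle not in value:
                return False
        elif isinstance(value, str):     # e.g. message: case-sensitive substring
            if needle not in value:
                return False
        else:
            return False
    return True


def route(event, rules, default="filebeat"):
    """Return the index prefix of the first matching rule, else the default index."""
    for index, alternatives in rules:
        if any(contains(event, c) for c in alternatives):   # the `or:` list
            return index
    return default


# The two rules for the "messages" tag, in the order the post lists them.
RULES = [
    ("compute_messages-error",
     [{"tags": "messages", "message": m} for m in ("err", "ERR", "fail")]),
    ("compute_messages", [{"tags": "messages"}]),
]


def ev(message, tag="messages"):
    return {"tags": [tag], "message": message}


# Constructed sample events.
SAMPLES = {
    "io_error": ev("kernel: I/O error, dev sda, sector 2048"),
    "ssh_failed": ev("sshd[911]: Failed password for root from 203.0.113.7"),
    "interrupt": ev("kernel: interrupt remapping enabled"),
    "other_tag": ev("ERROR something", tag="nginx"),
}


def routed(rules=RULES):
    return {name: route(event, rules) for name, event in SAMPLES.items()}


if __name__ == "__main__":
    print("page order:    ", routed())
    # With the general rule first, the error index never receives anything.
    print("reversed order:", routed(list(reversed(RULES))))
```

Two things stand out when this runs: "Failed password" misses the error index because "fail" is matched case-sensitively, while "interrupt" lands in it because it contains "err".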

The collected logs can be viewed and searched in Kibana's log UI. You need to configure a log index pattern; for the example above, add the pattern spring-*.

In the end, the effective filebeat.yml configuration looks roughly like this:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /data/logs/*/*.log

  fields:
    level: system
    region: A1
  multiline.pattern: '^#\['
  multiline.negate: true
  multiline.match: after

output.elasticsearch:
  hosts: ["localhost:9200"]
  protocol: "http"
  username: "elastic"
  password: "888888"
  index: "spring-%{[fields.region]}-%{[agent.version]}-%{+yyyy.MM.dd}"
setup.ilm.enabled: false
setup.template.name: "filebeat"
setup.template.pattern: "filebeat-*"
setup.template.overwrite: false
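
A small check for the output section of a configuration like the one above, as an added example that is not part of the original post. It flags a password written literally in the file (Filebeat can instead read it from its keystore through a ${NAME} reference), plain HTTP to Elasticsearch, and shipping as the built-in elastic superuser. The user name filebeat_writer and the key name ES_PWD in the second sample are assumptions made for illustration.

```python
import re

KEY_VALUE = re.compile(r'^\s*([A-Za-z_.]+):\s*(\S.*?)\s*$')
KEYSTORE_REF = re.compile(r'^\$\{[^}]+\}$')


def audit_output(config_text):
    """Return (key, finding) pairs for risky output.elasticsearch settings."""
    findings = []
    for raw in config_text.splitlines():
        if raw.lstrip().startswith("#"):
            continue                      # skip comment lines
        m = KEY_VALUE.match(raw)
        if not m:
            continue                      # section headers and blank lines
        key, value = m.group(1), m.group(2).strip("\"'")
        if key == "password" and not KEYSTORE_REF.match(value):
            findings.append((key, "literal password in the file; use a keystore reference"))
        elif key == "protocol" and value == "http":
            findings.append((key, "credentials and log data are sent without TLS"))
        elif key == "hosts" and "http://" in value:
            findings.append((key, "credentials and log data are sent without TLS"))
        elif key == "username" and value == "elastic":
            findings.append((key, "built-in superuser; use a dedicated user limited to writing"))
    return findings


# The output section from the post's final configuration.
PAGE_OUTPUT = '''
output.elasticsearch:
  hosts: ["localhost:9200"]
  protocol: "http"
  username: "elastic"
  password: "888888"
  index: "spring-%{[fields.region]}-%{[agent.version]}-%{+yyyy.MM.dd}"
'''

# Constructed variant; filebeat_writer and ES_PWD are hypothetical names.
HARDENED_OUTPUT = '''
output.elasticsearch:
  hosts: ["https://localhost:9200"]
  username: "filebeat_writer"
  password: "${ES_PWD}"
  index: "spring-%{[fields.region]}-%{[agent.version]}-%{+yyyy.MM.dd}"
'''

if __name__ == "__main__":
    for key, finding in audit_output(PAGE_OUTPUT):
        print(f"{key}: {finding}")
    print("hardened findings:", audit_output(HARDENED_OUTPUT))
```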