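Filebeat is a lightweight log collection framework written in Go. It must be deployed on every endpoint whose logs are collected, and configured with the log file paths. It can ship logs to Elasticsearch or Logstash; this article uses Elasticsearch as the example. The configuration is split into two main parts, input and output. After extracting the archive you will find the filebeat.yml configuration file, which is the file to edit.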

filebeat.inputs:
- type: log
  # Log file location
  paths:
    - /data/logs/*/*.log
output.elasticsearch:
  # Elasticsearch connection settings
  hosts: ["localhost:9200"]
  protocol: "http"
  username: "elastic"
  password: "888888"

This automatically creates an index named "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}-%{index_num}".

Example:

vim /etc/filebeat/filebeat.yml

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/messages
  tags: ["messages"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/nova-compute.log
  tags: ["nova-compute"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/nova-manage.log
  tags: ["nova-manage"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/scheduler.log
  tags: ["scheduler"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/conductor.log
  tags: ["conductor"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/cert.log
  tags: ["cert"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/consoleauth.log
  tags: ["consoleauth"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/nova-novncproxy.log
  tags: ["nova-novncproxy"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/rabbitmq/rabbit*.log
  tags: ["rabbit"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/glance/*.log
  tags: ["glance"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/neutron/openvswitch-agent.log
  tags: ["openvswitch-agent"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/kuryr/kuryr-controller.log
  tags: ["kuryr-controller"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/keystone/keystone.log
  tags: ["keystone"]
  fields_under_root: true

output.elasticsearch:
  hosts: ["172.24.110.12:9200", "172.24.110.12:9200"]
  username: elastic
  password: xxxxxxx
  indices:
    - index: "compute_messages-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "messages"
              message: "err"
          - contains:
              tags: "messages"
              message: "ERR"
          - contains:
              tags: "messages"
              message: "fail"
    - index: "compute_messages-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "messages"
    - index: "compute_nova-compute-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "nova-compute"
              message: "err"
          - contains:
              tags: "nova-compute"
              message: "ERR"
          - contains:
              tags: "nova-compute"
              message: "fail"
    - index: "compute_nova-compute-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "nova-compute"

    - index: "controller_nova-manage-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "nova-manage"
              message: "err"
          - contains:
              tags: "nova-manage"
              message: "ERR"
          - contains:
              tags: "nova-manage"
              message: "fail"
    - index: "controller_nova-manage-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "nova-manage"

    - index: "controller_scheduler-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "scheduler"
              message: "err"
          - contains:
              tags: "scheduler"
              message: "ERR"
          - contains:
              tags: "scheduler"
              message: "fail"
    - index: "controller_scheduler-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "scheduler"
    - index: "controller_conductor-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "conductor"
              message: "err"
          - contains:
              tags: "conductor"
              message: "ERR"
          - contains:
              tags: "conductor"
              message: "fail"
    - index: "controller_conductor-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "conductor"
    - index: "controller_cert-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "cert"
              message: "err"
          - contains:
              tags: "cert"
              message: "ERR"
          - contains:
              tags: "cert"
              message: "fail"
    - index: "controller_cert-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "cert"

    - index: "controller_consoleauth-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "consoleauth"
              message: "err"
          - contains:
              tags: "consoleauth"
              message: "ERR"
          - contains:
              tags: "consoleauth"
              message: "fail"
    - index: "controller_consoleauth-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "consoleauth"

    - index: "controller_nova-novncproxy-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "nova-novncproxy"
              message: "err"
          - contains:
              tags: "nova-novncproxy"
              message: "ERR"
          - contains:
              tags: "nova-novncproxy"
              message: "fail"
    - index: "controller_nova-novncproxy-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "nova-novncproxy"
    - index: "controller_rabbit-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "rabbit"
              message: "err"
          - contains:
              tags: "rabbit"
              message: "ERR"
          - contains:
              tags: "rabbit"
              message: "fail"
    - index: "controller_rabbit-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "rabbit"

    - index: "controller_glance-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "glance"
              message: "err"
          - contains:
              tags: "glance"
              message: "ERR"
          - contains:
              tags: "glance"
              message: "fail"
    - index: "controller_glance-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "glance"
    - index: "controller_openvswitch-agent-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "openvswitch-agent"
              message: "err"
          - contains:
              tags: "openvswitch-agent"
              message: "ERR"
          - contains:
              tags: "openvswitch-agent"
              message: "fail"
    - index: "controller_openvswitch-agent-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "openvswitch-agent"

    - index: "controller_kuryr-controller-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "kuryr-controller"
              message: "err"
          - contains:
              tags: "kuryr-controller"
              message: "ERR"
          - contains:
              tags: "kuryr-controller"
              message: "fail"
    - index: "controller_kuryr-controller-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "kuryr-controller"

    - index: "controller_keystone-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "keystone"
              message: "err"
          - contains:
              tags: "keystone"
              message: "ERR"
          - contains:
              tags: "keystone"
              message: "fail"
    - index: "controller_keystone-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "keystone"

setup.ilm.enabled: false
setup.template.name: system
setup.template.pattern: system-*

Example: the index filebeat-7.12.1-2023.05.16-000001.

Index creation rules

By default, the Elasticsearch index lifecycle policy is used.

Indices are generated by index lifecycle management (ILM).

Configuring ILM

# auto, false, or true
setup.ilm.enabled: auto
# Index alias
setup.ilm.rollover_alias: "filebeat"
# Index rollover increment pattern
setup.ilm.pattern: "{now/d}-000001"

setup.ilm.enabled defaults to auto, which automatically creates indices using the filebeat lifecycle policy in Elasticsearch.

setup.ilm.rollover_alias defaults to filebeat-%{[agent.version]} and specifies the index alias used when the index is created.

setup.ilm.pattern defaults to %{now/d}-000001 and is the rollover increment pattern for the index.

The automatically generated index name is the alias plus the pattern, for example filebeat-7.12.1-2023.05.16-000001.

More configuration options: https://www.elastic.co/guide/en/beats/filebeat/7.17/ilm.html

Custom indices

output.elasticsearch can specify an index. The first step in using a custom index is to disable ILM:

setup.ilm.enabled: false

The next step is to configure setup.template.name and setup.template.pattern:

setup.template.name: "filebeat"
setup.template.pattern: "filebeat-*"
setup.template.overwrite: false

Specify the index in output.elasticsearch:

index: "spring-%{[agent.version]}-%{+yyyy.MM.dd}"

Running Filebeat then automatically creates the index spring-7.12.1-2023.05.16. The index definition can use variables from the event context. You can define custom fields in the input:

fields:
  level: system
  region: A1

The custom fields are pushed to the index together with the event, and the index name can reference them:

index: "spring-%{[fields.region]}-%{[agent.version]}-%{+yyyy.MM.dd}"

This generates the index spring-a1-7.12.1-2023.05.16. Note that A1 has been converted to lowercase automatically.

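Merging multi-line logs

By default each line is collected as one record. In some cases, such as formatted output or exception stack traces, one complete log entry spans several lines, and multiline matching has to be configured. The settings go in filebeat.inputs:

multiline.pattern: '^\['
multiline.negate: true
multiline.match: after

multiline.pattern specifies the regular expression used to match log lines; here '^\[' matches lines that start with [. The exact pattern has to match the actual format of the logs being output.

negate and match are used together. I didn't quite understand them and found them a bit convoluted, so look at the official examples yourself at https://www.elastic.co/guide/en/ ... iline-examples.html, which has a table with illustrations. Roughly, they decide whether a non-matching line is merged upward or downward, that is, which record it belongs to. Configuring true and after here means that lines not matching the pattern belong to the preceding line that did match.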
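
The negate/match combinations described above, modelled as an added example (not code from the original post or from Filebeat itself). It assumes Python's re behaves like Filebeat's Go regexp for these simple patterns; merge_multiline and SAMPLE are hypothetical names, and the log lines are constructed.

```python
import re

def merge_multiline(lines, pattern, negate, match):
    """Group raw lines into events as multiline.pattern/negate/match describe."""
    rx = re.compile(pattern)
    events, buf = [], []
    for line in lines:
        # A "continuation" line is one that matches the pattern or, with
        # negate: true, one that does NOT match it.
        continuation = bool(rx.search(line)) != negate
        if match == "after":
            # Continuation lines are appended to the event being built.
            if continuation and buf:
                buf.append(line)
            else:
                if buf:
                    events.append("\n".join(buf))
                buf = [line]
        elif match == "before":
            # Continuation lines are held and prepended to the next
            # non-continuation line, which closes the event.
            buf.append(line)
            if not continuation:
                events.append("\n".join(buf))
                buf = []
        else:
            raise ValueError("match must be 'after' or 'before'")
    if buf:
        events.append("\n".join(buf))
    return events

# Constructed sample: a stack trace between two bracketed log lines.
SAMPLE = [
    "[2023-05-16 10:00:01] ERROR request failed",
    "java.lang.IllegalStateException: boom",
    "    at com.example.Demo.run(Demo.java:42)",
    "[2023-05-16 10:00:02] INFO next request",
]

if __name__ == "__main__":
    # negate: true + match: after -> the trace joins the ERROR line (2 events)
    for ev in merge_multiline(SAMPLE, r"^\[", negate=True, match="after"):
        print(repr(ev))
    # A pattern that never matches the real prefix merges everything (1 event)
    print(len(merge_multiline(SAMPLE, r"^#\[", negate=True, match="after")))
```

With negate: true, a pattern that does not match the real line prefix turns every line into a continuation, so check the pattern against actual log output before deploying it.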

Writing to different indices based on conditions

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  indices:
    - index: "warning-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        message: "WARN"
    - index: "error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        message: "ERR"

This checks whether message contains certain content. Not demonstrated here.
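
How the conditional rules pick an index, as an added example (not from the original post and not Filebeat's own code). It is a simplified model assuming first-matching-rule-wins and case-sensitive substring matching for contains; the two rules are the keystone pair from the larger configuration earlier on this page, and the events, helper names, version and date are constructed.

```python
from datetime import date

# The two "keystone" rules from the page's indices list, in page order.
RULES = [
    {"index": "controller_keystone-error-%{[agent.version]}-%{+yyyy.MM.dd}",
     "when": {"or": [{"contains": {"tags": "keystone", "message": m}}
                     for m in ("err", "ERR", "fail")]}},
    {"index": "controller_keystone-%{[agent.version]}-%{+yyyy.MM.dd}",
     "when": {"contains": {"tags": "keystone"}}},
]

def check(cond, event):
    """Evaluate a simplified 'or' / 'contains' condition against an event."""
    if "or" in cond:
        return any(check(c, event) for c in cond["or"])
    # contains: every listed field must contain its substring (case-sensitive);
    # for a list field such as tags, any element may contain it.
    for field, needle in cond["contains"].items():
        value = event.get(field, "")
        values = value if isinstance(value, list) else [value]
        if not any(needle in v for v in values):
            return False
    return True

def route(event, rules=RULES, version="7.12.1", day=date(2023, 5, 16)):
    """Return the index of the first rule whose condition matches, else None."""
    for rule in rules:
        if check(rule["when"], event):
            return (rule["index"]
                    .replace("%{[agent.version]}", version)
                    .replace("%{+yyyy.MM.dd}", day.strftime("%Y.%m.%d")))
    return None  # assumption: no rule matched, the default index would apply

def keystone(message):
    # Constructed event carrying only the fields the rules inspect.
    return {"tags": ["keystone"], "message": message}

ERROR_IDX = "controller_keystone-error-7.12.1-2023.05.16"
PLAIN_IDX = "controller_keystone-7.12.1-2023.05.16"

if __name__ == "__main__":
    for msg in ("ERROR Authorization failed",      # error index
                "Error: signature mismatch",       # plain index: "Error" has no "err"/"ERR"
                "Login Failed for admin",          # plain index: "Failed" has no "fail"
                "INFO wrote 12 bytes to stderr"):  # error index: "stderr" contains "err"
        print(route(keystone(msg)), "<-", msg)
```

The error rule has to stay above the catch-all tag rule, and substring matching both misses capitalised forms such as "Error" or "Failed" and catches unrelated words such as "stderr".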

Collected logs can be viewed and searched in the Kibana Logs UI. A log index pattern has to be configured; for the example above we need to add the log pattern spring-*.

Finally, the effective filebeat.yml configuration looks roughly like this:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /data/logs/*/*.log
  fields:
    level: system
    region: A1

  multiline.pattern: '^#\['
  multiline.negate: true
  multiline.match: after

output.elasticsearch:
  hosts: ["localhost:9200"]
  protocol: "http"
  username: "elastic"
  password: "888888"
  index: "spring-%{[fields.region]}-%{[agent.version]}-%{+yyyy.MM.dd}"

setup.ilm.enabled: false
setup.template.name: "filebeat"
setup.template.pattern: "filebeat-*"
setup.template.overwrite: false