Filebeat is a lightweight log collection framework written in Go. It has to be deployed on every host whose logs are collected and configured with the log file paths. It can ship logs to Elasticsearch or Logstash; this post uses Elasticsearch as the example. The configuration has two main parts, input and output. After unpacking, there is a filebeat.yml configuration file, and that file is what gets configured.

filebeat.inputs:
- type: log
  # Log file location
  paths:
    - /data/logs/*/*.log

output.elasticsearch:
  # Elasticsearch connection settings
  hosts: ["localhost:9200"]
  protocol: "http"
  username: "elastic"
  password: "888888"

This automatically creates an index named "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}-%{index_num}".

Example:

vim /etc/filebeat/filebeat.yml

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/messages
  tags: ["messages"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/nova-compute.log
  tags: ["nova-compute"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/nova-manage.log
  tags: ["nova-manage"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/scheduler.log
  tags: ["scheduler"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/conductor.log
  tags: ["conductor"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/cert.log
  tags: ["cert"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/consoleauth.log
  tags: ["consoleauth"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/nova-novncproxy.log
  tags: ["nova-novncproxy"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/rabbitmq/rabbit*.log
  tags: ["rabbit"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/glance/*.log
  tags: ["glance"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/neutron/openvswitch-agent.log
  tags: ["openvswitch-agent"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/kuryr/kuryr-controller.log
  tags: ["kuryr-controller"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/keystone/keystone.log
  tags: ["keystone"]
  fields_under_root: true

output.elasticsearch:
  hosts: ["172.24.110.12:9200", "172.24.110.12:9200"]
  username: elastic
  password: xxxxxxx
  indices:
    - index: "compute_messages-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "messages"
              message: "err"
          - contains:
              tags: "messages"
              message: "ERR"
          - contains:
              tags: "messages"
              message: "fail"
    - index: "compute_messages-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "messages"

    - index: "compute_nova-compute-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "nova-compute"
              message: "err"
          - contains:
              tags: "nova-compute"
              message: "ERR"
          - contains:
              tags: "nova-compute"
              message: "fail"
    - index: "compute_nova-compute-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "nova-compute"

    - index: "controller_nova-manage-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "nova-manage"
              message: "err"
          - contains:
              tags: "nova-manage"
              message: "ERR"
          - contains:
              tags: "nova-manage"
              message: "fail"
    - index: "controller_nova-manage-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "nova-manage"

    - index: "controller_scheduler-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "scheduler"
              message: "err"
          - contains:
              tags: "scheduler"
              message: "ERR"
          - contains:
              tags: "scheduler"
              message: "fail"
    - index: "controller_scheduler-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "scheduler"

    - index: "controller_conductor-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "conductor"
              message: "err"
          - contains:
              tags: "conductor"
              message: "ERR"
          - contains:
              tags: "conductor"
              message: "fail"
    - index: "controller_conductor-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "conductor"

    - index: "controller_cert-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "cert"
              message: "err"
          - contains:
              tags: "cert"
              message: "ERR"
          - contains:
              tags: "cert"
              message: "fail"
    - index: "controller_cert-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "cert"

    - index: "controller_consoleauth-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "consoleauth"
              message: "err"
          - contains:
              tags: "consoleauth"
              message: "ERR"
          - contains:
              tags: "consoleauth"
              message: "fail"
    - index: "controller_consoleauth-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "consoleauth"

    - index: "controller_nova-novncproxy-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "nova-novncproxy"
              message: "err"
          - contains:
              tags: "nova-novncproxy"
              message: "ERR"
          - contains:
              tags: "nova-novncproxy"
              message: "fail"
    - index: "controller_nova-novncproxy-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "nova-novncproxy"

    - index: "controller_rabbit-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "rabbit"
              message: "err"
          - contains:
              tags: "rabbit"
              message: "ERR"
          - contains:
              tags: "rabbit"
              message: "fail"
    - index: "controller_rabbit-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "rabbit"

    - index: "controller_glance-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "glance"
              message: "err"
          - contains:
              tags: "glance"
              message: "ERR"
          - contains:
              tags: "glance"
              message: "fail"
    - index: "controller_glance-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "glance"

    - index: "controller_openvswitch-agent-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "openvswitch-agent"
              message: "err"
          - contains:
              tags: "openvswitch-agent"
              message: "ERR"
          - contains:
              tags: "openvswitch-agent"
              message: "fail"
    - index: "controller_openvswitch-agent-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "openvswitch-agent"

    - index: "controller_kuryr-controller-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "kuryr-controller"
              message: "err"
          - contains:
              tags: "kuryr-controller"
              message: "ERR"
          - contains:
              tags: "kuryr-controller"
              message: "fail"
    - index: "controller_kuryr-controller-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "kuryr-controller"

    - index: "controller_keystone-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "keystone"
              message: "err"
          - contains:
              tags: "keystone"
              message: "ERR"
          - contains:
              tags: "keystone"
              message: "fail"
    - index: "controller_keystone-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "keystone"

setup.ilm.enabled: false
setup.template.name: system
setup.template.pattern: system-*

Example: the index filebeat-7.12.1-2023.05.16-000001.

Index creation rules

By default, the Elasticsearch index lifecycle policy is used.

Index lifecycle management (ILM) generates the indices.

Configuring ILM

# auto, false or true
setup.ilm.enabled: auto
# Index alias
setup.ilm.rollover_alias: "filebeat"
# Index rollover increment pattern
setup.ilm.pattern: "{now/d}-000001"

setup.ilm.enabled defaults to auto, which creates indices automatically using the filebeat lifecycle policy in Elasticsearch.

setup.ilm.rollover_alias defaults to filebeat-%{[agent.version]} and sets the index alias used when the index is created.

setup.ilm.pattern defaults to %{now/d}-000001 and is the increment pattern for index rollover.

The automatically generated index name is alias + pattern, for example filebeat-7.12.1-2023.05.16-000001.

More configuration options: https://www.elastic.co/guide/en/beats/filebeat/7.17/ilm.html

Custom indices

output.elasticsearch can specify an index. The first step in using a custom index is to disable ILM:

setup.ilm.enabled: false

The next step is to configure setup.template.name and setup.template.pattern:

setup.template.name: "filebeat"
setup.template.pattern: "filebeat-*"
setup.template.overwrite: false

Then specify the index in output.elasticsearch:

index: "spring-%{[agent.version]}-%{+yyyy.MM.dd}"

Running Filebeat then creates the index spring-7.12.1-2023.05.16 automatically. The index definition can use variables from the event context, and custom fields can be defined in the input:

fields:
  level: system
  region: A1

Custom fields are pushed to the index together with the event, and they can be used in the index name:

index: "spring-%{[fields.region]}-%{[agent.version]}-%{+yyyy.MM.dd}"

This generates the index spring-a1-7.12.1-2023.05.16. Note that A1 is automatically converted to lowercase.

Merging multi-line logs

By default, each collected line becomes one record. In some cases, such as formatted output or exception stack traces, one complete log entry spans several lines. Multiline matching then has to be configured. The options go under filebeat.inputs:

multiline.pattern: '^\['
multiline.negate: true
multiline.match: after

multiline.pattern sets the regular expression used to match log lines; here '^\[' matches lines that start with [. The exact pattern has to fit the format of the logs actually being written.

The negate and match parameters are used together. I did not fully understand them and find them a bit convoluted, so look at the official examples yourself at https://www.elastic.co/guide/en/ ... iline-examples.html, which has a table with illustrations. The gist is whether a non-matching line is merged upward or downward, that is, which record it belongs to. Setting true and after here means that lines not matching the pattern are attached to the preceding matching line.
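The negate/match combinations described above, as a small model of the grouping logic. This is an added example, not Filebeat's code or the author's; the sample log lines are constructed, and Filebeat's own limits on event size and wait time (multiline.max_lines, multiline.timeout) are not modelled.

```python
import re

def group_multiline(lines, pattern, negate, match):
    """Group raw lines into events following the pattern/negate/match rules."""
    rx = re.compile(pattern)
    events, buf = [], []
    for line in lines:
        # negate=false: lines matching the pattern are continuations.
        # negate=true:  lines NOT matching the pattern are continuations.
        continuation = bool(rx.search(line)) != negate
        if match == "after":
            # A continuation joins the event already open; any other line
            # closes that event and opens a new one.
            if not continuation and buf:
                events.append("\n".join(buf))
                buf = []
            buf.append(line)
        elif match == "before":
            # Continuations are held until the next non-continuation line,
            # which is appended and closes the event.
            buf.append(line)
            if not continuation:
                events.append("\n".join(buf))
                buf = []
        else:
            raise ValueError("match must be 'after' or 'before'")
    if buf:  # flush whatever is still open at end of input
        events.append("\n".join(buf))
    return events

# Constructed sample: three log entries, the second with a Java stack trace.
SAMPLE = [
    "[2023-05-16 10:00:01] INFO  Application started",
    "[2023-05-16 10:00:02] ERROR Request failed",
    "java.lang.IllegalStateException: boom",
    "    at com.example.Demo.run(Demo.java:42)",
    "[2023-05-16 10:00:03] INFO  Recovered",
]

# Settings to compare: (pattern, negate, match)
CASES = {
    "page setting": (r"^\[", True, "after"),     # trace stays with its ERROR line
    "negate=false": (r"^\[", False, "after"),    # "[" lines glued together instead
    "match=before": (r"^\[", True, "before"),    # trace attached to the NEXT entry
    "pattern ^#\\[": (r"^#\[", True, "after"),   # nothing matches: one giant event
}

if __name__ == "__main__":
    for name, (pattern, negate, match) in CASES.items():
        events = group_multiline(SAMPLE, pattern, negate, match)
        print(f"{name}: {len(events)} event(s)")
        for event in events:
            print("   ", event.splitlines())
```

The last case shows why the pattern has to fit the real log format: when no line matches, every line counts as a continuation and separate entries collapse into one record.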
" v1 l' A6 P% Z" @: r# T4 a4 S% }, {' z0 E. I
Writing to different indices by condition

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  indices:
    - index: "warning-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        message: "WARN"
    - index: "error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        message: "ERR"

This checks whether message contains certain content. Not demonstrated here.
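A simplified model of how such indices rules route events, applied to the err/ERR/fail rules from the larger example earlier on this page. This is an added example, not Filebeat's code or the author's. It assumes the first matching rule wins, that contains is a case-sensitive substring test, and that every field inside one contains block must match; the events and the fallback name are constructed.

```python
def contains(event, cond):
    """True when every field in one `contains` block holds its substring."""
    for field, needle in cond.items():
        value = event.get(field)
        values = value if isinstance(value, list) else [value]
        # Case-sensitive substring test; for a list (tags) any element may match.
        if not any(isinstance(v, str) and needle in v for v in values):
            return False
    return True

def matches(event, when):
    """Evaluate a `when` condition made of `or` and `contains`."""
    if "or" in when:
        return any(matches(event, sub) for sub in when["or"])
    return contains(event, when["contains"])

def select_index(event, rules, fallback="<output index>"):
    """Return the index of the first matching rule, else the fallback."""
    for rule in rules:
        if matches(event, rule["when"]):
            return rule["index"]
    return fallback

def error_rule(tag, index):
    """Build the page's err/ERR/fail rule for one tag."""
    return {"index": index, "when": {"or": [
        {"contains": {"tags": tag, "message": kw}}
        for kw in ("err", "ERR", "fail")]}}

# The page's two rules for /var/log/messages (version/date suffix omitted).
RULES = [
    error_rule("messages", "compute_messages-error"),
    {"index": "compute_messages", "when": {"contains": {"tags": "messages"}}},
]

# Constructed sample events.
EVENTS = {
    "io_error": {"tags": ["messages"], "message": "kernel: I/O error, dev sda"},
    "ssh_fail": {"tags": ["messages"],
                 "message": "sshd[811]: Failed password for root from 192.0.2.10"},
    "benign": {"tags": ["messages"], "message": "systemd: Started interrupt balancer"},
    "untagged": {"tags": ["other"], "message": "ERROR something"},
}

def route_all(rules=RULES):
    """Map each sample event name to the index the rules select for it."""
    return {name: select_index(ev, rules) for name, ev in EVENTS.items()}

if __name__ == "__main__":
    for name, index in route_all().items():
        print(f"{name:9} -> {index}")
    # With the general rule first, the error rule is never reached.
    print(route_all(list(reversed(RULES))))
```

In this model "Failed password" misses the error index because "Failed" does not contain lowercase "fail", while "interrupt" lands in it because it contains "err"; anyone alerting on the error indices should account for both effects.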

Collected logs can be viewed and searched in the Kibana Logs UI. The log index pattern has to be configured first; for the example above, we need to add the index pattern spring-*.

Finally, the effective filebeat.yml configuration looks roughly like this:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /data/logs/*/*.log

  fields:
    level: system
    region: A1

  multiline.pattern: '^#\['
  multiline.negate: true
  multiline.match: after

output.elasticsearch:
  hosts: ["localhost:9200"]
  protocol: "http"
  username: "elastic"
  password: "888888"
  index: "spring-%{[fields.region]}-%{[agent.version]}-%{+yyyy.MM.dd}"

setup.ilm.enabled: false
setup.template.name: "filebeat"
# As written, this template pattern does not cover the spring-* indices set above.
setup.template.pattern: "filebeat-*"
setup.template.overwrite: false