Filebeat is a lightweight log collection framework written in Go. It must be deployed on every host whose logs are collected and configured with the log file paths. Logs can be shipped to Elasticsearch or Logstash; this post uses Elasticsearch as the example. The configuration has two main parts, input and output. After unpacking the package you will find the filebeat.yml configuration file, and configuration is mainly done in that file.

- type: log
  # log file location
  paths:
    - /data/logs/*/*.log
output.elasticsearch:
  # Elasticsearch connection settings
  hosts: ["localhost:9200"]
  protocol: "http"
  username: "elastic"
  password: "888888"

This automatically creates an index named "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}-%{index_num}".

Example:

vim /etc/filebeat/filebeat.yml

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/messages
  tags: ["messages"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/nova-compute.log
  tags: ["nova-compute"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/nova-manage.log
  tags: ["nova-manage"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/scheduler.log
  tags: ["scheduler"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/conductor.log
  tags: ["conductor"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/cert.log
  tags: ["cert"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/consoleauth.log
  tags: ["consoleauth"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nova/nova-novncproxy.log
  tags: ["nova-novncproxy"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/rabbitmq/rabbit*.log
  tags: ["rabbit"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/glance/*.log
  tags: ["glance"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/neutron/openvswitch-agent.log
  tags: ["openvswitch-agent"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/kuryr/kuryr-controller.log
  tags: ["kuryr-controller"]
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/keystone/keystone.log
  tags: ["keystone"]
  fields_under_root: true

output.elasticsearch:
  hosts: ["172.24.110.12:9200", "172.24.110.12:9200"]
  username: elastic
  password: xxxxxxx
  indices:
    - index: "compute_messages-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "messages"
              message: "err"
          - contains:
              tags: "messages"
              message: "ERR"
          - contains:
              tags: "messages"
              message: "fail"
    - index: "compute_messages-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "messages"

    - index: "compute_nova-compute-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "nova-compute"
              message: "err"
          - contains:
              tags: "nova-compute"
              message: "ERR"
          - contains:
              tags: "nova-compute"
              message: "fail"
    - index: "compute_nova-compute-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "nova-compute"

    - index: "controller_nova-manage-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "nova-manage"
              message: "err"
          - contains:
              tags: "nova-manage"
              message: "ERR"
          - contains:
              tags: "nova-manage"
              message: "fail"
    - index: "controller_nova-manage-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "nova-manage"

    - index: "controller_scheduler-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "scheduler"
              message: "err"
          - contains:
              tags: "scheduler"
              message: "ERR"
          - contains:
              tags: "scheduler"
              message: "fail"
    - index: "controller_scheduler-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "scheduler"

    - index: "controller_conductor-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "conductor"
              message: "err"
          - contains:
              tags: "conductor"
              message: "ERR"
          - contains:
              tags: "conductor"
              message: "fail"
    - index: "controller_conductor-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "conductor"

    - index: "controller_cert-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "cert"
              message: "err"
          - contains:
              tags: "cert"
              message: "ERR"
          - contains:
              tags: "cert"
              message: "fail"
    - index: "controller_cert-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "cert"

    - index: "controller_consoleauth-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "consoleauth"
              message: "err"
          - contains:
              tags: "consoleauth"
              message: "ERR"
          - contains:
              tags: "consoleauth"
              message: "fail"
    - index: "controller_consoleauth-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "consoleauth"

    - index: "controller_nova-novncproxy-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "nova-novncproxy"
              message: "err"
          - contains:
              tags: "nova-novncproxy"
              message: "ERR"
          - contains:
              tags: "nova-novncproxy"
              message: "fail"
    - index: "controller_nova-novncproxy-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "nova-novncproxy"

    - index: "controller_rabbit-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "rabbit"
              message: "err"
          - contains:
              tags: "rabbit"
              message: "ERR"
          - contains:
              tags: "rabbit"
              message: "fail"
    - index: "controller_rabbit-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "rabbit"

    - index: "controller_glance-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "glance"
              message: "err"
          - contains:
              tags: "glance"
              message: "ERR"
          - contains:
              tags: "glance"
              message: "fail"
    - index: "controller_glance-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "glance"

    - index: "controller_openvswitch-agent-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "openvswitch-agent"
              message: "err"
          - contains:
              tags: "openvswitch-agent"
              message: "ERR"
          - contains:
              tags: "openvswitch-agent"
              message: "fail"
    - index: "controller_openvswitch-agent-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "openvswitch-agent"

    - index: "controller_kuryr-controller-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "kuryr-controller"
              message: "err"
          - contains:
              tags: "kuryr-controller"
              message: "ERR"
          - contains:
              tags: "kuryr-controller"
              message: "fail"
    - index: "controller_kuryr-controller-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "kuryr-controller"

    - index: "controller_keystone-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when:
        or:
          - contains:
              tags: "keystone"
              message: "err"
          - contains:
              tags: "keystone"
              message: "ERR"
          - contains:
              tags: "keystone"
              message: "fail"
    - index: "controller_keystone-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "keystone"

setup.ilm.enabled: false
setup.template.name: system
setup.template.pattern: system-*

Example index: filebeat-7.12.1-2023.05.16-000001

Index creation rules

By default, Elasticsearch's index lifecycle policy is used: index lifecycle management (ILM) generates the indices.

Configuring ILM

# auto, false, or true
setup.ilm.enabled: auto
# index alias
setup.ilm.rollover_alias: "filebeat"
# index rollover pattern
setup.ilm.pattern: "{now/d}-000001"

setup.ilm.enabled defaults to auto, which automatically creates indices using the filebeat lifecycle policy in Elasticsearch.

setup.ilm.rollover_alias defaults to filebeat-%{[agent.version]}; it sets the index alias used when the index is created.

setup.ilm.pattern defaults to %{now/d}-000001; it is the rollover increment pattern for the index.

The automatically generated index name is alias + pattern, for example filebeat-7.12.1-2023.05.16-000001.

For more settings, see: https://www.elastic.co/guide/en/beats/filebeat/7.17/ilm.html

Custom indices

output.elasticsearch lets you specify an index. The first step in using a custom index is to disable ILM:

setup.ilm.enabled: false

The next step is to configure setup.template.name and setup.template.pattern:

setup.template.name: "filebeat"
setup.template.pattern: "filebeat-*"
setup.template.overwrite: false

Then specify the index in output.elasticsearch:

index: "spring-%{[agent.version]}-%{+yyyy.MM.dd}"

When Filebeat runs, the index spring-7.12.1-2023.05.16 is generated automatically. The index definition can use variables from the event context. You can also define custom fields in the input:

fields:
  level: system
  region: A1

Custom fields are pushed to the index along with the event, and the index name can reference them:

index: "spring-%{[fields.region]}-%{[agent.version]}-%{+yyyy.MM.dd}"

This generates the index spring-a1-7.12.1-2023.05.16. Note that A1 is automatically converted to lowercase.

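Merging multi-line logs

By default, each collected log line becomes one record. In some cases, such as formatted output or exception stack traces, one complete log entry spans several lines, and multi-line matching has to be configured. The settings go under filebeat.inputs:

multiline.pattern: '^\['
multiline.negate: true
multiline.match: after

multiline.pattern specifies the regular expression to match log lines against; '^\[' here matches lines that begin with [. The exact pattern has to match the format of the logs you actually produce.

The negate and match parameters are used together. I didn't fully understand them and found them a bit convoluted to reason about, so see the official examples at https://www.elastic.co/guide/en/ ... iline-examples.html, which include an illustrated table. Roughly, they decide whether a non-matching line is merged upward or downward, that is, which record it belongs to. Configuring true and after here means lines that do not match the pattern are attached to the preceding matching line.
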
Writing to different indices based on conditions

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  indices:
    - index: "warning-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        message: "WARN"
    - index: "error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        message: "ERR"

This checks whether the message contains certain content. No demonstration here.

Collected logs can be viewed and searched in the Kibana Logs UI. You need to configure an index pattern for the logs; for the example above, add the pattern spring-*.

In the end, the effective filebeat.yml configuration looks roughly like this:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /data/logs/*/*.log
  fields:
    level: system
    region: A1
  multiline.pattern: '^#\['
  multiline.negate: true
  multiline.match: after

output.elasticsearch:
  hosts: ["localhost:9200"]
  protocol: "http"
  username: "elastic"
  password: "888888"
  index: "spring-%{[fields.region]}-%{[agent.version]}-%{+yyyy.MM.dd}"

setup.ilm.enabled: false
setup.template.name: "filebeat"
setup.template.pattern: "filebeat-*"
setup.template.overwrite: false
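
Added example (not part of the original post): a small Python model of how the negate and match settings from the multi-line section group lines into events, following the four combinations described in the Filebeat documentation. The sample log lines are constructed, the function name is hypothetical, and Python's re stands in for Filebeat's Go regular expressions.

```python
import re

def group_multiline(lines, pattern, negate, match):
    """Group raw lines into events per multiline.negate / multiline.match."""
    rx = re.compile(pattern)

    def is_continuation(line):
        # negate=False: lines that match the pattern are continuations.
        # negate=True:  lines that do NOT match are continuations.
        return bool(rx.search(line)) != negate

    events, current = [], []
    for line in lines:
        if match == "after":
            # Continuations are appended to the event opened by the last
            # non-continuation line; any other line opens a new event.
            if is_continuation(line) and current:
                current.append(line)
            else:
                if current:
                    events.append("\n".join(current))
                current = [line]
        elif match == "before":
            # Continuations are held back and prepended to the next
            # non-continuation line, which closes the event.
            current.append(line)
            if not is_continuation(line):
                events.append("\n".join(current))
                current = []
        else:
            raise ValueError("match must be 'after' or 'before'")
    if current:
        events.append("\n".join(current))  # flush trailing lines
    return events

# Constructed sample: an ERROR record followed by a two-line stack trace.
SAMPLE = [
    "[2023-05-16 10:00:01] INFO  service started",
    "[2023-05-16 10:00:02] ERROR request failed",
    "java.lang.IllegalStateException: boom",
    "    at com.example.Demo.run(Demo.java:42)",
    "[2023-05-16 10:00:03] WARN  retrying",
]

if __name__ == "__main__":
    for mode in ("after", "before"):
        print(f"--- negate=true, match={mode} ---")
        for ev in group_multiline(SAMPLE, r"^\[", True, mode):
            print(repr(ev))
```

With negate: true and match: after the stack trace stays with the ERROR record; switching to match: before attaches it to the following WARN record instead, which misattributes the exception during triage.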
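
Added example (not part of the original post): a simplified Python model of the indices rules in the post, showing that the first matching rule wins and that the case-sensitive contains keywords "err", "ERR" and "fail" miss lines such as "Failed password" or "Error:" while matching unrelated words like "interrupt". The events, the helper names and the filebeat-default fallback name are constructed for illustration, list fields are assumed to match per element, and index names omit the version/date suffix.

```python
def contains(event, cond):
    """All fields in one `contains` block must match (case-sensitive)."""
    for field, needle in cond.items():
        value = event.get(field)
        if isinstance(value, list):            # e.g. tags
            if not any(needle in item for item in value):
                return False
        elif not isinstance(value, str) or needle not in value:
            return False
    return True

def error_rule(tag, index):
    # Equivalent of the post's `when.or` with three `contains` blocks.
    return {"index": index,
            "any_of": [{"tags": tag, "message": kw}
                       for kw in ("err", "ERR", "fail")]}

def plain_rule(tag, index):
    # Equivalent of the post's `when.contains: tags: ...` catch-all.
    return {"index": index, "any_of": [{"tags": tag}]}

# Rule order copied from the post for two of its tags.
RULES = [
    error_rule("messages", "compute_messages-error"),
    plain_rule("messages", "compute_messages"),
    error_rule("keystone", "controller_keystone-error"),
    plain_rule("keystone", "controller_keystone"),
]

def route(event, rules=RULES, default="filebeat-default"):
    """Return the index of the first matching rule, else the default."""
    for rule in rules:
        if any(contains(event, cond) for cond in rule["any_of"]):
            return rule["index"]
    return default  # hypothetical name for the output's default index

# Constructed sample events (not real logs).
EVENTS = [
    {"tags": ["messages"], "message": "kernel: I/O error, dev sda"},
    {"tags": ["messages"], "message": "sshd: Failed password for root"},
    {"tags": ["messages"], "message": "Error: disk quota exceeded"},
    {"tags": ["messages"], "message": "systemd: Started interrupt balancer"},
    {"tags": ["keystone"], "message": "ERROR keystone.auth: bad token"},
    {"tags": ["audit"], "message": "type=USER_AUTH res=failed"},
]

def route_all(events=EVENTS):
    return [route(e) for e in events]

if __name__ == "__main__":
    for e, idx in zip(EVENTS, route_all()):
        print(f"{idx:28} <- {e['message']}")
```

A regexp condition with a case-insensitive pattern, or a condition on a parsed log-level field instead of the raw message, closes the gaps this model exposes.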