美文网首页ELK文集ELK
用Docker搭建logstash、filebeat集群

用Docker搭建logstash、filebeat集群

作者: GoGooGooo | 来源:发表于2018-05-14 11:36 被阅读2次

    docker-logstash.yml

    version: '3.2'

services:
  logstash:
    image: logstash:latest
    networks:
      - net
    volumes:
      - /app/elk/logstash/logstash.conf:/some/config-dir/logstash.conf
      - /app/elk/filebeat/filebeat_logstash_out.conf:/some/config-dir/filebeat_logstash_out.conf
      - /app/elk/city/GeoLite2-City.mmdb:/GeoLite2-City.mmdb
#      - /etc/timezone:/etc/timezone:ro
#      - /etc/localtime:/etc/localtime:ro
    ports:
      - target: 5044
        published: 5044
        protocol: tcp
        mode: host
    command: -f /some/config-dir/
    deploy:
      mode: global

networks:
  net:
    driver: overlay
    internal: false
    ipam:
      driver: default
      config:
        - subnet: 10.0.66.0/24

    logstash.conf

    input {
  kafka{  
    codec => "json"
    bootstrap_servers=> "192.168.31.146:9092,192.168.31.147:9092,192.168.31.167:9092"
    #topics => ["backstage_logs","logstash-.*"]
    topics_pattern => "backstage_.*"
    group_id => "logstash"
    auto_offset_reset => "latest"
    type => "logs"  
  }
}

#filter {
#    if "nginx-accesslog" in [tags] {
#        grok {
#            match => { "message" => "%{IPORHOST:http_host} %{IPORHOST:clientip} - %{USERNAME:remote_user} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:http_verb} %{NOTSPACE:http_request}(?: HTTP/%{NUMBER:http_version})?|%{DATA:raw_http_request})\" %{NUMBER:response} (?:%{NUMBER:bytes_read}|-) %{QS:referrer} %{QS:agent} %{QS:xforwardedfor} %{NUMBER:request_time:float} %{GREEDYDATA:traceID}"}
#        }
#        mutate {
#            convert => ["status","integer"]
#            convert => ["body_bytes_sent","integer"]
#            convert => ["request_time","float"]
#        }
#        geoip {
#            source=>"remote_addr"
#        }
#        date {
#            match => [ "timestamp","dd/MMM/YYYY:HH:mm:ss Z"]
#        }
#        useragent {
#            source=>"http_user_agent"
#        }
#    }
#
#    if "tomcat-accesslog"  in [tags] {
#        grok {
#           match => { "message" => "%{IPORHOST:clientip} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:http_verb} %{NOTSPACE:http_request}(?: HTTP/%{NUMBER:http_version})?|%{DATA:raw_http_request})\" %{NUMBER:response} (?:%{NUMBER:bytes_read}|-) %{QS:referrer} %{NUMBER:request_time:float} %{GREEDYDATA:traceID}"}
#            }
#        date {
#            match => [ "timestamp","dd/MMM/YYYY:HH:mm:ss Z"]
#        }
#    }
#}

output {
    if [type] == "logs" {
        elasticsearch {
            hosts => ["192.168.31.146:9200","192.168.31.147:9200","192.168.31.167:9200"]
            index  => "backstage_%{type}-%{+YYYY.MM.dd}"
            manage_template => true
            document_type => "%{type}"
        }
    }
}

    filebeat_logstash_out.conf

    input {
    beats {
      port => 5044
      codec => json     # 直接将filebeat保存在message中的json字串解析出来
      type => "logs"
    }
}

filter {
    if [type] == "nginxaccess" {
        mutate {
            remove_field => ["tags", "beat"]    
            #删除filebeat自动添加的字段
            ## 测试发现:如果换成drop {  remove_field =>
            ## 无输出
        }
    }
}

output {
    if [type] == "nginxaccess" {
        elasticsearch {
             hosts => ["192.168.31.146:9200","192.168.31.147:9200","192.168.31.167:9200"]
             index  => "filebeat-%{type}-%{+YYYY.MM.dd}"
             manage_template => true
             document_type => "%{type}"
        }
        stdout{
            codec=>rubydebug
        }
    }
}

    上面是配置logstash的消费者,如果需要filebeat去采集其他机器的日志文件,请往下接着配

    docker-filebeat.yml

    version: '3.2'

services:
  filebeat:
    image: prima/filebeat:latest
    networks:
      - net
    volumes:
      - /docker-swarm/ELK/prod/filebeat.yml:/filebeat.yml
      - /nginx/logs/:/nginx/logs/
#      - /etc/timezone:/etc/timezone:ro
#      - /etc/localtime:/etc/localtime:ro
    deploy:
      mode: global

networks:
  net:
    driver: overlay
    internal: false
    ipam:
      driver: default
      config:
        - subnet: 10.0.66.0/24

    filebeat.yml

    filebeat.prospectors:
- input_type: log
  paths:
    - /nginx/logs/*.log
  tags: ["nginx-accesslog"]
  document_type: nginxaccess
#output.kafka:
#   enabled: true
#   hosts: ["192.168.31.163:9092"]
# #  topic: logstash-%{[type]}
#   topic: backstage_%{[type]}
output:
  logstash:
    hosts: ["192.168.31.146:5044","192.168.31.147:5044","192.168.31.167:5044"]
#    worker: 1
#    loadbalance: true
#    index: filebeat

    相关文章

      网友评论

        本文标题:用Docker搭建logstash、filebeat集群

        本文链接:https://www.haomeiwen.com/subject/wlpddftx.html

        延伸阅读

        深度阅读

        • 您也可以注册成为美文阅读网的作者,发表您的原创作品、分享您的心情!

        栏目导航

        热点阅读

        ELK文集

        ELK

        关于我们|服务条款|联系我们|用Docker搭建logstash、filebeat集群|投稿指南|网站地图|RSS订阅|排版工具|手机版

        提供经典美文摘抄,优美散文欣赏,现代诗歌精选,短篇小说,心情随笔,表白情书范文,故事会在线阅读欣赏

        Copyright © 2014-2023 Haomeiwen.com All Rights Reserved. 好美文阅读网 版权所有

        备案信息:桂公网安备 45052102000051号 · 桂ICP备13007215号-3

        本站所收录作品、热点评论等信息部分来源互联网,目的只是为了系统归纳学习和传递资讯

        所有作品版权归原创作者所有,与本站立场无关,如不慎侵犯了你的权益,请联系我们告知,我们将做删除处理!