下载
这里以6.4.0版本为例
$ wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.4.0-linux-x86_64.tar.gz
安装
$ tar zxf filebeat-6.4.0-linux-x86_64.tar.gz
$ cd filebeat-6.4.0-linux-x86_64
配置
$ vi filebeat.yml
filebeat.inputs:
- type: log
# Change to true to enable this input configuration.
enabled: true
# Paths that should be crawled and fetched. Glob based paths.
paths:
- /tmp/logs/test.log
fields:
app_id: query_oalog_1
log_type: api-hub
multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
# Defines if the pattern set under pattern should be negated or not. Default is false.
multiline.negate: true
# Match can be set to "after" or "before". It is used to define if lines should be append to a pattern
# that was (not) matched before or after or as long as a pattern is not matched based on negate.
# Note: After is the equivalent to previous and before is the equivalent to to next in Logstash
multiline.match: after
#加载不同的模板
setup.template.name: "filebeat"
setup.template.pattern: "filebeat-*"
setup.template.settings:
index.number_of_shards: 3
#写入搜索引擎
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["10.10.10.10:9200"]
#默认情况下,Filebeat写事件到名为filebeat-6.4.0-yyyy.MM.dd的索引,其中yyyy.MM.dd是事件被索引的日期。为了用一个不同的名字,你可以在Elasticsearch输出中设置index选项。
index: "%{[fields.log_type]}-%{[beat.version]}-%{+yyyy.MM.dd}"
主要配置项说明:
-
enabled:true 代表开启这个配置节
-
paths: 监控指定目录下的文件,支持模糊搜索
-
fields: 增加fields额外字段,本例在fields下面增加了app_id、log_type字段
-
multiline 多行日志监控,下面配置的意思是:不以时间格式开头的行都合并到上一行的末尾(正则写的不好,忽略忽略)
-
pattern:正则表达式
-
negate:true 或 & false;默认是false,匹配pattern的行合并到上一行;true,不匹配pattern的行合并到上一行
-
match:after 或 before,合并到上一行的末尾或开头
-
-
output.elasticsearch 配置host指定搜索引擎地址
启动
$ nohup ./filebeat -e -c filebeat.yml > filebeat.log &
网友评论