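Here I only set up the most basic configuration: make sure the logs that are needed get collected, merge the multiple lines that belong to one log message into a single event (as mentioned in the Filebeat introduction, the harvester reads a log line by line), and attach a name to each source (this is useful later when configuring the Kibana index).
Installation
Just extract the archive to install it; the path is up to you. Note that the version number must match that of ES and Logstash. Filebeat has to be installed on every server whose logs you want to collect.
Configuration
This is the most basic configuration. I send the collected logs to Logstash rather than to the default ES. Also note that every colon must be followed by a space; this is required by the format, and omitting it causes an error.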
filebeat.prospectors:
- type: log
  # paths is a YAML list, one entry per glob
  paths:
    - /usr/local/tomcat-achievement-8082/logs/*.log
  ignore_older: "24h"
  # put the custom fields at the top level of the event
  fields_under_root: true
  fields:
    level: achive-8082-52
    review: 1
  # lines starting with whitespace or "Caused" are appended to the previous line
  multiline.pattern: '^[[:space:]]|^Caused'
  multiline.negate: false
  multiline.match: after
- type: log
  paths:
    - /usr/local/tomcat-basicInfo-8081/logs/*.log
  ignore_older: "24h"
  fields_under_root: true
  fields:
    level: basic-8081-52
    review: 1
  multiline.pattern: '^[[:space:]]|^Caused'
  multiline.negate: false
  multiline.match: after
- type: log
  paths:
    - /usr/local/tomcat-examinationEvaluation-8083/logs/*.log
  ignore_older: "24h"
  fields_under_root: true
  fields:
    level: exam-8083-52
    review: 1
  multiline.pattern: '^[[:space:]]|^Caused'
  multiline.negate: false
  multiline.match: after
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
setup.kibana:
#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  # hosts: ["192.168.22.95:9200"]
#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.22.75:4560"]
#logging.level: debug
In this configuration, the block
- type: log
  paths:
    - /usr/local/tomcat-basicInfo-8081/logs/*.log
  ignore_older: "24h"
  fields_under_root: true
  fields:
    level: basic-8081-52
    review: 1
  multiline.pattern: '^[[:space:]]|^Caused'
  multiline.negate: false
  multiline.match: after
is repeated once for each log source you want to collect. I need the logs of three Tomcat instances, so I configured three of them.
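To see how the multiline settings in each input group the lines of a Java stack trace, the following Go program applies the page's pattern, with the behaviour of negate: false and match: after, to a constructed Tomcat log. It is an added example, not part of the original post and not Filebeat's own code; the function name mergeMultiline and the sample log lines are made up for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Pattern copied verbatim from multiline.pattern in the configuration above.
var continuation = regexp.MustCompile(`^[[:space:]]|^Caused`)

// mergeMultiline (hypothetical helper) models multiline.negate: false with
// multiline.match: after: a line that matches the pattern is appended to the
// event before it, a line that does not match starts a new event.
func mergeMultiline(lines []string) []string {
	var events []string
	for _, line := range lines {
		if continuation.MatchString(line) && len(events) > 0 {
			events[len(events)-1] += "\n" + line
			continue
		}
		// Non-matching line, or a matching line with nothing before it.
		events = append(events, line)
	}
	return events
}

// Constructed sample of Tomcat output, not taken from a real server.
const sampleLog = `2018-06-01 10:15:02 INFO  Server startup in 5321 ms
2018-06-01 10:15:09 ERROR Request failed
java.lang.IllegalStateException: cannot load record
    at com.example.Dao.find(Dao.java:42)
    at com.example.Service.get(Service.java:17)
Caused by: java.sql.SQLException: connection reset
    at com.example.Pool.borrow(Pool.java:88)
    ... 12 more
2018-06-01 10:15:10 INFO  Retrying`

func main() {
	events := mergeMultiline(strings.Split(sampleLog, "\n"))
	for i, ev := range events {
		fmt.Printf("event %d (%d lines)\n%s\n\n", i+1, strings.Count(ev, "\n")+1, ev)
	}
}
```

The stack frames and the "Caused by" section are folded into one event, but the exception header line (java.lang.IllegalStateException ...) matches neither alternative of the pattern, so it starts its own event instead of joining the timestamped ERROR line above it.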