Filebeat+Logstash+Elasticsearch+Kibana

1、安装 Logstash+Elasticsearch+Kibana

2、修改 Logstash 配置

## java 启动配置
[root@dashangtest config]# cat /opt/logstash/config/jvm.options | grep -v '#\|^$'
# Logstash JVM options (/opt/logstash/config/jvm.options, comments and blank lines filtered out by the grep above).
# Initial and maximum heap are both fixed at 512 MB.
-Xms512m
-Xmx512m
# CMS garbage collector; a collection cycle starts at 75% occupancy and only that threshold is used.
-XX:+UseConcMarkSweepGC
-XX:CMSInitiatingOccupancyFraction=75
-XX:+UseCMSInitiatingOccupancyOnly
-Djava.awt.headless=true
-Dfile.encoding=UTF-8
-Djruby.compile.invokedynamic=true
-Djruby.jit.threshold=0
-Djruby.regexp.interruptible=true
# Writes a heap dump when the JVM runs out of memory. The dump holds whatever was in memory,
# including in-flight log events, and no dump path is set here.
# NOTE(review): make sure the directory the dump lands in is not readable by other users.
-XX:+HeapDumpOnOutOfMemoryError
-Djava.security.egd=file:/dev/urandom
-Dlog4j2.isThreadContextMapInheritable=true
## logstash 配置
[root@dashangtest config]# cat logstash.yml | grep -v '#\|^$'
# Bind address of Logstash's HTTP monitoring API. 0.0.0.0 listens on every
# interface, and nothing on this page puts authentication in front of it.
# NOTE(review): the API reports node and pipeline details; prefer a specific
# internal address (the beats input uses 10.22.86.3) or firewall the API port.
http.host: 0.0.0.0
# Event-ordering mode; with "auto", ordering is preserved only when the
# pipeline runs with a single worker.
pipeline.ordered: auto
## logstash 配置文件修改
[root@dashangtest plm]# cat /opt/plm/plm.conf | grep -v '#\|^$'
# Logstash pipeline /opt/plm/plm.conf: receive events from Filebeat, take the
# event time from the log line itself, and index into Elasticsearch by [type].
input {
	# Beats listener on 10.22.86.3:5044 (the address Filebeat's output.logstash
	# points at). No TLS options are set, so events arrive unencrypted and any
	# host that can reach this port can submit events.
	# NOTE(review): restrict 5044 to the Filebeat hosts, or enable TLS on both ends.
	beats {
		host => "10.22.86.3"
		port => 5044
	}
}

filter {
    # Capture the first ISO8601-style timestamp found in the line as field "log.date".
    grok {
        match => ["message","%{TIMESTAMP_ISO8601:log.date}"]
    }
    # Parse log.date into @timestamp so the event carries the time written in
    # the log line. Only the "yyyy-MM-dd HH:mm:ss,SSS" layout is accepted; other
    # layouts that TIMESTAMP_ISO8601 also matches will fail date parsing.
    date {
        match => ["log.date", "yyyy-MM-dd HH:mm:ss,SSS"]
        target => "@timestamp"
    }
}


# Route on the top-level [type] field (set in filebeat.yml through fields +
# fields_under_root). Each branch writes to a daily index named from the
# event's @timestamp. There is no final else branch, so an event whose [type]
# matches neither value is not sent to any output.
# Neither elasticsearch block sets credentials or TLS options.
# NOTE(review): this assumes a cluster that accepts unauthenticated requests;
# confirm port 9200 is not reachable from untrusted networks, or enable
# Elasticsearch security and add user/password here.
output {
	if [type] == "assets-api"{
	 elasticsearch {
		hosts => ["10.22.86.3:9200"]
		index => "plm-assets-api-log-%{+YYYY.MM.dd}"
	 }
	} 
	else if [type] == "fc-api"{
	 elasticsearch {
		hosts => ["10.22.86.3:9200"]
		index => "plm-fc-api-log-%{+YYYY.MM.dd}"
	 }	
	}	
}

3、启动 logstash（本文的命令都是在 root 下执行的；生产环境建议使用专用的非 root 用户运行 Logstash，并保证 /data/logstash-data 只对该用户可写）

nohup /opt/logstash/bin/logstash -f /opt/plm/plm.conf --path.data=/data/logstash-data >/dev/null 2>&1 &

4、安装 filebeat

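[root@dashangtest ~]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.10.0-linux-x86_64.tar.gz
## 解压前校验下载包的完整性（官方在同一路径下提供 .sha512 文件，校验结果应为 OK）
[root@dashangtest ~]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.10.0-linux-x86_64.tar.gz.sha512
[root@dashangtest ~]# sha512sum -c filebeat-7.10.0-linux-x86_64.tar.gz.sha512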
[root@dashangtest ~]# tar -zxvf filebeat-7.10.0-linux-x86_64.tar.gz -C /data
[root@dashangtest ~]# mv /data/filebeat-7.10.0-linux-x86_64 /data/filebeat-7.10.0
[root@dashangtest ~]# cd /data/filebeat-7.10.0
## 修改 filebeat.yml，内容如下
# filebeat.yml: tail two application log files and ship them to Logstash.
filebeat.inputs:
# Input 1: assets-api application log.
- type: log
  enabled: true
  paths:
    - /data/app/plm/assets-api/logs/info.log
  # Custom field; fields_under_root places it at the top level of the event
  # as "type", which the Logstash output conditionals test.
  fields:
    type: assets-api
  fields_under_root: true
# Input 2: fc-api application log.
- type: log
  # How long Filebeat waits before checking the file again after reaching EOF.
  backoff: "1s"
  enabled: true
  
  paths:
    - /data/app/plm/fc-api/logs/info.log
  fields:
    type: fc-api
  fields_under_root: true 
# Send events to the Logstash beats input. No ssl.* settings are present, so
# log lines travel unencrypted and the Logstash endpoint is not authenticated.
# NOTE(review): if this path crosses an untrusted network, set
# ssl.certificate_authorities here and enable TLS on the beats input.
output.logstash:
  enabled: true
  hosts: ["10.22.86.3:5044"]

5、启动 filebeat

## 进入filebeat目录
[root@dashangtest ~]# cd /data/filebeat-7.10.0

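## 后台启动（注意：-e 会让 Filebeat 只把日志输出到 stderr 并关闭文件日志，而这里又把 stdout/stderr 都重定向到 /dev/null，运行日志会全部丢失；需要保留日志用于排查或审计时，去掉 -e 或改为重定向到日志文件）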
[root@dashangtest ~]# nohup ./filebeat -e -c filebeat.yml >/dev/null 2>&1 &

## 前台启动 可以观看日志  但是关闭窗口进程会关闭
[root@dashangtest ~]# ./filebeat run -e -c filebeat.yml -d "publish"

6、在 kibana 添加索引

