Filebeat实例03-使用模块采集tomcat日志

ES集群地址

10.0.0.91:9200
10.0.0.92:9200
10.0.0.93:9200

启用模块

root@elk92:~# filebeat modules enable tomcat

修改模块配置文件

#启用
root@elk93:~# filebeat modules enable tomcat

#修改
root@elk93:~# vim /etc/filebeat/modules.d/tomcat.yml
- module: tomcat
  log:
    enabled: true
    var.input: file
    var.paths:
      - /usr/local/apache-tomcat-11.0.5/logs/*.json
    var.tz_offset: +08:00

更改Tomcat的日志格式

我是采用的二进制部署Tomcat的
更改配置文件,添加/修改host
root@elk93:~# vim /usr/local/apache-tomcat-11.0.5/conf/server.xml 
          <Host name="tomcat.dezyan.com"  appBase="webapps"
                unpackWARs="true" autoDeploy="true">

		<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
            prefix="tomcat.oldboyedu.com_access_log" suffix=".json"
pattern="{&quot;clientip&quot;:&quot;%h&quot;,&quot;ClientUser&quot;:&quot;%l&quot;,&quot;authenticated&quot;:&quot;%u&quot;,&quot;AccessTime&quot;:&quot;%t&quot;,&quot;request&quot;:&quot;%r&quot;,&quot;status&quot;:&quot;%s&quot;,&quot;SendBytes&quot;:&quot;%b&quot;,&quot;Query?string&quot;:&quot;%q&quot;,&quot;partner&quot;:&quot;%{Referer}i&quot;,&quot;http_user_agent&quot;:&quot;%{User-Agent}i&quot;}"/>

          </Host>

Filebeat实例

root@elk92:~# vim /etc/filebeat/config/03-modules-tomcat-to-es.yaml
filebeat.config.modules:
  path: ${path.config}/modules.d/tomcat.yml
  reload.enabled: true

output.elasticsearch:
  hosts:
  - 10.0.0.91:9200
  - 10.0.0.92:9200
  - 10.0.0.93:9200
  index: dezyan-modules-tomcat-%{+yyyy.MM.dd}

setup.ilm.enabled: false
setup.template.name: "dezyan"
setup.template.pattern: "dezyan-*"
setup.template.overwrite: true
setup.template.settings:
  index.number_of_shards: 5
  index.number_of_replicas: 0
  
root@elk92:~# filebeat -e -c /etc/filebeat/config/03-modules-tomcat-to-es.yaml