filebeat安装与配置

1.  修改filebeat.yml

#=========================== Filebeat prospectors =============================

# Two prospectors, one per log type. Each collects the same log file from the
# four Tomcat instances and labels its events through the custom field
# fields.tag, which downstream routing can match as [fields][tag].
filebeat:
  prospectors:
    # Combined application log.
    - paths:
        - '/usr/local/tomcat-adapter/logs/apilog/common-all.log'
        - '/usr/local/tomcat-backend/logs/apilog/common-all.log'
        - '/usr/local/tomcat-finance/logs/apilog/common-all.log'
        - '/usr/local/tomcat-stock/logs/apilog/common-all.log'
      fields:
        # NOTE(review): input_type sits under "fields", so it is shipped as the
        # custom field fields.input_type and is not read as the prospector's
        # input_type option. Confirm that this placement is intended.
        input_type: 'log'
        tag: 'common-all'

    # Error log.
    - paths:
        - '/usr/local/tomcat-adapter/logs/apilog/common-error.log'
        - '/usr/local/tomcat-backend/logs/apilog/common-error.log'
        - '/usr/local/tomcat-finance/logs/apilog/common-error.log'
        - '/usr/local/tomcat-stock/logs/apilog/common-error.log'
      fields:
        tag: 'common-error'

#================================ General =====================================

#name: 

#tags: ["tomcat-adapter","tomcat-backend","tomcat-finance","tomcat-stock"]

#fields:
#  env: staging

#================================ Outputs =====================================


#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts:
    - '192.168.1.100:5046'

  # All ssl.* settings below are commented out, so events travel to Logstash
  # unencrypted and neither side authenticates the other. Application logs
  # often carry sensitive data; enabling these settings also requires the
  # matching ssl options on the Logstash beats input.
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  #ssl.certificate: "/etc/pki/client/cert.pem"

  #ssl.key: "/etc/pki/client/cert.key"

#================================ Logging =====================================

#logging.level: debug

# "publish", "service".
#logging.selectors: ["*"]

2.  修改logstash配置文件

# Accept events from Filebeat on TCP port 5046 (the port used in filebeat.yml).
# No ssl options are set on this input, so the listener takes plaintext
# connections from any host that can reach the port; restrict access with a
# firewall or enable TLS on both ends.
input {
  beats { port => 5046 }
}



filter {
  # Join continuation lines (for example stack traces) onto the preceding
  # event: any line that does NOT start with a "yyyy-M-d H:m:s" timestamp is
  # appended to the previous one.
  # NOTE(review): depending on the Logstash version, the multiline filter may
  # need to be installed separately, and when several Beats connections are
  # interleaved it can merge lines from different sources. Joining lines in
  # Filebeat before shipping avoids that; confirm which applies here.
  multiline {
    pattern => "^\d{4}-\d{1,2}-\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}"
    negate => true
    what => "previous"
  }

  # Split the line into whitespace-separated fields:
  # date, time, level, classfile, other, info.
  # Every capture is NOTSPACE, so "info" holds only the first token of the
  # remaining text; the rest of the line stays available in "message".
  grok {
    #patterns_dir => "/usr/share/logstash/patterns"
    match => {
      #"message", "%{TIMESTAMP_ISO8601:logdate}\s*%{NOTSPACE:level}\s*%{NOTSPACE:classfile}\s*%{NOTSPACE:other}\s*%{DATA:info}$"
      "message" => "%{NOTSPACE:date}\s*%{NOTSPACE:time}\s*%{NOTSPACE:level}\s*%{NOTSPACE:classfile}\s*%{NOTSPACE:other}\s*%{NOTSPACE:info}\s*"
    }
  }

  # Disabled: take @timestamp from the parsed log time. While this stays
  # commented out, @timestamp is not derived from the log line.
  #date {
  #  match => ["logdate", "yyyy-MM-dd HH:mm:ss,SSS"]
  #}

  #mutate {
  #  remove_field => ["logdate"]
  #}
}





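output {
  # Earlier single-index variant, kept for reference.
  #elasticsearch {
  #  hosts => "127.0.0.1:9200"
  #  manage_template => false
  #  index => "mly-tomcat%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  #  document_type => "%{[@metadata][type]}"
  #}

  # Route each event to a daily index chosen by the tag that Filebeat attached
  # in fields.tag. Events carrying neither tag are not written anywhere.
  #
  # The date pattern must use MM (month of year). Lowercase mm is
  # minute-of-hour, which would name the index after the minute of the event
  # and scatter one day's logs across many wrongly named indices.
  if [fields][tag] == "common-all" {
    elasticsearch {
      hosts => "127.0.0.1:9200"
      index => "common-all-%{+YYYY.MM.dd}"
    }
  } else if [fields][tag] == "common-error" {
    elasticsearch {
      hosts => "127.0.0.1:9200"
      index => "common-error-%{+YYYY.MM.dd}"
    }
  }
}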

3.  重新加载logstash

    # Start Logstash in the background with the pipeline file above and a
    # separate data directory. "./logstash" is a relative path, so run this
    # from the directory that contains the logstash launcher.
    # NOTE(review): sudo runs the whole pipeline as root. The listener shown
    # above uses port 5046, which needs no root privileges, so a dedicated
    # unprivileged account is probably sufficient; confirm before keeping sudo.
    sudo ./logstash -f /etc/logstash/conf.d/mly-tomcat.conf --path.data=/usr/share/logstash/data3/ &

4.  filebeat的安装。

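    # Import Elastic's package-signing key so rpm can verify the download.
    /bin/rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

    /usr/bin/wget -P /tmp https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.6.9-x86_64.rpm

    # Verify signature and digests first and install only if the check passes.
    # /tmp is shared and world-writable, so this also guards against a stale
    # or replaced file of the same name being installed.
    /bin/rpm --checksig /tmp/filebeat-5.6.9-x86_64.rpm && /bin/rpm -ivh /tmp/filebeat-5.6.9-x86_64.rpm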

5.  filebeat开机启动

    cd /lib/systemd/system,创建一个文件filebeat.service  

# systemd unit that starts Filebeat at boot and restarts it whenever it exits.
[Unit]
Description=filebeat
Documentation=https://www.elastic.co/guide/en/beats/filebeat/current/index.html
# Start only after the network is reported online, since events are shipped
# to a remote Logstash host.
After=network-online.target
Wants=network-online.target

[Service]
# No User= or Group= is set, so the service runs as root.
# NOTE(review): Filebeat only needs read access to the Tomcat log files and
# write access to its own data and log directories; a dedicated account with
# those permissions would narrow what a compromised shipper can reach.
ExecStart=/usr/share/filebeat/bin/filebeat \
    -c /etc/filebeat/filebeat.yml \
    -path.home /usr/share/filebeat \
    -path.config /etc/filebeat \
    -path.data /var/lib/filebeat \
    -path.logs /var/log/filebeat
Restart=always

[Install]
WantedBy=multi-user.target

  

 

    
