
EFK架构采集tomcat日志

部署tomcat

[root@elk91 ~]# mkdir -p /app/tools
[root@elk91 ~]# tar xf apache-tomcat-10.1.48.tar.gz -C /app/tools/
[root@elk91 ~]# ln -s /app/tools/apache-tomcat-10.1.48/ /app/tools/tomcat
[root@elk91 ~]# /app/tools/tomcat/bin/version.sh 
Neither the JAVA_HOME nor the JRE_HOME environment variable is defined
At least one of these environment variable is needed to run this program

# 配置tomcat环境变量
[root@elk91 ~]# cat /etc/profile.d/tomcat.sh 
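#!/bin/bash
# Tomcat environment, dropped into /etc/profile.d so every login shell picks it up.
# It is also sourced by hand on this page, so it must be safe to evaluate more than
# once: PATH entries are only appended when they are not already present.
#
# JAVA_HOME points at the JDK bundled with the Elasticsearch package on this host.
# That ties Tomcat's JVM to the Elasticsearch package lifecycle (an upgrade or removal
# of Elasticsearch replaces or deletes this directory); use a standalone JDK outside
# a lab.
export JAVA_HOME=/usr/share/elasticsearch/jdk
export TOMCAT_HOME=/app/tools/tomcat

# Review note: catalina.sh is started as root on this page. Tomcat should run under a
# dedicated unprivileged user that owns logs/, temp/, work/ and webapps/.
for _dir in "$JAVA_HOME/bin" "$TOMCAT_HOME/bin"; do
  case ":$PATH:" in
    *":$_dir:"*) ;;                     # already on PATH
    *) PATH="$PATH:$_dir" ;;
  esac
done
unset _dir
export PATH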
[root@elk91 ~]# source /etc/profile.d/tomcat.sh 
[root@elk91 ~]# catalina.sh start
Using CATALINA_BASE:   /app/tools/tomcat
Using CATALINA_HOME:   /app/tools/tomcat
Using CATALINA_TMPDIR: /app/tools/tomcat/temp
Using JRE_HOME:        /usr/share/elasticsearch/jdk
Using CLASSPATH:       /app/tools/tomcat/bin/bootstrap.jar:/app/tools/tomcat/bin/tomcat-juli.jar
Using CATALINA_OPTS:   
Server version: Apache Tomcat/10.1.48
Server built:   Oct 10 2025 14:33:56 UTC
Server number:  10.1.48.0
OS Name:        Linux
OS Version:     3.10.0-1160.71.1.el7.x86_64
Architecture:   amd64
JVM Version:    22.0.2+9-70
JVM Vendor:     Oracle Corporation

 

[root@elk91 ~]# ss -lntup |grep java
tcp LISTEN 0 100 [::]:8080 [::]:* users:(("java",pid=2486,fd=44))

 

自定义tomcat日志格式

# 自定义日志格式(添加如下内容)
[root@elk91 ~]# vim /app/tools/tomcat/conf/server.xml 
(大概在143 左右)
     <!-- Virtual host selected by the request Host header (see the curl test below).
          autoDeploy="true" and unpackWARs="true" are convenient in a lab; Tomcat's own
          security guidance recommends autoDeploy="false" on production hosts so that a
          file dropped into webapps/ is not deployed automatically. -->
     <Host name="tomcat.yuan.com"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <!-- Access log written as one hand-assembled JSON object per request so that
             Filebeat can decode it (json.keys_under_root in the Filebeat config below).
             File name is prefix + date + suffix, e.g. tomcat.yuan.com_access_log.2025-10-15.json.
             Review note: %r, %{Referer}i and %{User-Agent}i are client-controlled and
             AccessLogValve does not JSON-escape them. A double quote or backslash in a
             request line or header produces an invalid JSON line, and a crafted value
             can inject extra keys into the resulting event. Tomcat 10.1 also ships
             org.apache.catalina.valves.JsonAccessLogValve, which emits escaped JSON from
             the same pattern codes; prefer it when the log is machine-parsed. -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
            prefix="tomcat.yuan.com_access_log" suffix=".json"
pattern="{&quot;clientip&quot;:&quot;%h&quot;,&quot;ClientUser&quot;:&quot;%l&quot;,&quot;authenticated&quot;:&quot;%u&quot;,&quot;AccessTime&quot;:&quot;%t&quot;,&quot;request&quot;:&quot;%r&quot;,&quot;status&quot;:&quot;%s&quot;,&quot;SendBytes&quot;:&quot;%b&quot;,&quot;Query?string&quot;:&quot;%q&quot;,&quot;partner&quot;:&quot;%{Referer}i&quot;,&quot;http_user_agent&quot;:&quot;%{User-Agent}i&quot;}"/>
      </Host>

# 重启tomcat服务
[root@elk91 ~]# catalina.sh stop
[root@elk91 ~]# catalina.sh start

# 使用curl命令测试
[root@elk93 ~]# curl -H 'HOST: tomcat.yuan.com' 10.0.0.91:8080

# 查看日志
[root@elk91 ~]# tail -f /app/tools/tomcat/logs/tomcat.yuan.com_access_log.2025-10-15.json

filebeat采集tomcat日志

[root@elk91 ~]# cat /etc/filebeat/myconfig/tomcat-json-logs.yaml 
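filebeat.inputs:
# The log input is the older input type; the filestream input used later on this page
# is its successor.
- type: log
  paths:
    # The AccessLogValve rotates by date (prefix.yyyy-MM-dd.json), so a single dated
    # file name stops matching at midnight; glob the prefix instead.
    - /app/tools/tomcat/logs/tomcat.yuan.com_access_log.*.json
  # Each line is a JSON object produced by the access-log pattern; lift its keys to the
  # top level of the event.
  json.keys_under_root: true
  # The request line, Referer and User-Agent inside that JSON are client-controlled and
  # the valve does not escape them, so malformed lines will occur. Record the decode
  # error on the event instead of passing the raw line through silently.
  json.add_error_key: true
output.elasticsearch:
  # Plain HTTP with no credentials or TLS: acceptable only on an isolated lab network.
  hosts:
  - "http://10.0.0.91:9200"
  - "http://10.0.0.92:9200"
  - "http://10.0.0.93:9200"
  index: "yuanxiaojiang-tomcatjson-log-%{+yyyy.MM.dd}"

# ILM is off, so the template below is what governs the daily indices.
setup.ilm.enabled: false
setup.template.name: "yuanxiaojiang-tomcatjson"
setup.template.pattern: "yuanxiaojiang-tomcatjson-log-*"
setup.template.overwrite: false
setup.template.settings:
  index.number_of_shards: 3
  # No replicas: losing one node turns the index red. Lab setting only.
  index.number_of_replicas: 0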

[root@elk91 ~]# filebeat -e -c /etc/filebeat/myconfig/tomcat-json-logs.yaml

 

filebeat多行匹配采集tomcat启动日志

 


 参考链接: https://www.elastic.co/guide/en/beats/filebeat/7.17/multiline-examples.html


 

[root@elk91 ~]# cat /etc/filebeat/myconfig/multiline-tomcat-error.yaml
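filebeat.inputs:
- type: log
  paths:
    - /app/tools/tomcat/logs/catalina.out
  # Multiline mode: 'pattern' (regex, used here) or 'count' (fixed number of lines).
  # Keys are indented uniformly under multiline; the original mixed 4- and 6-space
  # indents, which is legal YAML but easy to misread.
  multiline:
    type: pattern
    # Lines that do NOT begin with two digits are appended to the preceding event.
    # Presumably this keys on the two-digit day of Tomcat's default JULI timestamp;
    # confirm against the file. Note that any application output written without a
    # timestamp prefix is merged into the previous event as well.
    pattern: '^\d{2}'
    negate: true
    match: after
output.elasticsearch:
  # Plain HTTP with no credentials or TLS: acceptable only on an isolated lab network.
  hosts:
  - "http://10.0.0.91:9200"
  - "http://10.0.0.92:9200"
  - "http://10.0.0.93:9200"
  index: "yuanxiaojiang-multiline-errorlog"
setup.ilm.enabled: false
setup.template.name: "yuanxiaojiang-multiline"
setup.template.pattern: "yuanxiaojiang-multiline-*"
setup.template.overwrite: false
setup.template.settings:
  index.number_of_shards: 3
  index.number_of_replicas: 0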


[root@elk91 ~]# filebeat -e -c /etc/filebeat/myconfig/multiline-tomcat-error.yaml 

 

filebeat配置多个input写入到不同的ES索引

[root@elk91 ~]# cat /etc/filebeat/myconfig/input_multiple.yaml 
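filebeat.inputs:
- type: log
  paths:
    - /tmp/yuan01.log
  # tags is a list; the output below routes on it.
  tags: ["yuan01"]
  # Count mode joins a fixed number of physical lines into one event. This only works
  # when every record is exactly that long; the sample file shown below has a 4-line
  # record followed by a 5-line one, so the second record is split across events.
  multiline:
    type: count
    # Was 'count_lines:4'. Without the space YAML does not read this as a key, so the
    # setting is lost (or the file fails to load).
    count_lines: 4
- type: tcp
  # Review note: listening on all interfaces with no authentication or TLS, so any host
  # that can reach 10.0.0.91:9000 can inject arbitrary events into multipleyuan-02-log.
  # Bind to a trusted interface and/or firewall the port, and enable the input's ssl
  # settings for anything beyond a lab.
  host: "0.0.0.0:9000"
  tags: ["yuan02"]

output.elasticsearch:
  # Plain HTTP with no credentials or TLS: acceptable only on an isolated lab network.
  hosts:
  - "http://10.0.0.91:9200"
  - "http://10.0.0.92:9200"
  - "http://10.0.0.93:9200"
  # Pick the target index from the event's tags.
  indices:
  - index: "multipleyuan-01-log"
    when.contains:
      tags: "yuan01"
  - index: "multipleyuan-02-log"
    when.contains:
      tags: "yuan02"

setup.ilm.enabled: false
setup.template.name: "multipleyuan"
setup.template.pattern: "multipleyuan-*"
setup.template.overwrite: false
setup.template.settings:
  index.number_of_shards: 3
  index.number_of_replicas: 0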


[root@elk91 ~]# filebeat -e -c /etc/filebeat/myconfig/input_multiple.yaml
[root@elk91 ~]# cat /tmp/yuan01.log 
{
  "name":"yuan",
  "hobby":["打球","游戏"]
}
{
  "name":"xiao",
  "hobby":["抽烟","喝酒","烫头"]

}

[root@elk92 ~]# echo "https://yuan.com" | nc 10.0.0.91 9000

 

 

filebeat多实例

# 还没启动任何filebeat前
[root@elk91 ~]# ll /var/lib/filebeat/
-rw------- 1 root root 100 Oct 14 15:41 meta.json
drwxr-x--- 3 root root  22 Oct 14 15:41 registry

# 同一个节点启动第一个filebeat
[root@elk91 ~]# filebeat -e -c /etc/filebeat/myconfig/input_multiple.yaml 
[root@elk91 ~]# ll /var/lib/filebeat/
-rw------- 1 root root   0 Oct 15 11:34 filebeat.lock
-rw------- 1 root root 100 Oct 14 15:41 meta.json
drwxr-x--- 3 root root  22 Oct 14 15:41 registry

# 同一个节点启动第二个filebeat
[root@elk91 ~]# filebeat -e -c /etc/filebeat/myconfig/multiline-tomcat-error.yaml --path.data /tmp/haha
[root@elk91 ~]# ll /tmp/haha/
total 4
-rw------- 1 root root   0 Oct 15 11:36 filebeat.lock
-rw------- 1 root root 100 Oct 15 11:36 meta.json
drwxr-x--- 3 root root  22 Oct 15 11:36 registry

[root@elk91 ~]# ps -ef | grep filebeat
root       5948   1871  2 11:34 pts/0    00:00:03 /usr/share/filebeat/bin/filebeat --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat -e -c /etc/filebeat/myconfig/input_multiple.yaml
root       5971   4428  7 11:35 pts/1    00:00:02 /usr/share/filebeat/bin/filebeat --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat -e -c /etc/filebeat/myconfig/multiline-tomcat-error.yaml --path.data /tmp/haha

温馨提示:
1.同一节点上的多个filebeat实例必须各自使用不同的数据目录(--path.data):数据目录里的 filebeat.lock 和 registry 都是按实例使用的,共用一个目录会互相干扰;
2.如果工作中真的需要多实例,建议把数据目录固定在一个事先规定好的位置,不要经常变更,否则registry丢失会导致日志被重复采集;
3.用rpm/dpkg包安装的filebeat,启动脚本会自动带上 --path.home/--path.config/--path.data/--path.logs 参数(见上面的ps输出);命令行上再指定同名参数时,后出现的值生效,所以 --path.data /tmp/haha 覆盖了默认的 /var/lib/filebeat。

  filestream

filestream解析json格式日志

[root@elk91 ~]# cat /etc/filebeat/myconfig/filestream-nginx-json.yaml 
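filebeat.inputs:
- type: filestream
  paths:
    - /var/log/nginx/access.log-20251015
  # Parsers run in order on each line. A parser's options must be nested UNDER its
  # name; written at the same indent as "ndjson:" (as in the original) YAML reads them
  # as sibling keys of ndjson, not as its options, and whether Filebeat tolerates that
  # layout depends on the version.
  parsers:
    - ndjson:
        # Where decoded keys go. "" = top level of the event (same effect as
        # json.keys_under_root: true on the log input).
        target: ""
        # Author's note, not verified here: the field to decode; when omitted the
        # message field is decoded and then removed.
        message_key: message
        # The request line, Referer and User-Agent are client-supplied; keep JSON
        # decode failures visible on the event instead of silent.
        add_error_key: true
output.elasticsearch:
  # Plain HTTP with no credentials or TLS: acceptable only on an isolated lab network.
  hosts:
  - "http://10.0.0.91:9200"
  - "http://10.0.0.92:9200"
  - "http://10.0.0.93:9200"
  index: "yuanxiaojiang-filestream-json"

setup.ilm.enabled: false
setup.template.name: "yuanxiaojiang-filestream"
setup.template.pattern: "yuanxiaojiang-filestream-*"
setup.template.overwrite: false
setup.template.settings:
  index.number_of_shards: 3
  index.number_of_replicas: 0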

# 如果启动过一次filebeat后修改了配置文件,想让filebeat重新从头采集,需要先清空registry(它记录了每个文件的采集offset)。
# 注意:删除registry会让所有匹配到的文件从offset 0重新读取,已经写入ES的日志会被重复写入,只在实验环境或先删除目标索引后再这么做
[root@elk91 ~]# rm -rf /var/lib/filebeat/registry/filebeat  # 或者手工修改registry里的offset(不推荐)
[root@elk91 ~]# filebeat -e -c /etc/filebeat/myconfig/filestream-nginx-json.yaml

 

 

 

filestream实现多行匹配

# filestream counterpart of the log-input multiline config above: lines that do not
# open with two digits are folded into the event of the timestamped line before them.
filebeat.inputs:
  - type: filestream
    paths: ["/app/tools/tomcat/logs/catalina.out"]
    parsers:
      - multiline:
          type: pattern
          # negate + after: a non-matching line is appended to the previous event
          pattern: '^\d{2}'
          negate: true
          match: after

# Template handling: ILM is off, the template below covers matching indices.
setup.ilm.enabled: false
setup.template:
  name: "yuanxiaojiang-filestream"
  pattern: "yuanxiaojiang-filestream-*"
  overwrite: false
  settings:
    index.number_of_shards: 3
    index.number_of_replicas: 0

# Plain-HTTP, unauthenticated Elasticsearch output (lab only).
output.elasticsearch:
  hosts: ["http://10.0.0.91:9200", "http://10.0.0.92:9200", "http://10.0.0.93:9200"]
  index: "yuanxiaojiang-filestream-multiple"

[root@elk91 ~]# filebeat -e -c /etc/filebeat/myconfig/filestream-multiple-tomcat-error.yaml 

 

 

 

面试题

面试题01:EFK架构数据流走向
  1.1 EFK的含义:Elasticsearch(存储与检索)、Filebeat(采集)、Kibana(展示);
  1.2 filebeat采集源数据(本文中为tomcat/nginx日志)并写入到ES集群;
  1.3 Kibana从ES集群查询数据并出图展示;

面试题02:kibana分析了哪些指标
  2.1 IP:对客户端的IP字段进行去重,统计IP的数量
  2.2 PV(页面浏览量):将nginx的访问日志的信息条数做计数统计
  2.3 UV(独立访客)
    HTTP是无状态协议,通常由服务端存储session、客户端存储cookie来识别访客;统计session的总数即可得到UV/日活量
  2.4 带宽:对nginx访问日志中每条记录的响应字节数求和
  2.5 用户分布图:分析nginx的访问日志,通过公网IP地址判断用户所属的城市,国家,经纬度等

 

仪表盘-dashboard

ansible一键部署EFK架构,并使用kibana分析tomcat,nginx

Loki+Grafana(扩展)

参考文档:https://cloud.tencent.com/developer/article/2516108

 

 

 

filebeat模块

Filebeat模块是预配置的日志收集解决方案,为常见服务(如Nginx、MySQL等)提供开箱即用的采集、解析和可视化配置

# 还原nginx的访问日志格式
[root@elk91 ~]# vim /etc/nginx/nginx.conf
    access_log  /var/log/nginx/access.log  main;
    #access_log /var/log/nginx/access.log nginx_return_json;

# 清空nginx访问日志记录并启动
[root@elk91 ~]# : > /var/log/nginx/access.log    # 截断为空文件;echo "" 会写入一个空行
[root@elk91 ~]# nginx -t
[root@elk91 ~]# systemctl start nginx

# 启用、禁用、查看模块
[root@elk91 ~]# ll /etc/filebeat/modules.d/ |egrep "tomcat|nginx"
-rw-r--r-- 1 root root   784 Feb 14  2025 nginx.yml.disabled
-rw-r--r-- 1 root root   623 Feb 14  2025 tomcat.yml.disabled
[root@elk91 ~]# filebeat modules enable nginx tomcat
Enabled nginx
Enabled tomcat
[root@elk91 ~]# ll /etc/filebeat/modules.d/ |egrep "tomcat|nginx"
-rw-r--r-- 1 root root   784 Feb 14  2025 nginx.yml
-rw-r--r-- 1 root root   623 Feb 14  2025 tomcat.yml
[root@elk91 ~]# filebeat modules list  # 查看已启用和未启用的模块列表
Enabled:
nginx
tomcat

Disabled:
activemq
[root@elk91 ~]# filebeat modules disable nginx tomcat
Disabled nginx
Disabled tomcat

所谓的启用模块,本质上是将"/etc/filebeat/modules.d/"目录下的"*.yml.disabled"文件更名为"*.yml"

 

使用模块采集nginx日志

# 启用nginx模块并修改配置文件
[root@elk91 ~]# filebeat modules enable nginx
[root@elk91 ~]# egrep -v '^[ ]+#|^#|^$' /etc/filebeat/modules.d/nginx.yml
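- module: nginx
  access:
    enabled: true
    # The module's ingest pipeline expects nginx's default text log format (restored in
    # nginx.conf above). "access.log*" would also sweep in rotated files such as
    # access.log-20251015, which this page earlier collected as JSON; lines in that
    # format are likely to fail the module's pipeline. Match only the live log.
    var.paths: ["/var/log/nginx/access.log"]
  error:
    enabled: true
    var.paths: ["/var/log/nginx/error.log"]
  ingress_controller:
    enabled: false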

 

编写filebeat配置文件

[root@elk91 ~]# egrep -v '^#|^$' /etc/filebeat/filebeat.yml 
# Stanza from /etc/filebeat/filebeat.yml, shown for reference only; the page runs the
# separate myconfig/modules_nginx.yaml below, which turns reloading on.
filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml
  # Set to true to enable config reloading
  reload.enabled: false
  # Period on which files under path should be checked for changes
  #reload.period: 10s

[root@elk91 ~]# cat /etc/filebeat/myconfig/modules_nginx.yaml 
filebeat.config.modules:
  # "${path.config}" resolves to /etc/filebeat on this host (see the --path.config
  # argument in the ps output above), so this loads /etc/filebeat/modules.d/*.yml.
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true  # hot reload: module files are re-read without a restart
  # how often the files matched by path are checked for changes
  reload.period: 10s
output.elasticsearch:
  # Plain HTTP with no credentials or TLS: acceptable only on an isolated lab network.
  hosts:
  - "http://10.0.0.91:9200"
  - "http://10.0.0.92:9200"
  - "http://10.0.0.93:9200"
  index: "modules-nginx"
setup.ilm.enabled: false
# Review note: the troubleshooting list at the end of this page reports
# source.geo.location not being mapped as geo_point for this index. Check that the
# "modules" template actually carries that mapping before building the map;
# setup.template.overwrite: false leaves a pre-existing template untouched.
setup.template.name: "modules"
setup.template.pattern: "modules-*"
setup.template.overwrite: false
setup.template.settings:
  index.number_of_shards: 3
  index.number_of_replicas: 0

 


 


 

kibana不出数据的几种情况:
    1.没有清理filebeat的数据目录:文件的采集offset记录在registry里,已经采集过的内容重启后不会再重复采集;
        --path.data /var/lib/filebeat/ (默认数据目录)
    2.索引模式冲突;
    3.未添加映射:索引模板里没有把 "source.geo.location" 映射为 "geo_point",地图类可视化无法使用该字段;
    4.discover 中看不到数据:先在 discover 里确认文档中是否真的存在 source.geo.location 字段;
    5.map 可视化中字段选错。
    6.时间范围选错,导致数据少。    
    7.通配符匹配到的文件过多(例如 access.log* 也会把轮转后的旧日志采集进来),导致数据量或格式与预期不符。
    8.配置错误
yaml格式写错。
        解决方案:先用 filebeat test config 校验配置文件语法,通过后再启动:
[root@elk91 ~]# filebeat test config -c /etc/filebeat/myconfig/modules_nginx.yaml
Config OK

 

