filebeat配置
#表示的是会把 service作为fields的二级字段
filebeat.inputs: - type: log enabled: true paths: - /var/log/aa.log fields: service: aa - type: log enabled: true paths: - /var/log/messages* fields: service: message
fields_under_root:如果该选项设置为true,则新增fields成为顶级目录,而不是将其放在fields目录下。自定义的field会覆盖filebeat默认的field。例如添加如下配置:
#表示的是会把 service作为fields顶级字段
fields: service: message fields_under_root: true
logstash配置
#表示的是会把 service作为fields的二级字段logstash配置
output { stdout { codec => json } elasticsearch { hosts => ["https://node01:9200","https://node02:9200","https://node03:9200"] ssl => true cacert => "/home/logstash/logstash-7.5.1/config/certs/ca.crt" index => "logstash-%{[fields][service]}-%{+YYYY.MM.dd}" user => "logstash_writer" password => "logstash" } }
#表示的是会把 service作为fields的顶级字段logstash配置
output {
stdout {
codec => json
}
elasticsearch {
hosts => ["https://node01:9200","https://node02:9200","https://node03:9200"]
ssl => true
cacert => "/home/logstash/logstash-7.5.1/config/certs/ca.crt"
index => "logstash-%{
也可以这样写
if [fields][service] == 'aa' { elasticsearch {
hosts => ["https://node01:9200","https://node02:9200","https://node03:9200"]
index => "logstash-aa-%{+YYYY.MM.dd}"
user => "logstash_writer"
password => "logstash"
}
}
if [fields][service] == "messages" {
elasticsearch {
hosts => ["https://node01:9200","https://node02:9200","https://node03:9200"]
index => "logstash-messages-%{+YYYY.MM.dd}"
user => "logstash_writer"
password => "logstash"
}
}