ELK+Filebeat收集多台机器不同日志
踩坑:在使用了6.0版本的ELK以后,使用如上配置时,if [type]匹配不到在filebeat里面使用document_type定义的字符串。在多次调试和询问后,发现在6.0版本以上已经取消了document_type的定义。如果要实现以上的配置,只能使用如下配置:
Logstash 配置
[root@Kibana ~]# cat /usr/local/logstash/conf.d/beats.conf
# Logstash pipeline: accept events from Filebeat and route each one to a
# per-service daily Elasticsearch index. Routing keys on [fields][service],
# the custom field the Filebeat side attaches to every event.
input {
  # Beats listener. Only the port is set; no ssl* options appear in this block,
  # so shippers connect in cleartext and are not authenticated by certificate.
  # NOTE(review): if 5044 is reachable beyond a trusted segment, enable the
  # input's TLS settings (ssl, ssl_certificate, ssl_key in 6.x) and restrict
  # the port by firewall to the Filebeat hosts.
  beats {
    port => 5044
  }
}

output {
  # The comparison is an exact, case-sensitive string match, so the value set
  # under `fields.service` in filebeat.yml must be spelled identically.
  # An event whose [fields][service] matches none of the branches below is not
  # sent to any output.
  #
  # Every branch uses the same Elasticsearch node. The hosts entry carries no
  # https:// scheme, and no user/password is configured.
  # NOTE(review): confirm the cluster is not exposed without authentication;
  # add user/password and TLS on the output if security is enabled on it.
  if [fields][service] == 'Tomcat' {
    elasticsearch {
      hosts => ["192.168.1.202:9200"]
      index => "tomcat-%{+YYYY.MM.dd}"
    }
  } else if [fields][service] == 'Auth' {
    elasticsearch {
      hosts => ["192.168.1.202:9200"]
      index => "auth-%{+YYYY.MM.dd}"
    }
  } else if [fields][service] == 'App' {
    elasticsearch {
      hosts => ["192.168.1.202:9200"]
      index => "app-%{+YYYY.MM.dd}"
    }
  } else if [fields][service] == 'microservice' {
    elasticsearch {
      hosts => ["192.168.1.202:9200"]
      index => "microservice-%{+YYYY.MM.dd}"
    }
  }
}
Filebeat 配置
[root@mos-node1 filebeat]# cat filebeat.yml
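# Filebeat configuration for one shipper host: tail the service logs, tag each
# event with a custom `fields.service` value, and forward it to Logstash.
# The nesting below is restored; YAML needs it so that paths/exclude_lines/fields
# belong to the prospector and hosts/worker/... belong to output.logstash.
filebeat.prospectors:
  # NOTE(review): Filebeat 6.x documents this key as `type`; confirm that
  # `input_type` is still accepted by the deployed version.
  - input_type: log
    paths:
      - /var/log/uusafe/*/*/server.log
    # Lines starting with "DBG" and empty lines are dropped on the host and are
    # never shipped, so they will not be available in Elasticsearch later.
    exclude_lines: ["^DBG","^$"]
    # Custom field used by the Logstash pipeline for routing. It replaces the
    # removed `document_type` setting; Logstash reads it as [fields][service]
    # and compares it as an exact string, so the spelling must match.
    fields:
      service: microservice

output.logstash:
  # No ssl.* settings are present, so events travel to Logstash unencrypted.
  # NOTE(review): if the Logstash beats input is given TLS, add the matching
  # ssl.certificate_authorities (and client certificate/key if required) here.
  hosts: ["192.168.1.197:5044"]
  enabled: true
  worker: 1
  compression_level: 3
  # Only one host is listed; presumably this matters only once more Logstash
  # hosts are added.
  loadbalance: true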