在 web 服务器上操作:
如果 logstash 正在运行,先将其停止
[root@es-web1 ~]# systemctl stop logstash
监控单个日志配置:
上传 deb 包并安装(安装前可用 sha512sum 与官方下载页提供的校验值比对,确认安装包未被篡改)
[root@es-web1 src]# dpkg -i filebeat-7.12.1-amd64.deb
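修改 filebeat 配置文件(下面是去掉注释和空行后的有效配置;排版时缩进丢失,实际文件中 enabled、paths、fields 要缩进在 "- type: log" 之下,hosts、password、key、db、timeout 要缩进在 output.redis 之下)。Redis 密码以明文写在 filebeat.yml 里,该文件应只允许 root 读写;也可以用 filebeat keystore 保存密码,再在配置中以 ${变量名} 引用。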
root@long:~# grep -v "#" /etc/filebeat/filebeat.yml| grep -v "^$"
filebeat.inputs:
- type: log
enabled: True
paths:
- /apps/nginx/logs/*.log
fields:
app: nginx
group: n124
output.redis:
hosts: ["172.31.2.106:6379"]
password: "123456"
key: "filebeat-m44-log"
db: 2
timeout: 5
重启
[root@es-web1 ~]# systemctl restart filebeat
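检查 redis(注意 LPOP 会把取出的那条事件从列表中删除,这条日志不会再被 logstash 读到;只想确认有数据时可改用 LLEN filebeat-m44-log 或 LRANGE filebeat-m44-log 0 0。keys * 会遍历整个库,数据量大时用 SCAN 代替)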
root@long:~# redis-cli -h 172.31.2.106
172.31.2.106:6379> auth 123456
172.31.2.106:6379> select 2
172.31.2.106:6379[2]> keys *
1) "filebeat-m44-log"
172.31.2.106:6379[2]> LPOP filebeat-m44-log
logstash配置文件
root@long:~# vim /etc/logstash/conf.d/filebeat-nginx-log-redis.conf
# Logstash pipeline: read events from a Redis list and index them into Elasticsearch.
# key and db below match the output.redis settings shown in filebeat.yml (key "filebeat-m44-log", db 2).
input {
redis {
data_type => "list"
key => "filebeat-m44-log"
host => "172.31.2.106"
port => "6379"
db => "2"
# NOTE(review): plaintext Redis password in the pipeline file; the Logstash keystore allows "${KEY_NAME}" here instead, and this file should not be world-readable.
password => "123456"
}
}
output {
# NOTE(review): the Filebeat input shown earlier sets fields.app to "nginx", not "nginx-log"; as written this condition would not match those events, and there is no other output in this file - confirm the intended value.
if [fields][app] == "nginx-log" {
elasticsearch {
# NOTE(review): no user/password or TLS options are set for this output; presumably the cluster accepts unauthenticated HTTP - confirm.
hosts => ["172.31.2.101:9200"]
# One index per day; %{+YYYY.MM.dd} is filled in from the event timestamp.
index => "long-filebeat-nginx-errorlog-%{+YYYY.MM.dd}"
}}
}
重启
root@long:~# systemctl restart logstash
加入kibana
收集多个日志的配置:在原有 filebeat.inputs 的基础上再追加一个 input(每个 input 的 fields.app 取值要与 logstash 输出条件中比较的字符串完全一致)
root@long:~# vim /etc/filebeat/filebeat.yml
# Additional log input for the nginx access log.
# NOTE(review): indentation was lost in this listing; in filebeat.yml, enabled/paths/fields nest under "- type: log", and app/group nest under fields.
- type: log
enabled: True
paths:
- /var/log/nginx/access.log
fields:
# This value is what the Logstash output conditional compares against ([fields][app] == "nginx-accesslog").
app: nginx-accesslog
group: n125
#=========== Filebeat modules ======================
重启
root@long:~# systemctl restart filebeat
停止
root@long:~# systemctl stop logstash
访问Nginx,
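检查 redis(这里查看的是 3 号库中的 m44-nginx-log,而前面 filebeat 的 output.redis 写的是 db: 2、key: "filebeat-m44-log";应当是 filebeat.yml 中的 key 和 db 已经相应修改,但文中没有给出这一步。同样,LPOP 会消费掉取出的事件)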
root@long:~# redis-cli -h 172.31.2.106
172.31.2.106:6379> auth 123456
172.31.2.106:6379[2]> select 3
172.31.2.106:6379[3]> keys *
1) "m44-nginx-log"
172.31.2.106:6379[3]> LPOP m44-nginx-log
配置修改
root@long:~# vim /etc/logstash/conf.d/filebeat-nginx-log-redis.conf
# Logstash pipeline: read events from the Redis list "m44-nginx-log" and route them to
# separate Elasticsearch indices according to the fields.app value set by Filebeat.
input {
redis {
data_type => "list"
key => "m44-nginx-log"
host => "172.31.2.106"
port => "6379"
# NOTE(review): the redis-cli check shown for this key uses "select 3"; db "2" here would read a different database - confirm which db Filebeat writes to.
db => "2"
# NOTE(review): plaintext Redis password in the pipeline file; the Logstash keystore allows "${KEY_NAME}" here instead, and this file should not be world-readable.
password => "123456"
}
}
output {
# Events matching neither condition below are not sent anywhere: this file has no fallback output.
# NOTE(review): the first Filebeat input shown earlier sets fields.app to "nginx"; it would need to be "nginx-errorlog" for this branch to match - confirm.
if [fields][app] == "nginx-errorlog" {
elasticsearch {
# NOTE(review): no user/password or TLS options are set for the elasticsearch outputs; presumably the cluster accepts unauthenticated HTTP - confirm.
hosts => ["172.31.2.101:9200"]
index => "filebeat-nginx-errorlog-%{+YYYY.MM.dd}"
}}
# Matches the fields.app value of the access-log input added to filebeat.yml.
if [fields][app] == "nginx-accesslog" {
elasticsearch {
hosts => ["172.31.2.101:9200"]
index => "filebeat-nginx-accesslog-%{+YYYY.MM.dd}"
}}
}
访问 Nginx 以产生访问日志,并向 Nginx 的错误日志文件手动追加测试用的错误信息
访问
[root@es-web1 ~]# curl 172.31.2.107
写入错误信息
[root@es-web1 ~]# echo "error web 1111" >> /apps/nginx/logs/error.log
[root@es-web1 ~]# echo "error web 2222" >> /apps/nginx/logs/error.log
写入kibana
略