1.1、怎么修改filebeat默認(rèn)索引格式
索引格式為:服務(wù)名稱-域名-日志格式-時(shí)間(按月)
1)vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/nginx/access.log
json.keys_under_root: true
json.overwrite_keys: true
output.elasticsearch:
hosts: ["10.0.0.51:9200"]
index: "nginx-www-access-%{[beat.version]}-%{+yyyy.MM}"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true
2)systemctl restart filebeat.service
image
image
1.2裤翩、nginx修改多域名多日志
1)vim /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format json '{ "time_local": "$time_local", ' ##添加此項(xiàng)资盅,以json格式進(jìn)行刷寫日志
'"remote_addr": "$remote_addr", '
'"referer": "$http_referer", '
'"request": "$request", '
'"status": $status, '
'"bytes": $body_bytes_sent, '
'"agent": "$http_user_agent", '
'"x_forwarded": "$http_x_forwarded_for", '
'"up_addr": "$upstream_addr",'
'"up_host": "$upstream_http_host",'
'"upstream_time": "$upstream_response_time",'
'"request_time": "$request_time"'
' }';
access_log /var/log/nginx/access.log json;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
}
2) [root@db01 /etc/nginx/conf.d]# cat bbs.conf #配置子網(wǎng)頁(yè)
server {
listen 80;
server_name www.oldboy.com;
location / {
root /html/www;
index index.html;
}
access_log /var/log/nginx/www_access.log json;
}
3)[root@db01 /etc/nginx/conf.d]# cat bbs.conf
server {
listen 80;
server_name bbs.oldboy.com;
location / {
root /html/bbs;
index index.html;
}
access_log /var/log/nginx/bbs_access.log json;
}
4)[root@db01 /etc/nginx/conf.d]# cat blog.conf
server {
listen 80;
server_name blog.oldboy.com;
location / {
root /html/blog;
index index.html;
}
access_log /var/log/nginx/blog_access.log json;
}
5)mkdir /html/{www,blog,bbs} -p
echo "db01 www" > /html/www/index.html
echo "db01 bbs" > /html/bbs/index.html ##創(chuàng)建一個(gè)區(qū)別顯示的首頁(yè)文件
echo "db01 blog" > /html/blog/index.html
chown -R nginx:nginx /html/
nginx -t
systemctl restart nginx
6)filebeat配置文件
vim /etc/filebeak/filebeak.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/nginx/bbs_access.log
json.keys_under_root: true ##支持json格式的兩個(gè)參數(shù)
json.overwrite_keys: true ##json重寫索引
tags: ["bbs"] ##關(guān)鍵字
- type: log
enabled: true
paths:
- /var/log/nginx/blog_access.log
json.keys_under_root: true
json.overwrite_keys: true
tags: ["blog"]
- type: log
enabled: true
paths:
- /var/log/nginx/www_access.log
json.keys_under_root: true
json.overwrite_keys: true
tags: ["www"]
- type: log
enabled: true
paths:
- /var/log/nginx/error.log
tags: ["error"]
output.elasticsearch:
hosts: ["10.0.0.51:9200"]
indices:
- index: "nginx_www_access-%{[beat.version]}-%{+yyyy.MM}"
when.contains: ###索引名稱的重構(gòu)
tags: "www" ###當(dāng)匹配到www的時(shí)候索引名字為上
- index: "nginx_bbs_access-%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "bbs"
- index: "nginx_blog_access-%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "blog"
- index: "nginx_error-%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "error"
setup.template.name: "nginx" ###重寫規(guī)則
setup.template.pattern: "nginx_*" ##
setup.template.enabled: false ###關(guān)閉默認(rèn)格式
setup.template.overwrite: true ###啟用上面的規(guī)則
systemctl restart filebeat.service
image
image
1.3、收集tomcat日志
1.安裝tomcat
yum install tomcat tomcat-webapps tomcat-admin-webapps tomcat-docs-webapp tomcat-javadoc -y
2.修改tomcat配置文件為json格式
vim /etc/tomcat/server.xml
第139行替換為:
pattern="{"clientip":"%h","ClientUser":"%l","authenticated":"%u","AccessTime":"%t","method":"%r","status":"%s","SendBytes":"%b","Query?string":"%q","partner":"%{Referer}i","AgentVersion":"%{User-Agent}i"}"/>
3.重啟tomcat
systemctl restart tomcat
4.修改filebeat配置文件
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/nginx/bbs_access.log
json.keys_under_root: true
json.overwrite_keys: true
tags: ["bbs"]
- type: log
enabled: true
paths:
- /var/log/nginx/blog_access.log
json.keys_under_root: true
json.overwrite_keys: true
tags: ["blog"]
- type: log
enabled: true
paths:
- /var/log/nginx/www_access.log
json.keys_under_root: true
json.overwrite_keys: true
tags: ["www"]
- type: log
enabled: true
paths:
- /var/log/tomcat/localhost_access_log.*.txt
json.keys_under_root: true
json.overwrite_keys: true
tags: ["tomcat"]
- type: log
enabled: true
paths:
- /var/log/nginx/error.log
tags: ["error"]
output.elasticsearch:
hosts: ["10.0.0.51:9200"]
indices:
- index: "nginx_www_access-%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "www"
- index: "nginx_bbs_access-%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "bbs"
- index: "nginx_blog_access-%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "blog"
- index: "nginx_error-%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "error"
- index: "tomcat_access-%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "tomcat"
setup.template.name: "nginx"
setup.template.pattern: "nginx_*"
setup.template.enabled: false
setup.template.overwrite: true
systemctl restart filebeat.service
image
image
1.4踊赠、收集elasticsearch日志
cat /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/nginx/bbs_access.log
json.keys_under_root: true
json.overwrite_keys: true
tags: ["bbs"]
- type: log
enabled: true
paths:
- /var/log/nginx/blog_access.log
json.keys_under_root: true
json.overwrite_keys: true
tags: ["blog"]
- type: log
enabled: true
paths:
- /var/log/nginx/www_access.log
json.keys_under_root: true
json.overwrite_keys: true
tags: ["www"]
- type: log
enabled: true
paths:
- /var/log/nginx/error.log
tags: ["error"]
- type: log
enabled: true
paths:
- /var/log/tomcat/localhost_access_log.*.txt
tags: ["tomcat"]
- type: log
enabled: true
paths:
- /var/log/elasticsearch/linux58.log ##監(jiān)控ES日志的報(bào)錯(cuò)情況
tags: ["java"]
multiline.pattern: '^\[' ##通過(guò)此參數(shù)可以定義message行的范圍
multiline.negate: true ##規(guī)則可以百度了解到
multiline.match: after
output.elasticsearch:
hosts: ["10.0.0.51:9200"]
indices:
- index: "nginx_www_access-%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "www"
- index: "nginx_bbs_access-%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "bbs"
- index: "nginx_blog_access-%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "blog"
- index: "nginx_error-%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "error"
- index: "tomcat_access-%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "tomcat"
- index: "es_access-%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "java"
setup.template.name: "nginx"
setup.template.pattern: "nginx_*"
setup.template.enabled: false
setup.template.overwrite: true
systemctl restart filebeat.service
image
image
制圖
)QP47@DMX9S556~U9K_%9W8.png
![]U6HC)78A~MVVO67V2BOV}F.png](https://upload-images.jianshu.io/upload_images/16832986-74884df895ef98ec.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
}9EB{PN3CN3OMYIXNNM(RTA.png
0OOZVGQQD}ZXDS_R%YI6OHJ.png
BNKK49CQ$2}_$AY)TGY)~M9.jpg
H}O66UBB5I4{[R$]OW9$]8G.png
OH1W$~4(B9TR0VHLSF76H%G.png
