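JDK requirements: JDK8, JDK11, JDK14
Filebeat is a lightweight log collection and forwarding tool. It runs a very lightweight client on the log host that reads log data and sends it to Logstash, the central log collector. Logstash runs a Beats input plugin that receives data from Beats.
A valid Logstash pipeline needs, at minimum, one input and one output; a filter is optional. The input consumes data from the data source and produces events; the filter modifies those events; the output sends them to wherever they should go.
1. Install Filebeat and Logstash.
2. Edit the Filebeat configuration file filebeat.yml and replace its contents with the following: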
filebeat.inputs:
- type: log
  # Change to true to enable this input configuration.
  enabled: true
  paths:
    - /path/to/file/logstash-tutorial.log
output.logstash:
  hosts: ["localhost:5044"]
enabled must be set to true.
paths must point to the specific log file name, or be changed to /path/to/file/*.
3. Run Filebeat
./filebeat -e -c filebeat.yml -d "publish"
4. Configure Logstash to take its input from Filebeat.
Create a file named first-pipeline.conf in the root directory with the following contents:
input {
    beats {
        host => "127.0.0.1"
        port => 5044
        type => "log4j"
    }
}
# The filter part of this file is commented out to indicate that it is
# optional.
filter {
}
output {
    stdout { codec => rubydebug }
}
5. Start Logstash
bin/logstash -f first-pipeline.conf --config.reload.automatic
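With the --config.reload.automatic option, Logstash reloads the configuration file automatically when it is modified, so no restart is needed.
6. If the configuration succeeded, output similar to the following appears: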
{
    "@timestamp" => 2017-11-09T01:44:20.071Z,
        "offset" => 325,
      "@version" => "1",
          "beat" => {
            "name" => "My-MacBook-Pro.local",
        "hostname" => "My-MacBook-Pro.local",
         "version" => "6.0.0"
    },
          "host" => "My-MacBook-Pro.local",
    "prospector" => {
        "type" => "log"
    },
         "input" => {
        "type" => "log"
    },
        "source" => "/path/to/file/logstash-tutorial.log",
       "message" => "83.149.9.216 - - [04/Jan/2015:05:13:42 +0000] \"GET /presentations/logstash-monitorama-2013/images/kibana-search.png HTTP/1.1\" 200 203023 \"http://semicomplete.com/presentations/logstash-monitorama-2013/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\"",
          "tags" => [
        [0] "beats_input_codec_plain_applied"
    ]
}
...
From then on, whenever the specified log file changes, Filebeat forwards the data to Logstash.
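The filter block in first-pipeline.conf is empty, so each event reaches the output with the whole access-log line in message. The Python below is an added example, not part of the original tutorial and not Logstash code: it models what a filter stage does to the sample event. The function name filter_stage and the regular expression are assumptions; the field names follow Logstash's legacy COMBINEDAPACHELOG grok pattern.

```python
import re

# Apache combined log format, using the field names of Logstash's legacy
# COMBINEDAPACHELOG grok pattern (clientip, verb, request, response, ...).
# The expression itself is written for this example, not taken from Logstash.
COMBINED = re.compile(
    r'(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def filter_stage(event):
    """Return a copy of the event with the message split into fields.

    Lines that do not parse are kept and tagged instead of dropped, so a
    malformed or truncated line is still visible downstream.
    """
    out = dict(event)
    out["tags"] = list(event.get("tags", []))
    m = COMBINED.match(event.get("message", ""))
    if m is None:
        # Same tag name that Logstash's grok filter applies by default.
        out["tags"].append("_grokparsefailure")
        return out
    fields = m.groupdict()
    fields["response"] = int(fields["response"])
    fields["bytes"] = 0 if fields["bytes"] == "-" else int(fields["bytes"])
    out.update(fields)
    return out


# The event printed by the stdout output above, reduced to the keys used here.
SAMPLE_EVENT = {
    "source": "/path/to/file/logstash-tutorial.log",
    "message": '83.149.9.216 - - [04/Jan/2015:05:13:42 +0000] "GET /presentations/logstash-monitorama-2013/images/kibana-search.png HTTP/1.1" 200 203023 "http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"',
    "tags": ["beats_input_codec_plain_applied"],
}
# Constructed sample: a truncated line that does not match the format.
BROKEN_EVENT = {"message": '83.149.9.216 - - [04/Jan/2015:05:13:42 +0000] "GET /', "tags": []}

if __name__ == "__main__":
    for ev in (SAMPLE_EVENT, BROKEN_EVENT):
        parsed = filter_stage(ev)
        print({k: parsed.get(k) for k in ("clientip", "verb", "request", "response", "bytes", "tags")})
```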
Reference: https://www.elastic.co/guide/en/logstash/7.9/advanced-pipeline.html