六、filebeat安装配置
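# Download the Filebeat 7.9.2 RPM together with the SHA-512 checksum file published next to it
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.9.2-x86_64.rpm
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.9.2-x86_64.rpm.sha512
# Install only when the download matches the checksum; a truncated or altered file stops here
sha512sum -c filebeat-7.9.2-x86_64.rpm.sha512 && yum install -y filebeat-7.9.2-x86_64.rpm
# Create the directory that holds the per-service input files (-p: no error if it already exists)
mkdir -p /etc/filebeat/conf.d/
# Enable the service at boot, then start it now
systemctl enable filebeat.service
systemctl start filebeat.service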
基础配置
vim /etc/filebeat/filebeat.yml
# --- contents of /etc/filebeat/filebeat.yml: main Filebeat configuration ---
filebeat.config.inputs:
  enabled: true
  # Glob for the per-service input files; inputs are loaded from every matching file
  path: /etc/filebeat/conf.d/*.yml
processors:
  # Remove the listed metadata fields from each event before it is published
  # NOTE(review): source, beat, prospector and offset look like 6.x-era field names;
  # confirm they still exist in events produced by 7.9.2
  - drop_fields:
      fields: ["source","input","beat","prospector","offset"]
# Shipper name, used downstream to tell which host a log line came from
name: 10.10.8.166
# For local testing: write events to a file to check that logs are being picked up
#output.file:
#  path: "/tmp/filebeat"
#  filename: filebeat
output:
  # Publish events to the Kafka cluster
  # NOTE(review): no ssl.* or username/password options are set, so as written events
  # reach the brokers without TLS and without SASL authentication. The inputs on this
  # page ship auth logs and database logs; confirm this link is on a trusted network
  # or enable the Kafka output's ssl.* / username / password settings.
  kafka:
    hosts: ["10.10.8.164:9092", "10.10.8.165:9092", "10.10.8.166:9092"]
    topic: elktest
1、mysql日志抓取
vim /etc/filebeat/conf.d/mysql.yml
# --- contents of /etc/filebeat/conf.d/mysql.yml: two log inputs for MariaDB/MySQL ---
# Slow query log
# NOTE(review): slow logs contain full SQL statements, which may include sensitive
# values; confirm who can read the Kafka topic these events are published to
- type: log
  # Start reading new files at the end instead of the beginning
  tail_files: true
  # Wait time before checking a file again after reaching its end
  backoff: "1s"
  paths:
    # One entry per database instance
    - /var/log/mariadb/mysql-slow.log
    - /var/log/mariadb/mysql3307-slow.log
  tags: ["mysql-slow-logs"]
  # Drop events that begin with "# Time"; the filter runs on the combined multiline events
  exclude_lines: ['^\# Time']
  fields:
    # Custom field used by Logstash to tell the log types apart
    type: "mysql-slow-logs"
  # Place the custom field at the event root instead of under "fields"
  fields_under_root: true
  multiline:
    # A line starting with "# Time" or "# User" begins a new event;
    # every other line (negate: true) is appended to the event before it (match: after)
    pattern: '^\# Time|^\# User'
    negate: true
    match: after
# Error log
- type: log
  tail_files: true
  backoff: "1s"
  paths:
    # One entry per database instance
    - /var/log/mariadb/mariadb3307.log
    - /var/log/mariadb/mariadb.log
  tags: ["mysql-err-logs"]
  fields:
    # Custom field used by Logstash to tell the log types apart
    type: "mysql-err-logs"
  fields_under_root: true
# (shell) Restart Filebeat so the new input file is loaded
systemctl restart filebeat.service
2、系统日志抓取
vim /etc/filebeat/conf.d/system.yml
# --- contents of /etc/filebeat/conf.d/system.yml: two log inputs for system logs ---
# NOTE(review): tail_files: true starts each not-yet-seen file at its end, so lines
# already in /var/log/messages and /var/log/secure before the first run are not shipped.
# Filebeat's documentation also warns that leaving it enabled can lose lines on log
# rotation; consider disabling it after the first run if complete auth logs matter.
# /var/log/messages
- type: log
  tail_files: true
  # Wait time before checking a file again after reaching its end
  backoff: "1s"
  paths:
    - /var/log/messages
  tags: ["system-messages-logs"]
  fields:
    # Custom field used by Logstash to tell the log types apart
    type: "system-messages-logs"
  # Place the custom field at the event root instead of under "fields"
  fields_under_root: true
# /var/log/secure (authentication log)
- type: log
  tail_files: true
  backoff: "1s"
  paths:
    - /var/log/secure
  tags: ["system-secure-logs"]
  fields:
    # Custom field used by Logstash to tell the log types apart
    type: "system-secure-logs"
  fields_under_root: true
3、nginx 日志抓取
vim /etc/filebeat/conf.d/nginx.yml
# --- contents of /etc/filebeat/conf.d/nginx.yml: two log inputs for nginx ---
# Access log
- type: log
  # Start reading new files at the end instead of the beginning
  tail_files: true
  # Wait time before checking a file again after reaching its end
  backoff: "1s"
  paths:
    - /var/log/nginx/access.log
  tags: ["nginx-access-logs"]
  fields:
    # Custom field used by Logstash to tell the log types apart
    type: "nginx-access-logs"
  # Place the custom field at the event root instead of under "fields"
  fields_under_root: true
# Error log
- type: log
  tail_files: true
  backoff: "1s"
  paths:
    - /var/log/nginx/error.log
  tags: ["nginx-error-logs"]
  fields:
    # Custom field used by Logstash to tell the log types apart
    type: "nginx-error-logs"
  fields_under_root: true
4、httpd 日志抓取
vim /etc/filebeat/conf.d/httpd.yml
# --- contents of /etc/filebeat/conf.d/httpd.yml: two log inputs for httpd ---
# Access log
- type: log
  # Start reading new files at the end instead of the beginning
  tail_files: true
  # Wait time before checking a file again after reaching its end
  backoff: "1s"
  paths:
    - /var/log/httpd/access_log
  tags: ["httpd-access-logs"]
  fields:
    # Custom field used by Logstash to tell the log types apart
    type: "httpd-access-logs"
  # Place the custom field at the event root instead of under "fields"
  fields_under_root: true
# Error log
- type: log
  tail_files: true
  backoff: "1s"
  paths:
    - /var/log/httpd/error_log
  tags: ["httpd-error-logs"]
  fields:
    # Custom field used by Logstash to tell the log types apart
    type: "httpd-error-logs"
  fields_under_root: true
5、php 日志抓取
vim /etc/filebeat/conf.d/php.yml
# --- contents of /etc/filebeat/conf.d/php.yml: one log input for the php-fpm error log ---
- type: log
  # Start reading new files at the end instead of the beginning
  tail_files: true
  # Wait time before checking a file again after reaching its end
  backoff: "1s"
  paths:
    - /var/log/php-fpm/error.log
  tags: ["php-error-logs"]
  fields:
    # Custom field used by Logstash to tell the log types apart
    type: "php-error-logs"
  # Place the custom field at the event root instead of under "fields"
  fields_under_root: true
6、redis日志抓取
vim /etc/filebeat/conf.d/redis.yml
# --- contents of /etc/filebeat/conf.d/redis.yml: one log input for the redis log ---
- type: log
  # Start reading new files at the end instead of the beginning
  tail_files: true
  # Wait time before checking a file again after reaching its end
  backoff: "1s"
  paths:
    - /var/log/redis/redis.log
  tags: ["redis-error-logs"]
  fields:
    # Custom field used by Logstash to tell the log types apart
    type: "redis-error-logs"
  # Place the custom field at the event root instead of under "fields"
  fields_under_root: true