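Filebeat: Introduction and Deployment
Introduction to Filebeat
Filebeat ships with prebuilt modules that contain the configuration needed to collect, parse, enrich, and visualize data from various log file formats. Each Filebeat module consists of one or more filesets, which contain ingest node pipelines, Elasticsearch templates, Filebeat prospector configurations, and Kibana dashboards.
Filebeat modules are a good way to get started. Filebeat is a lightweight, single-purpose log collection tool, used specifically to collect logs on servers that do not have Java installed. It can forward logs to Logstash, Elasticsearch, Redis and similar destinations for further processing.
Memory usage: Filebeat vs. Logstash
Logstash memory usage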
```
ps -ef | grep -v grep | grep logstash | awk '{print $2}'
12628

cat /proc/12628/status | grep -i vm
VmPeak: 6252788 kB
VmSize: 6189252 kB
VmLck: 0 kB
VmHWM: 661168 kB
VmRSS: 661168 kB
VmData: 6027136 kB
VmStk: 88 kB
VmExe: 4 kB
VmLib: 16648 kB
VmPTE: 1888 kB
VmSwap: 0 kB
```
Filebeat memory usage
```
cat /proc/12750/status /proc/12751/status | grep -i vm
VmPeak: 11388 kB
VmSize: 11388 kB
VmLck: 0 kB
VmHWM: 232 kB
VmRSS: 232 kB
VmData: 10424 kB
VmStk: 88 kB
VmExe: 864 kB
VmLib: 0 kB
VmPTE: 16 kB
VmSwap: 0 kB

VmPeak: 25124 kB
VmSize: 25124 kB
VmLck: 0 kB
VmHWM: 15144 kB
VmRSS: 15144 kB
VmData: 15496 kB
VmStk: 88 kB
VmExe: 4796 kB
VmLib: 0 kB
VmPTE: 68 kB
VmSwap: 0 kB
```
Deploying Filebeat
Official documentation: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-configuration-details.html
Official download page: https://www.elastic.co/downloads/beats/filebeat
```
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.3.2-x86_64.rpm

yum localinstall -y filebeat-5.3.2-x86_64.rpm
```
Collecting a single log type with Filebeat to a local file
Configure Filebeat
```
# Edit the Filebeat configuration file
vim /etc/filebeat/filebeat.yml
filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/nginx/www.xxx.com_access_json.log
    - /var/log/nginx/xxx.xxx.com_access_json.log
  # Drop lines that start with DBG and empty lines
  exclude_lines: ["^DBG","^$"]
  # Value written to the "type" field of every event
  document_type: ngx_log
output.file:
  path: "/tmp"
  filename: "filebeat.txt"

# Start Filebeat with the SysV init script
/etc/init.d/filebeat start
# Or start it with systemd
systemctl start filebeat

# Check the Filebeat processes
ps -ef|grep filebeat
root 10881 1 0 01:06 pts/1 00:00:00 /usr/share/filebeat/bin/filebeat-god -r / -n -p /var/run/filebeat.pid -- /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat
root 10882 10881 0 01:06 pts/1 00:00:00 /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat

# Check the output file
ll /tmp
```
Collecting multiple logs of a single type with Filebeat to Logstash
Configure Filebeat
```
# Edit the Filebeat configuration file
vim /etc/filebeat/filebeat.yml
filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/nginx/www.xxx.com_access_json.log
    - /var/log/nginx/xxx.xxx.com_access_json.log
  exclude_lines: ["^DBG","^$"]
  document_type: ngx_log

output.logstash:
  hosts: ["10.0.0.83:6666"]
  enabled: true
  worker: 1
  compression_level: 3

# Stop Filebeat
/etc/init.d/filebeat stop
# Remove the registry (saved read offsets) so the files are read again from the beginning
rm -f /var/lib/filebeat/registry
# Start Filebeat
/etc/init.d/filebeat start
```
Configure Logstash to output to ES
```
cd /etc/logstash/conf.d/

vim beats.conf
input {
  beats {
    port => 6666
    codec => "json"
  }
}

output {
  elasticsearch {
    hosts => ["10.0.0.81:9200"]
    index => "%{type}-%{+YYYY.MM.dd}"
  }
}

/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/beats.conf &
```
Verify the data
Open a browser and visit: http://10.0.0.81:9100/
Collecting multiple logs of a single type with Filebeat to Redis
Configure Filebeat
```
# Edit the Filebeat configuration file
vim /etc/filebeat/filebeat.yml
filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/nginx/www.xxx.com_access_json.log
  exclude_lines: ["^DBG","^$"]
  document_type: ngx_www_log

output.redis:
  hosts: ["10.0.0.52:6379"]
  key: "nginx_log"
  db: 0
  timeout: 5
  password: hcl

# Stop Filebeat
/etc/init.d/filebeat stop
# Remove the registry (saved read offsets) so the files are read again from the beginning
rm -f /var/lib/filebeat/registry
# Start Filebeat
/etc/init.d/filebeat start
```
Collecting multiple log types with Filebeat to Redis
Configure Filebeat
```
# Edit the Filebeat configuration file
vim /etc/filebeat/filebeat.yml
filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/nginx/www.xxx.com_access_json.log
  exclude_lines: ["^DBG","^$"]
  document_type: ngx_log
- input_type: log
  paths:
    - /var/log/nginx/xxx.xxx.com_access_json.log
  exclude_lines: ["^DBG","^$"]
  document_type: tc_log

output.redis:
  hosts: ["10.0.0.52:6379"]
  key: "nginx_www_xxx_log"
  db: 1
  timeout: 5
  password: hcl

# Stop Filebeat
/etc/init.d/filebeat stop
# Remove the registry (saved read offsets) so the files are read again from the beginning
rm -f /var/lib/filebeat/registry
# Start Filebeat
/etc/init.d/filebeat start
```
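The two logs are mixed together when they are written to the same Redis key, but when they are output to ES they can be separated by type into two shards.
Using Logstash to output the data Filebeat put into Redis to ES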
```
vim /etc/logstash/conf.d/filebeat_redis_to_es.conf
input {
  redis {
    host => "10.0.0.52"
    port => "6379"
    db => "1"
    key => "nginx_www_xxx_log"
    data_type => "list"
    password => "hcl"
    codec => "json"
  }
}

output {
  elasticsearch {
    hosts => ["10.0.0.81:9200"]
    index => "%{type}-%{+YYYY.MM.dd}"
  }
}

# Run Logstash with the file created above
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/filebeat_redis_to_es.conf &
```
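An added example, not from the original post, that models the path above in Python: two prospectors apply `exclude_lines` and set `type` from `document_type`, both write to one Redis list, and the Logstash `index` pattern resolves a separate index name per type. The event layout, timestamp and sample lines are constructed, and only the `%{field}` and `%{+YYYY.MM.dd}` forms of the pattern are handled; an event without a `type` field shows the failure mode where the literal `%{type}` ends up in the index name.

```python
import json
import re
from datetime import datetime

EXCLUDE_LINES = [re.compile(p) for p in (r"^DBG", r"^$")]  # as in filebeat.yml

def filebeat_publish(lines, source, document_type, ts):
    """Model one prospector: drop excluded lines, wrap the rest as JSON events."""
    events = []
    for line in lines:
        if any(p.search(line) for p in EXCLUDE_LINES):
            continue  # matches exclude_lines, never shipped
        events.append(json.dumps({"@timestamp": ts, "type": document_type,
                                  "source": source, "message": line}))
    return events

def logstash_index(raw, pattern="%{type}-%{+YYYY.MM.dd}"):
    """Resolve the index name for one event the way the output pattern does."""
    event = json.loads(raw)  # codec => "json"
    when = datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")

    def sub(match):
        key = match.group(1)
        if key == "+YYYY.MM.dd":
            return when.strftime("%Y.%m.%d")  # date taken from @timestamp (UTC)
        # A field that does not exist is left as the literal "%{field}" text.
        return str(event.get(key, match.group(0)))

    return re.sub(r"%\{([^}]+)\}", sub, pattern)

def route(redis_list):
    """Group the messages of one shared Redis list by resulting index name."""
    indices = {}
    for raw in redis_list:
        indices.setdefault(logstash_index(raw), []).append(json.loads(raw)["message"])
    return indices

# Constructed sample input: two log files plus one event with no "type" field.
TS = "2017-05-10T17:06:12.000Z"
redis_list = (
    filebeat_publish(['{"uri":"/a"}', "", "DBG x"],
                     "/var/log/nginx/www.xxx.com_access_json.log", "ngx_log", TS)
    + filebeat_publish(['{"uri":"/b"}'],
                       "/var/log/nginx/xxx.xxx.com_access_json.log", "tc_log", TS)
    + [json.dumps({"@timestamp": TS, "message": "no type"})]
)

if __name__ == "__main__":
    for index, messages in route(redis_list).items():
        print(index, messages)
```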
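Verify the data
Open a browser and visit: http://10.0.0.81:9100/
Collecting multiple log types with Filebeat and outputting to multiple destinations
Configure Filebeat
We output the nginx logs and the tomcat logs to both Redis and a local file at the same time.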
```
# Edit the Filebeat configuration file
vim /etc/filebeat/filebeat.yml
filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/nginx/www.xxx.com_access_json.log
  exclude_lines: ["^DBG","^$"]
  document_type: ngx_log

- input_type: log
  paths:
    - /var/log/nginx/xxx.xxx.com_access_json.log
  exclude_lines: ["^DBG","^$"]
  document_type: tc_log

output.redis:
  hosts: ["10.0.0.52:6379"]
  key: "tn"
  db: 2
  timeout: 5
  password: zls

output.file:
  path: "/tmp"
  filename: "hcl.txt"
  worker: 1
  compression_level: 3
  loadbalance: true

# Stop Filebeat
/etc/init.d/filebeat stop
# Remove the registry (saved read offsets) so the files are read again from the beginning
rm -f /var/lib/filebeat/registry
# Start Filebeat
/etc/init.d/filebeat start
```