Docker7530
62 lines
1.8 KiB
Markdown
62 lines
1.8 KiB
Markdown
# filebeat 验证版本
|
|
|
|
> 整个 ELK 均采用 8.* 版本自测。
|
|
|
|
```
|
|
filebeat version 8.7.1 (amd64)
|
|
```
|
|
|
|
# 关键设置
|
|
|
|
paths 需改为实际日志存放位置。fields 是为了方便后见进行日志索引名称定义和日志切割。
|
|
|
|
```yaml
|
|
- type: filestream
|
|
id: nginx-portal-input
|
|
enabled: true
|
|
paths:
|
|
- /opt/portalaccess5.log
|
|
|
|
# 添加一个自定义字段,用于在后面处理时区分日志类型
|
|
fields:
|
|
log_type: nginx_portal
|
|
fields_under_root: true
|
|
```
|
|
|
|
indices 实现索引名称定义。
|
|
|
|
```yaml
|
|
output.elasticsearch:
|
|
# Array of hosts to connect to.
|
|
hosts: ["localhost:9200"]
|
|
indices:
|
|
- index: "nginx_portal-%{+yyyy.MM.dd}"
|
|
when.equals:
|
|
log_type: "nginx_portal"
|
|
```
|
|
|
|
> dissect 用于按固定分隔符(|)快速拆分日志字段。
|
|
|
|
```yaml
|
|
- dissect:
|
|
when:
|
|
equals:
|
|
log_type: "nginx_portal"
|
|
|
|
field: "message"
|
|
|
|
# 切割出来的字段都会自动加上 nginx. 前缀
|
|
target_prefix: "nginx"
|
|
|
|
# 切割模板:对应 ng 的 log_format
|
|
# %{?ignore} 代表对应位置的 "-" 符号,不要了
|
|
tokenizer: "%{record_end_time_utc}|%{upstream_addr}|%{remote_addr}|%{server_addr}|%{request_method}|%{server_protocol}|%{host}|%{request_uri}|%{http_user_agent}|%{http_referer}|%{sent_http_content_type}|%{status}|%{?ignore}|%{server_port}|%{bytes_sent}|%{request_start_time_utc}|%{request_end_time_utc}|%{header_response_time_utc}|%{?ignore}|%{?ignore}|%{upstream_status}|%{hostnamex}|%{http_CMCDN_Auth_Token}|%{cp_id}|%{sub_action_type}|%{action_type}|%{request_time}|%{upstream_response_time}"
|
|
|
|
- timestamp:
|
|
field: "nginx.record_end_time_utc"
|
|
target_field: "@timestamp"
|
|
layouts:
|
|
- "20060102T150405Z"
|
|
timezone: "UTC"
|
|
```
|