Deploy Logstash
1. Write the Logstash configuration file logstash.conf
The input is received from Filebeat, and the output is configured as an HTTP endpoint.
input {
  beats {
    port => ""
  }
}
# The filter part of this file is commented out to indicate that it is
# optional.
# filter {
#
# }
output {
  http {
    http_method => "post"
    url => "http://127.0.0.1/log"
    format => "json"
  }
  stdout { codec => rubydebug }
}
2. Pull the Logstash Docker image
docker pull docker.elastic.co/logstash/logstash:7.1.
3. Start Logstash with Docker
docker run -p : --name logstash -d \
-v /path/to/logstash.conf:/usr/share/logstash/pipeline/logstash.conf \
docker.elastic.co/logstash/logstash:7.1.
Deploy Filebeat
1. Write the Filebeat configuration file filebeat.yml
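filebeat.inputs:
- type: log
  paths:
    # Path inside the container; it does not need to be changed, just mount the host log directory onto this path
    - /var/log/
  fields:
    # Additional custom fields
    project-name: your_project_name
  # Lines to exclude and include (regular expressions)
  exclude_lines: ['INFO']
  include_lines: ['ERROR']
  # Treats the multiple lines produced by an exception as a single log entry; adjust to the format of your own exception logs
  multiline.pattern: '^\['
  multiline.negate: true
  multiline.match: after
  ignore_older: 168h
  tail_files: true
output.logstash:
  hosts: ["127.0.0.1:5044"]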
2. Pull the Filebeat Docker image
docker pull docker.elastic.co/beats/filebeat:7.1.
3. Start Filebeat with Docker
docker run --name filebeat -d \
-v /path/to/:/var/log/:ro \
-v /path/to/filebeat.yml:/usr/share/filebeat/filebeat.yml \
docker.elastic.co/beats/filebeat:7.1.
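
The following Python sketch is an added example, not part of the original page and not Filebeat's own code. It simulates how the multiline, include_lines and exclude_lines settings from the filebeat.yml in step 1 interact: multiline grouping happens first, then include_lines, then exclude_lines, each applied to the combined event. The sample log lines are constructed for illustration.

```python
import re

# Values copied from the filebeat.yml in step 1.
MULTILINE_START = re.compile(r'^\[')
INCLUDE = [re.compile('ERROR')]
EXCLUDE = [re.compile('INFO')]

def group_multiline(lines):
    """negate: true + match: after -> a line that does NOT match the
    pattern is appended to the preceding line that did match."""
    events = []
    for line in lines:
        if MULTILINE_START.search(line) or not events:
            events.append(line)          # starts a new event
        else:
            events[-1] += "\n" + line    # continuation (e.g. stack trace)
    return events

def filter_events(events):
    """include_lines runs first, then exclude_lines, and both see the
    already-combined multiline event, not the individual lines."""
    kept = [e for e in events if any(p.search(e) for p in INCLUDE)]
    return [e for e in kept if not any(p.search(e) for p in EXCLUDE)]

def shipped(lines):
    """Events that would be forwarded to Logstash under this config."""
    return filter_events(group_multiline(lines))

# Constructed sample log, not taken from the original page.
SAMPLE = [
    "[2019-06-01 10:00:00] INFO service started",
    "[2019-06-01 10:00:05] ERROR request failed",
    "java.lang.IllegalStateException: boom",
    "    at com.example.Handler.run(Handler.java:42)",
    "[2019-06-01 10:00:09] ERROR login rejected",
    "Caused by: AuthException: see INFO page for details",
    "[2019-06-01 10:00:12] WARN disk usage high",
]

if __name__ == "__main__":
    for event in shipped(SAMPLE):
        print(event, end="\n---\n")
```

Only the first ERROR event is shipped. The second one is dropped because its continuation line contains the string INFO, so an unanchored exclude_lines pattern can silently discard error events that you expect to reach Logstash.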