
Filebeat configuration

The Filebeat configuration is simple: ship the required logs to Logstash for filtering.

vim /etc/filebeat/filebeat.yml

System log shipping configuration

Bash
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/messages
  include_lines: ['COMMAND: RUN_TIME']
  fields:
    document_type: system-message-log
  ignore_older: 4h
  close_inactive: 3h
output.logstash:
  hosts: ["172.26.32.57:5046"]
logging:
  to_files: true
  to_syslog: false
  files:
    path: /var/log/
    name: filebeat.log
    permissions: 0644
    rotateeverybytes: 10485760
    keepfiles: 3

nginx log configuration

On other hosts, just change the log path and host IP to the correct values.

Bash
filebeat.inputs:
- type: log
  enabled: true
  paths:
#    - /opt/nginx/logs/access.log*
    - /usr/local/openresty/nginx/logs/access.log*
  fields:  
    log_type: access
    document_type: nginx27-log
  ignore_older: 4h
  close_inactive: 3h

- type: log
  enabled: true
  paths:
    - /usr/local/openresty/nginx/logs/hack/*_sec.log
  fields:
    log_type: waf
    document_type: nginx27waf-log
  ignore_older: 4h
  close_inactive: 3h

output.logstash:
  hosts: ["172.26.32.57:5045"]

logging:
  to_files: true
  to_syslog: false
  files:
    path: /var/log/
    name: filebeat.log
    permissions: 0644
    rotateeverybytes: 10485760
    keepfiles: 3

MySQL logs

On replica servers, just change the corresponding IP address.

Bash
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /data/mysql/logs/3306/mysql-audit*
  exclude_lines: ['"msg-type":"header"']
  fields:
    document_type: mysql-audit-log
    localhost: 172.26.32.51
  ignore_older: 4h
  close_inactive: 3h
- type: log
  enabled: true
  paths:
    - /data/mysql/logs/3306/slow_query.txt*
  fields:
    document_type: mysql-slow-query
    localhost: 172.26.32.51
  multiline:
    pattern: '^# Time:'
    negate: true
    match: after
  ignore_older: 4h
  close_inactive: 3h
output.logstash:
  hosts: ["172.26.32.57:5044"]
logging:
  to_files: true
  to_syslog: false
  files:
    path: /var/log/
    name: filebeat.log
    permissions: 0644
    rotateeverybytes: 10485760
    keepfiles: 3
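
How the `multiline` settings of the slow-query input above group lines, as an added Python example (not part of the original page and not Filebeat's own code). The function name and the log sample are constructed for illustration, and only the `negate: true` / `match: after` combination is modelled; the last entry in the sample has no `# Time:` line of its own, so it is folded into the preceding event.

```python
import re

def group_multiline(lines, pattern, negate=True, match="after"):
    """Model of multiline grouping for negate: true / match: after only:
    a line matching `pattern` starts a new event, and every line that
    does not match is appended to the event in progress."""
    if not (negate and match == "after"):
        raise NotImplementedError("only negate: true / match: after is modelled")
    rx = re.compile(pattern)
    events, current = [], []
    for line in lines:
        if rx.search(line) and current:
            events.append("\n".join(current))   # flush the finished event
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events

# Constructed slow-query sample (hosts, users and queries are made up).
SAMPLE = """\
# Time: 2024-01-01T10:00:00.000000Z
# User@Host: app[app] @ web1 [192.0.2.5]  Id: 11
# Query_time: 3.2  Lock_time: 0.0 Rows_sent: 1  Rows_examined: 900000
SET timestamp=1704103200;
SELECT * FROM orders WHERE note LIKE '%x%';
# Time: 2024-01-01T10:00:07.000000Z
# User@Host: app[app] @ web1 [192.0.2.5]  Id: 12
# Query_time: 5.1  Lock_time: 0.0 Rows_sent: 0  Rows_examined: 120
SET timestamp=1704103207;
UPDATE users SET last_seen = NOW()
WHERE id = 42;
# User@Host: root[root] @ localhost []  Id: 13
# Query_time: 9.9  Lock_time: 0.0 Rows_sent: 0  Rows_examined: 5
SET timestamp=1704103207;
DELETE FROM sessions;
""".splitlines()

# Same pattern as in the filebeat.yml above.
EVENTS = group_multiline(SAMPLE, r"^# Time:")

if __name__ == "__main__":
    for i, event in enumerate(EVENTS, 1):
        print(f"--- event {i}: {event.count(chr(10)) + 1} lines ---")
        print(event)
```

If slow-query events arrive merged in Logstash, check whether every entry in the source log actually begins with `# Time:`.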

Start the service

To enable this log file, the log option $BEAT_LOG_OPTS must be removed from the startup (unit) file:

vim /usr/lib/systemd/system/filebeat.service

ExecStart=/usr/share/filebeat/bin/filebeat $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS

Bash
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
systemctl status filebeat