Published July 17, 2023
ELK: Collecting Java runtime logs with Filebeat

Install Filebeat, then edit the configuration file under /etc/filebeat/:

```yaml
filebeat.prospectors:
- type: log
  enabled: true
  # log path
  paths:
    - /home/ekp/linux64/tomcat/logs/
  # log tags
  tags: [ekp-tomcat]
  # exclude empty lines
  exclude_lines: ['^$']
  # merge multi-line Java log entries
  multiline:
    pattern: '^\d{4}-\d{1,2}-\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}'
    negate: true
    match: after

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled:            # value not preserved on this page
setup.template.settings:
  index.number_of_shards:    # value not preserved on this page

# output to Logstash
output.logstash:
  hosts: ["10.1.4.242:5044"]
```

The Logstash configuration used for transport, under /etc/logstash/conf.d/, is as follows:

```
input {
  beats {
    port => 5044
  }
}

output {
  if "nginx-ekp-log" in [tags] {
    redis {
      host => "10.1.4.243"
      port => "6379"
      password => "123456"
      db => "1"
      data_type => 'list'
      key => "nginx-ekp-log"
    }
  }
  if "ekp-tomcat" in [tags] {
    redis {
      host => "10.1.4.243"
      port => "6379"
      password => "123456"
      db => "2"
      data_type => 'list'
      key => "ekp-tomcat"
    }
    #stdout{
    #  codec => rubydebug
    #}
  }
}
```

The Logstash configuration used for filtering and analysis, under /etc/logstash/conf.d/, is as follows:

```
input {
  redis {
    host => "10.1.4.243"
    port => "6379"
    password => "123456"
    db => "1"
    data_type => "list"
    key => "nginx-ekp-log"
  }
  redis {
    host => "10.1.4.243"
    port => "6379"
    password => "123456"
    db => "2"
    data_type => "list"
    key => "ekp-tomcat"
  }
}

filter {
  if "nginx-ekp-log" in [tags] {
    json {
      source => "message"
    }
  }
  if [user_ua] != "-" {
    useragent {
      target => "agent"
      source => "user_ua"
    }
  }
  if [lan_ip] != "-" {
    geoip {
      source => "lan_ip"
      target => "geoip"
      # database => "/usr/share/GeoIP/"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
  }
}

output {
  # the date pattern inside %{+} is not preserved on this page
  if "nginx-ekp-log" in [tags] {
    elasticsearch {
      hosts => ["10.1.4.244:9200"]
      index => "nginx-ekp-log-%{+}"
    }
  }
  if "ekp-tomcat" in [tags] {
    elasticsearch {
      hosts => ["10.1.4.244:9200"]
      index => "ekp-tomcat-%{+}"
    }
  }
  # stdout{
  #   codec => rubydebug
  # }
}
```

Start Filebeat and Logstash, and the multi-line Java log entries are merged into single events and collected.
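To check the multiline settings before deploying them, the following added example (not part of the original post) models in Python how `negate: true` with `match: after` groups lines, using the timestamp pattern from the Filebeat configuration. The sample log and its class names are constructed, and the grouping logic is a simplified model of Filebeat's behaviour, not Filebeat's own code.

```python
import re

# multiline and exclude_lines settings from the Filebeat configuration on this page
TIMESTAMP = re.compile(r'^\d{4}-\d{1,2}-\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}')
EXCLUDE = re.compile(r'^$')          # exclude_lines: ['^$']

# Constructed sample log (hypothetical class names), not from a real system.
SAMPLE_LOG = (
    "2023-07-17 10:15:02 INFO  [main] Server startup in 5321 ms\n"
    "\n"
    "2023-07-17 10:15:09 ERROR [http-nio-8080-exec-3] Request failed\n"
    "java.lang.IllegalStateException: session expired\n"
    "\tat com.example.ekp.Login.check(Login.java:42)\n"
    "\tat com.example.ekp.AuthFilter.doFilter(AuthFilter.java:17)\n"
    "Caused by: java.lang.NullPointerException\n"
    "\t... 12 more\n"
    "2023-7-17 9:05:10 WARN  [main] slow query\n"
)


def merge_multiline(lines, pattern=TIMESTAMP, negate=True):
    """Simplified model of multiline with match: after.

    With negate: true, a line that does NOT match the pattern is a
    continuation and is appended to the event opened by the last
    matching line.
    """
    events, current = [], None
    for line in lines:
        continuation = (pattern.search(line) is None) == negate
        if continuation and current is not None:
            current.append(line)
        else:
            if current is not None:
                events.append("\n".join(current))
            current = [line]
    if current is not None:
        events.append("\n".join(current))
    # Filebeat applies exclude_lines to the combined event, so a blank line
    # in mid-stream is absorbed into the preceding event, not dropped.
    return [e for e in events if not EXCLUDE.search(e)]


if __name__ == "__main__":
    for i, event in enumerate(merge_multiline(SAMPLE_LOG.splitlines()), 1):
        print(f"--- event {i} ({event.count(chr(10)) + 1} lines) ---")
        print(event)
```

If the backslashes in the pattern are lost (`^d{4}-d{1,2}...`), no line matches and the whole file collapses into a single event, which is worth testing for because it hides individual errors from downstream searches and alerts.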
Published by: admin. When reposting, please credit the source: http://www.yc00.com/xiaochengxu/1689537683a264222.html