Preface
An upcoming development project needs Filebeat to collect and process logs. This article introduces Filebeat, the ELK component used for lightweight log collection and analysis.
References:
Official documentation: Filebeat overview | Filebeat Reference [8.14] | Elastic
1. Installation and deployment
Environment:
```shell
root@Andrew:~# cat /proc/version
Linux version 5.15.153.1-microsoft-standard-WSL2 (root@941d701f84f1) (gcc (GCC) 11.2.0, GNU ld (GNU Binutils) 2.37) #1 SMP Fri Mar 29 23:14:13 UTC 2024
```
Installation commands on Linux:
```shell
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.14.3-linux-x86_64.tar.gz
tar xzvf filebeat-8.14.3-linux-x86_64.tar.gz
```
After extracting, rename the folder and enter the directory:
```shell
mv filebeat-8.14.3-linux-x86_64 filebeat
cd filebeat/
```
The directory layout of a Filebeat installed from the tarball differs from deb/rpm and other installation methods; see: Directory layout | Filebeat Reference [8.14] | Elastic
2. Startup example
Create a test configuration file in the extracted root directory:
```shell
vi test.yml
```
The configuration for reading input from the console is as follows:
```yml
filebeat.inputs:
- type: stdin
  enabled: true # default true
  # include_lines/exclude_lines support regular expressions
  include_lines: ["^andrew"] # starts with "andrew"
  exclude_lines: ["www"] # exclude lines which contain "www"
  tags: ["stdin"] # define tags in output
  fields: # define specific fields in output
    author: andrew
    date: 2024-7-26
  fields_under_root: false # default false
output.console:
  enabled: true # default true
  pretty: true # default false
```
This configuration file means:
- read input from standard input
- keep only lines that start with "andrew" and do not contain "www"
- add the tag "stdin" to the output data
- add the fields author = "andrew" and date = "2024-7-26" to the output data
- the added fields are not placed at the root of the document
- output to the console, with pretty printing enabled
Start Filebeat with the following command:
```shell
./filebeat -e -c test.yml
```
- `-e` sends output to stderr instead of the output specified in the configuration file (an output still has to be configured, otherwise Filebeat will not start)
- `-c` specifies the configuration file to start with; when omitted, the default is filebeat.yml
Type "andrew", "andreww" and "andrewww" on standard input and observe the output:
```json
andrew
andreww
andrewww
{
  "@timestamp": "2024-07-26T03:15:21.470Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "_doc",
    "version": "8.14.3"
  },
  "log": {
    "file": {
      "path": ""
    },
    "offset": 0
  },
  "message": "andrew",
  "tags": [
    "stdin"
  ],
  "input": {
    "type": "stdin"
  },
  "fields": {
    "author": "andrew",
    "date": "2024-7-26"
  },
  "ecs": {
    "version": "8.0.0"
  },
  "host": {
    "name": "Andrew"
  },
  "agent": {
    "id": "57b956ef-540a-45a4-bc04-dc192b75c801",
    "name": "Andrew",
    "type": "filebeat",
    "version": "8.14.3",
    "ephemeral_id": "b4c352d9-1ed1-4369-95ec-47455c21e272"
  }
}
{
  "@timestamp": "2024-07-26T03:15:22.628Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "_doc",
    "version": "8.14.3"
  },
  "log": {
    "offset": 0,
    "file": {
      "path": ""
    }
  },
  "message": "andreww",
  "tags": [
    "stdin"
  ],
  "input": {
    "type": "stdin"
  },
  "fields": {
    "author": "andrew",
    "date": "2024-7-26"
  },
  "ecs": {
    "version": "8.0.0"
  },
  "host": {
    "name": "Andrew"
  },
  "agent": {
    "ephemeral_id": "b4c352d9-1ed1-4369-95ec-47455c21e272",
    "id": "57b956ef-540a-45a4-bc04-dc192b75c801",
    "name": "Andrew",
    "type": "filebeat",
    "version": "8.14.3"
  }
}
```
Filebeat emitted only two JSON documents, with message "andrew" and "andreww" respectively, which shows that include_lines and exclude_lines took effect. tags contains "stdin", and fields holds the two fields "author": "andrew" and "date": "2024-7-26".
The configuration for reading input from log files is as follows:
```yml
filebeat.inputs:
- type: log
  paths:
    - /root/filebeat/logs/*.log
  include_lines: ['^andrew']
  exclude_lines: ['ww']
  encoding: utf-8
  tags: ['log']
  fields:
    author: andrew
  fields_under_root: true
output.console:
  pretty: true
  enabled: true
```
Test results:
```shell
root@Andrew:~/filebeat/logs# echo andrew >> a.log
root@Andrew:~/filebeat/logs# echo andreww >> a.log
root@Andrew:~/filebeat/logs# echo andrewww >> a.log
```
```json
{
  "@timestamp": "2024-07-27T08:02:55.742Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "_doc",
    "version": "8.14.3"
  },
  "host": {
    "name": "Andrew"
  },
  "agent": {
    "id": "57b956ef-540a-45a4-bc04-dc192b75c801",
    "name": "Andrew",
    "type": "filebeat",
    "version": "8.14.3",
    "ephemeral_id": "428921c4-3a41-4225-80b5-3d2a3c6aa4bb"
  },
  "log": {
    "offset": 31,
    "file": {
      "path": "/root/filebeat/logs/a.log"
    }
  },
  "message": "andrew",
  "tags": [
    "log"
  ],
  "input": {
    "type": "log"
  },
  "author": "andrew",
  "ecs": {
    "version": "8.0.0"
  }
}
```
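The filtering and field-shaping rules that both the stdin configuration and the log configuration above rely on, modelled in Python as an added example (this is not Filebeat's code and not from the original post). It shows what the two test runs show only by result: include_lines is evaluated before exclude_lines, as the Filebeat documentation describes; both are regular expressions searched anywhere in the line, which is why the include pattern is anchored with `^`; and fields_under_root decides whether `author` lands under `fields` or at the root of the event. The sample bytes are constructed, the host/agent/ecs blocks Filebeat adds on its own are omitted, and treating `log.offset` as the byte offset at which a line starts is an assumption made for this example. Note that Filebeat 8.x marks the `log` input as deprecated in favour of `filestream`; the filtering keys used here exist in both.

```python
import re

# Constructed sample input (not from the original post): the three lines the
# post types at stdin / appends to a.log, in file form.
SAMPLE_CONTENT = b"andrew\nandreww\nandrewww\n"

# The two input configurations from the post, as dicts with the YAML key names.
STDIN_CONFIG = {
    "type": "stdin",
    "include_lines": ["^andrew"],
    "exclude_lines": ["www"],
    "tags": ["stdin"],
    "fields": {"author": "andrew", "date": "2024-7-26"},
    "fields_under_root": False,
}
LOG_CONFIG = {
    "type": "log",
    "include_lines": ["^andrew"],
    "exclude_lines": ["ww"],
    "encoding": "utf-8",
    "tags": ["log"],
    "fields": {"author": "andrew"},
    "fields_under_root": True,
}


def line_passes(line, include_lines=(), exclude_lines=()):
    """Documented Filebeat order: include_lines first (a line must match at
    least one pattern; an empty list lets everything through), then
    exclude_lines drops any line matching one of its patterns. Patterns are
    regular expressions searched anywhere in the line, so '^' anchors a
    pattern to the start of the line."""
    if include_lines and not any(re.search(p, line) for p in include_lines):
        return False
    return not any(re.search(p, line) for p in exclude_lines)


def build_event(line, config, path="", offset=0):
    """Shape the parts of the event the configuration controls: message, tags,
    input.type, log.file.path / log.offset, and the custom fields either
    nested under "fields" or promoted to the root by fields_under_root."""
    event = {
        "log": {"file": {"path": path}, "offset": offset},
        "message": line,
        "tags": list(config.get("tags", [])),
        "input": {"type": config["type"]},
    }
    custom = dict(config.get("fields", {}))
    if config.get("fields_under_root", False):
        event.update(custom)       # "author" lands at the root of the event
    else:
        event["fields"] = custom   # "author" lands under "fields"
    return event


def harvest(config, content, path=""):
    """Feed raw bytes through one input and return the events it would emit.
    For the log input, log.offset is taken as the byte offset at which the
    line starts (assumption for this example); stdin reports 0, as in the
    post's output. Offsets advance for every line read, filtered or not."""
    events = []
    offset = 0
    for raw in content.splitlines(keepends=True):
        line = raw.decode(config.get("encoding", "utf-8")).rstrip("\r\n")
        if line_passes(line, config.get("include_lines", ()),
                       config.get("exclude_lines", ())):
            reported = offset if config["type"] == "log" else 0
            events.append(build_event(line, config, path, reported))
        offset += len(raw)
    return events


def messages(events):
    """Convenience: the message strings of a list of events, in order."""
    return [e["message"] for e in events]


if __name__ == "__main__":
    import json
    for cfg, path in ((STDIN_CONFIG, ""),
                      (LOG_CONFIG, "/root/filebeat/logs/a.log")):
        for ev in harvest(cfg, SAMPLE_CONTENT, path):
            print(json.dumps(ev, indent=2))
```

Running the block prints two events for the stdin configuration ("andrew" and "andreww", since only "andrewww" contains "www") and one event for the log configuration (the tighter exclude pattern "ww" also drops "andreww"), with `author` nested under `fields` in the first case and at the root in the second, matching the two captured outputs above.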
For configuring other outputs (Kafka, Elasticsearch, etc.), refer to the official documentation.
3. Using modules
Modular configurations are managed with the filebeat modules command:
```shell
filebeat modules list # list all modules
filebeat modules enable nginx # enable the nginx module
filebeat modules disable nginx # disable the nginx module
```
Edit the files in the modules.d directory to change a module's configuration:
```yml
- module: nginx
  # Access logs
  access:
    enabled: false

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

  # Error logs
  error:
    enabled: false

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

  # Ingress-nginx controller logs. This is disabled by default. It could be used in Kubernetes environments to parse ingress-nginx logs
  ingress_controller:
    enabled: false

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
```