filebeat:
1.可以在本机收集日志
2.也可以远程收集日志
3.轻量级的日志收集系统,可以在非Java环境运行
logstash是在jvm环境中运行,资源消耗很高,启动一个logstash需要消耗500M左右的内存
filebeat只消耗10M左右的内存
test3是装有logstash的主机,MySQL1是装有nginx,mysql,httpd的服务器
实现在test3上查看nginx,mysql,httpd的日志
bash
#nginx的系统日志格式,filebeat可以直接识别。
yum -y install nginx
systemctl start nginx
systemctl stop firewalld
setenforce 0
#解压缩
rz -E
filebeat-6.7.2-linux-x86_64.tar.gz
tar -xf filebeat-6.7.2-linux-x86_64.tar.gz
mv filebeat-6.7.2-linux-x86_64 /usr/local/filebeat
cd /usr/local/filebeat
ln -s /usr/local/filebeat/filebeat /usr/local/bin/filebeat
ln -s /usr/local/filebeat/filebeat /usr/local/sbin/filebeat
#进入配置文件
vim filebeat.yml
enable: true
path:
- /var/log/nginx/access.log
- /var/log/nginx/error.log
#开启日志收集,以及确定日志文本的路径,指定标签和发送到目标主机的logstash
tags: ["nginx"]
fields:
service_name: 192.168.233.90_nginx
log_type: nginx
from: 192.168.233.90
path:
- /usr/local/nginx/logs/access.log
- /usr/local/nginx/logs/error.log
tags: ["mysqld"]
fields:
service_name: 192.168.233.90_mysqld
log_type: mysqld
from: 192.168.233.90
path:
- /usr/local/nginx/logs/access.log
- /usr/local/nginx/logs/error.log
tags: ["httpd"]
fields:
service_name: 192.168.233.90_httpd
log_type: httpd
from: 192.168.233.90
#output.elasticsearch
#hosts: ["localhost:9200"]
output.logstash
hosts: [192.168.233.30:5045]
#在命令行输入,可以把运行的日志保存到指定文件
nohup ./filebeat -e -c filebeat.yml > filebeat.out &
在test3上接收,test3要有logshosts
bash
vim nginx_90.conf
input {
beats {post => "5045"}
}
output {
if "nginx" in [tags] {
elasticsearch {
hosts => ["192.168.233.10:9200","192.168.233.20:9200"]
index => "%{[fields][service_name]}-%{+YYYY.MM.dd}"
}
}
output {
if "mysqld" in [tags] {
elasticsearch {
hosts => ["192.168.233.10:9200","192.168.233.20:9200"]
index => "%{[fields][service_name]}-%{+YYYY.MM.dd}"
}
}
output {
if "httpd" in [tags] {
elasticsearch {
hosts => ["192.168.233.10:9200","192.168.233.20:9200"]
index => "%{[fields][service_name]}-%{+YYYY.MM.dd}"
}
}
}
#启动 Logstash 并指定其配置文件和数据存储路径的命令
logstash -f nginx_90.conf --path.data /opt/test3
