# filebeat 和 logstash配合
https://www.elastic.co/guide/en/beats/filebeat/current/config-filebeat-logstash.html
https://www.elastic.co/guide/en/beats/libbeat/5.1/logstash-installation.html#logstash-setup

# filebeat带有index
https://discuss.elastic.co/t/specifying-index-name-from-filebeat-to-logstash/55704/9

按照messages里面有error 或者 critical进行区分

# Send events straight to Elasticsearch and pick the target index from the
# text of each event's `message` field.
# NOTE(review): the URL is plain http with no credentials. That traffic stays
# on the loopback interface only while the host is localhost; for a remote
# node use an https URL and set username/password and
# ssl.certificate_authorities on this output.
output.elasticsearch:
  hosts: ["http://localhost:9200"]
  # Default index, used when no rule under `indices` matches.
  index: "logs-%{+yyyy.MM.dd}"
  # Index selector rules; the first rule whose condition matches is used.
  indices:
    - index: "critical-%{+yyyy.MM.dd}"
      # `contains` is a substring test on the `message` field.
      when.contains:
        message: "CRITICAL"
    - index: "error-%{+yyyy.MM.dd}"
      # Substring test: "ERR" also matches "ERROR" and any other message text
      # that happens to contain those three letters.
      when.contains:
        message: "ERR"

实战

logstash配置

# Logstash pipeline: accept events from Beats shippers, index them into
# Elasticsearch, and also print every event to stdout.
input {         
  #stdin {}
  # Beats listener on TCP 5044. No ssl options are set, so shippers connect in
  # cleartext and any host that can reach the port can submit events. The beats
  # input supports ssl, ssl_certificate and ssl_key, plus
  # ssl_certificate_authorities / ssl_verify_mode to require client certificates.
  beats {
    port => 5044
  }
}

output {
  # Index into the Elasticsearch node below. With the index line commented out
  # the plugin's default index name applies.
  # NOTE(review): no user/password or TLS settings appear here, which implies
  # the node accepts unauthenticated writes - confirm it is reachable only from
  # trusted hosts.
  elasticsearch {
        hosts => ["192.168.126.17:9200"]
        #index=>"linux-varlog-%{+YYYY.MM.dd}"
        }
  # Debug aid: dumps each full event to Logstash's stdout. Log lines can carry
  # sensitive data, so drop this output once the pipeline is verified.
  stdout { codec => rubydebug }
}

filebeat配置

# filebeat.yml
# Tail every *.log file directly under /var/log and ship the lines to Logstash.
# NOTE(review): `filebeat.prospectors` / `input_type` are the 5.x-era setting
# names; check the names against the Filebeat version in use.
filebeat.prospectors:
- input_type: log
  # The glob is broad: depending on the distribution it can include
  # authentication and other system logs, so treat the shipped stream as
  # sensitive.
  paths:
    - /var/log/*.log
  encoding: utf-8

# No ssl settings are given, so events go to the Logstash host in cleartext
# and the server is not authenticated. To protect the link, set
# ssl.certificate_authorities here and enable ssl on the Logstash beats input.
output.logstash:
  hosts: ["192.168.126.17:5044"]

elasticsearch配置

# filename : config/elasticsearch.yml
# Single-node settings: node name, relative data/log directories, bind
# address, and CORS for browser-based clients.
node.name: t17
path.data: ./data
path.logs: ./logs
# Binds the node to a LAN address, so the HTTP API is reachable from other
# hosts on that network.
# NOTE(review): nothing in this file enables authentication or TLS - restrict
# access to port 9200 with a firewall or a security plugin.
network.host: 192.168.126.17

# CORS lets web pages loaded from other origins call this node from a browser.
http.cors.enabled: true
# "*" accepts every origin: any site opened in a browser that can reach this
# address may query the node and read the responses. Prefer the exact origin
# of the UI that needs it, e.g. (placeholder value)
#   http.cors.allow-origin: "http://<admin-ui-host>:<port>"
http.cors.allow-origin: "*"

mark
