1. Configure filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /usr/local/nginx/logs/access.log
  # Add the fields / log_topics entry here. log_topics=nginx here and log_topics=httpd below are what tell the two logs apart; the values are up to you.
  fields:
    log_topics: nginx
  # It is best to put the three json.* lines below in every input. Without them the log goes into Kafka and, when it is output to ES, shows up as one whole message string, which is hard to filter on (tested this myself).
  json.keys_under_root: true
  json.overwrite_keys: true
  json.add_error_key: true
- type: log
  enabled: true
  paths:
    - /var/log/httpd/access_log.ls_json
  fields:
    log_topics: httpd
  json.keys_under_root: true
  json.overwrite_keys: true
  json.add_error_key: true
# The output.kafka configuration follows
#=========================== Kafka Output =====================
output.kafka:
  enabled: true
  hosts: ["10.1.1.17:9092"]
  # The topic here takes its value from the field added above
  topic: '%{[fields][log_topics]}'
Once the configuration is done, restart the filebeat service. If there are no errors, the two topics nginx and httpd will have been created in Kafka:
[root@elk kafka]# bin/kafka-topics.sh --zookeeper 10.1.1.17:2181 --list
__consumer_offsets
httpd
nginx
The topics were created successfully; next, configure logstash:
2. Configure Logstash
[root@elk kafka]# cat /etc/logstash/conf.d/kafka-es.conf
input {
  kafka {
    codec => "json"
    # Put both topic names here, separated by ASCII commas
    topics => ["nginx","httpd"]
    bootstrap_servers => "10.1.1.17:9092"
    auto_offset_reset => "latest"
  }
}
filter {
  # The filter section also needs an if test so that each topic gets its own handling
  # topic=nginx
  if [fields][log_topics] == "nginx" {
    date {
      match => ["requesttime", "dd/MMM/yyyy:HH:mm:ss Z +08:00"]
      target => "@timestamp"
    }
    ruby {
      code => "event.set('timestamp', event.get('@timestamp').time.utc+8*60*60)"
    }
    mutate {
      convert => ["timestamp", "string"]
      gsub => ["timestamp", "T([\S\s]*?)Z", ""]
      gsub => ["timestamp", "-", "."]
    }
    mutate {
      remove_field => ["_index","_id","_type","_version","_score","host","log","referer","input","path","agent"]
    }
  }
  # topic=httpd
  if [fields][log_topics] == "httpd" {
    date {
      match => ["requesttime", "dd/MMM/yyyy:HH:mm:ss Z +08:00"]
      target => "@timestamp"
    }
    ruby {
      code => "event.set('timestamp', event.get('@timestamp').time.utc+8*60*60)"
    }
    mutate {
      convert => ["timestamp", "string"]
      gsub => ["timestamp", "T([\S\s]*?)Z", ""]
      gsub => ["timestamp", "-", "."]
    }
    mutate {
      remove_field => ["_index","_id","_type","_version","_score","host","log","referer","input","path","agent"]
    }
  }
}
output {
  elasticsearch {
    hosts => ["10.1.1.17:9200"]
    # The index name references the field configured in filebeat, so two date-stamped indices are created automatically
    index => '%{[fields][log_topics]}+%{timestamp}'
  }
}
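To make the two stages above concrete, here is an added Python model of the path one log line takes (example code written for this page, not Filebeat's or Logstash's own implementation). The first function imitates what the json.keys_under_root / json.overwrite_keys / json.add_error_key options do to the event Filebeat publishes to Kafka; the second applies the per-topic filter chain (date, ruby +8h shift, the two gsubs, remove_field) and the third builds the index name from the elasticsearch output's sprintf pattern. The sample log lines are constructed, the requesttime values are assumed to be in the form 11/Mar/2020:05:00:00 +0800, and the error fields written on a bad line are an assumed model of Filebeat's documented behaviour.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines, shaped like the JSON access-log format the two inputs read.
# The 05:00 local (+0800) time is chosen on purpose: in UTC it is still 10 March.
NGINX_LINE = '{"requesttime":"11/Mar/2020:05:00:00 +0800","status":200,"message":"GET /index.html"}'
HTTPD_LINE = '{"requesttime":"11/Mar/2020:23:59:59 +0800","status":404}'
BAD_LINE = 'this is not JSON'


def filebeat_decode(line, log_topics, keys_under_root=True,
                    overwrite_keys=True, add_error_key=True):
    """Build the event Filebeat publishes to Kafka for one log line, following the
    documented meaning of the json.* options (assumed model, not Filebeat's code)."""
    event = {"message": line, "fields": {"log_topics": log_topics}}
    try:
        decoded = json.loads(line)
        if not isinstance(decoded, dict):
            raise ValueError("JSON document is not an object")
    except ValueError as exc:
        # json.add_error_key: keep the raw message and record why decoding failed
        if add_error_key:
            event["error"] = {"message": str(exc), "type": "json"}
        return event
    if not keys_under_root:
        event["json"] = decoded          # decoded fields stay nested under 'json'
        return event
    for key, value in decoded.items():
        # json.overwrite_keys decides whether a decoded key such as 'message'
        # replaces the field Filebeat already set on the event
        if key in event and not overwrite_keys:
            continue
        event[key] = value
    return event


ROUTED_TOPICS = ("nginx", "httpd")   # the two if-branches in the filter section


def logstash_filter(event, shift_hours=8):
    """Apply the per-topic chain: date -> ruby (+8h) -> mutate (string, gsub, gsub) -> remove_field.
    Events whose log_topics matches neither branch pass through untouched, as in Logstash."""
    topic = event.get("fields", {}).get("log_topics")
    if topic not in ROUTED_TOPICS:
        return event
    parsed = datetime.strptime(event["requesttime"], "%d/%b/%Y:%H:%M:%S %z")
    event["@timestamp"] = parsed.astimezone(timezone.utc)         # date filter stores UTC
    shifted = event["@timestamp"] + timedelta(hours=shift_hours)   # ruby: .time.utc + 8*60*60
    as_string = shifted.strftime("%Y-%m-%dT%H:%M:%S.000Z")         # mutate convert => string
    as_string = re.sub(r"T([\S\s]*?)Z", "", as_string)             # gsub: drop the time part
    event["timestamp"] = as_string.replace("-", ".")               # gsub: '-' -> '.'
    for field in ("host", "log", "referer", "input", "path", "agent"):
        event.pop(field, None)                                     # remove_field
    return event


def index_name(event):
    """elasticsearch output: index => '%{[fields][log_topics]}+%{timestamp}'.
    Logstash leaves an unresolvable %{...} reference as literal text, modelled here."""
    ts = event.get("timestamp", "%{timestamp}")
    return f"{event['fields']['log_topics']}+{ts}"


def pipeline(line, log_topics, shift_hours=8):
    """Run one line through both stages and return the index it would land in."""
    return index_name(logstash_filter(filebeat_decode(line, log_topics), shift_hours))


if __name__ == "__main__":
    print(pipeline(NGINX_LINE, "nginx"))                 # nginx+2020.03.11
    print(pipeline(NGINX_LINE, "nginx", shift_hours=0))  # nginx+2020.03.10: why the ruby shift exists
    print(pipeline(HTTPD_LINE, "httpd"))                 # httpd+2020.03.11
    print(filebeat_decode(BAD_LINE, "nginx")["error"])   # what add_error_key leaves behind
```

Two points worth checking with this model before going live: the shift_hours=0 run shows that without the ruby filter a 05:00 Beijing-time request would be indexed under the previous day's index, and the untouched-topic case shows that any event whose log_topics is not covered by an if-branch reaches the output with no timestamp field and is written to an index literally named like other+%{timestamp}. If you add a third topic to the kafka input later, add its filter branch in the same change.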
3. View the indices in Kibana
Then start logstash. If there are no errors, the newly created indices nginx+2020.03.11 and httpd+2020.03.11 can be seen in Kibana under Management, Index Management. From them we create index patterns, nginx+2020.03.11 and httpd+2020.03.11 respectively, and then look at the logs in each:
You can see that the httpd logs are all under the httpd index and the nginx logs are all under the nginx index:
That completes the configuration!