elastic 的基本使用

1. 安装 filebeat

# The package file name is held in one variable so the download and the
# install always refer to the same file.
pkg=filebeat-7.7.1-amd64.deb
wget "https://mirrors.bfsu.edu.cn/elasticstack/7.x/apt/pool/main/f/filebeat/${pkg}"

# NOTE(review): dpkg -i does not check a package signature and runs the
# package's maintainer scripts as root. The file comes from a third-party
# mirror, so compare its digest with the value Elastic publishes for this
# release before installing:
#   sha512sum "${pkg}"   # expected: <SHA512_PUBLISHED_BY_ELASTIC>
dpkg -i "${pkg}"

#=========================== Filebeat inputs =============================
# Two log inputs read the date-suffixed nginx files. Each event is tagged so
# that later stages can tell access records from error records.
filebeat.inputs:
  # nginx access log (presumably one JSON object per line; the processors
  # section decodes "message" as JSON for events tagged "access").
  - type: log
    enabled: true
    # false: existing files are read from the start, not from the end.
    tail_files: false
    # Files not modified within this window are skipped.
    ignore_older: 3h
    # The file handle is closed after this long without new lines.
    close_inactive: 1h
    paths:
      - /opt/nginx/logs/json_log.20??-??-??
    # Lines matching any of these regular expressions are dropped before
    # shipping (static-asset requests).
    # NOTE(review): the patterns are matched against the whole line, so a
    # record is also dropped when any other field value ends in .png, .jpg
    # or .css. If these logs feed detection, consider filtering on the
    # parsed request field downstream instead.
    exclude_lines:
      - '\.png\"'
      - '\.jpg\"'
      - '\.css\"'
    tags:
      - "access"

  # nginx error log; only lines carrying the [error] level are shipped.
  - type: log
    enabled: true
    tail_files: false
    ignore_older: 24h
    close_inactive: 20h
    paths:
      - /opt/nginx/logs/error.20??-??-??
    tags:
      - "error"
    include_lines:
      - '\[error\]'


# Processors run in the order listed: decode JSON, rename host.name, then
# drop the Filebeat metadata objects.
processors:
  # Parse the JSON text held in "message", only for events tagged "access".
  - decode_json_fields:
      when:
        contains:
          tags: "access"
      fields:
        - "message"
      # NOTE(review): target "" places the decoded keys at the event root and
      # overwrite_keys lets them replace fields that already exist. Values in
      # an access log come from clients; if the nginx log_format does not
      # escape them as JSON (TODO confirm it uses escape=json), log content
      # could introduce or replace event fields, including the host fields
      # that the rename below relies on. Decoding into a dedicated target
      # namespace avoids this, at the cost of new field names downstream.
      target: ""
      overwrite_keys: true
      # On a decode failure an error key is added to the event.
      add_error_key: true
  # Move host.name to a flat "hostname" field.
  - convert:
      fields:
        - from: "host.name"
          to: "hostname"
          type: "string"
      mode: rename
      ignore_missing: true
      fail_on_error: true
  # Remove Filebeat's own metadata objects from the event.
  # NOTE(review): "log" holds the source file path and offset and "agent"
  # identifies the shipper; once dropped, an event can no longer be traced
  # back to its file position during an investigation. Confirm this is
  # intended.
  - drop_fields:
      fields:
        - "log"
        - "agent"
        - "ecs"
        - "input"
        - "host"
      ignore_missing: false

# Alternative output, left disabled: write events to a local file.
#output.file:
#  path: "/tmp/"
#  filename: filebeat.log

# NOTE(review): no ssl.* settings are present, so events are sent to Logstash
# unencrypted and neither end authenticates the other. Access logs carry
# client addresses and full request URLs. If the network path is not fully
# trusted, enable TLS on the Logstash beats input and set, for example:
#   ssl.certificate_authorities: ["<PATH_TO_CA_CERT>"]
#   ssl.certificate: "<PATH_TO_CLIENT_CERT>"
#   ssl.key: "<PATH_TO_CLIENT_KEY>"
output.logstash:
  # The Logstash hosts
  hosts:
    - "192.168.29.152:5044"
  # Distributes events across the listed hosts; only one host is listed.
  loadbalance: true
  compression_level: 5
  # Upper bound on the number of events sent in one batch.
  bulk_max_size: 8192

2. 修改配置文件

# Filebeat's config permission check rejects a filebeat.yml that is writable
# by group or others; keep the file writable only by its owner after editing.
vim /etc/filebeat/filebeat.yml


转载自www.cnblogs.com/busigulang/p/13178206.html