If you have demanding log-collection requirements, filebeat is the better choice.
Overall architecture diagram:
In ELK study notes (2), we introduced the file input of logstash, which works much like filebeat. The difference is that logstash is written in Java and consumes more resources; filebeat is lighter, performs better, and is easier to install. The Beats family includes:
Packetbeat (collects network traffic data);
Topbeat (collects data such as CPU and memory usage at the system, process and file system level);
Filebeat (collects file data);
Winlogbeat (collects Windows event log data).
Here we focus only on filebeat.
1. Download and install
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.1.1-x86_64.rpm
sudo rpm -vi filebeat-6.1.1-x86_64.rpm
2. Modify the configuration
#/etc/filebeat/filebeat.yml
filebeat.prospectors:
- paths:
    - /var/log/logstash/*.log
  input_type: log
  exclude_lines: ['DEBUG']
  multiline:
    pattern: '^\['
    negate: true
    match: after
output.logstash:
  hosts: ["logstash.zjportdns.gov.cn:5000"]
3. Start
sudo service filebeat start
4. Set up self-start
vi /etc/rc.local
Append the following line so filebeat starts at boot:
sudo service filebeat start
5. logstash configuration
input {
  beats {
    type => "beat"
    port => 5000
  }
}
For the complete configuration, see the attachment (some conversions were made in the filter for compatibility with log4j).
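As an added illustration (not part of the original notes or of filebeat itself), the Python script below models what the multiline and exclude_lines settings in the filebeat.yml above do to a constructed sample of log4j output: lines that do not start with "[" are appended to the preceding event, and filebeat's documented order is followed, combining multiline messages first and only then applying exclude_lines to the combined event.

```python
import re
from typing import List

# Settings taken from the filebeat.yml shown above.
MULTILINE_PATTERN = re.compile(r'^\[')
MULTILINE_NEGATE = True          # match: after is the only mode modelled here
EXCLUDE_LINES = [re.compile('DEBUG')]

# Constructed sample of log4j output: one ERROR event carries a stack trace.
SAMPLE_LOG = """[2018-01-10 09:15:01,123] INFO  Server started on port 9600
[2018-01-10 09:15:02,456] DEBUG Pipeline worker 1 idle
[2018-01-10 09:15:03,789] ERROR Failed to parse event
java.lang.IllegalArgumentException: bad timestamp
    at org.example.Parser.parse(Parser.java:42)
    at org.example.Worker.run(Worker.java:17)
[2018-01-10 09:15:04,000] WARN  DEBUG endpoint enabled in production
[2018-01-10 09:15:05,000] INFO  Shutdown requested
"""


def _starts_event(line: str) -> bool:
    """With negate: true, a line that matches the pattern starts a new event
    and a line that does not match is a continuation of the previous one."""
    matched = bool(MULTILINE_PATTERN.search(line))
    return matched if MULTILINE_NEGATE else not matched


def assemble_events(lines: List[str]) -> List[str]:
    """Group raw lines into events (match: after), then drop every combined
    event that matches one of the exclude_lines patterns."""
    events: List[List[str]] = []
    for line in lines:
        if _starts_event(line) or not events:   # orphan continuation -> own event
            events.append([line])
        else:
            events[-1].append(line)
    joined = ["\n".join(ev) for ev in events]
    return [ev for ev in joined if not any(p.search(ev) for p in EXCLUDE_LINES)]


def demo() -> List[str]:
    """Run the sample through the pipeline; returns the events filebeat would ship."""
    return assemble_events(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for event in demo():
        print(event)
        print("---")
```

Note that 'DEBUG' is an unanchored regex, so the WARN line that merely mentions DEBUG is dropped along with the real DEBUG line; anchoring the pattern to the level field (for example '^\[[^\]]+\] DEBUG') avoids silently losing events you may later need for an investigation.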