Filebeat + Logstash custom multi-index

Option One: Recommended

[root@elk-node-1 filebeat]# cat filebeat.yml|egrep -v "^$|^#|#"
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /opt/app/nginx/logs/elk.log
  fields:
    service: nginx
- type: log
  enabled: true
  paths:
    - /var/log/cron
  fields:
    service: cron
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
output.logstash:
  hosts: ["10.0.0.61:5044"]
[root@elk-node-1 filebeat]#

[root@elk-node-1 config]# cat logstash.conf
input {
  beats {
    port => "5044"
  }
}
output {
  # On output, route by service: events whose [fields][service] equals "nginx" go to the nginx daily index
  if [fields][service] == "nginx" {
    elasticsearch {
      hosts => ["10.0.0.61:9200"]
      index => "test-yunshi-ht-ngin-%{+YYYY.MM.dd}"
    }
  }
  else if [fields][service] == "cron" {
    elasticsearch {
      hosts => ["10.0.0.61:9200"]
      index => "test-yunshi-ht-cron-%{+YYYY.MM.dd}"
    }
  }
}
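The output block above has no final else, so an event whose [fields][service] is neither nginx nor cron matches no output and is not indexed anywhere. The variant below is an added example, not part of the original post; the "unrouted" index name is an assumption.

```logstash
output {
  # Note: if filebeat.yml sets fields_under_root: true, the field arrives as
  # [service] rather than [fields][service], and neither branch below matches.
  if [fields][service] == "nginx" {
    elasticsearch {
      hosts => ["10.0.0.61:9200"]
      index => "test-yunshi-ht-ngin-%{+YYYY.MM.dd}"
    }
  } else if [fields][service] == "cron" {
    elasticsearch {
      hosts => ["10.0.0.61:9200"]
      index => "test-yunshi-ht-cron-%{+YYYY.MM.dd}"
    }
  } else {
    # Catch-all (index name is an assumption for this example): keeps events
    # from inputs that lack a recognised fields.service value, so a new or
    # mislabelled input shows up in its own index instead of disappearing.
    elasticsearch {
      hosts => ["10.0.0.61:9200"]
      index => "test-yunshi-ht-unrouted-%{+YYYY.MM.dd}"
    }
  }
}
```

A non-empty unrouted index is then a signal that some input is shipping logs without the expected service label.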

Option Two: Not recommended. These settings will continue to work, but there are plans to remove them from Logstash in the future. In Elasticsearch 6.0 the document type is deprecated, and it is completely removed in 7.0.

In Filebeat, add a document_type setting, which defines an identifier for each log:

- input_type: log
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/logs/xx.log
  document_type: xx
- input_type: log
  paths:
    - /data/logs/aa.log
  document_type: aa

Then match on the corresponding type in the Logstash configuration:

output {
    if [type] == "xx" {
        elasticsearch {
            hosts => ["*.*.*.*:9200"]
            index => "xx-%{+YYYY.MM.dd}"
            document_type => "log"
        }
    }
    if [type] == "aa" {
        elasticsearch {
            hosts => ["*.*.*.*:9200"]
            index => "aa-%{+YYYY.MM.dd}"
            document_type => "log"
        }
    }
}


Origin www.cnblogs.com/xy51/p/11208876.html