filebeat docker 部署

发布时间: 2023-10-07 18:56:46  作者: lshan

官方文档:

https://www.elastic.co/guide/en/beats/filebeat/8.10/index.html

https://www.elastic.co/guide/en/beats/filebeat/8.10/running-on-docker.html

 

1. 拉取镜像

# Fetch the pinned Filebeat 8.10.2 image from Docker Hub (elastic/ namespace).
sudo docker image pull elastic/filebeat:8.10.2

 

2. 准备配置文件

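# The config lives on the host and is bind-mounted into the container.
sudo mkdir -p /opt/docker/filebeat
# 755 instead of 777: a world-writable directory lets any local user replace
# filebeat.yml (and with it the paths Filebeat reads and the Kafka brokers it
# ships to). Filebeat runs as root inside the container and only needs to read
# this directory, so read-only for everyone else is enough.
sudo chmod -R 755 /opt/docker/filebeat

# The directory is root-owned now, so the editor needs sudo to save the file.
sudo vim /opt/docker/filebeat/filebeat.yml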

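---
# Filebeat 8.10 configuration: tail *error.log files that are mounted into the
# container at /opt/logs and ship each (possibly multi-line) event to Kafka.
# NOTE: the `log` input is deprecated in 8.x in favour of `filestream`; it is
# kept here because the multiline settings below are written for `log`.
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /opt/logs/*error.log
      # - /opt/docker/log/*.log
    fields:
      # Extra field attached to every event; output.kafka.topic below reads it
      # to choose the destination topic.
      log_topic: sea_test_filebeat_log_topic
    multiline:
      # A line that starts with a YYYY-MM-DD date begins a new event; every
      # other line (stack traces etc.) is appended to the preceding event.
      type: pattern
      pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
      negate: true
      match: after
      # Maximum number of lines merged into one event (default 500).
      # Fixed: the original key was misspelled `mutiline.max_lines` and sat at
      # an indentation that does not belong to this mapping, so the limit was
      # never applied.
      max_lines: 1000
    # The read position is kept in the registry under the data path
    # (/usr/share/filebeat/data inside the image). Mount that directory if the
    # container may be re-created. In 8.x the location is configured with
    # `filebeat.registry.path`; `registry_file` is the pre-7.0 setting.
    # registry_file: /usr/soft/filebeat/data/registry

output.kafka:
  enabled: true
  # Only broker addresses are given: no TLS and no credentials, so events are
  # sent in plaintext and unauthenticated over the (host) network. Configure
  # the kafka output's ssl/credential settings before shipping anything
  # sensitive.
  hosts:
    - "192.168.18.176:9092"
    - "192.168.18.54:9092"
    - "192.168.18.199:9092"
  # Topic comes from the field added under fields: above. The original
  # referenced fields.kafka_topic, which is never set in this file, so the
  # topic could not be resolved.
  topic: '%{[fields.log_topic]}'
  max_message_bytes: 1000000
  compression: gzip

processors:
  # Strips shipper/origin metadata to keep messages small; `name` below still
  # identifies this shipper in the events.
  - drop_fields:
      fields: ["host", "input", "agent", "ecs", "log", "@version", "flags"]

logging.level: error
name: sea_app-server-ip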

 

测试配置（固定 topic 的简化版本）:

---
# Simplified test configuration: one log input feeding a fixed Kafka topic.
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /opt/logs/*error.log
      # - /wls/applogs/rtlog/*.log
    fields:
      log_topic: appName
    multiline:
      # pattern for error log, if start with space or cause by
      pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
      negate: true
      match: after

output.kafka:
  enabled: true
  # Plaintext brokers, no TLS or credentials configured in this file.
  hosts:
    - "192.168.18.176:9092"
    - "192.168.18.54:9092"
    - "192.168.18.199:9092"
  # Static topic; the log_topic field above travels with the event but is not
  # used for routing here.
  topic: sea_test_filebeat_log1
  max_message_bytes: 1000000
  compression: gzip

processors:
  - drop_fields:
      fields:
        - "beat"
        - "input"
        - "source"
        - "offset"

logging.level: error
name: sea_app-server-ip

 

3. 设置配置文件权限（Filebeat 要求配置文件属主为 root 且不可被其他用户写入）

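# Filebeat refuses to start when its config file is writable by group/others or
# is not owned by the user it runs as (root inside the container); these two
# commands satisfy that check. Absolute paths so the step does not depend on
# the current working directory.
sudo chown 0 /opt/docker/filebeat/filebeat.yml
sudo chmod go-w /opt/docker/filebeat/filebeat.yml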

 

4. 启动服务:

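# Run Filebeat as a detached, auto-restarting container on the host network.
# --privileged removed: reading bind-mounted log files needs no extra
# capabilities or device access, and a privileged root container with host
# networking amounts to root on the host. --user=root stays so the container
# can read root-owned host logs (the image runs as a non-root user by default).
# On SELinux hosts, add the :z mount option rather than reinstating --privileged.
# Mounts are read-only wherever Filebeat only reads; the data directory is
# mounted so the registry (read positions) survives container re-creation.
sudo docker run -itd \
  --user=root \
  --name=sea_filebeat \
  --restart=always \
  --network=host \
  -v /opt/docker/filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro \
  -v /opt/docker/filebeat/data:/usr/share/filebeat/data:rw \
  -v /opt/docker/testlog/:/opt/logs/:ro \
  elastic/filebeat:8.10.2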

 

 

 

配置说明:

 

多行日志合并

 

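# Multiline merge rule: a line that starts with a date begins a new log event;
# any other line is appended to the previous one (java and python logs start
# with a date).
  multiline.type: pattern
  # Date in square brackets, e.g. [2015-08-24 11:49:14,389]
  #multiline.pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}'
  # Bare date, e.g. 2015-08-24 11:49:14,389
  multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: after
  # Maximum number of lines merged into one event (default 500).
  # Fixed: the key was misspelled `mutiline.max_lines`, which does not set
  # the limit.
  multiline.max_lines: 1000
  # The read position is stored in the registry (under the data path by
  # default), so a restarted container resumes where it left off. In 8.x the
  # location is set with `filebeat.registry.path`; `registry_file` is the
  # pre-7.0 setting.
  #  registry_file: /usr/soft/filebeat/data/registry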