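Log collection with Filebeat + Logstash
This method covers log collection only; it does not integrate Elasticsearch or other online search features.
Filebeat installation and configuration
1. Installation
CentOS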
sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
echo -e "[elastic-8.x]\nname=Elastic repository for 8.x packages\nbaseurl=https://artifacts.elastic.co/packages/8.x/yum\ngpgcheck=1\ngpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch\nenabled=1\nautorefresh=1\ntype=rpm-md" | sudo tee /etc/yum.repos.d/elastic.repo
sudo yum install filebeat
sudo systemctl enable filebeat
UBUNTU
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo apt-get install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list
sudo apt-get update && sudo apt-get install filebeat
sudo systemctl enable filebeat
2. Configuration
Edit the configuration file /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: filestream
  id: nginx-access
  enabled: true
  paths:
    - /var/log/nginx/access.log
  fields: # extra fields added to each event; they can be used in Logstash
    group: nginx
    name: test
    level: access
- type: filestream
  id: nginx-error
  enabled: true
  paths:
    - /var/log/nginx/error.log
  fields:
    group: nginx
    name: test
    level: error
Comment out the elasticsearch output here.
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
Configure the Logstash output
output.logstash:
  hosts: ["localhost:5044"] # put the actual address and port of the Logstash server here
Add the logging settings
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0640
Once the configuration is complete, restart Filebeat. Reference documentation: https://www.elastic.co/guide/en/beats/libbeat/current/index.html
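The Logstash side of this setup, as an added example that is not part of the original page: a pipeline that listens on port 5044 and uses the group, name and level fields set in filebeat.yml to choose the output file. The pipeline file name, the /data/logs directory and the fields_ok tag are assumptions; the field values come from the shipper, so they are validated before being interpolated into a path.

```logstash
# /etc/logstash/conf.d/beats-to-file.conf  (file name is an assumption)
input {
  beats {
    port => 5044    # must match output.logstash.hosts in filebeat.yml
  }
}

filter {
  # Filebeat puts the custom "fields" under [fields] unless fields_under_root
  # is enabled. Accept only plain tokens (no "/", "." or whitespace), because
  # these values end up in a file path on the Logstash host.
  if [fields][group] =~ /\A[A-Za-z0-9_-]+\z/ and
     [fields][name]  =~ /\A[A-Za-z0-9_-]+\z/ and
     [fields][level] =~ /\A[A-Za-z0-9_-]+\z/ {
    mutate { add_tag => ["fields_ok"] }    # tag name is an assumption
  }
}

output {
  if "fields_ok" in [tags] {
    file {
      # e.g. /data/logs/nginx/test-access-2024-01-31.log (base path is an assumption)
      path  => "/data/logs/%{[fields][group]}/%{[fields][name]}-%{[fields][level]}-%{+YYYY-MM-dd}.log"
      codec => line { format => "%{message}" }    # write the original log line only
    }
  } else {
    # Events with missing or unexpected field values are kept apart for review.
    file {
      path => "/data/logs/_rejected/%{+YYYY-MM-dd}.log"
    }
  }
}
```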