filebeat收集tomcat日志
1、部署tomcat
1、上传需要安装软件包
cd /opt/es-software
2、安装jdk和tomcatl
rpm -ivh jdk-8u102-linux-x64.rpm
java -version
tar xf apache-tomcat-8.5.49.tar.gz -C /opt
ln -s /opt/apache-tomcat-8.5.49 /opt/tomcat
3、启动tomcat服务
cd /opt/tomcat/bin
./startup.sh
4、在浏览当中访问tomcat首页
10.0.0.13:8080
5、此时产生的日志不是json格式,不便于日志分析,需要修改tomcat的日志格式
vim /opt/tomcat/conf/server.xml
在162行替换掉pattern的内容
pattern="{"clientip":"%h","ClientUser":"%l","authenticated":"%u","AccessTime":"%t","method":"%r","status":"%s","SendBytes":"%b","Query?string":"%q","partner":"%{Referer}i","AgentVersion":"%{User-Agent}i"}"/>
6、重启tomcat服务
cd /opt/tomcat/bin
./shutdown.sh
./startup.sh
7、把之前老的访问清除
cat /dev/null >/opt/tomcat/logs/localhost_access_log.2020-04-10.txt
8、重新生产新访问日志
9、验证新的访问日志是否符合json格式
2、修改filebeat配置文件
1、修改filebeat配置文件
vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /opt/tomcat/logs/localhost_access_log.*.txt
json.keys_under_root: true
overwrite_keys: true
tags: ["tomcat"]
output.elasticsearch:
hosts: ["10.0.0.10:9200","10.0.0.11:9200"]
indices:
- index: "tomcat-access-%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "tomcat"
setup.template.name: "tomcat"
setup.template.pattern: "tomcat-*"
2、重启filebeat服务
systemctl restart filebeat