ELK框架Logstash配合Filebeats和kafka使用
本文目录
配置文件结构
配置文件为:logstash.yml
需要自己新建conf
文件,设置input
,filter
和output
,文件结构如下,自带的logstash-sample.conf
内容如下
input {
}
filter {
}
output {
}
![](https://img-blog.csdnimg.cn/6ccb524a52304a799f33e9f4ea2b86d6.png)
启动命令
bin/logstash -f config/logstash.conf
https://www.elastic.co/guide/en/logstash/current/input-plugins.html
input为标准输入,output为标准输出
![](https://img-blog.csdnimg.cn/8bc4d5e878544b889aa1c733d7335abc.png)
input {
stdin { }
}
output {
elasticsearch {
hosts => ["localhost:9200"]
}
stdout { }
}
![](https://img-blog.csdnimg.cn/92dd6f7b17424114871d3a73ee9041c6.jpeg)
input为log文件
output为标准输出
![](https://img-blog.csdnimg.cn/1ddb6578dfd549d1b809430d7a6cbb9f.png)
input {
# 从文件读取日志信息
file {
path => "/xxx/demolog/logs/myapp-info.log"
type => "ghn"
start_position => "beginning"
}
}
output {
stdout { codec => rubydebug }
}
![](https://img-blog.csdnimg.cn/14480da6a4904d2996c34011506ea0da.jpeg)
output为es
![](https://img-blog.csdnimg.cn/1ec4fe035e074ce49d62c512194817e4.png)
input {
# 从文件读取日志信息
file {
path => "/xxx/demolog/log/demolog-*.log"
type => "ghn"
start_position => "beginning"
}
}
output {
# 输出到 elasticsearch
elasticsearch {
hosts => ["localhost:9200"]
user => "elastic"
password => "xxxxxx"
ssl => "true"
cacert => "/xxx/elk/logstash-8.9.1/config/certs/http_ca.crt"
index => "ghn-%{+YYYY.MM.dd}"
}
stdout { }
}
![](https://img-blog.csdnimg.cn/e768492e313d4b6d8757f91a43665781.jpeg)
input为tcp
![](https://img-blog.csdnimg.cn/9a7d427110ed47e0b49d91cbd34280dd.png)
配合springboot/springcloud使用
springboot配置
官方github:https://github.com/logfellow/logstash-logback-encoder
在pom.xml添加依赖
<dependency>
<groupId>net.logstash.logback</groupId>
<artifactId>logstash-logback-encoder</artifactId>
<version>7.4</version>
</dependency>
在logback-spring.xml添加配置
<appender name="stash" class="net.logstash.logback.appender.LogstashTcpSocketAppender">
<destination>127.0.0.1:4560</destination>
<!-- encoder is required -->
<encoder class="net.logstash.logback.encoder.LogstashEncoder" />
</appender>
<root level="info">
<appender-ref ref="CONSOLE"/>
<appender-ref ref="stash" />
</root>
logstash配置
input {
# 从文件读取日志信息
tcp {
host => "0.0.0.0"
mode => "server"
port => 4560
codec => json_lines
}
}
output {
# 输出到 elasticsearch
elasticsearch {
hosts => ["localhost:9200"]
user => "elastic"
password => "xxxxxx"
ssl => "true"
cacert => "xxx/logstash-8.9.1/config/certs/http_ca.crt"
index => "ghn-%{+YYYY.MM.dd}"
}
stdout { }
# stdout { codec => rubydebug }
}
-
logstash终端查看
-
kibana查看
input为filebeats
![](https://img-blog.csdnimg.cn/53194849327f46178978786981f753ba.png)
filebeats配置
- 配置文件位置:
filebeat-8.9.1-darwin-aarch64/filebeat.yml
,修改如下部分,指定log位置为springboot的目录
filebeat.inputs:
- type: filestream
enabled: true
paths:
- /xxx/xxx/*.log
- 启动
./filebeat -e -c filebeat.yml -d "publish"
![](https://img-blog.csdnimg.cn/5a27d94380a54b36bc2c227fb265a3d2.jpeg)
与logstash建立了连接,启动成功
logstash配置
input {
beats {
port => 5044
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
user => "elastic"
password => "xxxxxx"
ssl => "true"
cacert => "/xxxx/logstash-8.9.1/config/certs/http_ca.crt"
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
}
}
- 启动logstash
bin/logstash -f config/logstash-filebeat.conf
- 获取从filebeats发来的日志
kibana
-
kibana中数据视图已经能够看到
-
查看详情
input为kafka
![](https://img-blog.csdnimg.cn/fec89267a1484da391039e1653765a28.png)
官方文档:https://www.elastic.co/guide/en/logstash/current/use-filebeat-modules-kafka.html
filebeats设置
output.kafka:
hosts: ["localhost:9092"]
topic: "filebeat"
codec.json:
pretty: false
./filebeat -e -c filebeat.yml -d "publish"
logstash配置
input {
kafka {
bootstrap_servers => ["localhost:9092"]
topics => ["filebeat"]
codec => json
}
}
output {
# 输出到 elasticsearch
elasticsearch {
hosts => ["localhost:9200"]
user => "elastic"
password => "xxxxxx"
ssl => "true"
cacert => "/xxx/elk/logstash-8.9.1/config/certs/http_ca.crt"
index => "ghn-%{+YYYY.MM.dd}"
}
stdout { }
# stdout { codec => rubydebug }
}
-
kafka启动
-
logstash查看
-
kafka关闭
https://www.elastic.co/guide/en/logstash/current/plugins-inputs-kafka.html