Step 1: Open the filebeat.yml file
vi filebeat.yml
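Step 2: Edit the Filebeat inputs
Parameters:
(1) type: the type of the log input
(2) enabled: ???
(3) paths: the paths where the log files are stored
(4) tags: labels; use this parameter if the Logstash filters will later need to apply different filtering to different paths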
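A filebeat.yml inputs section using the four parameters above, as an added example that is not from the original page. The log paths and the Logstash host name are assumed placeholders; the tag values are the ones the Logstash configuration on this page tests for.

```yaml
# filebeat.yml (added example; paths and host name are assumptions)
filebeat.inputs:
  - type: log                  # input type
    enabled: true              # Filebeat only reads inputs that are enabled
    paths:
      - /var/log/interfaceauto/*.log   # assumed path
    # Arrives in the event's [tags] field, so logstash.conf can
    # branch on: if "interfaceauto" in [tags]
    tags: ["interfaceauto"]

  - type: log
    enabled: true
    paths:
      - /var/log/umeapi/*.log          # assumed path
    tags: ["umeapi"]

# Send events to the Logstash beats input (port 5044 in logstash.conf).
# Filebeat allows only one enabled output, so output.elasticsearch
# must stay commented out when this section is active.
output.logstash:
  hosts: ["logstash.example.internal:5044"]   # assumed host name
```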
Step 3: This step is needed only if Logstash must apply different filters to the different log paths configured in Filebeat; otherwise skip it.
Edit the logstash.conf file
input {
  beats {
    type => "log"
    port => 5044 # listen on port 5044 of this host
  }
}
filter {
  if "interfaceauto" in [tags] {
    mutate {
      split => { "message" => "|" }
      add_field => {
        "log_task_name" => "%{[message][0]}"
      }
      add_field => {
        "log_module" => "%{[message][1]}"
      }
      add_field => {
        "log_rpid" => "%{[message][2]}"
      }
      add_field => {
        "log_rname" => "%{[message][3]}"
      }
      add_field => {
        "log_env" => "%{[message][4]}"
      }
      add_field => {
        "log_result" => "%{[message][5]}"
      }
      add_field => {
        "log_case" => "%{[message][6]}"
      }
      remove_field => ["message"]
    }
  }
  if "umeapi" in [tags] {
    mutate {
      split => { "message" => "|" }
      add_field => {
        "log_operation_datetime" => "%{[message][0]}"
      }
      add_field => {
        "log_operation_object" => "%{[message][1]}"
      }
      remove_field => ["message"]
    }
  }
}
output {
  stdout { codec => rubydebug }
  if "interfaceauto" in [tags] {
    elasticsearch {
      hosts => ["10.237.79.147:9200"]
      index => "%{type}-%{+YYYY.MM.dd}"
    }
  }
  if "umeapi" in [tags] {
    elasticsearch {
      hosts => ["10.237.79.147:9200"]
      index => "umeapi-logstash"
    }
  }
}
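Based on the tags, different filter conditions are applied to different log sources, and each source is written to a different output index (Elasticsearch index).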