Filebeat Logstash elasticsearch Kibana 日志收集展示分析

filebeat读取nginx日志》输出到logstash中》 logstash创建索引输入到elasticsearch，最后由kibana展示出来

此配置文件以上述服务安装在同一台为例，如果logstash或者elasticsearch服务在其他机器，配置文件中ip要记得修改

nginx 配置文件修改日志格式为json格式

 # 注释掉默认的日志格式 记得配置log文件后面格式加上json
 
    log_format json '{"created_at":"$time_iso8601",'
                       '"remote_addr":"$remote_addr",'
                       '"method":"$request_method",'
                       '"request":"$request",'
                       '"status":"$status",'
                       '"size":$body_bytes_sent,'
                       '"referer": "$http_referer",'
                       '"http_host":"$http_host",'
                       '"response_time":$request_time,'
                       '"http_x_forwarded_for":"$http_x_forwarded_for",'
                       '"user_agent": "$http_user_agent"'
 
    '}';

filebeat 配置文件

 # *.log 目录下所有log结尾的文件，也可以指定文件名称
 
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /data/logs/nginx/*.log
  tags: ["nginx"]
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
output.logstash:
  hosts: ["192.168.10.10:5044"]
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

logstash 配置文件

 # Beats -> Logstash -> Elasticsearch pipeline.
# elasticsearch如果有密码，下面的要输入es的用户和密码
 
input {
  beats {
    port => 5044
    codec => "json"
  }
}
 
output {
 
  if "nginx" in [tags] {
    elasticsearch {
      hosts => ["http://192.168.10.10:9200"]
      index => "nginx-%{+YYYY.MM.dd}"
      user => "elastic"
      password => "password"
    }
  }
 
  elasticsearch {
    hosts => ["http://192.168.10.10:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "password"
  }
}

kibana 配置文件

 # elasticsearch如果有密码，下面的要输入es的用户和密码
 
server.port: 5601
server.host: "192.168.10.10"
server.name: "kib"
elasticsearch.hosts: ["http://192.168.10.10:9200"]
kibana.index: ".kibana"
elasticsearch.username: "elastic"
elasticsearch.password: "password"
elasticsearch.requestTimeout: 30000
logging.dest: /data/elk/kibana-7.9.3/logs/kibana.log
i18n.locale: "zh-CN"

kibana 日志展示统计图例

Filebeat Logstash elasticsearch Kibana 日志收集展示分析

本文最后记录时间 2024-03-30
文章链接地址：https://me.jinchuang.org/archives/1123.html
本站文章除注明[转载|引用|来源],均为本站原创内容,转载前请注明出处

	# 注释掉默认的日志格式记得配置log文件后面格式加上json

	log_format json '{"created_at":"$time_iso8601",'
	'"remote_addr":"$remote_addr",'
	'"method":"$request_method",'
	'"request":"$request",'
	'"status":"$status",'
	'"size":$body_bytes_sent,'
	'"referer": "$http_referer",'
	'"http_host":"$http_host",'
	'"response_time":$request_time,'
	'"http_x_forwarded_for":"$http_x_forwarded_for",'
	'"user_agent": "$http_user_agent"'

	'}';

	# *.log 目录下所有log结尾的文件，也可以指定文件名称

	filebeat.inputs:
	- type: log
	enabled: true
	paths:
	- /data/logs/nginx/*.log
	tags: ["nginx"]
	filebeat.config.modules:
	path: ${path.config}/modules.d/*.yml
	reload.enabled: true
	setup.template.settings:
	index.number_of_shards: 1
	setup.kibana:
	output.logstash:
	hosts: ["192.168.10.10:5044"]
	processors:
	- add_host_metadata:
	when.not.contains.tags: forwarded
	- add_cloud_metadata: ~
	- add_docker_metadata: ~
	- add_kubernetes_metadata: ~

	# Beats -> Logstash -> Elasticsearch pipeline.
	# elasticsearch如果有密码，下面的要输入es的用户和密码

	input {
	beats {
	port => 5044
	codec => "json"
	}
	}

	output {

	if "nginx" in [tags] {
	elasticsearch {
	hosts => ["http://192.168.10.10:9200"]
	index => "nginx-%{+YYYY.MM.dd}"
	user => "elastic"
	password => "password"
	}
	}

	elasticsearch {
	hosts => ["http://192.168.10.10:9200"]
	index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
	user => "elastic"
	password => "password"
	}
	}

	# elasticsearch如果有密码，下面的要输入es的用户和密码

	server.port: 5601
	server.host: "192.168.10.10"
	server.name: "kib"
	elasticsearch.hosts: ["http://192.168.10.10:9200"]
	kibana.index: ".kibana"
	elasticsearch.username: "elastic"
	elasticsearch.password: "password"
	elasticsearch.requestTimeout: 30000
	logging.dest: /data/elk/kibana-7.9.3/logs/kibana.log
	i18n.locale: "zh-CN"

留言