Official documentation:
https://www.elastic.co/guide/en/beats/filebeat/8.10/index.html
https://www.elastic.co/guide/en/beats/filebeat/8.10/running-on-docker.html
1. Pull the image
sudo docker pull elastic/filebeat:8.10.2
2. Prepare the configuration file
sudo mkdir -p /opt/docker/filebeat
sudo chmod -R 777 /opt/docker/filebeat
vim /opt/docker/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /opt/logs/*error.log
    # - /opt/docker/log/*.log
  fields:
    # Custom field; lets events be sent to different topics
    log_topic: sea_test_filebeat_log_topic
  multiline:
    # Pattern for error logs: merges multi-line entries, since in real projects
    # one complete log entry may span several lines
    pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
    negate: true
    match: after
    # Maximum number of lines merged into one event (default 500)
    max_lines: 1000
# This file records the position up to which the log has been read; if the
# container restarts, reading can resume from the recorded position.
# registry_file is stored in Filebeat's working directory by default and is named ".filebeat".
#registry_file: /usr/soft/filebeat/data/registry

output.kafka:
  enabled: true
  hosts: ["192.168.18.176:9092","192.168.18.54:9092","192.168.18.199:9092"]
  # Send to a topic chosen by the field added above (must match the key under "fields")
  topic: '%{[fields.log_topic]}'
  max_message_bytes: 1000000
  compression: gzip

processors:
  - drop_fields:
      fields: ["host","input","agent","ecs","log","@version","flags"]

logging.level: error
name: sea_app-server-ip

Test configuration:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /opt/logs/*error.log
    # - /wls/applogs/rtlog/*.log
  fields:
    log_topic: appName
  multiline:
    # pattern for error log, if start with space or cause by
    pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
    negate: true
    match: after

output.kafka:
  enabled: true
  hosts: ["192.168.18.176:9092","192.168.18.54:9092","192.168.18.199:9092"]
  topic: sea_test_filebeat_log1
  max_message_bytes: 1000000
  compression: gzip

processors:
  - drop_fields:
      fields: ["beat", "input", "source", "offset"]

logging.level: error
name: sea_app-server-ip
3. Set the required permissions
sudo chown 0 filebeat.yml
sudo chmod go-w filebeat.yml
4. Start the service:
sudo docker run -itd \
  --privileged=true \
  --user=root \
  --name=sea_filebeat \
  --restart=always \
  --network=host \
  -v /opt/docker/filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml:rw \
  -v /opt/docker/testlog/:/opt/logs/:rw \
  elastic/filebeat:8.10.2
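Configuration notes:
Merging multi-line logs
# Multiline merge rule: a line that starts with a timestamp begins a complete log entry;
# any other line is merged into the previous entry (Java and Python logs both start with a date)
multiline.type: pattern
# Date in square brackets at the start of the line: [2015-08-24 11:49:14,389]
#multiline.pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}'
# Date at the start of the line: 2015-08-24 11:49:14,389
multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after
# Maximum number of lines merged into one event (default 500)
multiline.max_lines: 1000
# This file records the position up to which the log has been read; if the
# container restarts, reading can resume from the recorded position.
# registry_file: /usr/soft/filebeat/data/registry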
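The merge rule above (negate: true, match: after, max_lines) can be checked against sample input before the configuration is deployed. The following Python sketch is an added example, not code from the original post or from Filebeat; it models only the pattern/negate/after/max_lines behaviour, and the sample log lines and the function name merge_multiline are constructed for illustration.

```python
import re

# Constructed sample log: three date-prefixed entries, the second one
# followed by a Java stack trace (continuation lines without a date).
SAMPLE = """\
2023-10-07 11:49:14,389 INFO  service started
2023-10-07 11:49:15,001 ERROR request failed
java.lang.IllegalStateException: boom
    at com.example.Demo.run(Demo.java:42)
    at com.example.Demo.main(Demo.java:10)
2023-10-07 11:49:16,120 INFO  recovered
"""


def merge_multiline(lines, pattern=r'^[0-9]{4}-[0-9]{2}-[0-9]{2}', max_lines=500):
    """Model of multiline.type: pattern with negate: true and match: after.

    Returns a list of events, each one the merged lines joined by newlines.
    """
    starts_event = re.compile(pattern)
    events, current = [], []
    for line in lines:
        # negate: true -> a line that does NOT match the pattern is a continuation.
        # match: after -> continuations are appended after the preceding start line.
        if current and not starts_event.search(line):
            # max_lines counts every line of the event, including the first;
            # lines beyond the limit are discarded, not moved to a new event.
            if len(current) < max_lines:
                current.append(line)
            continue
        # A matching line (or the very first line read) starts a new event.
        if current:
            events.append("\n".join(current))
        current = [line]
    if current:
        events.append("\n".join(current))
    return events


if __name__ == "__main__":
    for number, event in enumerate(merge_multiline(SAMPLE.splitlines()), 1):
        print(f"--- event {number} ---\n{event}")
```

A max_lines value that is too low silently cuts stack traces short, so the limit should be sized against the longest traces the application actually produces.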
From: https://www.cnblogs.com/lshan/p/17747195.html