Filebeat 收集日志并直接输出到 Elasticsearch
配置/etc/filebeat/filebeat.yml
# configuration file.
# ============================== Filebeat inputs ===============================
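filebeat.inputs:
  # One log input that tails the application's log files on the NAS mount.
  # The nesting below restores the structure lost in the flattened listing:
  # every setting here belongs to this single input entry.
  - type: log
    enabled: true
    paths:
      # Glob: every *.log file inside each crs-center-service-* directory.
      - /mnt/logfile-nas/crs-center-service-*/*.log
    # Custom fields attached to every event from this input. app_name and
    # profiles_active are also used to build the index name in
    # output.elasticsearch.index.
    fields:
      app_name: appname
      profiles_active: pro
      # NOTE(review): "hostname" is a literal string, presumably a placeholder
      # for the real node name - confirm before deploying.
      app_node: hostname
    # Place the custom fields at the root of the event instead of under a
    # "fields" key. Root-level custom fields overwrite same-named fields that
    # Filebeat adds itself, so keep these names distinct from built-in ones.
    fields_under_root: true
    # A line that does NOT start with a yyyy-MM-dd date is appended to the
    # preceding line that does, so continuation lines (for example stack
    # traces) stay in one event.
    multiline.type: pattern
    multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
    multiline.negate: true
    multiline.match: after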
# ============================== Filebeat modules ==============================
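filebeat.config.modules:
  # Load module definitions from the modules.d directory under the Filebeat
  # config path. Both settings are children of filebeat.config.modules; the
  # flattened listing had lost that nesting.
  path: ${path.config}/modules.d/*.yml
  # Module files are not watched for changes; edits to them take effect only
  # after Filebeat is restarted.
  reload.enabled: false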
# ======================= Elasticsearch template setting =======================
setup.template:
  # Name of the index template Filebeat loads, and the index pattern the
  # template applies to.
  name: "template"
  pattern: "appname-*"
  settings:
    index:
      number_of_shards: 3
      number_of_replicas: 1
# Index lifecycle management is disabled: when it is enabled, the custom
# index name set on the Elasticsearch output is ignored.
# NOTE(review): with ILM off, nothing in this file expires the daily indices;
# retention has to be handled elsewhere - confirm it is.
setup.ilm.enabled: false
# Left empty: no Kibana endpoint settings are given in this file.
setup.kibana:
# ---------------------------- Elasticsearch Output ----------------------------
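output.elasticsearch:
  # The hosts carry no scheme, so they are contacted over plain HTTP unless
  # `protocol: "https"` is set (or each host is written as https://...).
  # Over HTTP the credentials below and the log contents cross the network
  # unencrypted.
  hosts: ["es1:9200", "es2:9200", "es3:9200"]
  # Index name built per event from the input's custom fields plus the event
  # date, giving one index per application, profile and day.
  index: "%{[app_name]}-%{[profiles_active]}-%{+YYYY.MM.dd}"
  # NOTE(review): placeholder credentials. Do not commit the real password
  # in this file; keep it in the Filebeat keystore and reference it as a
  # variable, e.g. password: "${ES_PWD}" (ES_PWD is a constructed key name).
  # Use a dedicated account limited to what this shipper needs rather than
  # an administrative user, and keep this file readable by the Filebeat
  # user only.
  username: "username"
  password: "password"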
# ================================= Processors =================================
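processors:
  # Strip Beat-generated metadata from every event before it is shipped.
  # The field list is nested under drop_fields; the flattened listing had
  # lost that nesting.
  # NOTE(review): dropping host, agent and log presumably removes the
  # originating host and source-file details, leaving only the custom
  # app_name / app_node fields to say where an event came from. Confirm that
  # is enough for incident investigation before dropping them.
  - drop_fields:
      fields: ["ecs", "host", "agent", "log", "input"]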