使用高版本的filebeat时,inputs的类型支持filestream,此类型必须按照以下配置才可生效
filebeat.inputs:
- type: filestream
enabled: true
paths:
- /data/logs/error/*api.log.*
fields:
service_name: api
level: error
fields_under_root: true
parsers:
- ndjson:
keys_under_root: true
message_key: msg
# 合并行设置
- multiline:
type: pattern
pattern: '^20[0-9]{2}-[0-9]{2}-[0-9]{2}'
negate: true
match: afte
# Redis 数据流出配置
output.redis:
hosts: ["ip:port"]
password: "xxx"
db: 1
key: "api-log" # 与logstash中的数据流入配置一致
对于inputs.type为log类型的
filebeat.inputs:
- type: log`在这里插入代码片`
enabled: true
# 文件路径配置
paths:
- /data/logs/error/*api.log*
# 附加字段指定日志分类
fields:
service_name: api
level: info
fields_under_root: true
# 合并行设置
multiline.type: pattern
multiline.pattern: '^20[0-9]{2}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after
tags: ["api"]
setup.template.name: "api"
setup.template.pattern: "api"
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
setup.template.settings:
index.number_of_shards: 1
setup.kibana:
host: "ip:port"
output.elasticsearch:
hosts: ["ip:port"]
indices:
- index: "warning-%{[agent.version]}-%{+yyyy.MM.dd}"
when.contains:
message: "WARN"
- index: "error-%{[agent.version]}-%{+yyyy.MM.dd}"
when.contains:
message: "ERR"
processors:
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_kubernetes_metadata: ~
