# 安装es docker network create elastic docker pull docker.elastic.co/elasticsearch/elasticsearch:7.12.1 docker run -d --name es01-test --net elastic -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" docker.elastic.co/elasticsearch/elasticsearch:7.12.1 # 安装 kibana docker pull docker.elastic.co/kibana/kibana:7.12.1 docker run -d --name kib01-test --net elastic -p 5601:5601 -e "ELASTICSEARCH_HOSTS=http://es01-test:9200" docker.elastic.co/kibana/kibana:7.12.1 # 安装filebeat docker pull docker.elastic.co/beats/filebeat:7.12.1filebeat输出日志到es
# ============================== Filebeat inputs ===============================
filebeat.inputs:
- type: log
# 启动收集日志
enabled: true
paths:
# 日志路径
- /opt/tmp/*
# ============================== Filebeat modules ==============================
# 内置的一些日志模块存放位置
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
# 自动装载启用的模块
reload.enabled: false
# ================================== Outputs ===================================
# 关闭系统模版
setup.template.enabled: false
# 设定自己的模版名
setup.template.name: "server1"
# 模版
setup.template.pattern: "server1-*"
# 索引的生命周期,需要禁用,否则可能无法使用自定义的索引名字
setup.ilm.enabled: false
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["esIP:9200"]
# 输出到那个索引,因为我们这个地方自定义了索引的名字,所以需要上面配置的setup.template.[name|pattern]的配置
index: "server1-%{+yyyy.MM.dd}"
enable: true
# ================================= Processors =================================
processors:
# 处理字段
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_kubernetes_metadata: ~
# 丢弃字段
- drop_fields:
fields: ["agent","host","path"]
kibana 页面使用 (7.12.1)
简单配置查询条件即可完成筛选
简单的查询语句# 查询所有索引
GET /_cat/indices?v
# 删除索引
DELETE /customer?pretty
# 查询索引为dome
GET /xtgk-code-2022.04.28/_search
{
# 查询条件
"query": {"match_all": {}},
# 排序
"sort": [
{
# 排序的字段
"@timestamp": {
# 规则
"order": "desc"
}
}
]
# 结果显示的内容
, "_source": ["@timestamp","message"]
}
GET /xtgk-code-2022.04.28/_search
{
# 增加筛选条件
"query": {"match": {"message": "130523301100000000000209"}},
"sort": [
{
"@timestamp": {
"order": "desc"
}
}
]
, "_source": ["@timestamp","message"]
}
