logstash处理多个beats文件
2019-03-20 本文已影响0人
Sigers
多个beats文件
实战
cat /wj/zabbix/apitime.log
2019-03-20 00:44:33 0.25475
cat /wj/zabbix/err_api.log
2019-03-20 00:44:33 {"code":1,"message":"Token Expire","data":null}
filebeat
设置
# Filebeat: ship two log files to Logstash, each tagged with its own
# fields.logtype so the Logstash pipeline can tell them apart.
# (Nesting restored here; YAML needs it to parse.)
filebeat.inputs:
  # NOTE(review): `input_type` is the legacy key name and newer Filebeat
  # releases use `type` for the input kind. Confirm that the combination of
  # `input_type: log` and `type: "api_time"` is accepted by the installed
  # Filebeat version. The Logstash side routes on fields.logtype, not on `type`.
  - input_type: log
    paths:
      - /wj/zabbix/apitime.log
    type: "api_time"
    fields:
      #logsource: 192.168.0.87
      logtype: api_time

  - input_type: log
    paths:
      - /wj/zabbix/err_api.log
    type: "err_api"
    fields:
      #logsource: 192.168.0.87
      logtype: err_api

# No ssl settings are configured for this output, so events (including the API
# error bodies from err_api.log) travel to Logstash unencrypted and the
# Logstash endpoint is not authenticated. On anything but a trusted network,
# configure the output's ssl options and enable TLS on the Logstash beats input
# in the same change.
output.logstash:
  hosts: ["192.168.0.87:5044"]
logstash
设置
# Receive events from Filebeat on TCP 5044.
input {
  beats {
    port => "5044"
    # With `host` left commented out the plugin's default bind address applies
    # (all interfaces, per the beats input documentation). No TLS or client
    # authentication is configured, so any host that can reach this port can
    # submit events, including ones that set fields.logtype to a routed value.
    # Restrict the listener with a bind address or firewall rule, or enable
    # TLS with client certificates.
    #host => "192.168.0.87"
  }
}
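# Parse each event according to fields.logtype, the custom field that the
# Filebeat inputs attach. Events with any other logtype pass through unparsed.
# Events that fail parsing are not dropped; the plugins tag them by default
# (_grokparsefailure / _jsonparsefailure), which is worth monitoring.
filter {
  if [fields][logtype] == "api_time" {
    grok {
      # Sample line: "2019-03-20 00:44:33 0.25475"
      # NUMBER matches the whole decimal value. The previous WORD pattern
      # (\b\w+\b) stops at the "." and captured only "0". The ":float" suffix
      # stores the value as a number so it can be aggregated.
      # No date filter consumes date1, so @timestamp stays the ingest time.
      match => { "message" => "%{TIMESTAMP_ISO8601:date1} %{NUMBER:time1:float}" }
    }
  }
  if [fields][logtype] == "err_api" {
    grok {
      # Sample line: 2019-03-20 00:44:33 {"code":1,"message":"Token Expire","data":null}
      # Everything after the timestamp is kept as raw text for the json filter.
      match => { "message" => "%{TIMESTAMP_ISO8601:date2} %{GREEDYDATA:log_json}" }
    }
    json {
      source => "log_json"
      # Parsed keys are nested under log_json_content, so keys taken from log
      # content cannot overwrite top-level event fields such as [fields] or
      # @timestamp.
      target => "log_json_content"
      # remove_field is applied only when parsing succeeds; on failure
      # log_json is kept alongside the failure tag.
      remove_field => ["log_json"]
    }
    # NOTE(review): API error bodies can carry sensitive values. Confirm what
    # err_api.log may contain before making this index widely readable.
  }
}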
# Index each log type into its own daily Elasticsearch index.
# The two conditionals act as an allowlist: an event whose fields.logtype is
# neither "api_time" nor "err_api" matches no branch and is sent to no output.
# Index names are fixed strings plus the date, so event content cannot steer
# which index is written.
#
# Neither elasticsearch block sets credentials or TLS options, and the hosts
# value is a bare host:port. Confirm that 192.168.0.87:9200 is reachable only
# from trusted hosts, or enable authentication and TLS on the cluster and in
# these outputs.
output {
  if [fields][logtype] == "api_time" {
    elasticsearch {
      hosts => "192.168.0.87:9200"
      index => "api_time-%{+YYYY.MM.dd}"
    }
  }
  if [fields][logtype] == "err_api" {
    elasticsearch {
      hosts => "192.168.0.87:9200"
      index => "err_api-%{+YYYY.MM.dd}"
    }
  }
}