1. Tomcat日志转为JSON格式

/etc/tomcat/server.xml

# 默认的配置
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

# 修改为
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="{&quot;clientip&quot;:&quot;%h&quot;,&quot;ClientUser&quot;:&quot;%l&quot;,&quot;authenticated&quot;:&quot;%u&quot;,&quot;AccessTime&quot;:&quot;%t&quot;,&quot;method&quot;:&quot;%r&quot;,&quot;status&quot;:&quot;%s&quot;,&quot;SendBytes&quot;:&quot;%b&quot;,&quot;Query?string&quot;:&quot;%q&quot;,&quot;partner&quot;:&quot;%{Referer}i&quot;,&quot;AgentVersion&quot;:&quot;%{User-Agent}i&quot;}"/>

重启Tomcat：

systemctl restart tomcat

2. filebeat配置文件

filebeat.inputs:
- type: log
  enabled: true 
  paths:
    -  /var/log/tomcat/localhost_access_log*
  json.keys_under_root: true
  json.overwrite_keys: true
setup.kibana:
  host: "192.168.47.175:5601"
output.elasticsearch:
  hosts: ["localhost:9200"]
  index: "tomcat-access-%{+yyyy.MM}"
setup.template.name: "tomcat"
setup.template.pattern: "tomcat-*"
setup.template.enabled: false
setup.template.overwrite: true

3. 测试

在Tomcat首页随便点几下：

GET _cat/indices

green open tomcat-access-2020.04 HvD0vJOkROa_etei9vA2KQ 5 1    1 0  33.5kb  16.7kb