ELK收集java错误日志

java在服务器上的错误日志

image.png

1. filebeat 收集错误日志

filebeat.yml

filebeat.inputs:
- type: log
  paths:
    - /data/logs/ttpark/*/*_error.log
  fields:
    type: error
  fields_under_root: true
#将所有不以 [ 开始的行与之前的行进行合并multiline:
    pattern: '^\['
    negate: true
    match: after
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
tags: ["测试"]

output.logstash:
  hosts: ["192.168.2.25:5044"]

上面配置的意思是：不以[开头的行都合并到上一行的末尾
pattern：正则表达式
negate：true 或 false；默认是false，匹配pattern的行合并到上一行；true，不匹配pattern的行合并到上一行
match： after 或 before，合并到上一行的末尾或开头

2. logstash 处理日志

logstash_filebeat.conf

input {
        beats {
                port=> "5044"
        }
}
filter {
         mutate {
                remove_field => ["ecs","host","agent","doc"]
        
    }
}
output {
        elasticsearch { 
                        hosts => ["localhost:9200", "localhost:9201"]
                        index => "%{type}-error-%{+YYYY.MM.dd}"                            
                }
        stdout {
                codec => rubydebug
        }
}

3. es查看索引

[root@test_es logstash-7.2.0]# curl localhost:9200/_cat/indices?v
health status index                             uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   error-error-2021.08.23            Gxg23CvyS8SJZXX6jdebBw   1   1          4            0     47.8kb         19.7kb

# es查看和删除索引

查看索引
`curl localhost:9200/_cat/indices?v`

删除索引,通配符形式
`curl -XDELETE localhost:9200/索引*`

索引起别名
`curl -XPUT localhost:9200/索引/_alias/别名`

查看别名
`curl -XPUT localhost:9200/_cat/aliases?v`

4. kibana 展示

image.png