Ming-der Wang
ming@log4analytics.com
TurboTeam 集先鋒科技
filebeat
redis
logstash
elasticsearch
kibana
<- Click the yellow arrow to download (Linux, Mac, Windows)
The config file is /etc/filebeat/filebeat.yml
$ sudo service filebeat start
<- Click the yellow arrow to download (Linux, Mac; no Windows build)
Start the server:
$ redis-server

Test with the client:
$ redis-cli
redis> set foo bar
OK
redis> get foo
"bar"
Click it ->
filebeat (192.168.1.5), redis + ELK (192.168.1.6) (example IPs)
on host 192.168.1.5 (filebeat.yml):

output:
  redis:
    host: "192.168.1.6"
    port: 6379
    index: "filebeat_test"

on host 192.168.1.6 (logstash.conf):

input {
  redis {
    data_type => "list"
    key => "filebeat_test"
    batch_count => 100
  }
}
filebeat:
  prospectors:
    -
      paths:
        - "/var/log/authd.log"
        - "/tmp/test.log*"
      document_type: authd_test

filter {
  if [type] == "authd_test" {
    ...
  }
}
E Mon May 24 01:00:49 2016 AXA-83 am:19941 am_utils.c(148):6355 2:AXA-83:atp_cgh_loader:1991:10690864:63:74744563:2:root.0.0.0.1:::
AM AM->SM input flist: opcode=PDM_OP_PUBLISH_GEN_PAYLOAD, flags=0x80, errno=PIN_ERR_AM_CONNECT_FAILED:2628
0 PIN_FLD_NAME STR [0] "Account logout"
E Mon May 24 01:00:59 2016 AXA-83 am:19931 am_utils.c(149):6355 2:AXA-83
E Mon May 24 01:01:19 2016 AXA-83 am:19921 am_utils.c(110):6349 2:AXA-83
filebeat:
  prospectors:
    -
      paths:
        - "/var/log/authd.log"
      document_type: authd_test
      multiline:
        pattern: "^[MWDE]"
        negate: true
        match: after

input {
  file {
    ...
    codec => multiline {
      pattern => "^[MWDE]"
      negate => true
      what => previous
    }
  }
}
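Added example, not from the original slides: a Python emulation of the Filebeat multiline grouping configured above (pattern "^[MWDE]", negate: true, match: after), so you can check how the authd log lines will be glued into events before they are shipped through redis. The sample log is constructed to resemble the slide's excerpt; the Filebeat-to-Logstash mapping of `match` to `what` follows the two configs shown above.

```python
# Added example, not from the original slides: emulate the Filebeat
# multiline option (pattern "^[MWDE]", negate: true, match: after) so the
# grouping of authd log lines into events can be checked locally.
import re

# Constructed sample modelled on the authd.log excerpt in the slides
# (continuation lines do not start with a M/W/D/E level letter).
SAMPLE_LOG = """\
E Mon May 24 01:00:49 2016 AXA-83 am:19941 am_utils.c(148):6355 2:AXA-83
AM AM->SM input flist: opcode=PDM_OP_PUBLISH_GEN_PAYLOAD, flags=0x80
0 PIN_FLD_NAME STR [0] "Account logout"
E Mon May 24 01:00:59 2016 AXA-83 am:19931 am_utils.c(149):6355 2:AXA-83
E Mon May 24 01:01:19 2016 AXA-83 am:19921 am_utils.c(110):6349 2:AXA-83
"""

# Filebeat `match` value and the equivalent Logstash multiline codec `what`.
FILEBEAT_TO_LOGSTASH = {"after": "previous", "before": "next"}


def group_multiline(lines, pattern=r"^[MWDE]", negate=True, match="after"):
    """Group raw lines into events the way Filebeat's multiline option does.

    A line is a *continuation* when (it matches the pattern) XOR negate:
    with negate=True, lines that do NOT match are continuations.
    match="after"  -> continuations are appended to the previous event
    match="before" -> continuations are prepended to the next event
    """
    if match not in FILEBEAT_TO_LOGSTASH:
        raise ValueError("match must be 'after' or 'before'")
    regex = re.compile(pattern)
    events, current = [], []
    for line in lines:
        is_continuation = (regex.search(line) is not None) != negate
        if match == "after":
            if is_continuation and current:
                current.append(line)            # glue onto the open event
            else:
                if current:
                    events.append("\n".join(current))
                current = [line]                # this line opens a new event
        else:  # "before": a non-continuation line closes the open event
            current.append(line)
            if not is_continuation:
                events.append("\n".join(current))
                current = []
    if current:                                 # flush the trailing event
        events.append("\n".join(current))
    return events
```

Running `group_multiline(SAMPLE_LOG.splitlines())` yields three events; the first carries the two flist continuation lines, which is exactly what Kibana should show as one document once the redis list is consumed by Logstash.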
      multiline:
        pattern: "^[MWDE]"
        negate: true
        match: after
      fields:
        host: 172.16.4.125
        level: debug
        review: 1
shipper:
  name: staging
  tags: ["staging"]
logging:
  level: warning
  to_files: true
  files:
    path: /var/log/filebeat
    name: authd_filebeat.log
    keepfiles: 7
// Assuming your logstash.conf is already in place
$ sudo service logstash restart
output { stdout { codec => rubydebug } }