ELK学习笔记之配置logstash消费kafka多个topic并分别生成索引
ELK学习笔记之配置logstash消费kafka多个topic并分别生成索引
Jetpropelledsnake21
发布于 2019-05-19 14:45:22
发布于 2019-05-19 14:45:22
0x00 filebeat配置多个topic
filebeat.prospectors:
- input_type: log
encoding: GB2312
# fields_under_root: true
fields: ##添加字段
serverip: 192.168.1.10
logtopic: wap
enabled: True
paths:
- /app/wap/logs/catalina.out
multiline.pattern: '^\[' #java报错过滤
multiline.negate: true
multiline.match: after
tail_files: false
- input_type: log
encoding: GB2312
# fields_under_root: true
fields: ##添加字段
serverip: 192.168.1.10
logtopic: api
enabled: True
paths:
- /app/api/logs/catalina.out
multiline.pattern: '^\[' #java报错过滤
multiline.negate: true
multiline.match: after
tail_files: false
#----------------------------- Logstash output --------------------------------
output.kafka:
enabled: true
hosts: ["192.168.16.222:9092","192.168.16.237:9092","192.168.16.238:9092"]
topic: 'elk-%{[fields.logtopic]}' ##匹配fileds字段下的logtopic
partition.hash:
reachable_only: true
compression: gzip
max_message_bytes: 1000000
required_acks: 1
logging.to_files: true0x01 查看是否输出到kafka
$ bin/kafka-topics.sh --list --zookeeper kafka-01:2181, kafka-02:2181,kafka-03:2181
elk-wap
elk-api0x02 配置logstash集群
input{
kafka{
bootstrap_servers => "kafka-01:9092,kafka-02:9092,kafka-03:9092"
topics_pattern => "elk-.*"
consumer_threads => 5
decorate_events => true
codec => "json"
auto_offset_reset => "latest"
group_id => "logstash1"##logstash 集群需相同
}
}
filter {
ruby {
code => "event.timestamp.time.localtime"
}
mutate {
remove_field => ["beat"]
}
grok {
match => {"message" => "\[(?<time>\d+-\d+-\d+\s\d+:\d+:\d+)\] \[(?<level>\w+)\] (?<thread>[\w|-]+) (?<class>[\w|\.]+) (?<lineNum>\d+):(?<msg>.+)"
}
}
}
output {
elasticsearch {
hosts => ["192.168.16.221:9200","192.168.16.251:9200","192.168.16.252:9200"]
# index => "%{[fields][logtopic}" ##直接在日志中匹配,索引会去掉elk
index => "%{[@metadata][topic]}-%{+YYYY-MM-dd}"
}
stdout {
codec => rubydebug
}0x03 Es查看是否创建索引
0x04 logstash集群配置
# 一机多实例,同一个配置文件,启动时只需更改数据路径
./bin/logstash -f test.conf --path.data=/usr/local/logdata/
# 多台机器 logstash配置文件group_id 相同即可本文参与 腾讯云自媒体分享计划,分享自作者个人站点/博客。
原始发表:2019-05-17 ,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录
相关产品与服务
Elasticsearch Service
腾讯云 Elasticsearch Service(ES)是云端全托管海量数据检索分析服务,拥有高性能自研内核,集成X-Pack。ES 支持通过自治索引、存算分离、集群巡检等特性轻松管理集群,也支持免运维、自动弹性、按需使用的 Serverless 模式。使用 ES 您可以高效构建信息检索、日志分析、运维监控等服务,它独特的向量检索还可助您构建基于语义、图像的AI深度应用。