filebeat合并多行日志 |
您所在的位置:网站首页 › filebeat codec › filebeat合并多行日志 |
|
本文共 5497 字,大约阅读时间需要 18 分钟。 原文地址:https://www.elastic.co/guide/en/beats/filebeat/current/_examples_of_multiline_configuration.html 一、多行配置示例1、将Java堆栈跟踪日志组合成一个事件 2、将C风格的日志组合成一个事件 3、结合时间戳处理多行事件 二、Java堆栈跟踪1、Java示例一 Java堆栈跟踪由多行组成,每一行在初始行之后以空格开头,如本例中所述: Exception in thread "main" java.lang.NullPointerExceptionat com.example.myproject.Book.getTitle(Book.java:16)at com.example.myproject.Author.getBookTitles(Author.java:25)at com.example.myproject.Bootstrap.main(Bootstrap.java:14)要将这些行整合到Filebeat中的单个事件中,请使用以下多行配置: multiline.pattern: '^[[:space:]]'multiline.negate: falsemultiline.match: after此配置将以空格开头的所有行合并到上一行。 2、Java示例二 下面是一个Java堆栈跟踪日志,稍微复杂的例子: Exception in thread "main" java.lang.IllegalStateException: A book has a null property at com.example.myproject.Author.getBookIds(Author.java:38) at com.example.myproject.Bootstrap.main(Bootstrap.java:14)Caused by: java.lang.NullPointerException at com.example.myproject.Book.getId(Book.java:22) at com.example.myproject.Author.getBookIds(Author.java:35) ... 1 more要将这些行整合到Filebeat中的单个事件中,请使用以下多行配置: multiline.pattern: '^[[:space:]]+(at|\.{3})\b|^Caused by:'multiline.negate: falsemultiline.match: after此配置解释说明: 将以空格开头的所有行合并到上一行 并把以Caused by开头的也追加到上一行 三、C风格的日志一些编程语言在一行末尾使用反斜杠()字符,表示该行仍在继续,如本例中所示: printf ("%10.10ld \t %10.10ld \t %s\ %f", w, x, y, z );要将这些行整合到Filebeat中的单个事件中,请使用以下多行配置: multiline.pattern: '\\$'multiline.negate: falsemultiline.match: before此配置将以""字符结尾的任何行与后面的行合并。 四、时间戳来自Elasticsearch等服务的活动日志通常以时间戳开始,然后是关于特定活动的信息,如下例所示: [2015-08-24 11:49:14,389][INFO ][env ] [Letha] using [1] data paths, mounts [[/(/dev/disk1)]], net usable_space [34.5gb], net total_space [118.9gb], types [hfs]要将这些行整合到Filebeat中的单个事件中,请使用以下多行配置: multiline.pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}'multiline.negate: truemultiline.match: after此配置使用negate: true和match: after设置来指定任何不符合指定模式的行都属于上一行。 五、应用程序事件有时您的应用程序日志包含以自定义标记开始和结束的事件,如以下示例: [2015-08-24 11:49:14,389] Start new event[2015-08-24 11:49:14,395] Content of processing something[2015-08-24 11:49:14,399] End event要在Filebeat中将其整合为单个事件,请使用以下多行配置: multiline.pattern: 'Start new event'multiline.negate: truemultiline.match: aftermultiline.flush_pattern: 'End event'此配置把指定字符串开头,指定字符串结尾的多行合并为一个事件。 备注: 1、 2、multiline.match中的after和logstash中的previous意思相同,before和logstash中的next意思相同 3、logstash多行匹配示例 input {file {path => "/var/log/message"stat_interval => "10"start_position => "beginning"codec => multiline {pattern => "^\[\d{2}-"negate => truewhat => "previous"}}}what确定合并属于上一个事件还是下一个事件,可以为next和previous 六、生产环境用的配置文件示例1、filebeat收集模块日志配置文件 filebeat.inputs:- input_type: log paths:- /data/logs/company/logs/*.log exclude_files: ['.gz$','INFO'] multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}' multiline.negate: true multiline.match: after tags: ["company"]- input_type: log paths:- /data/logs/store/logs/*.log exclude_files: ['.gz$','INFO'] multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}' multiline.negate: true multiline.match: after tags: ["store"]- input_type: log paths:- /data/logs/pos/logs/*.log exclude_files: ['.gz$','INFO'] multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}' multiline.negate: true multiline.match: after tags: ["pos"]output.logstash: hosts: ["192.168.0.144:5044"] enabled: true worker: 2 compression_level: 32、logstash获取filebeat日志,并读到redis中 input { beats {port => "5044" }}output { if "company" in [tags] {redis { host => "192.168.0.112" port => "6379" db => "3" key => "company" data_type => "list" password => "123456"} } if "store" in [tags] {redis { host => "192.168.0.112" port => "6379" db => "3" key => "store" data_type => "list" password => "123456"} } if "pos" in [tags] {redis { host => "192.168.0.112" port => "6379" db => "3" key => "pos" data_type => "list" password => "123456"} }}3、logstash从redis中读取日志写入到ES input { redis {host => "192.168.0.112"port => "6379"db => "3"key => "company"data_type => "list"password => "123456"type => "company" } redis {host => "192.168.0.112"port => "6379"db => "3"key => "store"data_type => "list"password => "123456"type => "store" } redis {host => "192.168.0.112"port => "6379"db => "3"key => "pos"data_type => "list"password => "123456"type => "pos" }}output { if [type] == "company" {elasticsearch { hosts => ["192.168.0.117:9200","192.168.0.118:9200","192.168.0.119:9200"] index => "logstash-company-%{+YYYY.MM.dd}"} } if [type] == "store" {elasticsearch { hosts => ["192.168.0.117:9200","192.168.0.118:9200","192.168.0.119:9200"] index => "logstash-store-%{+YYYY.MM.dd}"} } if [type] == "pos" {elasticsearch { hosts => ["192.168.0.117:9200","192.168.0.118:9200","192.168.0.119:9200"] index => "logstash-pos-%{+YYYY.MM.dd}"} }} 七、补充内容(filebeat收集json格式日志) cat > json-log.yml |
| CopyRight 2018-2019 办公设备维修网 版权所有 豫ICP备15022753号-3 |