起因

业务需求,已经转成json格式的nginx日志直接通过filebeat传入了Elasticsearch中,而其他程序日志需要通过filebeat传入logstash进行二次过滤。就需要解决多output的问题。而根据官方文档:

You configure Filebeat to write to a specific output by setting options in the Outputs section of the filebeat.yml config file. Only a single output may be defined.

可知filebeat.yml中output有且只能有一个。当然你可以在filebeat.ymlinput模块中添加多个tags,并传递给logstash,并在logstash上通过不同的标签区分后传入不同的index中。

配置单机多实例

filebeat介绍

logstash 和filebeat都具有日志收集功能,因为filebeat由Golang编写相较于logstash更轻量,占用资源更少。所以决定在同一台机器上启动两个filebeat实例,分别用于拉取不同程序日志。

分析原版filebeat的systemd启动脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
cat /usr/lib/systemd/system/filebeat.service

[Unit]
Description=Filebeat sends log files to Logstash or directly to Elasticsearch.
Documentation=https://www.elastic.co/products/beats/filebeat
Wants=network-online.target
After=network-online.target

[Service]
Environment="BEAT_LOG_OPTS=-e"
Environment="BEAT_CONFIG_OPTS=-c /etc/filebeat/filebeat.yml"
Environment="BEAT_PATH_OPTS=-path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat"
ExecStart=/usr/share/filebeat/bin/filebeat $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS
Restart=always

[Install]
WantedBy=multi-user.target

结合filebeat.yml可知:

  • filebeat并不需要占用独立端口
  • 依赖/etc/filebeat/filebeat.yml作为程序配置文件
  • 依赖/var/lib/filebeat目录记录上次抓取指定日志的偏移量和时间戳
  • 其他目录:
    • /usr/share/filebeat #filebeat程序家目录
    • /var/log/filebeat #filebeat日志目录

分别创建以上文件/目录

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
mkdir -p /var/log/filebeat2
mkdir -p /var/lib/filebeat2
cat > /etc/filebeat/filebeat_logstash.yml <<'EOF'


filebeat.inputs:
- type: log
  enabled: true
    - /var/applogs/*/*.log

  multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: after

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
    reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:

output.logstash:
  hosts: ["172.19.111.144:8080"]
  
processors:
  - add_host_metadata:
        netinfo.enabled: true
        cache.ttl: 5m

EOF

修改systemd启动脚本:
cat > /usr/lib/systemd/system/filebeat_logstash.service <<'EOF'
[Unit]
Description=Filebeat sends log files to Logstash or directly to Elasticsearch.
Documentation=https://www.elastic.co/products/beats/filebeat
Wants=network-online.target
After=network-online.target

[Service]
Environment="BEAT_LOG_OPTS=-e"
Environment="BEAT_CONFIG_OPTS=-c /etc/filebeat/filebeat_logstash.yml"
Environment="BEAT_PATH_OPTS=-path.home /usr/share/filebeat -path.logs /var/log/filebeat2 -path.data /var/lib/filebeat2"
ExecStart=/usr/share/filebeat/bin/filebeat $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS
Restart=always

[Install]
WantedBy=multi-user.target
EOF