ELK之LogStash接收Filebeat的数据
修改filebeat的配置文件filebeat.yml,将output输出到logstash。由于filebeat同一时间只能启用一个output,故需要注释掉output.console(以及默认打开的output.elasticsearch)相关配置。注意:下面的配置没有配置ssl,Filebeat到Logstash 5044端口的数据为明文传输,且不校验对端身份,只适合实验环境;生产环境应在output.logstash和Logstash的beats输入两端启用TLS。
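# filebeat.yml — ship /tmp/*.log to Logstash instead of the console.
# Filebeat allows exactly one enabled output at a time, so the console and
# elasticsearch outputs below stay commented out.
filebeat.inputs:
  - type: filestream
    id: nginx-access-log
    enabled: true
    paths:
      # Read every .log file under /tmp.
      # NOTE(review): /tmp is normally world-writable, so any local user can
      # create or append to a .log file here and have it shipped as if it were
      # nginx access data. Outside a lab, point this at the real nginx log
      # directory where only the web server can write.
      - /tmp/*.log

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

# Console output — disabled because Logstash is now the single output.
#output.console:
#  codec.format:
#    string: '%{[@timestamp]} %{[log]} %{[agent]} %{[service]} %{[message]}'
#  pretty: true

# Enable the Logstash output and point it at the Beats listener.
output.logstash:
  # Logstash address(es) as host:port; list several entries for multiple hosts.
  # 172.x.x.x is a placeholder — replace it with the real Logstash address.
  hosts: ["172.x.x.x:5044"]
  # NOTE(review): no ssl.* settings are configured, so events travel to
  # Logstash in clear text and Filebeat does not verify which server it is
  # talking to. For anything beyond a lab, enable TLS here
  # (ssl.certificate_authorities, plus ssl.certificate/ssl.key if the
  # Logstash side requires client certificates) and `ssl => true` on the
  # Logstash beats input.

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

# The elasticsearch output that is enabled by default is disabled for now
# (only one output may be active).
#output.elasticsearch:
#  hosts: ["localhost:9200"]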
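# Logstash pipeline input: receive events from Filebeat over the Beats protocol.
input {
  # Earlier inputs kept for reference: read from stdin, or tail the file directly.
  #stdin { type => stdin }
  #file {
  #  path => ["/tmp/access.log"]
  #  start_position => "beginning"
  #}

  # Accept Beats (Filebeat) connections on port 5044 — must match
  # output.logstash.hosts in filebeat.yml.
  # NOTE(review): no `ssl => true` / ssl_certificate / ssl_key is set, so this
  # listener accepts unencrypted, unauthenticated connections from any host
  # that can reach the port; any such host can inject arbitrary "access log"
  # events into the pipeline. Enable TLS and limit reachability (firewall,
  # and presumably the input's `host` option to bind a specific interface —
  # confirm against the beats input docs) before exposing it outside a lab.
  beats {
    port => 5044
  }
}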
filter{
grok{
match => {
"message" => "%{COMBINEDAPACHELOG}" }
}
mutate{
# 重命名字段
rename => {
"clientip" => "cip"}
}
mutate{
# 移出特定字段
remove_field =>