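The requirement: with a small log volume, use Filebeat to collect several sets of logs and send them to port 5044 on Logstash. Logstash separates and cleans the events, then writes each log type to its own index. Here are the configuration files.
The log format is as follows: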
2020-05-06 20:45:04.918 INFO 4857 --- [http-nio-8081-exec-4] c.s.s.controller.XytSysController : method=csoUserInfoSysDTOList=[{"action":"1","channel":"DM","idCard":"4130261024873111111","licensed":"41302619811111111","name":"张某","number":"30042711","organizationCode":"235","telephone":"13526811111"}]
2020-05-06 20:51:41.748 INFO 4857 --- [http-nio-8081-exec-2] c.s.s.controller.XytSysController : method=webAccountSys=[{"action":"1","name":"李某","organizationCode":"224","password":"00000000","role":"4","usercode":"CHN0022339"},{"action":"1","name":"李某","organizationCode":"224","password":"00000000","role":"5","usercode":"CHN0022339"}]
2020-05-06 20:55:05.130 INFO 4857 --- [http-nio-8081-exec-3] c.s.s.controller.XytSysController : method=csoUserInfoSysDTOList=[{"action":"1","channel":"DM","idCard":"413026198801111111","licensed":"41302619881111111","name":"张某","number":"30042711","organizationCode":"235","telephone":"135268711111"}]
Filebeat configuration file
filebeat.inputs:
  # Each input tags its events with fields.appname, which Logstash uses for routing.
  - type: log
    enabled: true
    paths:
      - /usr/local/seektruth/situ-microservice-citic/logs/*/info.*.log
    # Lines that do not start with a digit are appended to the previous event.
    multiline:
      pattern: '^\d+'
      negate: true
      match: after
    fields:
      appname: online-microservice-citicpru-info-log
  - type: log
    enabled: true
    paths:
      - /usr/local/seektruth/situ-microservice-citic/logs/*/access.*.log
    multiline:
      pattern: '^\d+'
      negate: true
      match: after
    fields:
      appname: online-microservice-citicpru-access-log
  - type: log
    enabled: true
    paths:
      - /usr/local/seektruth/situ-microservice-citic/logs/*/error.*.log
    multiline:
      pattern: '^\d+'
      negate: true
      match: after
    fields:
      appname: online-microservice-citicpru-error-log
Logstash cleaning configuration
input {
  beats {
    port => 5044
  }
}
###########################################################################################################################
filter {
  # Pick the grok pattern by the appname that Filebeat attached to the event.
  # Events that do not match a pattern are tagged _grokparsefailure.
  if [fields][appname] =~ ".*info-log" {
    grok {
      match => { "message" => ["(%{TIMESTAMP_ISO8601:Request_time}) \|(%{DATA:TraceId})\|(%{DATA:SpanId})\|(%{DATA:ParentSpanId})\|(%{DATA:Level})\|(%{DATA:PID})\|(%{DATA:Threading})\|(%{DATA:Code_Line})\|(%{DATA:Class_Name})\|(%{GREEDYDATA:Message})"] }
    }
    # Discard events whose whole message is a single ";"
    if [message] == ";" {
      drop {}
    }
  }
  if [fields][appname] =~ ".*error-log" {
    grok {
      match => { "message" => ["(%{TIMESTAMP_ISO8601:Request_time}) \|(%{DATA:TraceId})\|(%{DATA:SpanId})\|(%{DATA:ParentSpanId})\|(%{DATA:Level})\|(%{DATA:PID})\|(%{DATA:Threading})\|(%{DATA:Code_Line})\|(%{DATA:Class_Name})\|(%{GREEDYDATA:Message})"] }
    }
  }
  if [fields][appname] =~ ".*access-log" {
    grok {
      match => { "message" => ["(%{TIMESTAMP_ISO8601:Request_time}|-)\;(%{IPORHOST:Client_ip}|-)\;(%{DATA:User_name}|-)\;(%{DATA:Request_id}|-)\;(%{PATH:Request_uri}|-)\;(%{INT:Response_time}|-)\;(%{INT:Status_code}|-)\;(%{NOTSPACE:Message}|-)"] }
    }
    if [message] == ";" {
      drop {}
    }
  }
  # Use the timestamp parsed from the log line as the event's @timestamp.
  date {
    match => [ "Request_time" , "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ]
  }
}
###########################################################################################################################
output {
  # One Elasticsearch output per appname, each writing to its own daily index.
  if [fields][appname] == "online-microservice-citicpru-access-log" {
    elasticsearch {
      hosts => ["172.17.0.3:9200"]
      user => "elastic"
      password => "situ1234"
      index => "online-microservice-citicpru-access-log-%{+YYYY.MM.dd}"
    }
  }
  if [fields][appname] == "online-microservice-citicpru-info-log" {
    elasticsearch {
      hosts => ["172.17.0.3:9200"]
      user => "elastic"
      password => "situ1234"
      index => "online-microservice-citicpru-info-log-%{+YYYY.MM.dd}"
    }
  }
  if [fields][appname] == "online-microservice-citicpru-error-log" {
    elasticsearch {
      hosts => ["172.17.0.3:9200"]
      user => "elastic"
      password => "situ1234"
      index => "online-microservice-citicpru-error-log-%{+YYYY.MM.dd}"
    }
  }
}
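The sample log lines above carry ID numbers, phone numbers and passwords inside `message`, and the output blocks keep the Elasticsearch password in the pipeline file. The fragment below is an added example, not part of the original post: it masks those JSON values before grok runs, and replaces the three output blocks with one that takes the index name from `[fields][appname]` and the password from the Logstash keystore. `ES_PWD` is an assumed key name.

```logstash
filter {
  # Place this ahead of the grok blocks so the derived Message field
  # is built from the already-masked text.
  mutate {
    gsub => [
      # Keep the JSON key and opening quote (\1), replace the value.
      "message", '("(?:idCard|licensed|telephone|password)":")[^"]*', '\1[REDACTED]'
    ]
  }
}

output {
  elasticsearch {
    hosts    => ["172.17.0.3:9200"]
    user     => "elastic"
    # Assumed key name. Store it once with:
    #   bin/logstash-keystore create
    #   bin/logstash-keystore add ES_PWD
    # Logstash resolves ${ES_PWD} from the keystore (or the environment) at startup.
    password => "${ES_PWD}"
    # The appname set by Filebeat becomes the index prefix, so
    # info, access and error events still land in separate daily indices.
    index    => "%{[fields][appname]}-%{+YYYY.MM.dd}"
  }
}
```

Events that arrive without `fields.appname` would be written to an index with the literal, unresolved name, so keep a conditional around the output if other Beats senders share port 5044.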
[Figure: screenshot of the result]