需求是小日志量下,通过filebeat收集多套日志,发送到logstash的5044端口,通过logstash进行分离清洗,然后分别建立索引,好了上配置文件。
    日志格式如下

    1. 2020-05-06 20:45:04.918 INFO 4857 --- [http-nio-8081-exec-4] c.s.s.controller.XytSysController : method=csoUserInfoSysDTOList=[{"action":"1","channel":"DM","idCard":"4130261024873111111","licensed":"41302619811111111","name":"张某","number":"30042711","organizationCode":"235","telephone":"13526811111"}]
    2. 2020-05-06 20:51:41.748 INFO 4857 --- [http-nio-8081-exec-2] c.s.s.controller.XytSysController : method=webAccountSys=[{"action":"1","name":"李某","organizationCode":"224","password":"00000000","role":"4","usercode":"CHN0022339"},{"action":"1","name":"李某","organizationCode":"224","password":"00000000","role":"5","usercode":"CHN0022339"}]
    3. 2020-05-06 20:55:05.130 INFO 4857 --- [http-nio-8081-exec-3] c.s.s.controller.XytSysController : method=csoUserInfoSysDTOList=[{"action":"1","channel":"DM","idCard":"413026198801111111","licensed":"41302619881111111","name":"张某","number":"30042711","organizationCode":"235","telephone":"135268711111"}]

    fileteat的配置文件

    1. - type: log
    2. enabled: true
    3. paths:
    4. - /usr/local/seektruth/situ-microservice-citic/logs/*/info.*.log
    5. multiline:
    6. pattern: '^\d+'
    7. negate: true
    8. match: after
    9. fields:
    10. appname: online-microservice-citicpru-info-log
    11. - type: log
    12. enabled: true
    13. paths:
    14. - /usr/local/seektruth/situ-microservice-citic/logs/*/access.*.log
    15. multiline:
    16. pattern: '^\d+'
    17. negate: true
    18. match: after
    19. fields:
    20. appname: online-microservice-citicpru-access-log
    21. - type: log
    22. enabled: true
    23. paths:
    24. - /usr/local/seektruth/situ-microservice-citic/logs/*/error.*.log
    25. multiline:
    26. pattern: '^\d+'
    27. negate: true
    28. match: after
    29. fields:
    30. appname: online-microservice-citicpru-error-log

    logstash的清洗配置

    1. input {
    2. beats {
    3. port => 5044
    4. }
    5. }
    6. ###########################################################################################################################
    7. filter {
    8. if [fields][appname] =~ ".*info-log" {
    9. grok {
    10. match => { "message" => ["(%{TIMESTAMP_ISO8601:Request_time}) \|(%{DATA:TraceId})\|(%{DATA:SpanId})\|(%{DATA:ParentSpanId})\|(%{DATA:Level})\|(%{DATA:PID})\|(%{DATA:Threading})\|(%{DATA:Code_Line})\|(%{DATA:Class_Name})\|(%{GREEDYDATA:Message})"] }
    11. }
    12. if [message] == ";" {
    13. drop {}
    14. }
    15. }
    16. if [fields][appname] =~ ".*error-log" {
    17. grok {
    18. match => { "message" => ["(%{TIMESTAMP_ISO8601:Request_time}) \|(%{DATA:TraceId})\|(%{DATA:SpanId})\|(%{DATA:ParentSpanId})\|(%{DATA:Level})\|(%{DATA:PID})\|(%{DATA:Threading})\|(%{DATA:Code_Line})\|(%{DATA:Class_Name})\|(%{GREEDYDATA:Message})"] }
    19. }
    20. }
    21. if [fields][appname] =~ ".*access-log" {
    22. grok {
    23. match => { "message" => ["(%{TIMESTAMP_ISO8601:Request_time}|-)\;(%{IPORHOST:Client_ip}|-)\;(%{DATA:User_name}|-)\;(%{DATA:Request_id}|-)\;(%{PATH:Request_uri}|-)\;(%{INT:Response_time}|-)\;(%{INT:Status_code}|-)\;(%{NOTSPACE:Message}|-)"] }
    24. }
    25. if [message] == ";" {
    26. drop {}
    27. }
    28. }
    29. date {
    30. match => [ "Request_time" , "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ]
    31. }
    32. }
    33. ###########################################################################################################################
    34. output {
    35. if [fields][appname] == "online-microservice-citicpru-access-log" {
    36. elasticsearch {
    37. hosts => ["172.17.0.3:9200"]
    38. user => "elastic"
    39. password => "situ1234"
    40. index => "online-microservice-citicpru-access-log-%{+YYYY.MM.dd}"
    41. }
    42. }
    43. if [fields][appname] == "online-microservice-citicpru-info-log"{
    44. elasticsearch {:
    45. hosts => ["172.17.0.3:9200"]
    46. user => "elastic"
    47. password => "situ1234"
    48. index => "online-microservice-citicpru-info-log-%{+YYYY.MM.dd}"
    49. }
    50. }
    51. if [fields][appname] == "online-microservice-citicpru-error-log"{
    52. elasticsearch {
    53. hosts => ["172.17.0.3:9200"]
    54. user => "elastic"
    55. password => "situ1234"
    56. index => "online-microservice-citicpru-error-log-%{+YYYY.MM.dd}"
    57. }
    58. }
    59. }

    效果图
    image.png