1. Installation
[root@jumpserver tools]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.4.0-x86_64.rpm
[root@jumpserver tools]# rpm -ivh filebeat-6.4.0-x86_64.rpm

# List the installed files
[root@jumpserver tools]# rpm -ql filebeat-6.4.0
/etc/filebeat/fields.yml
/etc/filebeat/filebeat.reference.yml
/etc/filebeat/filebeat.yml               => configuration file
/etc/init.d/filebeat                     => init script
/lib/systemd/system/filebeat.service     => can also be started with systemctl
/usr/bin/filebeat                        => the filebeat command
....
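2. Configuration
The default configuration file is /etc/filebeat/filebeat.yml; use filebeat.reference.yml and /etc/filebeat/filebeat.yml as references. The configuration file supports regular expressions; see the official documentation (https://www.elastic.co/guide/en/beats/filebeat/6.2/regexp-support.html).
The configuration format is: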
#global filebeat configuration options
tags: ["10.0.3.199"]
max_procs: 1

#Configure inputs
filebeat.inputs:
- type: log
  paths:                        # log paths; glob patterns such as *log are supported
    - /var/log/httpd/*log
  fields:                       # extra fields added to each event, used for log filtering
    service: httpd_log          # httpd_log is a user-defined field; it shows up in the Logstash output
  fields_under_root: true       # custom fields are placed at the top level and are not overwritten

#Configure the output
output.logstash:                # output goes to Logstash
  hosts: ["10.0.3.60:5044"]     # Logstash host IP + port
  compression_level: 0          # 0 disables compression; levels range from 0 to 9
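
The output section above ships the httpd logs to Logstash unencrypted and without authenticating either end. The following is an added example, not part of the original post, showing the same output with TLS and a client certificate. The certificate paths are assumed placeholders, and the Logstash beats input on 10.0.3.60 must be configured with SSL and a certificate issued by the same CA.

```yaml
# Added example (not from the original post). All /etc/filebeat/pki/* paths
# are assumed placeholders; substitute the files issued by your own CA.

filebeat.inputs:
- type: log
  paths:
    - /var/log/httpd/*log
  fields:
    service: httpd_log
  fields_under_root: true

# Before (as in the post): cleartext transport, Logstash endpoint not verified.
#output.logstash:
#  hosts: ["10.0.3.60:5044"]
#  compression_level: 0

# After: TLS transport, server certificate verified, client certificate presented.
output.logstash:
  # The server certificate must list this IP as a subject alternative name,
  # otherwise verification_mode "full" rejects the connection.
  hosts: ["10.0.3.60:5044"]
  compression_level: 0
  # CA used to verify the Logstash server certificate (assumed path).
  ssl.certificate_authorities: ["/etc/filebeat/pki/ca.crt"]
  # Client certificate and key so Logstash can authenticate this shipper
  # (assumed paths; keep the key readable by root only, mode 0600).
  ssl.certificate: "/etc/filebeat/pki/filebeat.crt"
  ssl.key: "/etc/filebeat/pki/filebeat.key"
  # "full" checks both the certificate chain and the host name/IP.
  ssl.verification_mode: full
  # Refuse TLS 1.0 and 1.1.
  ssl.supported_protocols: [TLSv1.2]
```

After editing, `filebeat test config` checks the file for syntax errors and `filebeat test output` confirms that the TLS handshake with Logstash succeeds.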
Official download page:
https://www.elastic.co/cn/downloads/beats/filebeat
Official documentation:
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-getting-started.html#filebeat-getting-started