Filebeat日志分割的常见场景与做法
一 概念澄清
二 对Filebeat自身日志进行分割
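# Filebeat's own log output (not the harvested logs): rotating files on disk.
logging:
  # File output is switched on with `to_files`, and the per-file settings
  # live under `files` (plural). `logging.file.enabled` is not a documented
  # Filebeat setting.
  to_files: true
  files:
    # NOTE(review): `path` is the directory the log files are created in, so
    # with this value they land under /var/log/filebeat/filebeat/. Confirm
    # it matches whatever rotates or collects these files.
    path: /var/log/filebeat/filebeat
    name: filebeat
    # Number of most recent rotated files kept on disk.
    keepfiles: 7
    # Octal mode, so the leading 0 is required: a bare 640 is read as a
    # decimal number (octal 1200) and does not yield rw-r-----.
    permissions: 0640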
三 对被采集日志进行分割(系统级轮转)
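# Create or edit the rotation rule. sudoedit runs the editor as the invoking
# user on a temporary copy and installs the result as root on save, so the
# editor process itself never runs with root privileges.
sudoedit /etc/logrotate.d/filebeat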
# Rotation rule for every *.log file directly under /var/log/filebeat.
/var/log/filebeat/*.log {
    # One rotation per day; seven rotated copies are kept.
    daily
    rotate 7
    # Rotated copies are compressed.
    compress
    # A missing file is not an error; an empty file is not rotated.
    missingok
    notifempty
    # After rotation a new file is created with mode 640, owner root, group root.
    # NOTE(review): any account that has to read these files (for example the
    # one Filebeat runs as) needs access under this mode. Confirm.
    create 640 root root
}
参数含义:daily(每天轮转)、missingok(日志文件不存在时不报错)、rotate 7(保留 7 份)、compress(压缩旧日志)、notifempty(空文件不轮转)、create(轮转后重建文件并设定权限/属主;640 root root 表示仅 root 可读写、root 组可读,需要读取该日志的进程必须具备相应权限)。
3) 手动测试与生效:
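# Dry run first: -d prints what logrotate would do and changes nothing,
# which surfaces syntax and permission mistakes in the new rule.
sudo logrotate -d /etc/logrotate.d/filebeat
# Force one rotation now, whether or not it is due.
sudo logrotate -f /etc/logrotate.d/filebeat
# Restart Filebeat after the forced rotation.
sudo systemctl restart filebeat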
四 将数据写入按时间或业务分割的索引
# Index template settings that go with the custom index name below.
setup.template:
  name: "nginx"
  pattern: "nginx-*"
  # NOTE(review): with `enabled: false` Filebeat does not load a template,
  # so `overwrite: true` presumably has no effect. Confirm which is intended.
  overwrite: true
  enabled: false

output.elasticsearch:
  # NOTE(review): no scheme or credentials are given, so this is presumably
  # plain HTTP to a local node. For a remote or secured cluster, use https
  # and authentication (verify against the deployment).
  hosts:
    - "localhost:9200"
  # One index per month. `beat.version` is the field name of older Filebeat
  # releases; newer ones expose `agent.version`. Confirm for the version in use.
  index: "nginx-access-%{[beat.version]}-%{+yyyy.MM}"
# Filebeat
# Two log inputs, each tagging its events with a `project` value. Without
# `fields_under_root` the value is stored as `fields.project`.
filebeat.inputs:
  - type: log
    paths:
      - /opt/logs/qfzs-*/log_info.log
    fields:
      project: "assistant"
    enabled: true
  # NOTE(review): this input uses the same glob as the one above, so both
  # inputs match the same files and the project tag no longer identifies
  # the source. Presumably each project should have its own path. Confirm.
  - type: log
    paths:
      - /opt/logs/qfzs-*/log_info.log
    fields:
      project: "qfzs-shop"
    enabled: true

# Events go to a Logstash beats listener on the same host.
# NOTE(review): no TLS is configured. That is acceptable on loopback, but
# revisit it if the listener is moved to another machine.
output.logstash:
  hosts:
    - "localhost:5044"
# Logstash
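input {
  beats {
    port => 5044
    # The Filebeat output on this page connects via localhost, so listen on
    # loopback only. The plugin default is all interfaces, which would expose
    # an unauthenticated, unencrypted ingest port. If remote shippers are
    # needed, bind more widely only together with TLS.
    host => "127.0.0.1"
  }
}

filter {
  # Map the project tag to a fixed index prefix. The comparison is exact:
  # `in` against a string field is a substring test and would also match
  # longer project names that merely contain one of these values.
  if [fields][project] == "assistant" {
    mutate { add_field => { "index_prefix" => "filebeat-assistant" } }
  } else if [fields][project] == "qfzs-shop" {
    mutate { add_field => { "index_prefix" => "filebeat-qfzs-shop" } }
  } else {
    # Anything untagged or unknown goes to a catch-all prefix.
    mutate { add_field => { "index_prefix" => "filebeat-default" } }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    # One index per prefix per day. The prefix is chosen from the three fixed
    # strings above rather than by interpolating [fields][project] itself.
    index => "%{[index_prefix]}-%{+YYYY.MM.dd}"
  }
}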