在web服务器
有就停止
root@long:~# systemctl stop logstash
监控单个日志配置:
上传deb包,安装
[root@es-web2 src]# dpkg -i filebeat-7.12.1-amd64.deb
先启动zookeeper
[root@mq1 ~]# /usr/local/zookeeper/bin/zkServer.sh restart [root@mq2 ~]# /usr/local/zookeeper/bin/zkServer.sh restart [root@mq3 ~]# /usr/local/zookeeper/bin/zkServer.sh restart
启动kafka
[root@mq1 ~]# /apps/kafka/bin/kafka-server-start.sh -daemon /apps/kafka/config/server.properties [root@mq2 ~]# /apps/kafka/bin/kafka-server-start.sh -daemon /apps/kafka/config/server.properties [root@mq3 ~]# /apps/kafka/bin/kafka-server-start.sh -daemon /apps/kafka/config/server.properties
filebeat改配置文件
root@long:~# grep -v "#" /etc/filebeat/filebeat.yml| grep -v "^$" filebeat.inputs: - type: log enabled: True paths: - /apps/nginx/logs/error.log fields: app: nginx-errorlog group: n223 - type: log enabled: True paths: - /var/log/nginx/access.log fields: app: nginx-accesslog group: n125 output.kafka: hosts: ["172.31.2.41:9092","172.31.2.42:9092","172.31.2.43:9092"] topic: "long-mm123-nginx" partition.round_robin: reachable_only: true required_acks: 1 compression: gzip max_message_bytes: 1000000
重启
root@long:~# systemctl restart filebeat
logstash配置文件
root@long:~# vim /etc/logstash/conf.d/filebeat-nginx-log-redis.conf input { kafka { bootstrap_servers => "172.31.2.41:9092,172.31.2.42:9092,172.31.2.43:9092" topics => "long-mm123-nginx" codec => "json" } } output { if [fields][app] == "nginx-errorlog" { elasticsearch { hosts => ["172.31.2.101:9200"] index => "filebeat-kafka-nginx-errorlog-%{+YYYY.MM.dd}" }} if [fields][app] == "nginx-accesslog" { elasticsearch { hosts => ["172.31.2.101:9200"] index => "filebeat-kafka-nginx-accesslog-%{+YYYY.MM.dd}" }} }
重启
root@long:~# systemctl restart logstash
kafka工具
加入kibana