Добавляем репозиторий Elastic 7.x (через зеркало Яндекса).
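# Add the Elastic 7.x APT repository (Yandex mirror).
# NOTE(review): the original line used `[trusted=yes]`, which turns off APT's
# signature verification for this repository entirely — a compromised or
# MITM'd mirror could then hand us arbitrary .deb packages that apt would
# install without complaint. Import Elastic's signing key and pin the repo to
# it with `signed-by` instead. This relies on the mirror carrying the upstream
# signed Release/InRelease files; if `apt update` reports missing signatures,
# point the line at https://artifacts.elastic.co/packages/7.x/apt instead.
curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch \
  | sudo gpg --dearmor -o /usr/share/keyrings/elastic-7.x.gpg
printf '%s\n' "deb [signed-by=/usr/share/keyrings/elastic-7.x.gpg] https://mirror.yandex.ru/mirrors/elastic/7/ stable main" \
  | sudo tee /etc/apt/sources.list.d/elastic-7.x.list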
Ставим Filebeat.
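# Install Filebeat.
# The original chained the two commands with a single `&`, which backgrounds
# `apt update` and immediately runs `apt install` — against a stale package
# index, racing for the dpkg lock, and without sudo (so it fails as a normal
# user). Use `&&` so the install only runs after a successful index refresh.
sudo apt update && sudo apt install -y filebeat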
Правим конфиг /etc/filebeat/filebeat.yml (пример; отступы в YAML значимы).
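# Filebeat inputs (example). Indentation restored — the flattened listing is
# not valid YAML. Each input stamps its events with a top-level `type` field
# (fields_under_root: true); the Logstash pipeline switches on `[type]`, so
# the values here must match its conditionals exactly.
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/access.log
    fields:
      type: nginx_access
    fields_under_root: true
    scan_frequency: 5s

  - type: log
    enabled: true
    paths:
      - /var/log/nginx/error.log
    fields:
      type: nginx_error
    fields_under_root: true
    scan_frequency: 5s

  # NOTE(review): with the default json-file logging driver these files are
  # JSON lines; a plain `log` input leaves the whole JSON object in `message`
  # unparsed — the `container` input (Filebeat 7.x) or `json.*` options parse
  # it. Reading /var/lib/docker/containers also needs root-level permissions,
  # so Filebeat is effectively running privileged on this host.
  - type: log
    enabled: true
    paths:
      - /var/lib/docker/containers/*/*.log
    fields:
      type: docker_api
    fields_under_root: true
    scan_frequency: 5s

# Ship to Logstash's beats input.
# NOTE(review): this is plaintext TCP with no client authentication — anyone on
# the path can read the logs in transit (nginx URLs, client IPs, error details)
# or inject events into the pipeline. For anything beyond a lab, configure
# ssl.certificate_authorities / ssl.certificate / ssl.key here and `ssl` on the
# Logstash beats input.
output.logstash:
  hosts: ["10.220.0.3:5044"]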
Стартуем Filebeat.
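# Start Filebeat. systemctl takes the verb before the unit name; the original
# `systemctl filebeat start` fails with "Unknown command verb filebeat".
# Use `sudo systemctl enable --now filebeat` if it should also survive reboots.
sudo systemctl start filebeat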
Также не забываем поправить конфиг Logstash, обычно в /etc/logstash/conf.d/ (конфиги — только пример; значения `[type]` должны совпадать с полями, заданными в Filebeat).
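# Logstash pipeline (example). Events arrive from Filebeat; `[type]` is the
# custom field Filebeat sets via fields_under_root, so the string literals in
# the conditionals below must match the Filebeat inputs exactly.
input {
  beats {
    port => 5044
    # NOTE(review): no `ssl` here — any host that can reach TCP/5044 can inject
    # arbitrary events into the indices below, and log contents cross the
    # network in clear text. For non-lab use set ssl => true with
    # ssl_certificate / ssl_key, and ssl_verify_mode => "force_peer" to
    # require client certificates from the Beats.
  }
}

filter {
  if [type] == "nginx_access" {
    grok {
      match => { "message" => "%{IPORHOST:remote_ip} - %{DATA:user} \[%{HTTPDATE:access_time}\] \"%{WORD:http_method} %{DATA:url} HTTP/%{NUMBER:http_version}\" %{NUMBER:response_code} %{NUMBER:body_sent_bytes} \"%{DATA:referrer}\" \"%{DATA:Browser}\""}
    }
    # The original ran date/geoip on every event type and pointed `date` at a
    # field ("timestamp") that grok never produces, so @timestamp stayed at
    # ingest time and non-nginx events were tagged _geoip_lookup_failure for a
    # missing remote_ip. Both filters only make sense for access-log events.
    # HTTPDATE carries a zone offset (e.g. +0300), hence the trailing "Z";
    # "yyyy" rather than week-based "YYYY" avoids wrong years around New Year.
    date {
      match => [ "access_time", "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
    geoip {
      source  => "remote_ip"
      target  => "geoip"
      add_tag => [ "nginx-geoip" ]
    }
  }
}
## Add your filters / logstash plugins configuration here

output {
  # Credentials: the original hardcoded `password => 'password'`. Read it from
  # the environment (or the Logstash keystore:
  # `bin/logstash-keystore add LOGSTASH_INTERNAL_PASSWORD`) so the secret is
  # neither committed with the pipeline nor readable to everyone who can read
  # /etc/logstash/conf.d.
  if [type] == "nginx_access" or [type] == "nginx_error" {
    elasticsearch {
      hosts    => "elasticsearch:9200"
      index    => "nginx-%{+YYYY.MM.dd}"
      user     => "logstash_internal"
      password => "${LOGSTASH_INTERNAL_PASSWORD}"
    }
  }
  if [type] == "docker_api" {
    elasticsearch {
      hosts    => "elasticsearch:9200"
      index    => "docker_api-%{+YYYY.MM.dd}"
      user     => "logstash_internal"
      password => "${LOGSTASH_INTERNAL_PASSWORD}"
    }
  }
  # Uncomment to echo parsed events to the console while debugging the grok/date patterns.
  # stdout { codec => rubydebug }
}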