#=========================== Filebeat prospectors=============================
filebeat.prospectors:
#指定檔案的輸入類型log(預設)或者stdin。
- input_type: log
# paths指定要監控的日志
paths:
- /var/log/*.log
#指定被監控的檔案的編碼類型使用plain和utf-8都是可以進行中文日志的。
# Some sample encodings:
# plain, utf-8, utf-16be-bom, utf-16be, utf-16le, big5, gb18030, gbk,
# hz-gb-2312, euc-kr, euc-jp, iso-2022-jp, shift-jis, ...
#encoding: plain
# 在輸入中排除符合正規表達式清單的那些行
# exclude_lines: ["^DBG"]
# 包含輸入中符合正規表達式清單的那些行預設包含所有行include_lines執行完畢之後會執行exclude_lines。
# include_lines: ["^ERR","^WARN"]
# 忽略掉符合正規表達式清單的檔案預設為每一個符合paths定義的檔案都建立一個harvester。
# exclude_files: [".gz$"]
# 向輸出的每一條日志添加額外的資訊比如“level:debug”友善後續對日志進行分組統計。預設情況下會在輸出資訊的fields子目錄下以指定的新增fields建立子目錄例如fields.level。
#fields:
# level: debug
# review: 1
# 如果該選項設定為true則新增fields成為頂級目錄而不是将其放在fields目錄下。自定義的field會覆寫filebeat預設的field。
#fields_under_root: false
# 可以指定Filebeat忽略指定時間段以外修改的日志内容比如2h兩個小時或者5m(5分鐘)。
#ignore_older: 0
# i設定Elasticsearch輸出時的document的type字段也可以用來給日志進行分類。Default: log
#document_type: log
# Filebeat以多快的頻率去prospector指定的目錄下面檢測檔案更新比如是否有新增檔案如果設定為0s則Filebeat會盡可能快地感覺更新占用的CPU會變高。預設是10s。
#scan_frequency: 10s
# 每個harvester監控檔案時使用的buffer的大小。
#harvester_buffer_size: 16384
# 日志檔案中增加一行算一個日志事件max_bytes限制在一次日志事件中最多上傳的位元組數多出的位元組會被丢棄。The default is 10MB.
#max_bytes: 10485760
# 适用于日志中每一條日志占據多行的情況比如各種語言的報錯資訊調用棧。這個配置的下面包含如下配置
# The regexp Pattern that has to bematched. The example pattern matches all lines starting with [
# multiline.pattern: ^\[
# Defines if the pattern set underpattern should be negated or not. Default is false.
# multiline.negate: false
# Match can be set to "after"or "before". It is used to define if lines should be append to apattern
# that was (not) matched before orafter or as long as a pattern is not matched based on negate.
# Note: After is the equivalent toprevious and before is the equivalent to to next in Logstash
# multiline.match: after
#The maximum number of lines that are combined to one event.
# In case there are more the max_linesthe additional lines are discarded.
# Default is 500
# multiline.max_lines: 500
# After the defined timeout, an multilineevent is sent even if no new pattern was found to start a new event
# Default is 5s.
# multiline.timeout: 5s
# 如果設定為trueFilebeat從檔案尾開始監控檔案新增内容把新增的每一行檔案作為一個事件依次發送而不是從檔案開始處重新發送所有内容。
#tail_files: false
# Experimental: If symlinks is enabled,symlinks are opened and harvested. The harvester is openening the
# original for harvesting but will reportthe symlink name as source.
#symlinks: false
# Filebeat檢測到某個檔案到了EOF之後每次等待多久再去檢測檔案是否有更新預設為1s。
#backoff: 1s
# Filebeat檢測到某個檔案到了EOF之後等待檢測檔案更新的最大時間預設是10秒。
#max_backoff: 10s
# 定義到達max_backoff的速度預設因子是2到達max_backoff後變成每次等待max_backoff那麼長的時間才backoff一次直到檔案有更新才會重置為backoff。
#backoff_factor: 2
# Experimental: Max number of harvestersthat are started in parallel.
# Default is 0 which means unlimited
#harvester_limit: 0
#----------------------------- Stdin prospector-------------------------------
# Configuration to use stdin input
#- input_type: stdin
#========================= Filebeat global options============================
# spooler的大小spooler中的事件數量超過這個門檻值的時候會清空發送出去不論是否到達逾時時間。
# filebeat.spool_size: 2048
# 是否采用異步發送模式(實驗!)
# filebeat.publish_async: false
# spooler的逾時時間如果到了逾時時間spooler也會清空發送出去不論是否到達容量的門檻值。
# filebeat.idle_timeout: 5s
# 記錄filebeat處理日志檔案的位置的檔案
# datapath.
# filebeat.registry_file: ${path.data}/registry
# 如果要在本配置檔案中引入其他位置的配置檔案可以寫在這裡需要寫完整路徑但是隻處理prospector的部分。
# filebeat.config_dir:
# filebeat等待多長時間後publisher關閉,預設0不等待
# filebeat.shutdown_timeout: 0
#================================ General======================================
# 用于釋出網絡資料的shipper名稱. 可以被應用于組
# 所有的事務通過一個shipper發送到web接口
# 預設使用主機名.
#name:
# shipper的标記包含在自己的field中發表事物,通過不同的tags很容易給伺服器邏輯分組
#tags: ["service-X","web-tier"]
# 可選字段,您可以指定額外的資訊添加到輸出。字段可以是标量值,數組,字典,或任何的嵌套組合
#fields:
# env: staging
# 如果将此選項設定為true,自定義字段作為頂級字段存儲在輸出文檔,而不是sub-dictionary分組在一個字段。預設是false。
#fields_under_root: false
# 針對單一事件處理管道内部隊列大小
#queue_size: 1000
# 大部分的内部隊列大小事件的處理管道。
# 不要修改這個值。
#bulk_queue_size: 0
# 設定最大數量的cpu可以同時執行。預設是邏輯系統中可用的cpu的數量。
#max_procs:
#================================ Processors===================================
# 處理器是用來減少字段導出的事件或提高外部中繼資料的事件。本節定義的清單應用處理器,一個接一個,第一個接收到最初
# event:
#
# event -> filter1 -> event1 ->filter2 ->event2 ...
#
# 支援的處理器drop_fields,drop_event, include_fields, and add_cloud_metadata.
#
# 例如,您可以使用以下處理器保持字段包含CPU負載百分比,但是删除字段包含CPU屬性
# values:
#
#processors:
#- include_fields:
# fields: ["cpu"]
#- drop_fields:
# fields: ["cpu.user","cpu.system"]
#
# The following example drops theevents that have the HTTP response code 200:
#
#processors:
#- drop_event:
# when:
# equals:
# http.code: 200
#
# 下面的示例豐富每個事件的雲提供商關于主機的中繼資料。它可以在EC2,GCE,DigitalOcean上運作。
#
#processors:
#- add_cloud_metadata:
#
############################# Output##########################################
# 輸出到資料配置.單個執行個體資料可以輸出到elasticsearch或者logstash選擇其中一種注釋掉另外一組輸出配置。
### 輸出資料到Elasticsearch
output.elasticsearch:
# IPv6 addresses should always be definedas: https://[2001:db8::1]:9200
hosts: ["localhost:9200"]
# Set gzip compression level.
#compression_level: 0
# 輸出認證.
#protocol: "https"
#username: "elastic"
#password: "changeme"
#字典中的HTTP參數通過url索引操作。
#parameters:
#param1: value1
#param2: value2
# 啟動程序數.
#worker: 1
# 輸出資料到指定index defaultis "filebeat" 可以使用變量[filebeat-]YYYY.MM.DDkeys.
#index: "filebeat-%{+yyyy.MM.dd}"
# 一個模闆用于設定在Elasticsearch映射預設模闆加載是禁用的,沒有加載模闆這些設定可以調整或者覆寫現有的加載自己的模闆
# Set to false to disable template loading.
#template.enabled: true
# Template name. By default the templatename is filebeat.
#template.name: "filebeat"
# Path to template file
#template.path:"${path.config}/filebeat.template.json"
# Overwrite existing template
#template.overwrite: false
# If set to true, filebeat checks theElasticsearch version at connect time, and if it
# is 2.x, it loads the file specified bythe template.versions.2x.path setting. The
# default is true.
#template.versions.2x.enabled: true
# Path to the Elasticsearch 2.x version ofthe template file.
#template.versions.2x.path:"${path.config}/filebeat.template-es2x.json"
# 發送重試的次數取決于max_retries的設定預設為3
#max_retries: 3
# 單個elasticsearch批量API索引請求的最大事件數。預設是50。
#bulk_max_size: 50
# elasticsearch請求逾時事件。預設90秒.
#timeout: 90
# 新事件兩個批量API索引請求之間需要等待的秒數。如果bulk_max_size在該值之前到達額外的批量索引請求生效。
#flush_interval: 1
# 使用https的SSL配置。預設true。
#Use SSL settings for HTTPS. Default is true.
#ssl.enabled: true
# Configure SSL verification mode. If`none` is configured, all server hosts
# and certificates will be accepted. In thismode, SSL based connections are
# susceptible to man-in-the-middle attacks.Use only for testing. Default is
# `full`.
#ssl.verification_mode: full
# List of supported/valid TLS versions. Bydefault all TLS versions 1.0 up to
# 1.2 are enabled.
#ssl.supported_protocols: [TLSv1.0,TLSv1.1, TLSv1.2]
# SSL configuration. By default is off.
# List of root certificates for HTTPSserver verifications
#ssl.certificate_authorities:["/etc/pki/root/ca.pem"]
# Certificate for SSL client authentication
#ssl.certificate:"/etc/pki/client/cert.pem"
# Client Certificate Key
#ssl.key:"/etc/pki/client/cert.key"
# Optional passphrase for decrypting theCertificate Key.
#ssl.key_passphrase: ''
# Configure cipher suites to beused for SSL connections
#ssl.cipher_suites: []
# Configure curve types for ECDHE basedcipher suites
#ssl.curve_types: []
#-----------------------------Logstash output ---------------------------------
### 發送資料到logstash單個執行個體資料可以輸出到elasticsearch或者logstash選擇其中一種注釋掉另外一組輸出配置。
# output.logstash:
# Logstash 主機位址
#hosts: ["localhost:5044"]
# 配置每個主機釋出事件的worker數量。在負載均衡模式下最好啟用。
#worker: 1
# #發送資料壓縮級别
#compression_level: 3
# 如果設定為TRUE和配置了多台logstash主機輸出插件将負載均衡的釋出事件到所有logstash主機。
#如果設定為false輸出插件發送所有事件到随機的一台主機上如果選擇的不可達将切換到另一台主機。預設是false。
#loadbalance: true
# 輸出資料到指定index defaultis "filebeat" 可以使用變量[filebeat-]YYYY.MM.DDkeys.
#index: filebeat
# Number of batches to be sendasynchronously to logstash while processing new batches.
#pipelining: 0
# SOCKS5 proxy server URL
#proxy_url: socks5://user:[email protected]:2233
# Resolve names locally when using a proxy server. Defaults to false.
#proxy_use_local_resolver: false
# Enable SSL support. SSL is automatically enabled, if any SSL settingis set.
#ssl.enabled: true
# Configure SSL verification mode. If `none` is configured, all serverhosts
# and certificates will be accepted. In this mode, SSL based connectionsare
# susceptible to man-in-the-middle attacks. Use only for testing.Default is
# `full`.
#ssl.verification_mode: full
# List of supported/valid TLS versions. By default all TLS versions 1.0up to
# 1.2 are enabled.
#ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
# Optional SSL configuration options. SSL is off by default.
# List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
#ssl.key: "/etc/pki/client/cert.key"
# Optional passphrase for decrypting the Certificate Key.
#ssl.key_passphrase: ''
# Configure cipher suites to be used for SSL connections
#ssl.cipher_suites: []
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []
### Console output 标準輸出JSON 格式。
# console:
#如果設定為TRUE事件将很友好的格式化标準輸出。預設false。
#pretty: false
#------------------------------- File output-----------------------------------
#output.file:
# Boolean flag to enable ordisable the output module.
#enabled: true
# Path to the directorywhere to save the generated files. The option is
# mandatory.
#path:"/tmp/filebeat"
# Name of the generatedfiles. The default is `filebeat` and it generates
# files: `filebeat`,`filebeat.1`, `filebeat.2`, etc.
#filename: filebeat
# Maximum size in kilobytesof each file. When this size is reached, and on
# every filebeat restart,the files are rotated. The default value is 10240
# kB.
#rotate_every_kb: 10000
# Maximum number of filesunder path. When this number of files is reached,
# the oldest file is deletedand the rest are shifted from last to first. The
# default is 7 files.
#number_of_files: 7
############################# Logging#########################################
# 配置beats日志。日志可以寫入到syslog也可以是輪滾日志檔案。預設是syslog。
# 設定日志級别,預設是info,可選:critical, error, warning, info, debug
#logging.level:info
# 為所選元件啟用調試輸出. 預設["*"]
# 其它可選selectors: "beat", "publish", "service"
#Multiple selectors can be chained.
#logging.selectors:[ ]
# 如果啟用發送所有日志到系統日志。
# logging. to_syslog: true
# 如果啟用,filebeat定期記錄其内部名額,改變了過去。對于每個名額改變,δ值的記錄的開始時期。同時,所有内部名額非零總值登入關閉。預設是true。
#logging.metrics.enabled:true
# 記錄内部名額的周期。The default is 30s.
#logging.metrics.period:30s
# 日志發送到輪滾檔案。
logging.to_files: true
logging.files:
# 日志檔案目錄。
#path: /var/log/filebeat
# 日志檔案名稱
#name: filebeat
# 日志檔案的最大大小。預設 10485760(10 MB)。
rotateeverybytes: 10485760 # = 10MB
# 保留日志周期。 預設 7。值範圍為2 到 1024。
#keepfiles: 7
![極易上手搭建自己日志采集伺服器分析日志(winlogbeat+Elasticsearch+Kibana)[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)