1.下载解压

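# Keep the version in one place: the archive and directory names used by tar
# and mv must match the file that wget actually saved.
FILEBEAT_VERSION=7.4.2
cd /data/soft
wget "https://www.oaroad.com/files/filebeat-${FILEBEAT_VERSION}-linux-x86_64.tar.gz"
# The archive comes from a mirror, so check it before unpacking: compare this
# digest with the SHA-512 that Elastic publishes for the same release.
sha512sum "filebeat-${FILEBEAT_VERSION}-linux-x86_64.tar.gz"
tar -xf "filebeat-${FILEBEAT_VERSION}-linux-x86_64.tar.gz"
mv "filebeat-${FILEBEAT_VERSION}-linux-x86_64" /data/filebeat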

2.修改配置文件

cd /data/filebeat
# Keep a copy of the stock configuration so the edit can be rolled back
cp filebeat.yml filebeat.yml.bak
# NOTE(review): Filebeat refuses to load a config file that is writable by
# group/others or not owned by the user running it -- check ownership and
# mode of filebeat.yml after editing.
vim filebeat.yml
# Edit the filebeat.inputs section: enable the input and point it at the site access log
enabled: true
paths:
    - /www/wwwlogs/oaroad.com.log
# Decode each line as JSON and place the decoded keys at the top level of the event
json.keys_under_root: true
# On a name conflict, decoded keys replace the fields Filebeat adds itself.
# NOTE(review): an access log carries client-controlled values; confirm the
# web server writes fixed keys with JSON escaping, otherwise a crafted request
# could overwrite event metadata -- drop this option if that cannot be confirmed.
json.overwrite_keys: true
# Edit the output.elasticsearch section
# NOTE(review): loopback only, with no TLS or credentials shown here; if
# Elasticsearch is ever moved off this host, use https and authentication.
hosts: ["127.0.0.1:9200"]

3.启动filebeat

vim run.sh
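#!/bin/bash
# Control script for the Filebeat install under /data/filebeat.
# Usage: run.sh start|stop|restart|status
# Uses action() from /etc/init.d/functions to print the result of each step.
. /etc/init.d/functions

# Absolute install directory: the config and log paths used below are relative
# to it, so the script must not depend on the caller's working directory.
readonly FILEBEAT_HOME=/data/filebeat

# Print the PIDs of running Filebeat processes (non-zero status when none).
# pgrep -x matches the process name exactly, so an editor or tail session that
# merely has "filebeat" in its arguments is never selected -- and never killed
# by "stop". Any other Filebeat instance on the host still matches.
filebeat_pids() {
  pgrep -x filebeat
}

case "$1" in
# Start Filebeat unless an instance is already running
start)
  if filebeat_pids > /dev/null 2>&1; then
    action "Filebeat is Running!"
  else
    cd "$FILEBEAT_HOME" || exit 1
    # Without logs/ the redirect below fails and nothing is launched
    mkdir -p logs || exit 1
    nohup "$FILEBEAT_HOME/filebeat" -e -c filebeat.yml >> logs/filebeat.log 2>&1 &
    action "SUCCESS"
  fi
  ;;
# Stop Filebeat
stop)
  pids=$(filebeat_pids)
  if [ -n "$pids" ]; then
    # SIGTERM first so Filebeat can shut down cleanly.
    # $pids is left unquoted on purpose: one PID per word.
    kill $pids
    tries=0
    while filebeat_pids > /dev/null 2>&1 && [ "$tries" -lt 5 ]; do
      sleep 1
      tries=$((tries + 1))
    done
    # Escalate to SIGKILL only for processes that ignored SIGTERM
    pids=$(filebeat_pids) && kill -9 $pids
    action "SUCCESS"
  else
    action "Filebeat is Stoped!" /bin/false
  fi
  ;;
# Report whether Filebeat is running
status)
  if filebeat_pids > /dev/null 2>&1; then
    action "Filebeat is Running!"
  else
    action "Filebeat is Stoped!" /bin/false
  fi
  ;;
# Restart: stop a running instance, then start
restart)
  if filebeat_pids > /dev/null 2>&1; then
    echo "服务正在停止......"
    bash "$0" stop
    sleep 2
  fi
  echo "服务正在启动......"
  bash "$0" start
  ;;
# Unknown or missing argument: print usage and fail
*)
  echo "请在脚本后边传入参数:start|stop|restart|status"
  exit 1
  ;;
esac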
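# Run the script directly so its #!/bin/bash line selects the interpreter
chmod +x run.sh && ./run.sh start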

4.修改filebeat索引样式

vim filebeat.yml
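# Edit the Elasticsearch output section to use a custom index name
# Add the three setup.* lines at column 0, above output.elasticsearch:
setup.template.name: "oaroad_com"
# The template pattern is an index pattern: the trailing * is what makes the
# template apply to the dated indices named by "index" below
setup.template.pattern: "oaroad_com_*"
# With ILM enabled the custom template name/pattern and index are ignored
setup.ilm.enabled: false
# Add below hosts, inside output.elasticsearch.
# dd is day of month; DD would be day of year and produce names like 2020.06.158
index: "oaroad_com_%{+yyyy.MM.dd}"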