原文地址:https://www.elastic.co/guide/en/beats/filebeat/current/_examples_of_multiline_configuration.html
一、多行配置示例
1、將Java堆棧跟蹤日誌組合成一個事件
2、將C風格的日誌組合成一個事件
3、結合時間戳處理多行事件
二、Java堆棧跟蹤
1、Java示例一
Java堆棧跟蹤由多行組成,每一行在初始行之後以空格開頭,如本例中所述:
Exception in thread "main" java.lang.NullPointerException
at com.example.myproject.Book.getTitle(Book.java:16)
at com.example.myproject.Author.getBookTitles(Author.java:25)
at com.example.myproject.Bootstrap.main(Bootstrap.java:14)
要將這些行整合到Filebeat中的單個事件中,請使用以下多行配置:
multiline.pattern: '^[[:space:]]'
multiline.negate: false
multiline.match: after
此配置將以空格開頭的所有行合併到上一行。
2、Java示例二
下面是一個Java堆棧跟蹤日誌,稍微複雜的例子:
Exception in thread "main" java.lang.IllegalStateException: A book has a null property
at com.example.myproject.Author.getBookIds(Author.java:38)
at com.example.myproject.Bootstrap.main(Bootstrap.java:14)
Caused by: java.lang.NullPointerException
at com.example.myproject.Book.getId(Book.java:22)
at com.example.myproject.Author.getBookIds(Author.java:35)
... 1 more
要將這些行整合到Filebeat中的單個事件中,請使用以下多行配置:
multiline.pattern: '^[[:space:]]+(at|\.{3})\b|^Caused by:'
multiline.negate: false
multiline.match: after
此配置解釋說明:
將以空格開頭的所有行合併到上一行
並把以Caused by開頭的也追加到上一行
三、C風格的日誌
一些編程語言在一行末尾使用反斜槓()字符,表示該行仍在繼續,如本例中所示:
printf ("%10.10ld \t %10.10ld \t %s\
%f", w, x, y, z );
要將這些行整合到Filebeat中的單個事件中,請使用以下多行配置:
multiline.pattern: '\\$'
multiline.negate: false
multiline.match: before
此配置將以""字符結尾的任何行與後面的行合併。
四、時間戳
來自Elasticsearch等服務的活動日誌通常以時間戳開始,然後是關於特定活動的信息,如下例所示:
[2015-08-24 11:49:14,389][INFO ][env ] [Letha] using [1] data paths, mounts [[/
(/dev/disk1)]], net usable_space [34.5gb], net total_space [118.9gb], types [hfs]
要將這些行整合到Filebeat中的單個事件中,請使用以下多行配置:
multiline.pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after
此配置使用negate: true和match: after設置來指定任何不符合指定模式的行都屬於上一行。
五、應用程序事件
有時您的應用程序日誌包含以自定義標記開始和結束的事件,如以下示例:
[2015-08-24 11:49:14,389] Start new event
[2015-08-24 11:49:14,395] Content of processing something
[2015-08-24 11:49:14,399] End event
要在Filebeat中將其整合爲單個事件,請使用以下多行配置:
multiline.pattern: 'Start new event'
multiline.negate: true
multiline.match: after
multiline.flush_pattern: 'End event'
此配置把指定字符串開頭,指定字符串結尾的多行合併爲一個事件。
備註:
1、字段詳解參考
2、multiline.match中的after和logstash中的previous意思相同,before和logstash中的next意思相同
3、logstash多行匹配示例
input {
file {
path => "/var/log/message"
stat_interval => "10"
start_position => "beginning"
codec => multiline {
pattern => "^\[\d{2}-"
negate => true
what => "previous"
}
}
}
what確定合併屬於上一個事件還是下一個事件,可以爲next和previous
六、生產環境用的配置文件示例
1、filebeat收集模塊日誌配置文件
filebeat.inputs:
- input_type: log
paths:
- /data/logs/company/logs/*.log
exclude_files: ['.gz$','INFO']
multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after
tags: ["company"]
- input_type: log
paths:
- /data/logs/store/logs/*.log
exclude_files: ['.gz$','INFO']
multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after
tags: ["store"]
- input_type: log
paths:
- /data/logs/pos/logs/*.log
exclude_files: ['.gz$','INFO']
multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after
tags: ["pos"]
output.logstash:
hosts: ["192.168.0.144:5044"]
enabled: true
worker: 2
compression_level: 3
2、logstash獲取filebeat日誌,並讀到redis中
input {
beats {
port => "5044"
}
}
output {
if "company" in [tags] {
redis {
host => "192.168.0.112"
port => "6379"
db => "3"
key => "company"
data_type => "list"
password => "123456"
}
}
if "store" in [tags] {
redis {
host => "192.168.0.112"
port => "6379"
db => "3"
key => "store"
data_type => "list"
password => "123456"
}
}
if "pos" in [tags] {
redis {
host => "192.168.0.112"
port => "6379"
db => "3"
key => "pos"
data_type => "list"
password => "123456"
}
}
}
3、logstash從redis中讀取日誌寫入到ES
input {
redis {
host => "192.168.0.112"
port => "6379"
db => "3"
key => "company"
data_type => "list"
password => "123456"
type => "company"
}
redis {
host => "192.168.0.112"
port => "6379"
db => "3"
key => "store"
data_type => "list"
password => "123456"
type => "store"
}
redis {
host => "192.168.0.112"
port => "6379"
db => "3"
key => "pos"
data_type => "list"
password => "123456"
type => "pos"
}
}
output {
if [type] == "company" {
elasticsearch {
hosts => ["192.168.0.117:9200","192.168.0.118:9200","192.168.0.119:9200"]
index => "logstash-company-%{+YYYY.MM.dd}"
}
}
if [type] == "store" {
elasticsearch {
hosts => ["192.168.0.117:9200","192.168.0.118:9200","192.168.0.119:9200"]
index => "logstash-store-%{+YYYY.MM.dd}"
}
}
if [type] == "pos" {
elasticsearch {
hosts => ["192.168.0.117:9200","192.168.0.118:9200","192.168.0.119:9200"]
index => "logstash-pos-%{+YYYY.MM.dd}"
}
}
}
七、補充內容(filebeat收集json格式日誌)
cat > json-log.yml << END
#filebeat.prospectors:
filebeat.inputs:
- type: log
enabled: true
json.keys_under_root: true #json格式收集
json.overwrite_keys: true #json格式收集
paths:
- /var/log/nginx/access.log #需要收集的日誌文件路徑
exclude_lines: ['^DBG',"^$",".gz$"]
fields:
log_topics: nginx-access-log #設置日誌標題
output.logstash:
hosts: ["192.168.0.117:5044"] #輸出到logstash服務地址和端口
END
備註:
用processors中的decode_json_fields處理器進行處理,它類似logstash中的filter,具體格式如下:
processors:
- decode_json_fields:
fields: ['message'] #要進行解析的字段
target: "" #json內容解析到指定的字段,如果爲空(""),則解析到頂級結構下
overwrite_keys: false #如果解析出的json結構中某個字段在原始的event(在filebeat中傳輸的一條數據爲一個event)中也存在,是否覆蓋event中該字段的值,默認值:false
process_array: false #數組是否解碼,默認值:false
max_depth: 1 #解碼深度,默認值:1