#=========================== Filebeat prospectors=============================
filebeat.prospectors:
#指定文件的輸入類型log(默認)或者stdin。
- input_type: log
# paths指定要監控的日誌
paths:
- /var/log/*.log
#指定被監控的文件的編碼類型使用plain和utf-8都是可以處理中文日誌的。
# Some sample encodings:
# plain, utf-8, utf-16be-bom, utf-16be, utf-16le, big5, gb18030, gbk,
# hz-gb-2312, euc-kr, euc-jp, iso-2022-jp, shift-jis, ...
#encoding: plain
# 在輸入中排除符合正則表達式列表的那些行
# exclude_lines: ["^DBG"]
# 包含輸入中符合正則表達式列表的那些行默認包含所有行include_lines執行完畢之後會執行exclude_lines。
# include_lines: ["^ERR","^WARN"]
# 忽略掉符合正則表達式列表的文件默認爲每一個符合paths定義的文件都創建一個harvester。
# exclude_files: [".gz$"]
# 向輸出的每一條日誌添加額外的信息比如“level:debug”方便後續對日誌進行分組統計。默認情況下會在輸出信息的fields子目錄下以指定的新增fields建立子目錄例如fields.level。
#fields:
# level: debug
# review: 1
# 如果該選項設置爲true則新增fields成爲頂級目錄而不是將其放在fields目錄下。自定義的field會覆蓋filebeat默認的field。
#fields_under_root: false
# 可以指定Filebeat忽略指定時間段以外修改的日誌內容比如2h兩個小時或者5m(5分鐘)。
#ignore_older: 0
# i設定Elasticsearch輸出時的document的type字段也可以用來給日誌進行分類。Default: log
#document_type: log
# Filebeat以多快的頻率去prospector指定的目錄下面檢測文件更新比如是否有新增文件如果設置爲0s則Filebeat會盡可能快地感知更新佔用的CPU會變高。默認是10s。
#scan_frequency: 10s
# 每個harvester監控文件時使用的buffer的大小。
#harvester_buffer_size: 16384
# 日誌文件中增加一行算一個日誌事件max_bytes限制在一次日誌事件中最多上傳的字節數多出的字節會被丟棄。The default is 10MB.
#max_bytes: 10485760
# 適用於日誌中每一條日誌佔據多行的情況比如各種語言的報錯信息調用棧。這個配置的下面包含如下配置
# The regexp Pattern that has to bematched. The example pattern matches all lines starting with [
# multiline.pattern: ^\[
# Defines if the pattern set underpattern should be negated or not. Default is false.
# multiline.negate: false
# Match can be set to "after"or "before". It is used to define if lines should be append to apattern
# that was (not) matched before orafter or as long as a pattern is not matched based on negate.
# Note: After is the equivalent toprevious and before is the equivalent to to next in Logstash
# multiline.match: after
#The maximum number of lines that are combined to one event.
# In case there are more the max_linesthe additional lines are discarded.
# Default is 500
# multiline.max_lines: 500
# After the defined timeout, an multilineevent is sent even if no new pattern was found to start a new event
# Default is 5s.
# multiline.timeout: 5s
# 如果設置爲trueFilebeat從文件尾開始監控文件新增內容把新增的每一行文件作爲一個事件依次發送而不是從文件開始處重新發送所有內容。
#tail_files: false
# Experimental: If symlinks is enabled,symlinks are opened and harvested. The harvester is openening the
# original for harvesting but will reportthe symlink name as source.
#symlinks: false
# Filebeat檢測到某個文件到了EOF之後每次等待多久再去檢測文件是否有更新默認爲1s。
#backoff: 1s
# Filebeat檢測到某個文件到了EOF之後等待檢測文件更新的最大時間默認是10秒。
#max_backoff: 10s
# 定義到達max_backoff的速度默認因子是2到達max_backoff後變成每次等待max_backoff那麼長的時間才backoff一次直到文件有更新纔會重置爲backoff。
#backoff_factor: 2
# Experimental: Max number of harvestersthat are started in parallel.
# Default is 0 which means unlimited
#harvester_limit: 0
#----------------------------- Stdin prospector-------------------------------
# Configuration to use stdin input
#- input_type: stdin
#========================= Filebeat global options============================
# spooler的大小spooler中的事件數量超過這個閾值的時候會清空發送出去不論是否到達超時時間。
# filebeat.spool_size: 2048
# 是否採用異步發送模式(實驗!)
# filebeat.publish_async: false
# spooler的超時時間如果到了超時時間spooler也會清空發送出去不論是否到達容量的閾值。
# filebeat.idle_timeout: 5s
# 記錄filebeat處理日誌文件的位置的文件
# datapath.
# filebeat.registry_file: ${path.data}/registry
# 如果要在本配置文件中引入其他位置的配置文件可以寫在這裏需要寫完整路徑但是隻處理prospector的部分。
# filebeat.config_dir:
# filebeat等待多長時間後publisher關閉,默認0不等待
# filebeat.shutdown_timeout: 0
#================================ General======================================
# 用於發佈網絡數據的shipper名稱. 可以被應用於組
# 所有的事務通過一個shipper發送到web接口
# 默認使用主機名.
#name:
# shipper的標記包含在自己的field中發表事物,通過不同的tags很容易給服務器邏輯分組
#tags: ["service-X","web-tier"]
# 可選字段,您可以指定額外的信息添加到輸出。字段可以是標量值,數組,字典,或任何的嵌套組合
#fields:
# env: staging
# 如果將此選項設置爲true,自定義字段作爲頂級字段存儲在輸出文檔,而不是sub-dictionary分組在一個字段。默認是false。
#fields_under_root: false
# 針對單一事件處理管道內部隊列大小
#queue_size: 1000
# 大部分的內部隊列大小事件的處理管道。
# 不要修改這個值。
#bulk_queue_size: 0
# 設置最大數量的cpu可以同時執行。默認是邏輯系統中可用的cpu的數量。
#max_procs:
#================================ Processors===================================
# 處理器是用來減少字段導出的事件或提高外部元數據的事件。本節定義的列表應用處理器,一個接一個,第一個接收到最初
# event:
#
# event -> filter1 -> event1 ->filter2 ->event2 ...
#
# 支持的處理器drop_fields,drop_event, include_fields, and add_cloud_metadata.
#
# 例如,您可以使用以下處理器保持字段包含CPU負載百分比,但是刪除字段包含CPU屬性
# values:
#
#processors:
#- include_fields:
# fields: ["cpu"]
#- drop_fields:
# fields: ["cpu.user","cpu.system"]
#
# The following example drops theevents that have the HTTP response code 200:
#
#processors:
#- drop_event:
# when:
# equals:
# http.code: 200
#
# 下面的示例豐富每個事件的雲提供商關於主機的元數據。它可以在EC2,GCE,DigitalOcean上運行。
#
#processors:
#- add_cloud_metadata:
#
############################# Output##########################################
# 輸出到數據配置.單個實例數據可以輸出到elasticsearch或者logstash選擇其中一種註釋掉另外一組輸出配置。
### 輸出數據到Elasticsearch
output.elasticsearch:
# IPv6 addresses should always be definedas: https://[2001:db8::1]:9200
hosts: ["localhost:9200"]
# Set gzip compression level.
#compression_level: 0
# 輸出認證.
#protocol: "https"
#username: "elastic"
#password: "changeme"
#字典中的HTTP參數通過url索引操作。
#parameters:
#param1: value1
#param2: value2
# 啓動進程數.
#worker: 1
# 輸出數據到指定index defaultis "filebeat" 可以使用變量[filebeat-]YYYY.MM.DDkeys.
#index: "filebeat-%{+yyyy.MM.dd}"
# 一個模板用於設置在Elasticsearch映射默認模板加載是禁用的,沒有加載模板這些設置可以調整或者覆蓋現有的加載自己的模板
# Set to false to disable template loading.
#template.enabled: true
# Template name. By default the templatename is filebeat.
#template.name: "filebeat"
# Path to template file
#template.path:"${path.config}/filebeat.template.json"
# Overwrite existing template
#template.overwrite: false
# If set to true, filebeat checks theElasticsearch version at connect time, and if it
# is 2.x, it loads the file specified bythe template.versions.2x.path setting. The
# default is true.
#template.versions.2x.enabled: true
# Path to the Elasticsearch 2.x version ofthe template file.
#template.versions.2x.path:"${path.config}/filebeat.template-es2x.json"
# 發送重試的次數取決於max_retries的設置默認爲3
#max_retries: 3
# 單個elasticsearch批量API索引請求的最大事件數。默認是50。
#bulk_max_size: 50
# elasticsearch請求超時事件。默認90秒.
#timeout: 90
# 新事件兩個批量API索引請求之間需要等待的秒數。如果bulk_max_size在該值之前到達額外的批量索引請求生效。
#flush_interval: 1
# 使用https的SSL配置。默認true。
#Use SSL settings for HTTPS. Default is true.
#ssl.enabled: true
# Configure SSL verification mode. If`none` is configured, all server hosts
# and certificates will be accepted. In thismode, SSL based connections are
# susceptible to man-in-the-middle attacks.Use only for testing. Default is
# `full`.
#ssl.verification_mode: full
# List of supported/valid TLS versions. Bydefault all TLS versions 1.0 up to
# 1.2 are enabled.
#ssl.supported_protocols: [TLSv1.0,TLSv1.1, TLSv1.2]
# SSL configuration. By default is off.
# List of root certificates for HTTPSserver verifications
#ssl.certificate_authorities:["/etc/pki/root/ca.pem"]
# Certificate for SSL client authentication
#ssl.certificate:"/etc/pki/client/cert.pem"
# Client Certificate Key
#ssl.key:"/etc/pki/client/cert.key"
# Optional passphrase for decrypting theCertificate Key.
#ssl.key_passphrase: ''
# Configure cipher suites to beused for SSL connections
#ssl.cipher_suites: []
# Configure curve types for ECDHE basedcipher suites
#ssl.curve_types: []
#-----------------------------Logstash output ---------------------------------
### 發送數據到logstash單個實例數據可以輸出到elasticsearch或者logstash選擇其中一種註釋掉另外一組輸出配置。
# output.logstash:
# Logstash 主機地址
#hosts: ["localhost:5044"]
# 配置每個主機發布事件的worker數量。在負載均衡模式下最好啓用。
#worker: 1
# #發送數據壓縮級別
#compression_level: 3
# 如果設置爲TRUE和配置了多臺logstash主機輸出插件將負載均衡的發佈事件到所有logstash主機。
#如果設置爲false輸出插件發送所有事件到隨機的一臺主機上如果選擇的不可達將切換到另一臺主機。默認是false。
#loadbalance: true
# 輸出數據到指定index defaultis "filebeat" 可以使用變量[filebeat-]YYYY.MM.DDkeys.
#index: filebeat
# Number of batches to be sendasynchronously to logstash while processing new batches.
#pipelining: 0
# SOCKS5 proxy server URL
#proxy_url: socks5://user:password@socks5-server:2233
# Resolve names locally when using a proxy server. Defaults to false.
#proxy_use_local_resolver: false
# Enable SSL support. SSL is automatically enabled, if any SSL settingis set.
#ssl.enabled: true
# Configure SSL verification mode. If `none` is configured, all serverhosts
# and certificates will be accepted. In this mode, SSL based connectionsare
# susceptible to man-in-the-middle attacks. Use only for testing.Default is
# `full`.
#ssl.verification_mode: full
# List of supported/valid TLS versions. By default all TLS versions 1.0up to
# 1.2 are enabled.
#ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
# Optional SSL configuration options. SSL is off by default.
# List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
#ssl.key: "/etc/pki/client/cert.key"
# Optional passphrase for decrypting the Certificate Key.
#ssl.key_passphrase: ''
# Configure cipher suites to be used for SSL connections
#ssl.cipher_suites: []
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []
### Console output 標準輸出JSON 格式。
# console:
#如果設置爲TRUE事件將很友好的格式化標準輸出。默認false。
#pretty: false
#------------------------------- File output-----------------------------------
#output.file:
# Boolean flag to enable ordisable the output module.
#enabled: true
# Path to the directorywhere to save the generated files. The option is
# mandatory.
#path:"/tmp/filebeat"
# Name of the generatedfiles. The default is `filebeat` and it generates
# files: `filebeat`,`filebeat.1`, `filebeat.2`, etc.
#filename: filebeat
# Maximum size in kilobytesof each file. When this size is reached, and on
# every filebeat restart,the files are rotated. The default value is 10240
# kB.
#rotate_every_kb: 10000
# Maximum number of filesunder path. When this number of files is reached,
# the oldest file is deletedand the rest are shifted from last to first. The
# default is 7 files.
#number_of_files: 7
############################# Logging#########################################
# 配置beats日誌。日誌可以寫入到syslog也可以是輪滾日誌文件。默認是syslog。
# 設置日誌級別,默認是info,可選:critical, error, warning, info, debug
#logging.level:info
# 爲所選組件啓用調試輸出. 默認["*"]
# 其它可選selectors: "beat", "publish", "service"
#Multiple selectors can be chained.
#logging.selectors:[ ]
# 如果啓用發送所有日誌到系統日誌。
# logging. to_syslog: true
# 如果啓用,filebeat定期記錄其內部指標,改變了過去。對於每個指標改變,δ值的記錄的開始時期。同時,所有內部指標非零總值登錄關閉。默認是true。
#logging.metrics.enabled:true
# 記錄內部指標的週期。The default is 30s.
#logging.metrics.period:30s
# 日誌發送到輪滾文件。
logging.to_files: true
logging.files:
# 日誌文件目錄。
#path: /var/log/filebeat
# 日誌文件名稱
#name: filebeat
# 日誌文件的最大大小。默認 10485760(10 MB)。
rotateeverybytes: 10485760 # = 10MB
# 保留日誌週期。 默認 7。值範圍爲2 到 1024。
#keepfiles: 7