1.配置收集日志到文件

[root@web01 ~]# vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enable: true
  paths:
    - /var/log/nginx/access.log
output.file:
  path: "/tmp"
  filename: "filebeat.log"

2.配置收集日志到ES

[root@web01 ~]# vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enable: true
  paths:
    - /var/log/nginx/access.log
output.elasticsearch:
  hosts: ["10.0.0.51:9200"]

3.配置收集日志为json格式

1）配置

#由于收集日志内容还是写到了message，没有办法作图
[root@web01 ~]# vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enable: true
  paths:
    - /var/log/nginx/access.log
  json.keys_under_root: true
  json.overwrite_keys: true
output.elasticsearch:
  hosts: ["10.0.0.51:9200"]

2）修改Nginx日志格式

#filebeat只支持某种json格式写法
[root@web01 ~]# vim /etc/nginx/nginx.conf
... ...
    log_format log_json ‘{ "time_local": "$time_local", ‘
                        ‘"remote_addr": "$remote_addr", ‘
                        ‘"referer": "$http_referer", ‘
                        ‘"request": "$request", ‘
                        ‘"status": $status, ‘
                        ‘"bytes": $body_bytes_sent, ‘
                        ‘"agent": "$http_user_agent", ‘
                        ‘"x_forwarded": "$http_x_forwarded_for", ‘
                        ‘"up_addr": "$upstream_addr",‘
                        ‘"up_host": "$upstream_http_host",‘
                        ‘"upstream_time": "$upstream_response_time",‘
                        ‘"request_time": "$request_time" }‘;
 ... ...

3）重启

1.重启Nginx
2.重启Filebeat
3.删除原来的索引
4.清空Nginx日志

Filebeat收集单个日志&json格式