filebeat.yml配置和logstash.conf-chengxuyonghu-ChinaUnix博客

chengxuyonghu

首页　| 　博文目录　| 　关于我

chengxuyonghu

博客访问： 1785447
博文数量： 636
博客积分： 0
博客等级：民兵
技术积分： 3950
用户组：普通用户
注册时间： 2014-08-06 21:58

个人简介

博客是我工作的好帮手，遇到困难就来博客找资料

文章分类

全部博文（636）

运维（20）
法务（11）
未分配的博文（605）

文章存档

2024年（5）

2022年（2）

2021年（4）

2020年（40）

2019年（4）

2018年（78）

2017年（213）

2016年（41）

2015年（183）

2014年（66）

我的朋友

相关博文

filebeat.yml配置和logstash.conf

分类：系统运维

2017-02-08 15:15:35

#!/bin/bash

/home/haoren/data/logstash-5.0.2/bin/logstash -f afactivityserver.conf &

(1)

filebeat.prospectors:

- input_type: log

paths:

- /log/abcbillserver.log

#- /home/haoren/data/filebeat-5.0.2-linux-x86_64/test.log

encoding: gbk

symlinks: true

include_lines: ['\[.*?统计\]','\[.*?结算\]']

document_type: billbijiesuan

fields_under_root: true

fields:

host: 192.168.10.7

processors:

- drop_fields:

#fields: ["beat.hostname", "beat.name", "beat.version", "input_type", "beat"]

fields: ["input_type", "beat", "offset", "source"]

output.redis:

enabled: true

hosts: ["192.168.10.8"]

password: "A8841c09BAD52E63067C4DA"

port: 6379

datatype: list

key: "filebeat"

db: 0

output.file:

enabled: false

path: "/tmp/filebeat"

output.console:

enabled: false

(2)

filebeat.prospectors:

- input_type: log

paths:

- /log/cactivityserver.log

#- /home/haoren/data/filebeat-5.0.2-linux-x86_64/test.log

encoding: gbk

symlinks: true

include_lines: ['\[.*?统计\]','\[.*?结算\]']

document_type: activityserver

fields_under_root: true

fields:

host: 192.168.10.13

- input_type: log

paths:

- /log/fvchannelserver.log

#- /home/haoren/data/filebeat-5.0.2-linux-x86_64/test.log

encoding: gbk

symlinks: true

include_lines: ['\[.*?统计\]','\[.*?结算\]']

document_type: vchannelserver

fields_under_root: true

fields:

host: 192.168.10.13

processors:

- drop_fields:

#fields: ["beat.hostname", "beat.name", "beat.version", "input_type", "beat"]

fields: ["input_type", "beat", "offset", "source"]

output.redis:

enabled: true

hosts: ["192.168.10.8"]

password: "A8841c09BAD52E63067C4DA"

port: 6379

datatype: list

key: "filebeat"

db: 0

output.file:

enabled: false

path: "/tmp/filebeat"

output.console:

enabled: false

#数据从Redis写入到ES中

192.168.10.8中的

cd /home/haoren/data/logstash-5.0.2

[haoren@IM-SJ01-Server18 logstash-5.0.2]$ ll
总用量 276
drwxrwxr-x 2 haoren haoren 4096 11月 30 15:34 bin
-rw-rw-r-- 1 haoren haoren 111731 11月 24 18:22 CHANGELOG.md
drwxrwxr-x 2 haoren haoren 4096 12月 1 22:25 config
-rw-rw-r-- 1 haoren haoren 2249 11月 24 18:22 CONTRIBUTORS
drwxrwxr-x 2 haoren haoren 4096 11月 24 18:22 data
-rwxrwxr-x 1 haoren haoren 1125 4月 7 18:06 Del-logstash-log.sh
-rw-r--r-- 1 haoren haoren 7385 1月 12 11:57 filebeat.20170112
-rw-rw-r-- 1 haoren haoren 2636 1月 12 11:47 filebeat20170112.txt
-rw-r--r-- 1 haoren haoren 2534 12月 9 21:06 filebeat.bak
-rw-r--r-- 1 haoren haoren 9011 2月 8 20:16 filebeat.conf
-rw-r--r-- 1 haoren haoren 5130 1月 11 16:20 filebeat.conf.20170111.bak
-rw-r--r-- 1 haoren haoren 6163 1月 11 16:20 filebeat.conf.20170112.bak
-rw-r--r-- 1 haoren haoren 7853 2月 8 20:16 filebeat.conf.20170208.bak
-rw-r--r-- 1 haoren haoren 7390 1月 18 10:31 filebeat.conf.2070118.bak
-rw-r--r-- 1 haoren haoren 3457 12月 20 16:28 filebeat.conf.bak
-rw-rw-r-- 1 haoren haoren 2636 1月 12 11:47 filebeat.json
-rwxrwxr-x 1 haoren haoren 78 12月 6 18:33 filebeat.sh
-rw-r--r-- 1 haoren haoren 292 1月 11 21:31 filebeat.txt
-rw-rw-r-- 1 haoren haoren 3686 11月 24 18:26 Gemfile
-rw-rw-r-- 1 haoren haoren 20837 11月 24 18:22 Gemfile.jruby-1.9.lock
drwxrwxr-x 5 haoren haoren 4096 11月 30 15:34 lib
-rw-rw-r-- 1 haoren haoren 589 11月 24 18:22 LICENSE
drwxrwxr-x 2 haoren haoren 4096 4月 20 08:47 logs
-rw-rw-r-- 1 haoren haoren 555 12月 20 16:27 logstash.conf
drwxrwxr-x 5 haoren haoren 4096 11月 30 15:34 logstash-core
drwxrwxr-x 3 haoren haoren 4096 11月 30 15:34 logstash-core-event-java
drwxrwxr-x 3 haoren haoren 4096 11月 30 15:34 logstash-core-plugin-api
-rwxrwxr-x 1 haoren haoren 78 11月 30 17:40 logstash.sh
-rw-rw-r-- 1 haoren haoren 149 11月 24 18:22 NOTICE.TXT
drwxrwxr-x 4 haoren haoren 4096 11月 30 15:34 vendor

[haoren@IM-SJ01-Server18 logstash-5.0.2]$ cat logstash.sh
#!/bin/bash
/home/haoren/data/logstash-5.0.2/bin/logstash -f logstash.conf &

[haoren@IM-SJ01-Server18 logstash-5.0.2]$ cat logstash.conf
input {

redis {

host => ["192.168.10.8"]

port => 6379

password => "A8841c09BAD52E63067C4DA"

data_type => "list"

key => "logstash"

codec => json {

charset => "UTF-8"

}

filter {

ruby {

code=>"event.set('daytag',event.timestamp.time.localtime.strftime('%Y.%m.%d'))"

}

output {

elasticsearch {

hosts => ["127.0.0.1:19200"]

index => "%{type}-%{daytag}"

#index => "%{type}-%{+yyyy.MM.dd}"

user => "logstashserver"

password => "A950C0FB2D833E42C1AC59210CD5CDF8"

}

[haoren@IM-SJ01-Server18 logstash-5.0.2]$ cat filebeat.sh
#!/bin/bash

/home/haoren/data/logstash-5.0.2/bin/logstash -f filebeat.conf &

[haoren@IM-SJ01-Server18 logstash-5.0.2]$ cat filebeat.conf
input {
redis {
host => ["192.168.10.8"]
port => 6379
password => "A8841c09BAD52E63067C4DA"
data_type => "list"
key => "filebeat"
codec => json {
charset => "UTF-8"
}
}
#file {
# path => "/home/haoren/data/logstash-5.0.2/filebeat.txt"
# codec => plain {
# charset => "GBK"
# }
# start_position => "beginning"
# sincedb_path => "/dev/null"
# type => "pchannelserver"
#}
#file {
# path => "/home/haoren/data/logstash-5.0.2/filebeat.json"
# codec => json {
# charset => "UTF-8"
# }
# start_position => "beginning"
# sincedb_path => "/dev/null"
# type => "pchannelserver"
#}
}

filter {
if( [type] == "sessionserver" ){
if( [message] =~ "登陆统计"){
mutate {replace => { "type" => "userlogin" }}
grok {
#161206-16:00:00 SS[4306] TRACE: [登陆统计]收到角色(82559870)登陆(PC)IP(124.239.95.209)MAC(52229449286)机器ID(454070640)渠道(0)gameid(6)端口(3889)登陆类型(1)
match => [ "message", "(?(?>\d{6}-\d\d:\d\d:\d\d)) SS\[\d+\].*?TRACE: \[登陆统计\]收到角色$%{NUMBER:userid:int}$登陆$%{DATA:sclient}$IP$%{DATA:sip}$MAC$%{DATA:smac}$机器ID$%{NUMBER:mid:int}$渠道$%{NUMBER:apkid:int}$gameid$%{NUMBER:gameid:int}$端口$%{NUMBER:port:int}$登陆类型$%{NUMBER:logintype:int}$"]
}
}
else if ([message] =~ "注册统计"){
mutate {replace => { "type" => "userreg" }}
grok{
#161205-15:33:22 SS[4306] TRACE: [注册统计]用户(87475178)注册(Android)渠道(8)账号(_wx_omj_avq_nz8obsk6yy5dsmfrlfmk)
match => [ "message", "(?(?>\d{6}-\d\d:\d\d:\d\d)) SS\[\d+\].*?TRACE: \[注册统计\]用户$%{NUMBER:userid:int}$注册$%{DATA:sclient}$渠道$%{NUMBER:apkid:int}$账号$%{DATA:saccount}$" ]
}
}
#else{
# drop{}
#}
}
else if( [type] == "activityserver" ){
if( [message] =~ "用户注册渠道奖励统计"){
mutate {replace => { "type" => "actvityregreward" }}
grok {
#161212-10:17:29 ActivityServer[17702] INFO: [UserRegisterReward.cpp:90] [用户注册渠道奖励统计]用户(87582819)客户端(0)注册渠道(1001)机器码(476931654)奖励包裹(77)个数(100)当日奖励(100)上限(1000000)
match => [ "message", "(?(?>\d{6}-\d\d:\d\d:\d\d)) ActivityServer\[\d+\].*?INFO: .*?\[用户注册渠道奖励统计\]用户$%{NUMBER:userid:int}$客户端$%{NUMBER:client:int}$注册渠道$%{NUMBER:apkid:int}$机器码$%{NUMBER:mid:int}$奖励包裹$%{NUMBER:packid:int}$个数$%{NUMBER:num:int}$当日奖励$%{NUMBER:todaynum:int}$上限$%{NUMBER:maxnum:int}$\)"]
}
}
else if( [message] =~ "充值礼包统计"){
mutate {replace => { "type" => "activityrechargebag" }}
grok {
#161220-17:02:53 ActivityServer[17700] INFO: [ActivityRechargeBag.cpp:559] [充值礼包统计]用户(60163778)获得(8800)礼包类型(2)用户获得( 1029:1)消费者获得( 1062:688)
match => [ "message", "(?(?>\d{6}-\d\d:\d\d:\d\d)) ActivityServer\[\d+\].*?INFO: \[.*?\] \[充值礼包统计\]用户$%{NUMBER:userid:int}$获得$%{NUMBER:pid:int}$礼包类型$%{NUMBER:ptype:int}$用户获得$%{DATA:userget}$消费者获得$%{DATA:singerget}$"]
}
}
else if( [message] =~ "16年度盛典消费统计"){
mutate {replace => { "type" => "activitymodules" }}
grok {
#161220-17:05:31 ActivityServer[17702] INFO: [ActivityModules.cpp:837][2016购物活动] [16年度盛典消费统计]用户(84795176)购物平台(65780103)消费者(65780103)个数(20)礼物(92)价值(0)原分数(385399)增加分数(20)现分数(385419)淘汰(0)新旧(0)
match => [ "message", "(?(?>\d{6}-\d\d:\d\d:\d\d)) ActivityServer\[\d+\] INFO: \[.*?\]\[2016购物活动\] \[16年度盛典消费统计\]用户$%{NUMBER:userid:int}$购物平台$%{NUMBER:channelid:int}$消费者$%{NUMBER:singerid:int}$个数$%{NUMBER:num:int}$礼物$%{NUMBER:itemid:int}$价值$%{NUMBER:coin:int}$原分数$%{NUMBER:oldscore:int}$增加分数$%{NUMBER:addscore:int}$现分数$%{NUMBER:nowscore:int}$淘汰$%{NUMBER:out:int}$新旧$%{NUMBER:isnew:int}$"]
}
}

}
else if( [type] == "vchannelserver" ){
if( [message] =~ "进出购物平台统计"){
mutate {replace => { "type" => "vchannelin" }}
grok {
#170109-12:59:39 VChannelServer[15000] INFO: [Channel.cpp:414] [进出购物平台统计]用户(22016998)(进入)购物平台(3998186)端(0)渠道(0)IMState(6)机器ID(246418457)消费者(87261227)游客(0)
#170109-12:59:40 VChannelServer[15000] INFO: [Channel.cpp:414] [进出购物平台统计]用户(83735196)(离开)购物平台(4029779)端(3)渠道(0)IMState(13)机器ID(0)消费者(0)游客(0)
#170118-09:59:58 VChannelServer[15001] INFO: [Channel.cpp:417] [进出购物平台统计]用户(87455625)(进入)购物平台(3830989)端(3)渠道(2017)IMState(13)机器ID(0)消费者(65256549)游客(0)游戏id(0)
#170118-09:59:59 VChannelServer[15001] INFO: [Channel.cpp:417] [进出购物平台统计]用户(3015482583)(离开)购物平台(3830989)端(0)渠道(0)IMState(13)机器ID(0)消费者(65256549)游客(1)游戏id(0)
match => [ "message", "(?(?>\d{6}-\d\d:\d\d:\d\d)) VChannelServer\[\d+\] INFO: \[.*?\] \[进出购物平台统计\]用户$%{NUMBER:userid:int}$$%{DATA:sop}$购物平台$%{NUMBER:channelid:int}$端$%{NUMBER:client:int}$渠道$%{NUMBER:apkid:int}$IMState$%{NUMBER:imstate:int}$机器ID$%{NUMBER:mid:int}$消费者$%{NUMBER:singerid:int}$游客$%{NUMBER:istemp:int}$游戏id$%{NUMBER:gameid:int}$"]
}
}
}
else if( [type] == "pchannelserver" ){
if( [message] =~ "进出购物平台统计"){
mutate {replace => { "type" => "pchannelin" }}
grok {
#170111-00:00:17 PChannelServer[18701] INFO: [进出购物平台统计]用户(88464974)(进入)购物平台(86972527)端(0)渠道(0)IMState(6)机器ID(0)消费者(86972527)游客(0)
#170111-00:00:43 PChannelServer[18701] INFO: [进出购物平台统计]用户(88464904)(退出)购物平台(86972527)端(0)渠道(0)IMState(6)机器ID(0)消费者(86972527)游客(0)
match => [ "message", "(?(?>\d{6}-\d\d:\d\d:\d\d)) PChannelServer\[\d+\] INFO: \[进出购物平台统计\]用户$%{NUMBER:userid:int}$$%{DATA:sop}$购物平台$%{NUMBER:channelid:int}$端$%{NUMBER:client:int}$渠道$%{NUMBER:apkid:int}$IMState$%{NUMBER:imstate:int}$机器ID$%{NUMBER:mid:int}$消费者$%{NUMBER:singerid:int}$游客$%{NUMBER:istemp:int}$"]
}
}
}

else if( [type] == "billserver" ){
if( [message] =~ "人民币统计"){
mutate {replace => { "type" => "dubijiesuan" }}
grok {
#170208-10:00:28 Bill[40268] INFO: [人民币结算]时间(1486519228),用户ID(30581009),原来人民币(12567),现在人民币(16567),人民币操作(1),增加(4000),操作类型(19),操作详情(2),操作数量(0).描述:通用人民币操作
#170208-10:00:01 Bill[40268] INFO: [人民币结算]时间(1486519201),用户ID(22327945),原来人民币(2572),现在人民币(2532),人民币操作(2),扣除(40),操作类型(19),操作详情(15),操作数量(0).描述:通用人民币操作
match => [ "message", "(?(?>\d{6}-\d\d:\d\d:\d\d)) Bill\[\d+\] INFO: \[人民币结算\]时间$%{NUMBER:time:int}$,用户ID$%{NUMBER:userid:int}$,原来人民币$%{NUMBER:oldcoin:int}$,现在人民币$%{NUMBER:currentcoin:int}$,人民币操作$%{NUMBER:coinop:int}$,%{DATA:sop}$%{NUMBER:coinnum:int}$,操作类型$%{NUMBER:optype:int}$,操作详情$%{NUMBER:opdetail:int}$,操作数量$%{NUMBER:opnum:int}$.描述:%{DATA:sinfo}"]
}
}
}

else{
drop{}
}
date {
match => ["datetime", "yyMMdd-HH:mm:ss"]
}
ruby {
code => "event.timestamp.time.localtime"
}
ruby {
code => "event.set('daytag',event.timestamp.time.localtime.strftime('%Y.%m.%d'))"
remove_field => ["tags"]
}
}

output {
#stdout {
# codec => plain {
# charset => "UTF-8"
# #charset => "GBK"
# }
#}
#file {
# path => "/tmp/logstash.log"
# codec => json {
# charset => "UTF-8"
# }
#}
elasticsearch {
hosts => ["127.0.0.1:9200"]
index => "%{type}-%{daytag}"
#index => "%{type}-%{+yyyy.MM.dd}"
user => "logstashserver"
password => "33E42C1AC59210CD5CDF8"
}
}

cat /home/haoren/data/logstash-5.0.2/billserver.conf

input {
file {
path => "/log/abcbillserver.log"
codec => plain {
charset => "GBK"
}
#start_position => "beginning"
#sincedb_path => "/dev/null"
type => "billserver"
}
}

filter {
if ([message] =~ "人民币统计"){
mutate {replace => { "type" => "dubijiesuan" }}
grok {
#170208-10:00:28 Bill[40268] INFO: [人民币结算]时间(1486519228),用户ID(30581009),原来人民币(12567),现在人民币(16567),人民币操作(1),增加(4000),操作类型(19),操作详情(2),操作数量(0).描述:通用人民币操作
#170208-10:00:01 Bill[40268] INFO: [人民币结算]时间(1486519201),用户ID(22327945),原来人民币(2572),现在人民币(2532),人民币操作(2),扣除(40),操作类型(19),操作详情(15),操作数量(0).描述:通用人民币操作
match => [ "message", "(?(?>\d{6}-\d\d:\d\d:\d\d)) Bill\[\d+\] INFO: \[人民币结算\]时间$%{NUMBER:time:int}$,用户ID$%{NUMBER:userid:int}$,原来人民币$%{NUMBER:oldcoin:int}$,现在人民币$%{NUMBER:currentcoin:int}$,人民币操作$%{NUMBER:coinop:int}$,%{DATA:sop}$%{NUMBER:coinnum:int}$,操作类型$%{NUMBER:optype:int}$,操作详情$%{NUMBER:opdetail:int}$,操作数量$%{NUMBER:opnum:int}$.描述:%{DATA:sinfo}"]
}
}
else{
drop{}
}
date {
match => ["datetime", "yyMMdd-HH:mm:ss"]
#timezone => ["Asia/Hong_Kong"]
#remove_field => ["time"]
}
ruby {
code => "event.timestamp.time.localtime"
}
mutate {
#some pc no host
replace => { "host" => "192.168.10.7" }
}
}

output {
#stdout {
# codec => plain {
# charset => "UTF-8"
# #charset => "GBK"
# }
#}
#file {
# path => "/tmp/logstash.log"
# codec => json {
# charset => "UTF-8"
# }
#}
redis {
host => ["192.168.10.18"]
port => 6379
data_type => "list"
key => "logstash"
password => "A8841c09BAD52E63067C4DA"
codec => json {
charset => "UTF-8"
}
}
}

cat /home/haoren/data/logstash-5.0.2/activityserver.conf

input {
file {
path => "/log/aactivityserver.log"
codec => plain {
charset => "GBK"
}
#start_position => "beginning"
#sincedb_path => "/dev/null"
type => "aactivityserver"
}
}

filter {
if ([message] =~ "运统计"){
mutate {replace => { "type" => "activityescort" }}
grok {
#161201-13:12:28 ActivityServer[17701] INFO: [Escort.cpp:595] [统计]序号(53)用户(23619530)(攻)值(4360)暴击率(4)使用道具(57)本次花费(0)本总花费(0)车原始量(1706792)剩余量(1702432)总值(4360)
match => [ "message", "(?(?>\d{6}-\d\d:\d\d:\d\d)) ActivityServer\[\d+\].*?INFO: \[.*?\] \[运镖统计\]序号$%{NUMBER:carid:int}$用户$%{NUMBER:userid:int}$$%{DATA:sop}$.*?$%{NUMBER:itemvalue:int}$暴击率$%{NUMBER:baoji:int}$使用道具$%{NUMBER:itemid:int}$本次花费$%{NUMBER:coin:int}$本总花费$%{NUMBER:allusercoin:int}$车原始量$%{NUMBER:oldblood:int}$剩余量$%{NUMBER:blood:int}$总值$%{NUMBER:allvalue:int}$"]
}
}
else if ([message] =~ "运通用奖励"){
mutate {replace => { "type" => "activityescort" }}
grok {
#161201-13:15:16 ActivityServer[17701] INFO: [运]序号(54), [运通用奖励] 用户(21772699)奖励方式(0)奖励类型(34)购物车ID(61)数量(16)
match => [ "message", "(?(?>\d{6}-\d\d:\d\d:\d\d)) ActivityServer\[\d+\] INFO: \[运\]序号$%{NUMBER:carid:int}$, \[运通用奖励\] 用户$%{NUMBER:userid:int}$奖励方式$%{NUMBER:method:int}$奖励类型$%{NUMBER:addtype:int}$包裹ID$%{NUMBER:itemid:int}$数量$%{NUMBER:num:int}$"]
}
}
else{
drop{}
}
date {
match => ["datetime", "yyMMdd-HH:mm:ss"]
#timezone => ["Asia/Hong_Kong"]
#remove_field => ["time"]
}
ruby {
code => "event.timestamp.time.localtime"
}
mutate {
#some pc no host
replace => { "host" => "192.168.10.13" }
}
}

output {
#stdout {
# codec => plain {
# charset => "UTF-8"
# #charset => "GBK"
# }
#}
#file {
# path => "/tmp/logstash.log"
# codec => json {
# charset => "UTF-8"
# }
#}
redis {
host => ["192.168.10.8"]
port => 6379
data_type => "list"
key => "logstash"
password => "A8841c09BAD52E63067C4DA"
codec => json {
charset => "UTF-8"
}
}
}

cat /home/haoren/data/filebeat-5.0.2-linux-x86_64/filebeat.yml

filebeat.prospectors:
- input_type: log
paths:
- /log/billserver.log
#- /home/haoren/data/filebeat-5.0.2-linux-x86_64/test.log
encoding: gbk
symlinks: true
include_lines: ['\[.*?统计\]','\[.*?结算\]']
document_type: billserver
fields_under_root: true
fields:
host: 192.168.10.7

processors:
- drop_fields:
#fields: ["beat.hostname", "beat.name", "beat.version", "input_type", "beat"]
fields: ["input_type", "beat", "offset", "source"]

output.redis:
enabled: true
hosts: ["192.168.10.18"]
password: "A8841c09BAD52E63067C4DA"
port: 6379
datatype: list
key: "filebeat"
db: 0

output.file:
enabled: false
path: "/tmp/filebeat"

output.console:
enabled: false

阅读(2081) | 评论(0) | 转发(0) |

上一篇：Zeppelin0.5.6使用spark解释器

下一篇：部署维护docker环境

给主人留下些什么吧！~~

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6