ES集群地址
10.0.0.91:9200
10.0.0.92:9200
10.0.0.93:9200
启用模块
root@elk92:~# filebeat modules enable tomcat
修改模块配置文件
#启用
root@elk93:~# filebeat modules enable tomcat
#修改
root@elk93:~# vim /etc/filebeat/modules.d/tomcat.yml
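# Filebeat tomcat module, "log" fileset, reading the access log from disk.
- module: tomcat
  log:
    enabled: true
    # Read from files rather than a network input.
    var.input: file
    # Must match the AccessLogValve directory and suffix set in server.xml
    # (directory="logs", suffix=".json").
    var.paths:
      - /usr/local/apache-tomcat-11.0.5/logs/*.json
    # Timezone offset applied to timestamps that carry no zone of their own.
    var.tz_offset: +08:00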
更改Tomcat的日志格式
我是采用的二进制部署Tomcat的
更改配置文件,添加/修改host
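root@elk93:~# vim /usr/local/apache-tomcat-11.0.5/conf/server.xml
<Host name="tomcat.dezyan.com" appBase="webapps"
      unpackWARs="true" autoDeploy="true">
  <!-- JSON access log. The pattern sits inside a double-quoted XML attribute,
       so every inner double quote is written as &quot;. A bare " would end
       the attribute early and server.xml would fail to parse.
       %r, %q, %u, %{Referer}i and %{User-Agent}i are client-controlled:
       confirm that this Tomcat version escapes quotes and control characters
       in them, and treat the fields as untrusted in Elasticsearch and Kibana.
       %r and %q record the full query string, which can carry tokens or
       other secrets. Restrict read access to the log files and to the index. -->
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
         prefix="tomcat.oldboyedu.com_access_log" suffix=".json"
         pattern="{&quot;clientip&quot;:&quot;%h&quot;,&quot;ClientUser&quot;:&quot;%l&quot;,&quot;authenticated&quot;:&quot;%u&quot;,&quot;AccessTime&quot;:&quot;%t&quot;,&quot;request&quot;:&quot;%r&quot;,&quot;status&quot;:&quot;%s&quot;,&quot;SendBytes&quot;:&quot;%b&quot;,&quot;Query?string&quot;:&quot;%q&quot;,&quot;partner&quot;:&quot;%{Referer}i&quot;,&quot;http_user_agent&quot;:&quot;%{User-Agent}i&quot;}"/>
</Host>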
Filebeat实例
root@elk92:~# vim /etc/filebeat/config/03-modules-tomcat-to-es.yaml
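# Load only the tomcat module definition and pick up edits without a restart.
filebeat.config.modules:
  path: ${path.config}/modules.d/tomcat.yml
  reload.enabled: true

output.elasticsearch:
  # Hosts without a scheme are contacted over plain HTTP, and no credentials
  # are configured, so this works only against a cluster with security
  # disabled. For a secured cluster use https:// URLs, set
  # ssl.certificate_authorities, and authenticate with an api_key (or
  # username/password) limited to the privileges Filebeat needs on dezyan-*.
  hosts:
    - 10.0.0.91:9200
    - 10.0.0.92:9200
    - 10.0.0.93:9200
  index: dezyan-modules-tomcat-%{+yyyy.MM.dd}

# A custom index name requires ILM to be off and a matching template
# name and pattern.
setup.ilm.enabled: false
setup.template.name: "dezyan"
setup.template.pattern: "dezyan-*"
setup.template.overwrite: true
setup.template.settings:
  index.number_of_shards: 5
  # 0 replicas keeps a single copy of each shard. Losing a node loses the
  # access-log data stored on it.
  index.number_of_replicas: 0

root@elk92:~# filebeat -e -c /etc/filebeat/config/03-modules-tomcat-to-es.yaml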