filebeat安装配置(Linux系统)

按照规划表修改配置：

执行步骤：

1、核对统一nginx日志格式：

log_format access
      '{"@timestamp":"$time_iso8601",'
      '"host":"$hostname",'
      '"server_ip":"$server_addr",'
      '"client_ip":"$remote_addr",'
      '"xff":"$http_x_forwarded_for",'
      '"domain":"$host",'
      '"url":"$uri",'
      '"referer":"$http_referer",'
      '"args":"$args",'
      '"upstreamtime":"$upstream_response_time",'
      '"responsetime":"$request_time",'
      '"request_method":"$request_method",'
      '"status":"$status",'
      '"size":"$body_bytes_sent",'
      '"request_body":"$request_body",'
      '"request_length":"$request_length",'
      '"protocol":"$server_protocol",'
      '"upstreamhost":"$upstream_addr",'
      '"file_dir":"$request_filename",'
      '"http_user_agent":"$http_user_agent"'
    '}';
    access_log  /var/log/nginx/access.log  access;

2、解压文件：

tar zxvf filebeat-7.2.1-linux-x86_64.tar.gz
mv filebeat-7.2.1-linux-x86_64 filebeat

3、修改配置：

cat > /data/filebeat/nginx.yml << EOF
filebeat.inputs:
- type: log
  enabled: true
  paths:
   - /data/nginx/logs/access.log
  fields:
    kafka_topic: nginxlog
  fields_under_root: true
  encoding: plain
  tail_files: false
  json.keys_under_root: true
  json.overwrite_keys: true
  json.add_error_key: true
  scan_frequency: 3s
  backoff: 1s
  max_backoff: 5s
  backoff_factor: 2

output.kafka:
  enabled: true
  hosts: ['10.10.38.5:9092','10.10.38.6:9092']
  topic: '%{[kafka_topic]}'
EOF

4、启动程序在后台运行：

nohup /data/filebeat/filebeat -c /data/filebeat/nginx.yml &

5、验证服务是否在运行：

# ps -ef | grep filebeat
root 604 20874 5 16:47 pts/0 00:00:01 /data/filebeat/filebeat -c /data/filebeat/nginx.yml
root 1406 20874 0 16:48 pts/0 00:00:00 grep --color=auto filebeat

6、添加开机自启（该命令未验证可用性）

echo "nohup /data/filebeat/filebeat -c /data/filebeat/nginx.yml &" >> /etc/rc.d/rc.local
chmod +x /etc/rc.d/rc.local

注意事项：

最后注意，退出使用exit退出断开连接，我使用finalshell直接断开标签链接后，后台filebeat进程会自动退出的Bug，请注意检查！