2025-10-21
ELK

Contents

1. Write the Filebeat configuration file
2. Viewed this way, the fields are not split out

1. Write the Filebeat configuration file

```yml
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /usr/local/nginx/logs/access.log*
    tags: ["access"]
    fields:
      name: "access"
  - type: log
    enabled: true
    paths:
      - /usr/local/nginx/logs/error.log*
    tags: ["error"]
    fields:
      name: "error"
    fields_under_root: true

output.elasticsearch:
  enabled: true
  hosts: ["http://192.168.201.112:9200", "http://192.168.201.113:9200", "http://192.168.201.114:9200"]
  index: "nginx-elk-%{+yyyy.MM.dd}"
  indices:
    - index: "nginx-elk-access-%{+yyyy.MM.dd}"
      when.contains:
        tags: "access"
    - index: "nginx-elk-error-%{+yyyy.MM.dd}"
      when.contains:
        tags: "error"

# Disable index lifecycle management
setup.ilm.enabled: false
# Set the index template
# Note: the pattern must match the index names above (nginx-elk-*) for the template settings to apply
setup.template.name: "mysongxuan-elk"
setup.template.pattern: "mysongxuan-elk*"
# Overwrite the index template if it already exists
setup.template.overwrite: true
# Index template shard settings
setup.template.settings:
  # Number of primary shards
  index.number_of_shards: 3
  # Number of replicas
  index.number_of_replicas: 0
```

Start Filebeat on the nginx server:

```bash
filebeat -e -c /etc/filebeat/filebeat.yml
```

Then go to index management and create the index pattern. Finally, check that the configuration is complete.

2. Viewed this way, the fields are not split out

Modify nginx.conf:

```nginx
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    include songxuan.conf;  # include an external configuration file

    # Define a JSON log format
    log_format json_combined escape=json
        '{'
        '"timestamp":"$time_iso8601",'
        '"remote_addr":"$remote_addr",'
        '"remote_user":"$remote_user",'
        '"request":"$request",'
        '"status": "$status",'
        '"body_bytes_sent":"$body_bytes_sent",'
        '"request_time":"$request_time",'
        '"http_referer":"$http_referer",'
        '"http_user_agent":"$http_user_agent",'
        '"http_x_forwarded_for":"$http_x_forwarded_for"'
        '}';

    # Set the access log path and format
    access_log /usr/local/nginx/logs/access.log json_combined;
    error_log /usr/local/nginx/logs/error.log;
}
```

```yml
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /usr/local/nginx/logs/access.log*
    tags: ["access"]
    # Decode each line as JSON
    json.keys_under_root: true
    json.add_error_key: true
    fields:
      name: "access"
  - type: log
    enabled: true
    paths:
      - /usr/local/nginx/logs/error.log*
    tags: ["error"]
    fields:
      name: "error"
    fields_under_root: true

output.elasticsearch:
  enabled: true
  hosts: ["http://192.168.201.112:9200", "http://192.168.201.113:9200", "http://192.168.201.114:9200"]
  index: "nginx-elk-%{+yyyy.MM.dd}"
  indices:
    - index: "nginx-elk-access-%{+yyyy.MM.dd}"
      when.contains:
        tags: "access"
    - index: "nginx-elk-error-%{+yyyy.MM.dd}"
      when.contains:
        tags: "error"

# Disable index lifecycle management
setup.ilm.enabled: false
# Set the index template
# Note: the pattern must match the index names above (nginx-elk-*) for the template settings to apply
setup.template.name: "mysongxuan-elk"
setup.template.pattern: "mysongxuan-elk*"
# Overwrite the index template if it already exists
setup.template.overwrite: true
# Index template shard settings
setup.template.settings:
  # Number of primary shards
  index.number_of_shards: 3
  # Number of replicas
  index.number_of_replicas: 0
```

With this configuration, the fields are separated out much more clearly when viewing the logs.
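An added example, not part of the original post: a Python sketch of how a line in the `json_combined` format decodes under `json.keys_under_root` and `json.add_error_key`, and why `escape=json` in the `log_format` matters for client-controlled fields such as the user agent. The sample lines, function names and the `schema_mismatch` field are constructed for illustration, and the decoding only approximates Filebeat's behaviour.

```python
import json

# Keys defined by the json_combined log_format shown above.
EXPECTED_KEYS = {
    "timestamp", "remote_addr", "remote_user", "request", "status",
    "body_bytes_sent", "request_time", "http_referer",
    "http_user_agent", "http_x_forwarded_for",
}

def decode_line(line):
    """Approximate Filebeat's json.keys_under_root / json.add_error_key handling.

    schema_mismatch is a hypothetical field added by this example only.
    """
    try:
        obj = json.loads(line)
        if not isinstance(obj, dict):
            raise ValueError("line is not a JSON object")
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        # add_error_key: keep the raw line and record the decode error
        return {"message": line, "error": {"type": "json", "message": str(exc)}}
    event = dict(obj)  # keys_under_root: decoded keys become top-level fields
    unexpected = sorted(set(obj) - EXPECTED_KEYS)
    missing = sorted(EXPECTED_KEYS - set(obj))
    if unexpected or missing:
        event["schema_mismatch"] = {"unexpected": unexpected, "missing": missing}
    return event

# Constructed sample lines (not real traffic); the user agent contains double quotes.
TEMPLATE = (
    '{"timestamp":"2025-10-21T10:00:00+08:00","remote_addr":"192.0.2.10",'
    '"remote_user":"","request":"GET / HTTP/1.1","status": "200",'
    '"body_bytes_sent":"612","request_time":"0.000","http_referer":"",'
    '"http_user_agent":"%s","http_x_forwarded_for":""}'
)
WITH_ESCAPE_JSON = TEMPLATE % r'probe \"v1\"'         # as written with escape=json
WITH_DEFAULT_ESCAPE = TEMPLATE % r'probe \x22v1\x22'  # nginx default escaping: \x22

def summarize(line):
    """Return 'ok', 'schema_mismatch' or 'decode_error' for one line."""
    event = decode_line(line)
    if "error" in event:
        return "decode_error"
    return "schema_mismatch" if "schema_mismatch" in event else "ok"

if __name__ == "__main__":
    for name in ("WITH_ESCAPE_JSON", "WITH_DEFAULT_ESCAPE"):
        print(name, summarize(globals()[name]))
```

Because every value in the `log_format` is quoted, fields such as `status` and `body_bytes_sent` arrive as strings, so numeric queries on them need a mapping or a conversion step.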


Author: 松轩(^U^)


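Copyright notice: Unless otherwise stated, all articles on this blog are licensed under the BY-NC-SA license. Please credit the source when reposting!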
