基于 Docker18.09.0
简单介绍
Filebeat 是一个轻量级的托运人,用于转发和集中日志数据。Filebeat作为代理安装在服务器上,监视您指定的日志文件或位置,收集日志事件,并将它们转发到Elasticsearch或 Logstash进行索引。
以下是 Filebeat 的工作原理:启动Filebeat时,它会启动一个或多个输入,这些输入将查找您指定的位置的日志数据。
对于Filebeat找到的每个日志,Filebeat启动一个收集器。每个收集器为新内容读取单个日志,并将新日志数据发送到 libbeat,libbeat 聚合事件并将聚合数据发送到您为 Filebeat 配置的输出。
工作流图
FilebeatLogstash都是以事件为推动的和处理单位的,不是以文件中的行。
获取镜像
docker pull docker.elastic.co/beats/filebeat:6.5.2
配置输入和输出
容器内的配置文件位置是 /usr/share/filebeat/filebeat.yml
Filebeat 容器默认没有配置输入,默认的输出目标是 elasticsearch:9200
为了调试目的,下面的示例是配置输入为本地的某一个 Nginx 日志格式的日志文件,输出是 console, 就是输出到屏幕终端。
filebeat.inputs:
- type: log
paths:
- /*.log
output.console:
pretty: true
假如你的文件的编码不是
utf-8, 这可能会导致乱码的现象,解决办法是使用配置项encoding指定具体的编码。比如encoding: gbk。
如果pretty设置为true,则写入stdout的事件将被很好地格式化。默认值为false。
运行容器
下面是利用上面的配置文件运行容器的示例
- 准备源日志文件
www.sharkyun.com.log
95.213.177.126 - - [18/Jul/2017:00:01:09 +0800] "POST http://check.proxyradar.com/azenv.php HTTP/1.1" 404 326 "https://proxyradar.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" "-"
202.108.211.56 - - [18/Jul/2017:00:03:23 +0800] "GET http://1.1.1.1/ HTTP/1.1" 200 6228 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.21 (KHTML, like Gecko) Chrome/19.0.1042.0 Safari/535.21" "-"
221.228.109.90 - - [18/Jul/2017:01:52:17 +0800] "GET http://www.sharkyun.com/ HTTP/1.1" 200 6228 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0" "119.61.20.114"
221.228.109.90 - - [18/Jul/2017:01:52:17 +0800] "GET http://www.sharkyun.com/css/style_eeoweb.css HTTP/1.1" 200 11988 "https://www.sharkyun.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0" "119.61.20.114"
221.228.109.90 - - [18/Jul/2017:01:52:18 +0800] "GET http://www.sharkyun.com/mobile/js/deviceType.js HTTP/1.1" 200 1055 "https://www.sharkyun.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0" "119.61.20.114"
221.228.109.90 - - [18/Jul/2017:01:52:18 +0800] "GET http://www.sharkyun.com/js/jplayer/skin/black/css/style.css HTTP/1.1" 200 3339 "https://www.sharkyun.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0" "119.61.20.114"
221.228.109.90 - - [18/Jul/2017:01:52:18 +0800] "GET http://www.sharkyun.com/js/index_eeoweb.js HTTP/1.1" 200 910 "https://www.sharkyun.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0" "119.61.20.114"
221.228.109.90 - - [18/Jul/2017:01:52:18 +0800] "GET http://www.sharkyun.com/js/easySlider.js HTTP/1.1" 200 2431 "https://www.sharkyun.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0" "119.61.20.114"
221.228.109.90 - - [18/Jul/2017:01:52:18 +0800] "GET http://www.sharkyun.com/js/require_eeoweb.js HTTP/1.1" 200 7161 "https://www.sharkyun.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0" "119.61.20.114"
221.228.109.90 - - [18/Jul/2017:01:52:18 +0800] "GET http://www.sharkyun.com/js/jquery.js HTTP/1.1" 200 46467 "https://www.sharkyun.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0" "119.61.20.114"
上面只是个示例日志部分内容
- 使用自定义的配置文件运行容器
我们上面的配置文件是输入到标准输出的,要想看到效果就不能让容器在后台运行了。
$ docker run -it --rm --name=filebeat65_stdout --mount type=bind,src=$(pwd)/www.sharkyun.com.log,dst=/shark.log,readonly --mount type=bind,src=$(pwd)/filebeat_stdout.yml,dst=/usr/share/filebeat/filebeat.yml,readonly docker.elastic.co/beats/filebeat:6.5.2
部分输出结果
"input": {
"type": "log"
},
"host": {
"name": "db719e24b943"
},
"beat": {
"name": "db719e24b943",
"hostname": "db719e24b943",
"version": "6.5.2"
},
"source": "/shark.log",
"offset": 2514473,
"message": "106.75.19.227 - - [18/Jul/2017:03:28:16 +0800] \"POST http://www.sharkyun.com/partner/api/course.api.php HTTP/1.1\" 200 521 \"-\" \"-\" \"-\"",
"prospector": {
"type": "log"
}
}
