Using Filebeat 5.0.1 as the log collection tool:
Java logs need multiline matching. Add the following to the Filebeat configuration file:

  ### Multiline options

  # Multiline can be used for log messages spanning multiple lines. This is common
  # for Java Stack Traces or C-Line Continuation

  # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
  multiline.pattern: ^\[

  # Defines if the pattern set under pattern should be negated or not. Default is false.
  multiline.negate: true

  # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern
  # that was (not) matched before or after or as long as a pattern is not matched based on negate.
  # Note: After is the equivalent to previous and before is the equivalent to next in Logstash
  multiline.match: after

The configuration above means: lines that do not start with [ are merged onto the end of the previous line.
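pattern: the regular expression
negate: true or false; the default is false, where lines that match pattern are merged into the previous line; with true, lines that do not match pattern are merged into the previous line
match: after or before; lines are merged onto the end or the beginning of the previous line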
filebeat.prospectors:
- input_type: log
  paths:
    - /home/work/workspace/ws/risk_rebuild/log/*.log
  multiline:
    pattern: '^\d{4}-\d{2}-\d{2}'
    negate: true
    match: after
    max_lines: 20
    timeout: 5s
  tail_files: false
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["172.16.102.102:9200","172.16.102.103:9200","172.16.102.104:9200"]
  index: "risk_engine
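To check how pattern, negate, match and max_lines group a Java stack trace before shipping logs, the following Python sketch reimplements that grouping logic. It is an added example, not part of the original post and not Filebeat's own code. The function name group_multiline and the sample log lines are constructed for illustration, timeout is not modelled, and the patterns used here behave the same in Python's re as in Filebeat's Go regexp.

```python
import re

def group_multiline(lines, pattern, negate=False, match="after", max_lines=500):
    """Group raw log lines into events per the pattern/negate/match options."""
    rx = re.compile(pattern)
    events, current, prev_cont = [], [], False
    for line in lines:
        # A continuation line matches the pattern, or fails to when negate=True.
        cont = bool(rx.search(line)) != negate
        # after:  this line decides whether it joins the open event.
        # before: the previous line decides whether this one joins it.
        joins = bool(current) and (cont if match == "after" else prev_cont)
        if current and not joins:
            events.append("\n".join(current))
            current = []
        if len(current) < max_lines:  # lines beyond max_lines are discarded
            current.append(line)
        prev_cont = cont
    if current:
        events.append("\n".join(current))
    return events

# Constructed sample: one Java exception followed by an unrelated entry.
SAMPLE = [
    "2016-12-01 10:15:02 ERROR RiskEngine - rule evaluation failed",
    "java.lang.NullPointerException: null",
    "\tat com.example.risk.RuleRunner.run(RuleRunner.java:42)",
    "\tat com.example.risk.Main.main(Main.java:17)",
    "2016-12-01 10:15:03 INFO RiskEngine - retry scheduled",
]
DATE = r"^\d{4}-\d{2}-\d{2}"  # same pattern as the prospector config on this page

if __name__ == "__main__":
    cases = [
        ("negate=true, match=after", dict(negate=True, match="after")),
        ("negate=false (misconfigured)", dict(negate=False, match="after")),
        ("negate=true, max_lines=2", dict(negate=True, match="after", max_lines=2)),
    ]
    for label, kw in cases:
        events = group_multiline(SAMPLE, DATE, **kw)
        # Print the event count and the number of lines kept in each event.
        print(label, len(events), [e.count("\n") + 1 for e in events])
```

With negate left at false the stack trace is split into separate events and the next log entry is glued onto the last stack frame. A trace longer than max_lines keeps only its first max_lines lines, which can cut off a trailing "Caused by" section.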