使用 filebeat-8.7.1,我将其配置为将多个源推送到远程 elastisearch。我无法让它将自己的日志记录到本地文件中/var/log/filebeat/filebeat.log
,并且我无法阻止它将其日志转储到/var/log/syslog
(这也将用于 elastisearch)。
相关配置来自/etc/filebeat/filebeat.yml
:
filebeat.inputs:
- type: filestream
id: rsc-server
enabled: true
paths:
- /var/log/rstudio/rstudio-connect/rstudio*.log
fields:
log_type: rsc_server
- type: filestream
enabled: true
ignore_older: 5m
id: rsc-jobs
paths:
- /srv/R/RSC/jobs/[0-9]*/*/*
fields:
log_type: rsc
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
setup.template.settings:
index.number_of_shards: 1
setup.kibana:
host: "http://my.elasti.host:30002"
output.elasticsearch:
hosts: ["http://my.elasti.host:30003"]
allow_older_versions: true
username: "myuser"
password: "mypass"
processors:
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_kubernetes_metadata: ~
logging:
- level: warning
- to_syslog: false
- to_stderr: false
- json: true
- files:
- path: /var/log/filebeat
- name: filebeat
- keepfile: 3
- permissions: 0644
从/etc/filebeat/modules.d/
目录中,生成的启用配置是:
# Module: nginx
# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-nginx.html
- module: nginx
# Access logs
access:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Error logs
error:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Ingress-nginx controller logs. This is disabled by default. It could be used in Kubernetes environments to parse ingress-nginx logs
ingress_controller:
enabled: false
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Module: redis
# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-redis.html
- module: redis
# Main logs
log:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths: ["/var/log/redis/redis-server.log*"]
# Slow logs, retrieved via the Redis API (SLOWLOG)
slowlog:
enabled: false
# The Redis hosts to connect to.
#var.hosts: ["localhost:6379"]
# Optional, the password to use when connecting to Redis.
#var.password:
# Module: system
# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-system.html
- module: system
# Syslog
syslog:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Authorization logs
auth:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
我相信系统模块的使用syslog
是从中提取 /var/log/syslog
,而不是推送到中。(当我禁用该模块时,行为不会改变。)
如何修复将logging.*
日志发送到的部分/var/log/filebeat/
,以及如何防止它发送到 syslog 和/var/log/syslog
?
(这是在 ubuntu-22.04 虚拟机上。)
编辑:/lib/systemd/system/filebeat.service
有一个空BEAT_LOG_OPTS
参数(这是默认文件,不是我编辑的):
[Unit]
Description=Filebeat sends log files to Logstash or directly to Elasticsearch.
Documentation=https://www.elastic.co/beats/filebeat
Wants=network-online.target
After=network-online.target
[Service]
UMask=0027
Environment="GODEBUG='madvdontneed=1'"
Environment="BEAT_LOG_OPTS="
Environment="BEAT_CONFIG_OPTS=-c /etc/filebeat/filebeat.yml"
Environment="BEAT_PATH_OPTS=--path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat"
ExecStart=/usr/share/filebeat/bin/filebeat --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS
Restart=always
[Install]
WantedBy=multi-user.target
重新加载(并且性能没有变化):
# systemctl daemon-reload
# systemctl restart filebeat.service
# systemctl status filebeat.service
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/lib/systemd/system/filebeat.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2023-05-04 14:49:12 UTC; 20s ago
Docs: https://www.elastic.co/beats/filebeat
Main PID: 2080223 (filebeat)
Tasks: 25 (limit: 76964)
Memory: 114.4M
CPU: 5.315s
CGroup: /system.slice/filebeat.service
└─2080223 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat
该进程以 root 身份运行,/var/log/filebeat
目录由具有正常权限的 root 拥有:
# ps faxu | grep [/]filebeat
root 2080223 9.4 0.1 2635592 169112 ? Ssl 14:49 0:36 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat
# ll -d /var/log/filebeat
drwxr-xr-x 2 root root 4096 May 4 12:54 /var/log/filebeat/
# ll /var/log/filebeat
total 8
drwxr-xr-x 2 root root 4096 May 4 12:54 ./
drwxr-xr-x 18 root syslog 4096 May 4 12:54 ../
我看到--environment systemd
每个filebeat 命令行选项意味着
如果指定了 systemd 或 container,Filebeat 将默认记录到 stdout 和 stderr。
/var/log/syslog
这表明日志记录将由于systemd
处理进程中的 stdout/stderr 的方式而发生。这似乎是一个进步,但我们仍然没有日志记录到/var/log/filebeat/
,这最终是 stdout/stderr 应该去的地方(这将解决日志记录到的问题/var/log/syslog
)。