logstash grok配置

%{NOTSPACE:applicationName} %{NOTSPACE:instanceName} %{TIMESTAMP_ISO8601:@metadata} [%{NOTSPACE:sessionid}] [%{WORD:requestid}] %{LOGLEVEL:level} %{JAVACLASS:class} - (?<logmessage>(.*))

logback配置格式

<pattern>${applicationName} ${instanceId} %d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] [%X{requestId}] %-5level%logger{50} - %msg%n</pattern>

日志打印格式

iflydocs-fs 10.1.12.6:8084 2020-07-14 11:27:36.539 [main] [requestidxxx] INFO com.netflix.discovery.DiscoveryClient - Initializing Eureka in region us-east-1

测试启动命令

cd /root/filebeat/filebeat-6.5.1-linux-x86_64
./filebeat -e -c filebeat.yml

后台启动命令

nohup ./filebeat -e -c filebeat.yml >/dev/null 2>&1 &

停止filebeat：
查找进程ID并kill掉：

ps -ef |grep filebeat
kill -9 进程号

filebeat支持多行配置

filebeat.inputs:

- type: log

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
      - /logs/*.log

  multiline:
      pattern: '^ServerName-'
      negate: true
      match: after
      max_lines: 20
      timeout: 5s
#---------- Logstash output -----------
output.logstash:
  # The Logstash hosts
  hosts: ["logstashaddr:port"]

生产环境经常会遇到日志换行的情况，所以日志需要处理多行的情况，比如exception,这里只要以ServerName开头的日志会被认为是一行，后面20行以内不以服务名开头都合并到上面一行