使用filebeat收集并解析springboot日志
序
本文主要研究一下如何使用filebeat收集并解析springboot日志
安装
在官网的下载页面filebeat/downloads提供了一些特定平台的安装包,不过对应linux最为省事的安装方式就是直接下载x86_64压缩包,然后解压即可
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.9.0-linux-x86_64.tar.gz
解析
filebat.yml主要有input和output组成
json
比如对于json格式的日志,其input示例如下
filebeat.inputs:- type: logpaths:- "/data/logs/*/error.log"document_type: jsonjson.message_key: logjson.keys.under_root: truejson.overwrite_keys: truefields:logType: errJsonfields_under_root: true
对于json类型的指定document_type为json,其中
json.message_key用于指定json中哪个字段为message
logback
springboot logback默认的file pattern为
org/springframework/boot/spring-boot/2.7.14/spring-boot-2.7.14.jar!/org/springframework/boot/logging/logback/defaults.xml
<property name="FILE_LOG_PATTERN" value="${FILE_LOG_PATTERN:-%d{${LOG_DATEFORMAT_PATTERN:-yyyy-MM-dd HH:mm:ss.SSS}} ${LOG_LEVEL_PATTERN:-%5p} ${PID:- } --- [%t] %-40.40logger{39} : %m%n${LOG_EXCEPTION_CONVERSION_WORD:-%wEx}}"/>
打印出来的示例如下
2023-08-05 20:47:11.069 INFO 3396 --- [ main] org.example.Main : Started Main in 1.662 seconds (JVM running for 2.228)
针对这个,可以用filebeat的dissect来解析,如下
filebeat.inputs:
- type: stdinprocessors:- dissect:tokenizer: "%{logDate} %{logTime} %{logLevel} %{pid} --- [%{thread}] %{logger} : %{message}"field: "message"
output.console:enabled: truepretty: true
解析出来的json如下
{"@timestamp": "2023-08-05T12:53:28.738Z","@metadata": {"beat": "filebeat","type": "_doc","version": "8.9.0"},"log": {"offset": 0,"file": {"path": ""}},"message": "2023-08-05 20:47:11.069 INFO 3396 --- [ main] org.example.Main : Started Main in 1.662 seconds (JVM running for 2.228)","input": {"type": "stdin"},"dissect": {"logTime": "20:47:11.069","logLevel": "INFO","pid": "3396","thread": " main","logger": "org.example.Main ","message": "Started Main in 1.662 seconds (JVM running for 2.228)","logDate": "2023-08-05"},"agent": {"name": "dembp","type": "filebeat","version": "8.9.0","ephemeral_id": "4e4a9ee3-4682-41ab-ad9b-f4821543d991","id": "597a1a87-8165-492b-a9e8-d6530376b179"},"ecs": {"version": "8.0.0"},"host": {"name": "dembp"}
}
处理换行
上面给的例子其实没有处理换行的情况,这个时候可以使用filebeat的multiline来指定,比如
filebeat.inputs:
- type: stdinmultiline:pattern: '^\d{4}-\d{2}-\d{2}'negate: truematch: after
这里指定用
^\d{4}-\d{2}-\d{2}来匹配日期开头的日志,匹配上了就是一条日志;negate为true表示没有匹配上的那一行归属上面一条日志,而match的after代表合并到上一行的末尾,before代表合并到下一行的开头
输出
对于大型的应用,一般filebeat做轻量级的收集,不做解析,解析交给logstash或者elasticsearch pipeline或者其他中间服务;而对于一些小型规模的或者是非生产环境,在多部署一个logstash显得有点繁琐,可以用dissect替代logstash的grok进行日志解析,然后就可以直接output到目标服务,比如elasticsearch
logstash
output:logstash:hosts: ["192.168.99.100:5044"]
elasticsearch
output.elasticsearch:hosts: ["192.168.99.100:9200"]username: "xxxx"password: "xxxx"
小结
filebeat提供了processor能力,其中dissect替代logstash的grok进行日志解析,非常便捷。
doc
- dissect