I have logs like this:
    {"logId":"57aaf6c8d32fb","clientIp":"127.0.0.1","time":"03:11:29 pm","uniqueSubId":"57aaf6c98963b","channelName":"JSPC","apiVersion":"v1","modulName":null,"actionName":"apiRequest","typeOfError":"","statusCode":"","message":"In Auth","exception":"In Auth","logType":"Info"}
    {"logId":"57aaf6c8d32fb","clientIp":"127.0.0.1","time":"03:11:29 pm","uniqueSubId":"57aaf6c987206","channelName":"JSPC","apiVersion":"v2","modulName":null,"actionName":"performV2","typeOfError":"","statusCode":"","message":"in inbox api v2 5","exception":"in inbox api v2 5","logType":"Info"}
I want to push them to Kibana. I am using Filebeat to send the data to Logstash with the following configuration:
filebeat.yml

    ### Logstash as output
    logstash:
      # The Logstash hosts
      hosts: ["localhost:5044"]

      # Number of workers per Logstash host.
      #worker: 1
Now, using the following configuration, I want to change the codec type:
    input {
      beats {
        port => 5000
        tags => "beats"
        codec => "json_lines"
        #ssl => true
        #ssl_certificate => "/opt/filebeats/logs.example.com.crt"
        #ssl_key => "/opt/filebeats/logs.example.com.key"
      }

      syslog {
        type => "syslog"
        port => "5514"
      }
    }
But I am still getting the logs in string format:
    "message":"{\"logId\":\"57aaf6c96224b\",\"clientIp\":\"127.0.0.1\",\"time\":\"03:11:29 pm\",\"channelName\":\"JSPC\",\"apiVersion\":null,\"modulName\":null,\"actionName\":\"404\",\"typeOfError\":\\"EXCEPTION\",\"statusCode\":0,\"message\":\"404 page encountered http:\/\/localjs.com\/uploads\/NonScreenedImages\/profilePic120\/16\/29\/15997002iicee52ad041fed55e952d4e4e4d163d5972ii4c41f8845105429abbe11d330",\"logType\":\"Error\"}",
Please help me solve this.
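To parse JSON log lines in Logstash that were sent from Filebeat, you need to use a json filter instead of a codec. This is because Filebeat sends its data as JSON, and the contents of your log line are contained in the message field.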
Logstash config:
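    input {
      beats {
        port => 5044
      }
    }

    filter {
      # Apply the json filter only to events that carry the "json" tag
      if "json" in [tags] {
        json {
          # Parse the JSON text held in the message field
          source => "message"
        }
      }
    }

    output {
      stdout { codec => rubydebug { metadata => true } }
    }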
Filebeat config:
    filebeat:
      prospectors:
        - paths:
            - my_json.log
          fields_under_root: true
          fields:
            tags: ['json']
    output:
      logstash:
        hosts: ['localhost:5044']
In the Filebeat config, I added a "json" tag to the event so that the json filter can be conditionally applied to the data.
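Filebeat 5.0 is able to parse the JSON without the use of Logstash, but it is still an alpha release at the moment. This blog post titled "Structured logging with Filebeat" demonstrates how to parse JSON with Filebeat 5.0.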
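
Added example, not part of the original answer: a small Python model of the event flow described above, showing why the log line stays a string until the `message` field itself is parsed, and what happens to the envelope when parsed keys are merged at the event root. The function names and the sample line are constructed for illustration; the root merge, the `target` option and the `_jsonparsefailure` tag model the json filter's documented behaviour and are not Logstash code.

```python
import json

# Constructed sample: one application log line as written to my_json.log.
APP_LINE = ('{"logId":"57aaf6c8d32fb","clientIp":"127.0.0.1",'
            '"message":"In Auth","logType":"Info"}')


def beats_envelope(line, tags):
    """Model of what Filebeat ships: the raw line is a *string* under 'message'."""
    return {"message": line, "tags": list(tags), "source": "my_json.log"}


def json_filter(event, source="message", target=None):
    """Model of the json filter: parse event[source], merge at root or under target."""
    out = dict(event)
    try:
        parsed = json.loads(event[source])
        if target is None and not isinstance(parsed, dict):
            raise ValueError("a root merge needs a JSON object")
    except (KeyError, TypeError, ValueError):
        # On failure the event is kept and tagged, so bad lines can be found later.
        out["tags"] = out.get("tags", []) + ["_jsonparsefailure"]
        return out
    if target is None:
        out.update(parsed)    # keys from the log line overwrite envelope fields
    else:
        out[target] = parsed  # namespaced: envelope fields stay untouched
    return out


def pipeline(line, tags=("json",), target=None):
    """Filebeat -> Logstash: wrap the line, then filter only events tagged 'json'."""
    event = beats_envelope(line, tags)
    if "json" in event["tags"]:
        event = json_filter(event, target=target)
    return event


if __name__ == "__main__":
    print(pipeline(APP_LINE, tags=()))         # no tag: message is still a JSON string
    print(pipeline(APP_LINE))                  # parsed; inner "message" replaced the raw line
    print(pipeline(APP_LINE, target="app"))    # parsed under "app"; raw line preserved
    print(pipeline('{"tags":["trusted"]}'))    # a log line can overwrite envelope tags
    print(pipeline("plain text, not JSON"))    # tagged _jsonparsefailure
```

Because the application log has its own `message` key, a root merge replaces the raw line, and any key a log line carries (including `tags`) can overwrite envelope fields; setting `target` on the json filter keeps application-supplied fields in their own namespace.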