filebeat合并java日志多行信息

编辑配置文件
[root@web-bj-docker-10 filebeat]# vim filebeat.yml
#添加以下内容

#=========================== Filebeat prospectors =============================

filebeat.prospectors:

# Each - is a prospector. Most options can be set at the prospector level, so
# you can use different prospectors for various configurations.
# Below are the prospector specific configurations.

- input_type: log                           #默认
  paths:                                    #路径
    - /mapbar/data/logs/gsmobd.log          #收集的日志
  document_type: tomcat_gsmobd              #日志类型，类似标签，logstash可以按照标签创建不同索引

#正则匹配以什么为开头
  multiline.pattern: '^\d{4}\-\d{2}\-\d{2}\s\d+\:\d+\:\d+\.\d+\s\[.*\]\sINFO|^\d{4}\-\d{2}\-\d{2}\s\d+\:\d+\:\d+\.\d+\s\[.*\]\sERROR|^\d{4}\-\d{2}\-\d{2}\s\d+\:\d+\:\d+\.\d+\s\[.*\]\sDEBUG|^\d{4}\-\d{2}\-\d{2}\s\d+\:\d+\:\d+\.\d+\s\[.*\]\sWARN'
  multiline.negate: true   #必要参数
  multiline.match: after    #必要参数
  exclude_lines: ['^\d{4}\-\d{2}\-\d{2}\s\d+\:\d+\:\d+\.\d+\s\[.*\]\sINFO','^\d{4}\-\d{2}\-\d{2}\s\d+\:\d+\:\d+\.\d+\s\[.*\]\sDEBUG']    #上面匹配完行，此行为如果匹配丢弃    
  include_lines: ['^\d{4}\-\d{2}\-\d{2}\s\d+\:\d+\:\d+\.\d+\s\[.*\]\sERROR', '^\d{4}\-\d{2}\-\d{2}\s\d+\:\d+\:\d+\.\d+\s\[.*\]\sWARN']   #此行为如果匹配通过

#输出给logstash,也可直接输出给es
#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
    hosts: ["127.0.0.1:5045"]



logstash配置

[root@web-bj-docker-10 config]# cat logstash.filebeat.conf
只是接收稍作改动，filebeat配置的输入给logstash5045端口，logstash需要开启bests模块，端口为5045
input {
     beats {
        port => 5045
}
#     file {
#     path => ["/mapbar/data/logs/gsmobd.log"]
#}
}

output{

 stdout { codec => rubydebug }


}