ELK收集tomcat日志

收集tomcat日志

1.安装tomcat

yum install tomcat tomcat-webapps tomcat-admin-webapps tomcat-docs-webapp tomcat-javadoc -y

2.修改tomcat配置文件为json格式

vim /etc/tomcat/server.xml
第139行替换为：
pattern="{"clientip":"%h","ClientUser":"%l","authenticated":"%u","AccessTime":"%t","method":"%r","status":"%s","SendBytes":"%b","Query?string":"%q","partner":"%{Referer}i","AgentVersion":"%{User-Agent}i"}"/>

3.重启tomcat

systemctl restart tomcat

4.修改filebeat配置文件

filebeat.inputs:
- type: log
  enabled: true 
  paths:
    - /var/log/nginx/bbs_access.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["bbs"]

- type: log
  enabled: true 
  paths:
    - /var/log/nginx/blog_access.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["blog"]

- type: log
  enabled: true 
  paths:
    - /var/log/nginx/www_access.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["www"]

- type: log
  enabled: true 
  paths:
    - /var/log/tomcat/localhost_access_log.2019-07-11.txt
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["tomcat"]

- type: log
  enabled: true 
  paths:
    - /var/log/nginx/error.log
  tags: ["error"]

output.elasticsearch:
  hosts: ["10.0.0.51:9200"]
  indices:
    - index: "nginx_www_access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "www"
    - index: "nginx_bbs_access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "bbs"
    - index: "nginx_blog_access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "blog"
    - index: "nginx_error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "error"
    - index: "tomcat_access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "tomcat"

setup.template.name: "nginx"
setup.template.pattern: "nginx_*"
setup.template.enabled: false
setup.template.overwrite: true