Filebeat 日志收集与转发配置
Filebeat 是 Elastic 公司推出的轻量级日志收集代理,用于从各类日志文件中读取数据并转发到 Elasticsearch、Logstash 或其他输出目标。相比 Logstash,Filebeat 资源消耗极低,非常适合在搬瓦工 VPS 上部署。
一、安装 Filebeat
1.1 APT 安装(Ubuntu/Debian)
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor -o /usr/share/keyrings/elastic.gpg
echo "deb [signed-by=/usr/share/keyrings/elastic.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-8.x.list
apt update
apt install filebeat -y1.2 YUM 安装(CentOS)
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
cat > /etc/yum.repos.d/elastic.repo <<EOF
[elastic-8.x]
name=Elastic repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
yum install filebeat -y1.3 启动服务
systemctl enable filebeat
systemctl start filebeat二、基础配置
Filebeat 主配置文件为 /etc/filebeat/filebeat.yml:
cat > /etc/filebeat/filebeat.yml <<'EOF'
filebeat.inputs:
- type: filestream
id: syslog
enabled: true
paths:
- /var/log/syslog
- /var/log/messages
fields:
log_type: syslog
- type: filestream
id: auth-log
enabled: true
paths:
- /var/log/auth.log
fields:
log_type: auth
- type: filestream
id: nginx-access
enabled: true
paths:
- /var/log/nginx/access.log
fields:
log_type: nginx-access
- type: filestream
id: nginx-error
enabled: true
paths:
- /var/log/nginx/error.log
fields:
log_type: nginx-error
output.elasticsearch:
hosts: ["http://localhost:9200"]
index: "filebeat-%{+yyyy.MM.dd}"
setup.template.name: "filebeat"
setup.template.pattern: "filebeat-*"
setup.ilm.enabled: false
processors:
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
EOF三、输出目标配置
3.1 输出到 Elasticsearch
output.elasticsearch:
hosts: ["http://localhost:9200"]
username: "elastic"
password: "your_password"
index: "filebeat-%{+yyyy.MM.dd}"3.2 输出到 Logstash
output.logstash:
hosts: ["logstash-server:5044"]
ssl.certificate_authorities: ["/etc/filebeat/ca.pem"]3.3 输出到文件(调试用)
output.file:
path: "/tmp/filebeat-output"
filename: "filebeat"
rotate_every_kb: 10000四、内置模块
Filebeat 内置了多种日志模块,开箱即用:
# 查看所有可用模块
filebeat modules list
# 启用 Nginx 模块
filebeat modules enable nginx
# 启用系统日志模块
filebeat modules enable system
# 启用 MySQL 模块
filebeat modules enable mysql4.1 Nginx 模块配置
# /etc/filebeat/modules.d/nginx.yml
- module: nginx
access:
enabled: true
var.paths: ["/var/log/nginx/access.log"]
error:
enabled: true
var.paths: ["/var/log/nginx/error.log"]4.2 System 模块配置
# /etc/filebeat/modules.d/system.yml
- module: system
syslog:
enabled: true
var.paths: ["/var/log/syslog"]
auth:
enabled: true
var.paths: ["/var/log/auth.log"]五、多行日志处理
处理 Java 堆栈跟踪等跨多行的日志:
filebeat.inputs:
- type: filestream
id: java-app
paths:
- /var/log/myapp/app.log
parsers:
- multiline:
type: pattern
pattern: '^\d{4}-\d{2}-\d{2}'
negate: true
match: after这个配置表示:如果一行不以日期格式开头,则将其追加到前一行后面。
六、处理器(Processors)
processors:
# 添加主机元数据
- add_host_metadata: ~
# 丢弃不需要的字段
- drop_fields:
fields: ["agent.ephemeral_id", "agent.id"]
# 根据条件过滤事件
- drop_event:
when:
contains:
message: "health check"
# 添加自定义标签
- add_tags:
tags: ["production", "bwg-vps"]
# 根据日志内容提取字段
- dissect:
tokenizer: "%{client_ip} - - [%{timestamp}] \"%{method} %{path} %{protocol}\" %{status} %{size}"
field: "message"
target_prefix: "nginx"七、Docker 部署
docker run -d \
--name filebeat \
--restart unless-stopped \
--user root \
-v /etc/filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro \
-v /var/log:/var/log:ro \
-v filebeat-data:/usr/share/filebeat/data \
docker.elastic.co/beats/filebeat:8.13.0 \
filebeat -e --strict.perms=false八、测试与调试
# 测试配置文件语法
filebeat test config -e
# 测试输出连接
filebeat test output
# 前台运行查看详细日志
filebeat -e -d "*"
# 查看 Filebeat 日志
journalctl -u filebeat -f
# 查看注册文件状态
cat /var/lib/filebeat/registry/filebeat/log.json | python3 -m json.tool九、性能优化
# 调整批量发送参数
output.elasticsearch:
hosts: ["http://localhost:9200"]
bulk_max_size: 2048
worker: 2
# 调整队列大小
queue.mem:
events: 4096
flush.min_events: 512
flush.timeout: 5s
# 限制 CPU 使用
max_procs: 1十、常见问题
日志收集延迟
检查 scan_frequency 和 close_inactive 配置。默认 Filebeat 每 10 秒扫描一次新文件。
filebeat.inputs:
- type: filestream
id: realtime-log
paths:
- /var/log/app/*.log
prospector.scanner.check_interval: 1s重复收集日志
Filebeat 通过 registry 文件记录采集进度。如果 registry 文件损坏或被删除,可能导致重复采集。registry 路径默认为 /var/lib/filebeat/registry。
总结
Filebeat 是 ELK Stack 生态中最轻量的日志采集组件,非常适合在搬瓦工 VPS 上收集各类应用日志。收集的日志可以发送到 Elasticsearch 后通过 Kibana 进行搜索和可视化分析。选购搬瓦工 VPS 请参考 全部方案,使用优惠码 NODESEEK2026 可享受 6.77% 的循环折扣。