使用filebeat采集日志,輸入到logstash�,發(fā)現(xiàn)如果日志文件新增一條記錄,filebeat會將所有的記錄輸入到logstash(全量采集)�����,而不是最新的一條(增量采集)
filebeat版本:
filebeat version 6.1.1 (amd64), libbeat 6.1.1
filebeat配置:
filebeat.prospectors:
- type: log
paths:
- /Users/king/max/logs/test.log
tail_files: true
output.logstash:
hosts: ["localhost:5044"]
logstash版本:
logstash 6.1.1
logstash配置:
input {
beats {
port => "5044"
}
}
filter {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}"}
}
}
output {
stdout { codec => rubydebug }
}
日志格式:
83.149.9.216 - - [04/Jan/2015:05:13:42 +0000] "GET /presentations/logstash-monitorama-2013/images/kibana-search.png HTTP/1.1" 200 203023 "http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77
我手動往log文件里插一條數(shù)據(jù)��,filebeat總是會采集所有的日志記錄輸入到logstash���,網(wǎng)上查了半天�,也沒啥結(jié)論���,求大神支招���,謝謝~
