FileBeat 是一款轻量型日志采集器，当您要面对成百上千、甚至成千上万的服务器、虚拟机和容器生成的日志时，请告别 SSH 吧。Filebeat 将为您提供一种轻量型方法，用于转发和汇总日志与文件，让简单的事情不再繁杂。

记住：

• 设置源有两种方式，Input和Module二选一即可
• FileBeat 支持多输入，单输出

Input

如下：容器Container，标准输入Stdin

#------------------------------ Container input --------------------------------
- type: container
  enabled: true
  # Paths for container logs that should be crawled and fetched.
  paths:
    - /var/lib/docker/containers/*/*.log
  # Configure stream to filter to a specific stream: stdout, stderr or all (default)
  #stream: all

#----------------------------- Stdin input -------------------------------
- type: stdin
  enabled: true

Module

以 Nginx Module为例

Nginx日志格式如下：

https://github.com/kubernetes/ingress-nginx/blob/nginx-0.28.0/docs/user-guide/nginx-configuration/log-format.md

log_format upstreaminfo
     '$remote_addr - $remote_user [$time_local] "$request" '
     '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
     '$request_length $request_time [$proxy_upstream_name] [$proxy_alternative_upstream_name] $upstream_addr '
     '$upstream_response_length $upstream_response_time $upstream_status $req_id';

#查看Filebeat支持模块
filebeat modules list

#启用nginx模块
filebeat modules enable nginx

#禁用nginx模块
filebeat modules disable nginx

vi modules.d/nginx.yml

- module: nginx
  access:
    enabled: true

  error:
    enabled: true
    var.paths: ["/var/log/nginx/error.log"]

  ingress_controller:
    enabled: false
    var.paths: [ "/var/log/nginx/access.log" ]

更多示例

https://github.com/chudaozhe/docker-beats/tree/master/filebeat

参考

https://www.cnblogs.com/h--d/p/13180025.html

https://www.cnblogs.com/h--d/p/13172062.html