Work-configuration-file/filebast/admin子配置文件.yaml

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /root/logs/sys-info*.log
      - /root/logs/sys-error*.log
      - /root/logs/sys-user*.log
    fields:
      application: my_app  # 自定义字段，标识应用名称
    fields_under_root: true
    multiline.pattern: '^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}' # 根据你的日志格式调整
    multiline.negate: true
    multiline.match: after
    ignore_older: 24h
    scan_frequency: 10s
    clean_inactive: 25h
    close_inactive: 5m
    close_renamed: true
    start_position: beginning

processors:
  - drop_fields:
      fields: ["agent", "ecs", "host.architecture", "host.os.*", "input.type", "log.offset", "tags"]
  - include_fields:
      fields: ["@timestamp", "message", "application", "host.ip", "host.name", "log.file.path"]

output.elasticsearch:
  hosts: ["http://<elasticsearch_host>:9200"]
  index: "my_app-${+yyyy.MM.dd}"  # 按天分割的索引
初始化提交 2025-10-07 15:58:15 +08:00			`filebeat.inputs:`
			`- type: log`
			`enabled: true`
			`paths:`
			`- /root/logs/sys-info*.log`
			`- /root/logs/sys-error*.log`
			`- /root/logs/sys-user*.log`
			`fields:`
			`application: my_app # 自定义字段，标识应用名称`
			`fields_under_root: true`
			`multiline.pattern: '^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}' # 根据你的日志格式调整`
			`multiline.negate: true`
			`multiline.match: after`
			`ignore_older: 24h`
			`scan_frequency: 10s`
			`clean_inactive: 25h`
			`close_inactive: 5m`
			`close_renamed: true`
			`start_position: beginning`

			`processors:`
			`- drop_fields:`
			`fields: ["agent", "ecs", "host.architecture", "host.os.*", "input.type", "log.offset", "tags"]`
			`- include_fields:`
			`fields: ["@timestamp", "message", "application", "host.ip", "host.name", "log.file.path"]`

			`output.elasticsearch:`
			`hosts: ["http://<elasticsearch_host>:9200"]`
			`index: "my_app-${+yyyy.MM.dd}" # 按天分割的索引`