Logstash 日志收集(补)
安装 Tomcat
# 安装 jdk
[root@web01 ~]# rpm -ivh jdk-8u181-linux-x64.rpm
# 下载
[root@web01 ~]# wget https://archive.apache.org/dist/tomcat/tomcat-10/v10.0.0-M7/bin/apache-tomcat-10.0.0-M7.tar.gz
# 解压
[root@web01 ~]# tar xf apache-tomcat-10.0.0-M7.tar.gz -C /usr/local/
# 做软连接
[root@web01 ~]# ln -s /usr/local/apache-tomcat-10.0.0-M7 /usr/local/tomcat
# 启动 Tomcat
[root@web01 ~]# /usr/local/tomcat/bin/startup.sh
# 6.访问页面 10.0.0.7:8080收集 Tomcat 访问日志(Access-log)
Tomcat 访问日志(Access-log)的格式在 server.xml 中可以直接修改,先修改访问格式的日志试试水 ~ ~ ~
# 把原来的日志格式注释,添加我们的格式
[root@web01 ~]# vim /usr/local/tomcat/conf/server.xml
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".log"
pattern="{"clientip":"%h","ClientUser":"%l","authenticated":"%u","AccessTime":"%t","method":"%r","status":"%s","SendBytes":"%b","Query?string":"%q","partner":"%{Referer}i","AgentVersion":"%{User-Agent}i"}"/>
# 重启 tomcat
[root@web01 ~]# /usr/local/tomcat/bin/shutdown.sh
[root@web01 ~]# /usr/local/tomcat/bin/startup.sh
# 配置收集新的 tomcat 日志
[root@web01 ~]# vim /etc/logstash/conf.d/tomcat_json_es.conf
input {
file {
path => "/usr/local/tomcat/logs/localhost_access_log.*.log"
start_position => "beginning"
}
}
output {
elasticsearch {
hosts => ["10.0.0.121:9200"]
index => "tomcat_json_%{+YYYY-MM-dd}"
}
}收集 Tomcat 服务运行日志(Catalina-log)
一般我们会收集 Tomcat 服务运行日志(Catalina-log),当遇到报错时,一条报错会被分割成很多条数据,不方便查看,解决方法:
①. — 修改 Tomcat 的 Catalina 日志格式为 Json
— 1)开发修改输出日志为 Json
— 2)修改 Tomcat 配置,日志格式为 Json
②. — 使用 Logstash 的 input 插件下的 mutiline 模块
下面使用第二种方法,即 mutiline 模块实现服务运行日志的切分
Mutiline 模块初识
# 使用 mutiline 模块
[root@web01 ~]# vim /etc/logstash/conf.d/test_mutiline.conf
input {
stdin {
codec => multiline {
# 匹配以 `[` 开头
pattern => "^\["
# 匹配到
negate => true
# 向上合并,向下合并是 next
what => "previous"
}
}
}
output {
stdout {
codec => "json"
}
}
# 测试,输入内容不会直接输出,当遇到以 [ 开头才会收集以上的日志
[root@web01 ~]# logstash -f /etc/logstash/conf.d/test_mutiline.conf
......
...
]
A
B
C
D
[
{"tags":["multiline"],"host":"web01","@timestamp":"2020-08-14T02:30:33.906Z","message":"[\n]\nA\nB\nC\nD","@version":"1"}
a
b
c
d
e
f
g
[
{"tags":["multiline"],"host":"web01","@timestamp":"2020-08-14T02:28:58.590Z","message":"[\na\nb\nc\nd\ne\nf\ng","@version":"1"}收集 Tomcat 错误日志(Catalina-log)
# 收集 catalina 错误日志
[root@web01 conf.d]# vim /etc/logstash/conf.d/catalina_out.conf
input {
file {
path => "/usr/local/tomcat/logs/catalina.*.log"
start_position => "beginning"
codec => multiline {
pattern => "^\["
negate => true
what => "previous"
}
}
}
output {
elasticsearch {
hosts => ["10.0.0.121:9200"]
index => "catalina_%{+YYYY-MM-dd}"
codec => "json"
}
}追加 Tomcat 错误日志(Catalina-log)
# 测试,手动添加一些错误的日志,到 Catlina 日志中
[root@web01 ~]# cat tomcat_error.log >> /usr/local/tomcat/logs/catalina.2020-08-14.log
安装 Nginx
[root@web01 ~]# yum install -y nginx收集 Nginx 访问日志(Access-log)
# 配置 nginx 访问日志格式
[root@web01 ~]# vim /etc/nginx/nginx.conf
... ...
http {
log_format json '{"@timestamp":"$time_iso8601",'
'"host":"$server_addr",'
'"clientip":"$remote_addr",'
'"size":$body_bytes_sent,'
'"responsetime":$request_time,'
'"upstreamtime":"$upstream_response_time",'
'"upstreamhost":"$upstream_addr",'
'"http_host":"$host",'
'"url":"$uri",'
'"referer":"$http_referer",'
'"agent":"$http_user_agent",'
'"status":"$status"}';
access_log /var/log/nginx/access.log json;
... ...
# 配置收集访问日志
[root@web01 ~]# vim /etc/logstash/conf.d/nginx_json.conf
input {
file {
path => "/var/log/nginx/access.log"
start_position => "beginning"
}
}
output {
elasticsearch {
hosts => ["10.0.0.121:9200"]
index => "nginx_json_%{+YYYY-MM-dd}"
}
}收集 Nginx 错务日志(Error-log)
Nginx 中的错误日志不会像 Tomcat 中的错误日志一样分成很多行,只需要正常的配置,按行切分
拆分 message 字段
[root@web01 ~]# vim /etc/logstash/conf.d/tomcat_json_es.conf
input {
file {
path => "/usr/local/tomcat/logs/localhost_access_log.*.log"
start_position => "beginning"
}
}
# 把收集到的数据进行处理
filter {
json {
# 将 message 字段中的键值对,拆分成为索引文档中的字段
source => "message"
}
}
output {
elasticsearch {
hosts => ["10.0.0.121:9200"]
index => "tomcat_json_%{+YYYY-MM-dd}"
}
}移除 message 字段
因为将 Message 字段拆分到文档字段后,就不需要 Message 字段数据了,所以需要将 Message 字段移除:
# message 数据已经拆分,数据还在,去掉 message 数据
filter {
json {
source => "message"
remove_field => ["message"]
}
}
# 最方便的方法,只需要一行 codec => "json"
# file 中的日志格式一定要是 Json 格式
[root@web01 ~]# vim /etc/logstash/conf.d/nginx_json.conf
input {
file {
path => "/var/log/nginx/access.log"
start_position => "beginning"
codec => "json"
}
}
output {
elasticsearch {
hosts => ["10.0.0.121:9200"]
index => "nginx_json_%{+YYYY-MM-dd}"
}
}编辑 Logstash 配置文件
# 收集 catalina 服务启动(及报错)日志
[root@web01 conf.d]# cat catalina_out.conf
input {
file {
path => "/usr/local/tomcat/logs/catalina.*.log"
start_position => "beginning"
codec => multiline {
pattern => "^\["
negate => true
what => "previous"
}
}
}
output {
elasticsearch {
hosts => ["10.0.0.121:9200"]
index => "catalina_%{+YYYY-MM-dd}"
codec => "json"
}
}
# 收集 nginx 、tomcat 访问日志
[root@web01 conf.d]# cat nginx_tomcat.conf
input {
file {
type => "nginx_log"
path => "/var/log/nginx/access.log"
start_position => "beginning"
codec => "json"
}
file {
type => "tomcat_log"
path => "/usr/local/tomcat/logs/localhost_access_log.*.log"
start_position => "beginning"
codec => "json"
}
}
output {
elasticsearch {
hosts => ["10.0.0.121:9200"]
index => "%{type}_%{+YYYY-MM-dd}"
}
}启动 Logstash 多实例
[root@web01 conf.d]# logstash -f /etc/logstash/conf.d/nginx_tomcat.conf &
[root@web01 conf.d]# logstash -f /etc/logstash/conf.d/catalina_out.conf --path.data=/data/logstash/catalina/ &安装 Redis(略)
配置输出数据到 Redis
[root@web01 ~]# vim /etc/logstash/conf.d/nginx_to_redis.conf
input {
file {
path => "/var/log/nginx/access.log"
start_position => "beginning"
codec => "json"
}
}
output {
redis {
host => "172.16.1.121"
port => "6379"
data_type => "list"
db => "0"
key => "nginx_log"
}
}手机扫一扫
移动阅读更方便
你可能感兴趣的文章