运维进阶训练营 -W06H
作者:赤色闪电
- 2022-12-03 北京
1、基于 logstash filter 功能将 nginx 默认的访问日志及 error log 转换为 json 格式并写入 elasticsearch
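# Pipeline 1: tail nginx's plain-text access.log and error.log, turn each line
# into structured fields with grok, and index the events into Elasticsearch.
input {
  file {
    path => "/apps/nginx/logs/access.log"
    type => "nginx-accesslog"
    stat_interval => "1"           # poll the file for new data every second
    start_position => "beginning"  # first run reads the whole file; sincedb tracks the offset afterwards
  }
  file {
    path => "/apps/nginx/logs/error.log"
    type => "nginx-errorlog"
    stat_interval => "1"
    start_position => "beginning"
  }
}

filter {
  if [type] == "nginx-accesslog" {
    grok {
      # nginx "combined" log format. A line that does not match is tagged
      # _grokparsefailure and keeps its raw message, so nothing is lost silently.
      match => { "message" => ["%{IPORHOST:clientip} - %{DATA:username} \[%{HTTPDATE:request-time}\] \"%{WORD:request-method} %{DATA:request-uri} HTTP/%{NUMBER:http_version}\" %{NUMBER:response_code} %{NUMBER:body_sent_bytes} \"%{DATA:referrer}\" \"%{DATA:useragent}\""] }
      remove_field => "message"    # grok only applies this after a successful match
      add_field => { "project" => "magedu" }
    }
    mutate {
      # Store numeric fields as numbers so Elasticsearch maps them as such
      # and Kibana can filter/aggregate on them.
      convert => {
        "response_code" => "integer"
        "body_sent_bytes" => "integer"
      }
    }
  }
  if [type] == "nginx-errorlog" {
    grok {
      # %{IP} accepts IPv4 and IPv6 clients. The error text is captured back
      # into "message"; overwrite replaces the raw line with it. Without
      # overwrite grok appends to the existing field (turning it into an
      # array), and a remove_field on "message" would then discard the error
      # text together with the raw line.
      match => { "message" => ["(?<timestamp>%{YEAR}[./]%{MONTHNUM}[./]%{MONTHDAY} %{TIME}) \[%{LOGLEVEL:loglevel}\] %{POSINT:pid}#%{NUMBER:threadid}\: \*%{NUMBER:connectionid} %{GREEDYDATA:message}, client: %{IP:clientip}, server: %{GREEDYDATA:server}, request: \"(?:%{WORD:request-method} %{NOTSPACE:request-uri}(?: HTTP/%{NUMBER:httpversion}))\", host: %{GREEDYDATA:domainname}"] }
      overwrite => ["message"]
    }
  }
}

output {
  # Credentials come from the Logstash keystore (bin/logstash-keystore add ES_PASSWORD)
  # or the environment instead of being written into this file in clear text;
  # Logstash refuses to start if the variable is unset. For a cluster with TLS
  # enabled add ssl => true and cacert => "<ca.pem>" to each output.
  if [type] == "nginx-accesslog" {
    elasticsearch {
      hosts => ["172.31.2.101:9200"]
      index => "magedu-nginx-accesslog-%{+yyyy.MM.dd}"
      user => "magedu"
      password => "${ES_PASSWORD}"
    }
  }
  if [type] == "nginx-errorlog" {
    elasticsearch {
      hosts => ["172.31.2.101:9200"]
      index => "magedu-nginx-errorlog-%{+yyyy.MM.dd}"
      user => "magedu"
      password => "${ES_PASSWORD}"
    }
  }
}

# Second pipeline file (pasted directly after the first in the original, and
# identical to section 2): tail an nginx access log that is already written as
# JSON and index it without grok.
input {
  file {
    path => "/var/log/nginx/access.log"
    start_position => "end"      # only new lines; existing history is skipped
    type => "nginx-json-accesslog"
    stat_interval => "1"
    # NOTE: the nginx log_format must use escape=json; otherwise a quote or
    # backslash in a client-supplied value (URI, User-Agent, Referer) yields an
    # invalid line, which the codec keeps as raw "message" tagged
    # _jsonparsefailure instead of parsing.
    codec => json
  }
}

output {
  if [type] == "nginx-json-accesslog" {
    elasticsearch {
      hosts => ["172.31.2.101:9200"]
      index => "nginx-accesslog-2.107-%{+YYYY.MM.dd}"
      user => "magedu"
      password => "${ES_PASSWORD}"   # keystore/environment, never a literal in the file
    }
  }
}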
2、基于 logstash 收集 json 格式的 nginx 访问日志
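# Collect an nginx access log that nginx already writes as one JSON object per
# line; the json codec turns each line into event fields, so no grok is needed.
input {
  file {
    path => "/var/log/nginx/access.log"
    start_position => "end"      # only new lines; existing history is skipped
    type => "nginx-json-accesslog"
    stat_interval => "1"
    # NOTE: the nginx log_format must use escape=json; otherwise a quote or
    # backslash in a client-supplied value (URI, User-Agent, Referer) yields an
    # invalid line, which the codec keeps as raw "message" tagged
    # _jsonparsefailure instead of parsing.
    codec => json
  }
}

output {
  if [type] == "nginx-json-accesslog" {
    elasticsearch {
      hosts => ["172.31.2.101:9200"]
      index => "nginx-accesslog-2.107-%{+YYYY.MM.dd}"
      user => "magedu"
      # Read from the Logstash keystore (bin/logstash-keystore add ES_PASSWORD)
      # or the environment; a clear-text literal here ends up in every copy
      # and backup of the config. Add ssl => true / cacert for a TLS cluster.
      password => "${ES_PASSWORD}"
    }
  }
}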
3、基于 logstash 收集 java 日志并实现多行合并
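# Collect an Elasticsearch (Java) server log and merge multi-line stack traces
# into the log line they belong to before indexing.
input {
  file {
    path => "/data/eslogs/magedu-es-cluster1.log"
    type => "eslog"
    stat_interval => "1"
    start_position => "beginning"
    codec => multiline {
      # A new event starts with "[YYYY-MM-DD"; every line that does NOT match
      # (negate) is appended to the previous event, which glues a stack trace
      # to the log line above it.
      #pattern => "^\["
      pattern => "^\[[0-9]{4}\-[0-9]{2}\-[0-9]{2}"
      negate => "true"
      what => "previous"
      # Emit a pending event after 5s of silence; otherwise the last event in
      # the file is held back until the next log line arrives.
      auto_flush_interval => 5
    }
  }
}

output {
  if [type] == "eslog" {
    elasticsearch {
      hosts => ["172.31.2.102:9200"]
      # xxxx is the ISO week-year, the correct companion of ww; YYYY.ww
      # mislabels the days around New Year that fall in the neighbouring
      # year's week 1 / week 52.
      index => "magedu-eslog-%{+xxxx.ww}"
      user => "magedu"
      password => "${ES_PASSWORD}"   # from the Logstash keystore or environment, not a literal
    }
  }
}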
4、基于 logstash 收集 syslog 类型日志 (以 haproxy 替代网络设备)
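# Receive syslog (haproxy standing in for a network device) and index it into
# a weekly Elasticsearch index.
input {
  syslog {
    type => "rsyslog-haproxy"
    # Listens on every interface on 514/tcp and 514/udp. 514 is a privileged
    # port, so Logstash must run as root or hold CAP_NET_BIND_SERVICE. Syslog
    # carries no authentication: any host that can reach the port can inject
    # events, so restrict it with a firewall (or set host => "<ip>") to the
    # senders you expect.
    port => "514"
  }
}

output {
  if [type] == "rsyslog-haproxy" {
    elasticsearch {
      hosts => ["172.31.2.102:9200"]
      # xxxx is the ISO week-year, the correct companion of ww; YYYY.ww
      # mislabels the days around New Year that fall in the neighbouring
      # year's week 1 / week 52.
      index => "magedu-rsyslog-haproxy-%{+xxxx.ww}"
      user => "magedu"
      password => "${ES_PASSWORD}"   # from the Logstash keystore or environment, not a literal
    }
  }
}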
5、logstash 收集日志并写入 Redis、再通过其它 logstash 消费至 elasticsearch 并保持 json 格式日志的解析(下面仅给出写入 Redis 一侧的 logstash 配置;从 Redis 消费并写入 elasticsearch 的那一份配置未在本文列出)
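# Shipper side: read nginx's JSON access log and plain error log, parse the
# error log with grok, and push both into Redis lists. A second Logstash
# (redis input) drains the lists into Elasticsearch; the redis output's
# default codec is json, so the fields parsed here survive the hop.
input {
  file {
    path => "/var/log/nginx/access.log"
    type => "magedu-nginx-accesslog"
    start_position => "beginning"
    stat_interval => "1"
    # The access log is already JSON; parse it on read. nginx must write it
    # with log_format ... escape=json, or client-supplied quotes/backslashes
    # break the line (kept raw and tagged _jsonparsefailure).
    codec => "json"
  }
  file {
    path => "/apps/nginx/logs/error.log"
    type => "magedu-nginx-errorlog"
    start_position => "beginning"
    stat_interval => "1"
  }
}

filter {
  if [type] == "magedu-nginx-errorlog" {
    grok {
      # %{IP} accepts IPv4 and IPv6 clients. The error text is captured back
      # into "message"; overwrite replaces the raw line with it. Without
      # overwrite grok appends to the existing field (turning it into an
      # array), and a remove_field on "message" would then discard the error
      # text together with the raw line.
      match => { "message" => ["(?<timestamp>%{YEAR}[./]%{MONTHNUM}[./]%{MONTHDAY} %{TIME}) \[%{LOGLEVEL:loglevel}\] %{POSINT:pid}#%{NUMBER:threadid}\: \*%{NUMBER:connectionid} %{GREEDYDATA:message}, client: %{IP:clientip}, server: %{GREEDYDATA:server}, request: \"(?:%{WORD:request-method} %{NOTSPACE:request-uri}(?: HTTP/%{NUMBER:httpversion}))\", host: %{GREEDYDATA:domainname}"] }
      overwrite => ["message"]
    }
  }
}

output {
  # The Redis password comes from the Logstash keystore
  # (bin/logstash-keystore add REDIS_PASSWORD) or the environment, not a
  # literal in this file. AUTH and the list payloads travel in clear text
  # unless Redis sits on a private network or behind TLS.
  if [type] == "magedu-nginx-accesslog" {
    redis {
      data_type => "list"
      key => "magedu-nginx-accesslog"
      host => "172.31.2.105"
      port => "6379"
      db => "0"
      password => "${REDIS_PASSWORD}"
    }
  }
  if [type] == "magedu-nginx-errorlog" {
    redis {
      data_type => "list"
      key => "magedu-nginx-errorlog"
      host => "172.31.2.105"
      port => "6379"
      db => "0"
      password => "${REDIS_PASSWORD}"
    }
  }
}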
6、基于 docker-compose 部署单机版本 ELK
基于docker-compose部署ELK:
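# Single-node ELK with docker-compose (run as root or a user in the docker group).
git clone https://gitee.com/jiege-gitee/elk-docker-compose.git
# The clone creates "elk-docker-compose" (the original wrote "docker-elk-compose").
cd elk-docker-compose
# Third-party compose project: review docker-compose.yml and the image tags it
# pulls before starting anything, and pin them to known versions.
docker-compose up -d elasticsearch   # start only the elasticsearch container first
# Set the built-in users' passwords interactively (the original used magedu123);
# choose a strong one — it is the credential Kibana and Logstash will use.
docker exec -it elasticsearch /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
# Put the account/password Kibana uses to reach Elasticsearch into kibana.yml.
vim kibana/config/kibana.yml
# Put the account/password Logstash uses to reach Elasticsearch into
# logstash.conf and adjust its input/output rules in the same file. Keep these
# files out of version control, or reference the secrets via the keystore /
# environment rather than as literals.
vim logstash/config/logstash.conf
# Start the remaining services.
docker-compose up -d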
版权声明: 本文为 InfoQ 作者【赤色闪电】的原创文章。
原文链接:【http://xie.infoq.cn/article/fa6f2859b777d96f9f16d2716】。未经作者许可,禁止转载。