logstash是java应用,依赖JDK,首先需要安装JDK,在安装jdk过程中,logstash-2.3.4使用JDK-1.7版本有bug,使用JDK-1.8版本正常,因此我们安装JDK-1.8版本。

安装JDK

官网地址:http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html

# rpm -ivh jdk-8u101-linux-x64.rpm

# echo "export JAVA_HOME=/usr/java/latest" >> /etc/profile

# echo "export PATH=$PATH:$JAVA_HOME/bin" >> /etc/profile

# source /etc/profile

# java -version

java version "1.8.0_101"

Java(TM) SE Runtime Environment (build 1.8.0_101-b13)

Java HotSpot(TM) -Bit Server VM (build 25.101-b13, mixed mode)

安装logstash

官网地址:https://www.elastic.co/products/logstash

# tar xf logstash-2.3..tar.gz -C /usr/local/app/

# ln -sv /usr/local/app/logstash-2.3. /usr/local/logstash

# cd /usr/local/logstash
# mkdir patterns
NGUSERNAME [a-zA-Z\.\@\-\+_%]+

NGUSER %{NGUSERNAME}

NGINXACCESS %{IPORHOST:server_name} %{IPORHOST:server_ip} %{IPORHOST:client_ip} %{NUMBER:client_port} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response}  (?:%{NUMBER:body_bytes_sent}|-) (?:"(?:%{URI:referrer}|-)"|%{QS:referrer}) %{QS:agent} %{NUMBER:request_time} (?:%{NUMBER:upstream_response_time}|-)

patterns/nginx

SYSLOGBASE2 (?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:

SYSLOGPAMSESSION %{SYSLOGBASE} (?=%{GREEDYDATA:message})%{WORD:pam_module}\(%{DATA:pam_caller}\): session %{WORD:pam_session_state} for user %{USERNAME:username}(?: by %{GREEDYDATA:pam_by})?

CRON_ACTION [A-Z ]+

CRONLOG %{SYSLOGBASE} \(%{USER:user}\) %{CRON_ACTION:action} \(%{DATA:message}\)

SYSLOGLINE %{SYSLOGBASE2} %{GREEDYDATA:message}

# IETF  syslog() format (see http://www.rfc-editor.org/info/rfc5424)

SYSLOG5424PRI <%{NONNEGINT:syslog5424_pri}>

SYSLOG5424SD \[%{DATA}\]+

SYSLOG5424BASE %{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{HOSTNAME:syslog5424_host}|-) +(?:%{WORD:syslog5424_app}|-) +(?:%{WORD:syslog5424_proc}|-) +(?:%{WORD:syslog5424_msgid}|-) +(?:%{SYSLOG5424SD:syslog5424_sd}|-|)

SYSLOG5424LINE %{SYSLOG5424BASE} +%{GREEDYDATA:syslog5424_msg}

patterns/syslog

编写配置文件

配置文件编写是一个难点,这里有一些示例供参考:https://github.com/logstash-plugins/logstash-patterns-core/tree/master/patterns

input {

  beats {

    port =>

    host => "10.80.2.181"

  }

}

filter {

  if [type] == "51-nginxaccesslog" {

  grok {

    patterns_dir => ["./patterns"]

    match => { "message" => "%{IPORHOST:server_name} %{IPORHOST:server_ip} %{IPORHOST:clientip} %{NUMBER:clientport} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:status} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent} %{NUMBER:request_time:float} (?:%{NUMBER:upstream_time:float}|-)" }

    remove_field => ["message"]

  }

    date {

      match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z"]

    }

  } else if [type] == "51-nginxerrorlog" {

  grok {

    patterns_dir => ["./patterns"]

    match => { "message" => "%{DATESTAMP} %{SYSLOG5424SD:nginx_error_level} %{GREEDYDATA:nginx_error_msg}"}

    remove_field => ["message"]

  }

    date {

      match => [ "timestamp", "YYYY/MMM/dd HH:mm:ss"]

    }

  } else if [type] == "51-phperrorlog" {

  grok {

    patterns_dir => ["./patterns"]

    match => { "message" => "%{SYSLOG5424SD} (?:%{DATA:php_error_level}\:) %{GREEDYDATA:error_msg}" }

    remove_field => ["message"]

  }

    date {

      match => [ "timestamp", "dd-MMM-YYYY HH:mm:ss Z"]

    }

  }

}

output {

  if "_grokparsefailure" in [tags] {

    file { path => "/var/log/logstash/grokparsefailure-%{[type]}-%{+YYYY.MM.dd}.log" }

  }

  elasticsearch {

    hosts => ["10.80.2.83:9200","10.80.2.84:9200"]

    sniffing => true

    manage_template => false

    template_overwrite => true

    index => "%{[type]}-%{+YYYY.MM.dd}"

    document_type => "%{[type]}"

  }

}

conf.d/logstash.conf

编写启动脚本

#!/bin/sh

# Init script for logstash

# Maintained by Elasticsearch

# Generated by pleaserun.

# Implemented based on LSB Core 3.1:

#   * Sections: 20.2, 20.3

#

### BEGIN INIT INFO

# Provides:          logstash

# Required-Start:    $remote_fs $syslog

# Required-Stop:     $remote_fs $syslog

# Default-Start:

# Default-Stop:

# Short-Description:

# Description:        Starts Logstash as a daemon.

### END INIT INFO

PATH=/sbin:/usr/sbin:/bin:/usr/bin

export PATH

if [ `id -u` -ne  ]; then

   echo "You need root privileges to run this script"

   exit

fi

name=logstash

pidfile="/usr/local/logstash/$name.pid"

LS_USER=nobody

LS_GROUP=nobody

LS_HOME=/usr/local/logstash

#LS_HOME=/home/logstash

LS_HEAP_SIZE="12g"

LS_LOG_DIR=/data/logstash/log

LS_LOG_FILE="${LS_LOG_DIR}/$name.log"

LS_CONF_DIR=/usr/local/logstash/conf.d

LS_OPEN_FILES=

LS_NICE=-

LS_THREADS=

KILL_ON_STOP_TIMEOUT=${KILL_ON_STOP_TIMEOUT-} #default value is zero to this variable but could be updated by user request

LS_OPTS=""

[ -r /etc/default/$name ] && . /etc/default/$name

[ -r /etc/sysconfig/$name ] && . /etc/sysconfig/$name

program=/usr/local/logstash/bin/logstash

args="agent -f ${LS_CONF_DIR} -w ${LS_THREADS} -l ${LS_LOG_FILE} ${LS_OPTS}"

quiet() {

  "$@" > /dev/null >&

  return $?

}

start() {

  LS_JAVA_OPTS="${LS_JAVA_OPTS} -Djava.io.tmpdir=${LS_HOME}"

  HOME=${LS_HOME}

  export PATH HOME LS_HEAP_SIZE LS_JAVA_OPTS LS_USE_GC_LOGGING LS_GC_LOG_FILE

  # chown doesn't grab the suplimental groups when setting the user:group - so we have to do it for it.

  # Boy, I hope we're root here.

  SGROUPS=$(id -Gn "$LS_USER" | tr " " "," | sed 's/,$//'; echo '')

  if [ ! -z $SGROUPS ]

  then

    EXTRA_GROUPS="--groups $SGROUPS"

  fi

  # set ulimit as (root, presumably) first, before we drop privileges

  ulimit -n ${LS_OPEN_FILES}

  # Run the program!

  nice -n ${LS_NICE} chroot --userspec $LS_USER:$LS_GROUP $EXTRA_GROUPS / sh -c "

    cd $LS_HOME

    ulimit -n ${LS_OPEN_FILES}

    exec \"$program\" $args

  " > "${LS_LOG_DIR}/$name.stdout" 2> "${LS_LOG_DIR}/$name.err" &

  # Generate the pidfile from here. If we instead made the forked process

  # generate it there will be a race condition between the pidfile writing

  # and a process possibly asking for status.

  echo $! > $pidfile

  echo "$name started."

  return

}

stop() {

  # Try a few times to kill TERM the program

  if status ; then

    pid=`cat "$pidfile"`

    echo "Killing $name (pid $pid) with SIGTERM"

    kill -TERM $pid

    # Wait for it to exit.

    for i in          ; do

      echo "Waiting $name (pid $pid) to die..."

      status || break

      sleep

    done

    if status ; then

      if [ $KILL_ON_STOP_TIMEOUT -eq  ] ; then

        echo "Timeout reached. Killing $name (pid $pid) with SIGKILL. This may result in data loss."

        kill -KILL $pid

        echo "$name killed with SIGKILL."

      else

        echo "$name stop failed; still running."

        return  # stop timed out and not forced

      fi

    else

      echo "$name stopped."

    fi

  fi

}

status() {

  if [ -f "$pidfile" ] ; then

    pid=`cat "$pidfile"`

    if kill - $pid > /dev/null > /dev/null ; then

      # process by this pid is running.

      # It may not be our pid, but that's what you get with just pidfiles.

      # TODO(sissel): Check if this process seems to be the same as the one we

      # expect. It'd be nice to use flock here, but flock uses fork, not exec,

      # so it makes it quite awkward to use in this case.

      return

    else

      return  # program is dead but pid file exists

    fi

  else

    return  # program is not running

  fi

}

reload() {

  if status ; then

    kill -HUP `cat "$pidfile"`

  fi

}

force_stop() {

  if status ; then

    stop

    status && kill -KILL `cat "$pidfile"`

  fi

}

configtest() {

  # Check if a config file exists

  if [ ! "$(ls -A ${LS_CONF_DIR}/* 2> /dev/null)" ]; then

    echo "There aren't any configuration files in ${LS_CONF_DIR}"

    return

  fi

  HOME=${LS_HOME}

  export PATH HOME

  test_args="--configtest -f ${LS_CONF_DIR} ${LS_OPTS}"

  $program ${test_args}

  [ $? -eq  ] && return

  # Program not configured

  return

}

case "$1" in

  start)

    status

    code=$?

    if [ $code -eq  ]; then

      echo "$name is already running"

    else

      start

      code=$?

    fi

    exit $code

    ;;

  stop) stop ;;

  force-stop) force_stop ;;

  status)

    status

    code=$?

    if [ $code -eq  ] ; then

      echo "$name is running"

    else

      echo "$name is not running"

    fi

    exit $code

    ;;

  reload) reload ;;

  restart)

    quiet configtest

    RET=$?

    if [ ${RET} -ne  ]; then

      echo "Configuration error. Not restarting. Re-run with configtest parameter for details"

      exit ${RET}

    fi

    stop && start

    ;;

  configtest)

    configtest

    exit $?

    ;;

  *)

    echo "Usage: $SCRIPTNAME {start|stop|force-stop|status|reload|restart|configtest}" >&

    exit

  ;;

esac

exit $?

/etc/init.d/logstash

# chomd +x /etc/init.d/logstash

# chown –R nobody.nobody /usr/local/logstash

# chkconfig --add logstash

日志分析 第五章 安装logstash的更多相关文章

  1. 日志分析 第六章 安装elasticsearch

    在这里,以两台es集群为例. es集群健康状况有三种状态,这里我们搭建的es集群,只要两台不同时挂掉,数据不会丢失. green 所有主要分片和复制分片都可用 yellow 所有主要分片可用,但不是所 ...

  2. 日志分析 第四章 安装filebeat

    在进行前面准备之后可以开始安装了,我们的安装顺序是filebeat--->logstash--->elasticsearch filebeat安装很简单,先下载filebeat,这里我们使 ...

  3. 日志分析 第七章 安装grafana

    grafana依赖mysql存储数据,首先需要安装mysql 安装mysql 解压 # groupadd mysql # useradd -s /sbin/nologin -g mysql mysql ...

  4. 可视化日志分析工具Gltail的安装与使用

    可视化日志分析工具Gltail的安装与使用      GlTail.rb 是一款带有浓郁的 Geek 风格的可视化日志分析工具,它采用 Ruby 技术构建,并利用 OpenGL 图形技术进行渲染,呈现 ...

  5. 日志分析工具--GoAccess的安装部署

    需求:及时得到线上用户访问日志分析统计结果,以便给开发.测试.运维.运营人员提供决策! 方案:GoAccess,图文并茂,而且速度快,每秒8W 的日志记录解析速度,websocket10秒刷新统计数据 ...

  6. Linux内核分析——第五章 系统调用

    第五章 系统调用 5.1 与内核通信 1.系统调用在用户空间进程和硬件设备之间添加了一个中间层,该层主要作用有三个: (1)为用户空间提供了一种硬件的抽象接口 (2)系统调用保证了系统的稳定和安全 ( ...

  7. Linux内核分析第五章读书笔记

    第五章 系统调用 在操作系统中,内核提供了用户进程与内核进行交互的一组接口,这些接口在应用程序和内核之间扮演了使者的角色,保证系统稳定可靠,避免应用程序肆意妄行. 5.1 与内核通信 系统调用在用户空 ...

  8. Elasticsearch、Logstash、Kibana搭建统一日志分析平台

    // // ELKstack是Elasticsearch.Logstash.Kibana三个开源软件的组合.目前都在Elastic.co公司名下.ELK是一套常用的开源日志监控和分析系统,包括一个分布 ...

  9. 日志分析 第一章 ELK介绍

    1 ELK各组件介绍? ELK Stack是elasticsearch.logstash.kibana是三个开源软件的组合, fielbeat是一个轻量级日志收集工具,类似于Linux系统中tail ...

随机推荐

  1. Ubuntu's Trash

    1.Location    Where is Trash?    /home/userName/.local/share/Trash2.Under Trash    Three files:      ...

  2. Beta版本冲刺———第四天

    会议照片: 项目燃尽图: 1.项目进展: 今天解决的进度:新增加了一个撤销按钮,实现对上一步操作的撤销. 仍在进行对排行榜分数变更的实现. 2.每个人每天做的事情 郭怡锋:汇总工作进度,对此总结,进行 ...

  3. 路由知识之ip route 命令中的疑惑

    1.基础知识 1.1 路由 (Routing) 1.1.1 路由策略 (使用 ip rule 命令操作路由策略数据库) 基于策略的路由比传统路由在功能上更强大,使用更灵活,它使网络管理员不仅能够根据目 ...

  4. [转]servlet中的service, doGet, doPost方法的区别和联系

    原文地址:http://m.blog.csdn.net/blog/ghyg525/22928567 大家都知道在javax.servlet.Servlet接口中只有init, service, des ...

  5. JS搞基指南----延迟对象入门提高资料整理

    JavaScript的Deferred是比较高大上的东西,  主要的应用还是主ajax的应用,  因为JS和nodeJS这几年的普及,  前端的代码越来越多,  各种回调套回调再套回调实在太让人崩溃, ...

  6. Echarts-画叠加柱状图,双折线图

    导入echarts包 <script src='../scripts/libraries/echarts/echarts-all.js'></script> js如下 load ...

  7. Jquery-获取iframe中的dom对象

    父窗口中操作iframe: $(window.frames["iframeChild"].document) //假如iframe的id为iframeChild 在子窗口中操作父窗 ...

  8. WakeLock, AlarmManager, JobScheduler

    应用程序耗电的实质,是所启用的硬件在消耗电量. 手机的耗电单元 CPU: 应用处理器(AP)和基带处理器(BB或BP) GPU(图形处理单元) 外设:wifi,BT, GPS,LCD等 AP是ARM架 ...

  9. Yii2美化confirm

    在view中, <?= Html::a('删除', ['post/delete', 'id' => $post['id']],['data-confirm'=>'确定要删除吗?']) ...

  10. 自定义UITabBar的两种方式

    开发中,经常会遇到各种各样的奇葩设计要求,因为apple提供的UITabBar样式单一,只是简单的"图片+文字"样式,高度49又不可以改变.自定义UITabBar成为了唯一的出路. ...