logstash是java应用,依赖JDK,首先需要安装JDK,在安装jdk过程中,logstash-2.3.4使用JDK-1.7版本有bug,使用JDK-1.8版本正常,因此我们安装JDK-1.8版本。

安装JDK

官网地址:http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html

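# rpm -ivh jdk-8u101-linux-x64.rpm
# echo 'export JAVA_HOME=/usr/java/latest' >> /etc/profile
## single quotes matter on the next line: with the double quotes the page had, $PATH and $JAVA_HOME are
## expanded by the *current* shell (where JAVA_HOME is not set yet), so /etc/profile received a frozen
## PATH that never contained $JAVA_HOME/bin.  Single quotes write the variable references verbatim.
# echo 'export PATH=$PATH:$JAVA_HOME/bin' >> /etc/profile
# source /etc/profile
# java -version
java version "1.8.0_101"
Java(TM) SE Runtime Environment (build 1.8.0_101-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.101-b13, mixed mode)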

安装logstash

官网地址:https://www.elastic.co/products/logstash

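## verify the downloaded tarball against the checksum Elastic publishes for it before unpacking;
## the page skips this step.  The version is 2.3.4 (the digits were lost when the page was captured).
# tar xf logstash-2.3.4.tar.gz -C /usr/local/app/
# ln -sv /usr/local/app/logstash-2.3.4 /usr/local/logstash
# cd /usr/local/logstash
# mkdir patterns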
# Custom grok patterns for the nginx access log (loaded through patterns_dir).
# Field order follows a custom nginx log_format: server_name server_ip client_ip
# client_port [time_local] "verb request HTTP/version" status bytes "referrer"
# "agent" request_time upstream_response_time.
# NOTE(review): conf.d/logstash.conf on this page inlines its own access-log
# pattern and never references NGINXACCESS, so edits here have no effect until
# the filter's match is changed to "%{NGINXACCESS}".
NGUSERNAME [a-zA-Z\.\@\-\+_%]+
NGUSER %{NGUSERNAME}
NGINXACCESS %{IPORHOST:server_name} %{IPORHOST:server_ip} %{IPORHOST:client_ip} %{NUMBER:client_port} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response} (?:%{NUMBER:body_bytes_sent}|-) (?:"(?:%{URI:referrer}|-)"|%{QS:referrer}) %{QS:agent} %{NUMBER:request_time} (?:%{NUMBER:upstream_response_time}|-)

patterns/nginx

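# Syslog patterns (the linux-syslog set from logstash-patterns-core, see the
# link under "编写配置文件").  The names they depend on (SYSLOGBASE, SYSLOGFACILITY,
# SYSLOGHOST, SYSLOGPROG, NONNEGINT, ...) come from the bundled core patterns.
# NOTE(review): a grok patterns file needs exactly one "NAME regex" per line.
# In the captured page CRON_ACTION, SYSLOGLINE and SYSLOG5424LINE had been
# folded onto the end of the previous definition, which would make
# "CRON_ACTION [A-Z ]+" part of the SYSLOGPAMSESSION regex and leave CRONLOG
# referencing an undefined pattern.
SYSLOGBASE2 (?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:
SYSLOGPAMSESSION %{SYSLOGBASE} (?=%{GREEDYDATA:message})%{WORD:pam_module}\(%{DATA:pam_caller}\): session %{WORD:pam_session_state} for user %{USERNAME:username}(?: by %{GREEDYDATA:pam_by})?

CRON_ACTION [A-Z ]+
CRONLOG %{SYSLOGBASE} \(%{USER:user}\) %{CRON_ACTION:action} \(%{DATA:message}\)

SYSLOGLINE %{SYSLOGBASE2} %{GREEDYDATA:message}

# IETF RFC 5424 syslog format (see http://www.rfc-editor.org/info/rfc5424)
SYSLOG5424PRI <%{NONNEGINT:syslog5424_pri}>
SYSLOG5424SD \[%{DATA}\]+
SYSLOG5424BASE %{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{HOSTNAME:syslog5424_host}|-) +(?:%{WORD:syslog5424_app}|-) +(?:%{WORD:syslog5424_proc}|-) +(?:%{WORD:syslog5424_msgid}|-) +(?:%{SYSLOG5424SD:syslog5424_sd}|-|)

SYSLOG5424LINE %{SYSLOG5424BASE} +%{GREEDYDATA:syslog5424_msg}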

patterns/syslog

编写配置文件

配置文件编写是一个难点,这里有一些示例供参考:https://github.com/logstash-plugins/logstash-patterns-core/tree/master/patterns

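input {
  beats {
    # NOTE(review): the port number was lost when this page was captured. 5044 is
    # the conventional Beats port; it must match output.logstash.hosts in filebeat.
    port => 5044
    host => "10.80.2.181"
    # NOTE(review): no TLS is configured, so the log stream crosses the network in
    # cleartext and any host that can reach 10.80.2.181:5044 can inject events —
    # including the "type" and "tags" fields that steer the filter and outputs
    # below.  Set ssl => true with ssl_certificate/ssl_key (and, for client
    # certificates, ssl_verify_mode => "force_peer" plus
    # ssl_certificate_authorities), and restrict the port by firewall.
  }
}

filter {
  if [type] == "51-nginxaccesslog" {
    grok {
      patterns_dir => ["./patterns"]
      # Custom nginx log_format: server_name server_ip client_ip client_port
      # [time_local] "request" status bytes "referrer" "agent" request_time
      # upstream_response_time.  Kept inline; NGINXACCESS in patterns/nginx is
      # not referenced.
      match => { "message" => "%{IPORHOST:server_name} %{IPORHOST:server_ip} %{IPORHOST:clientip} %{NUMBER:clientport} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:status} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent} %{NUMBER:request_time:float} (?:%{NUMBER:upstream_time:float}|-)" }
      # remove_field only runs on a successful match, so failed lines keep
      # their raw message for the file output below.
      remove_field => ["message"]
    }
    date {
      match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
    }
  } else if [type] == "51-nginxerrorlog" {
    grok {
      patterns_dir => ["./patterns"]
      # nginx error lines start with "YYYY/MM/DD HH:MM:SS [level] ...".  The page
      # used %{DATESTAMP} with no field name, so "timestamp" was never set and the
      # date filter below could not fire; %{DATESTAMP} (DATE_US/DATE_EU) also
      # does not accept a year-first date, so it matched at the wrong offset.
      match => { "message" => "(?<timestamp>%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME}) %{SYSLOG5424SD:nginx_error_level} %{GREEDYDATA:nginx_error_msg}" }
      remove_field => ["message"]
    }
    date {
      # numeric month (MM), not the month name (MMM) the page had
      match => [ "timestamp", "YYYY/MM/dd HH:mm:ss" ]
    }
  } else if [type] == "51-phperrorlog" {
    grok {
      patterns_dir => ["./patterns"]
      # PHP error_log lines start with "[DD-Mon-YYYY HH:MM:SS zone] Level: msg".
      # The page matched the bracketed timestamp with an unnamed %{SYSLOG5424SD}
      # and discarded it, so its date filter never had a field to parse.
      match => { "message" => "\[%{DATA:timestamp}\] (?:%{DATA:php_error_level}\:) %{GREEDYDATA:error_msg}" }
      remove_field => ["message"]
    }
    date {
      # NOTE(review): "Z" parses a numeric offset; if the zone is written as a
      # name (e.g. "UTC") this may need "ZZZ" — confirm against a real line.
      match => [ "timestamp", "dd-MMM-YYYY HH:mm:ss Z" ]
    }
  }
}

output {
  # Both "tags" and "type" can arrive from the beats client, so a crafted event
  # carrying the _grokparsefailure tag could otherwise choose the file name.
  # Restrict the file output to the three types this pipeline actually groks
  # (the file plugin's own root check may also reject traversal; this makes
  # the intent explicit).
  if "_grokparsefailure" in [tags] and [type] in ["51-nginxaccesslog", "51-nginxerrorlog", "51-phperrorlog"] {
    file { path => "/var/log/logstash/grokparsefailure-%{[type]}-%{+YYYY.MM.dd}.log" }
  }
  elasticsearch {
    # NOTE(review): no authentication or TLS towards Elasticsearch is configured.
    hosts => ["10.80.2.83:9200","10.80.2.84:9200"]
    sniffing => true
    # template_overwrite has no effect while manage_template is false.
    manage_template => false
    template_overwrite => true
    # NOTE(review): "type" is supplied by the beats client, so the client picks
    # the index and document type it writes into.  Guard this output with
    # if [type] in [...] or overwrite [type] in the filter stage if that is not
    # acceptable.
    index => "%{[type]}-%{+YYYY.MM.dd}"
    document_type => "%{[type]}"
  }
}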

conf.d/logstash.conf

编写启动脚本

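#!/bin/sh
# Init script for logstash
# Maintained by Elasticsearch
# Generated by pleaserun.
# Implemented based on LSB Core 3.1:
#   * Sections: 20.2, 20.3
#
# Adapted on this page for an install under /usr/local/logstash that runs as
# an unprivileged user.  Numeric values that were lost when the page was
# captured are filled in with the upstream defaults and marked NOTE(review).
#
### BEGIN INIT INFO
# Provides:          logstash
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description:
# Description:       Starts Logstash as a daemon.
### END INIT INFO

PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH

# chroot/nice/ulimit and signalling the service all need root.
if [ "$(id -u)" -ne 0 ]; then
  echo "You need root privileges to run this script" >&2
  exit 1
fi

name=logstash

# The pidfile has to live in a root-owned directory.  stop() and force_stop()
# run as root and signal whatever pid this file holds; the page kept it under
# /usr/local/logstash, which it later chowns to the service user, so a
# compromised logstash could make root kill any process (or, by writing "-1",
# every process).  /var/run is writable by root only.
pidfile="/var/run/$name.pid"

LS_USER=nobody                  # NOTE(review): "nobody" is shared with other services; a dedicated user is safer
LS_GROUP=nobody
LS_HOME=/usr/local/logstash     # also used as java.io.tmpdir, so $LS_USER needs write access here
#LS_HOME=/home/logstash
LS_HEAP_SIZE="12g"
LS_LOG_DIR=/data/logstash/log
LS_LOG_FILE="${LS_LOG_DIR}/$name.log"
LS_CONF_DIR=/usr/local/logstash/conf.d
LS_OPEN_FILES=16384             # NOTE(review): page value lost; upstream default.  Empty leaves the limit untouched
LS_NICE=0                       # NOTE(review): page showed "LS_NICE=-" (digits lost, i.e. a raised priority); 0 = unchanged
LS_THREADS=                     # NOTE(review): page value lost; filter workers (-w).  Empty = logstash's own default
LS_STOP_WAIT=9                  # seconds to wait for a clean stop (upstream polls 9 times)
KILL_ON_STOP_TIMEOUT=${KILL_ON_STOP_TIMEOUT-0} # default value is zero to this variable but could be updated by user request
LS_OPTS=""

# Site overrides.  These are sourced as root: keep them root-owned.
[ -r /etc/default/$name ] && . /etc/default/$name
[ -r /etc/sysconfig/$name ] && . /etc/sysconfig/$name

program=/usr/local/logstash/bin/logstash
args="agent -f ${LS_CONF_DIR} -l ${LS_LOG_FILE} ${LS_OPTS}"
# Only pass -w when a worker count is set; a bare "-w" would eat the next flag.
if [ -n "${LS_THREADS}" ]; then
  args="agent -f ${LS_CONF_DIR} -w ${LS_THREADS} -l ${LS_LOG_FILE} ${LS_OPTS}"
fi

# Run a command with stdout and stderr discarded; return its exit status.
quiet() {
  "$@" > /dev/null 2>&1
  return $?
}

# Launch logstash in the background as $LS_USER:$LS_GROUP and write the pidfile.
# Returns 0 once the child has been forked (not once logstash is ready).
start() {
  LS_JAVA_OPTS="${LS_JAVA_OPTS} -Djava.io.tmpdir=${LS_HOME}"
  HOME=${LS_HOME}
  export PATH HOME LS_HEAP_SIZE LS_JAVA_OPTS LS_USE_GC_LOGGING LS_GC_LOG_FILE

  # The page never creates $LS_LOG_DIR; logstash opens $LS_LOG_FILE itself,
  # after privileges are dropped, so the directory must exist and be writable
  # by $LS_USER.
  if [ ! -d "${LS_LOG_DIR}" ]; then
    install -d -o "$LS_USER" -g "$LS_GROUP" -m 0750 "${LS_LOG_DIR}" || return 1
  fi

  # chroot --userspec doesn't grab the supplemental groups when setting the
  # user:group - so we have to do it for it.
  # Boy, I hope we're root here.
  SGROUPS=$(id -Gn "$LS_USER" | tr " " "," | sed 's/,$//'; echo '')
  EXTRA_GROUPS=""
  if [ -n "$SGROUPS" ]; then
    EXTRA_GROUPS="--groups $SGROUPS"
  fi

  # set ulimit as (root, presumably) first, before we drop privileges
  [ -n "${LS_OPEN_FILES}" ] && ulimit -n "${LS_OPEN_FILES}"

  # Run the program!  chroot to "/" is not a jail; it is only the vehicle for
  # --userspec/--groups, i.e. dropping from root to the service user before
  # exec.  $EXTRA_GROUPS is deliberately unquoted (it is two words).
  nice -n "${LS_NICE}" chroot --userspec "$LS_USER:$LS_GROUP" $EXTRA_GROUPS / sh -c "
    cd $LS_HOME
    [ -n '${LS_OPEN_FILES}' ] && ulimit -n ${LS_OPEN_FILES}
    exec \"$program\" $args
  " > "${LS_LOG_DIR}/$name.stdout" 2> "${LS_LOG_DIR}/$name.err" &

  # Generate the pidfile from here. If we instead made the forked process
  # generate it there will be a race condition between the pidfile writing
  # and a process possibly asking for status.
  echo $! > "$pidfile"

  echo "$name started."
  return 0
}

# Ask logstash to stop with SIGTERM and wait up to $LS_STOP_WAIT seconds.
# Escalates to SIGKILL only when KILL_ON_STOP_TIMEOUT=1; otherwise returns 1
# and leaves the process running.
stop() {
  # Try a few times to kill TERM the program
  if status ; then
    pid=$(cat "$pidfile")
    echo "Killing $name (pid $pid) with SIGTERM"
    kill -TERM "$pid"
    # Wait for it to exit.
    i=0
    while [ "$i" -lt "$LS_STOP_WAIT" ]; do
      echo "Waiting $name (pid $pid) to die..."
      status || break
      sleep 1
      i=$((i + 1))
    done
    if status ; then
      if [ "$KILL_ON_STOP_TIMEOUT" -eq 1 ] ; then
        echo "Timeout reached. Killing $name (pid $pid) with SIGKILL. This may result in data loss."
        kill -KILL "$pid"
        echo "$name killed with SIGKILL."
      else
        echo "$name stop failed; still running."
        return 1 # stop timed out and not forced
      fi
    else
      echo "$name stopped."
    fi
  fi
}

# LSB status codes: 0 running, 2 dead but pidfile exists, 3 not running.
# Every function that signals the service calls this first, so the pid
# validation here protects all of the kill calls.
status() {
  if [ -f "$pidfile" ] ; then
    pid=$(cat "$pidfile")
    # Refuse to signal anything that is not a plain pid: a corrupted or
    # tampered pidfile must not turn "kill -TERM $pid" into "kill -TERM -1".
    case "$pid" in
      ''|*[!0-9]*) return 2 ;;
    esac
    if kill -0 "$pid" > /dev/null 2> /dev/null ; then
      # process by this pid is running.
      # It may not be our pid, but that's what you get with just pidfiles.
      # TODO(sissel): Check if this process seems to be the same as the one we
      # expect. It'd be nice to use flock here, but flock uses fork, not exec,
      # so it makes it quite awkward to use in this case.
      return 0
    else
      return 2 # program is dead but pid file exists
    fi
  else
    return 3 # program is not running
  fi
}

# Send SIGHUP to the running instance.
reload() {
  if status ; then
    kill -HUP "$(cat "$pidfile")"
  fi
}

# stop(), then SIGKILL whatever is still running under the recorded pid.
force_stop() {
  if status ; then
    stop
    status && kill -KILL "$(cat "$pidfile")"
  fi
}

# Check the pipeline config.  Returns 0 if it parses, 1 if there are no
# config files, 6 (LSB "not configured") on a parse error.
configtest() {
  # Check if a config file exists
  if [ ! "$(ls -A ${LS_CONF_DIR}/* 2> /dev/null)" ]; then
    echo "There aren't any configuration files in ${LS_CONF_DIR}"
    return 1
  fi

  HOME=${LS_HOME}
  export PATH HOME

  # Run the test as the service user rather than as root: on this page the
  # install tree is chowned to $LS_USER, so executing its ruby/java as root
  # ("service logstash restart" calls configtest) would let a compromised
  # logstash run code as root.
  test_args="--configtest -f ${LS_CONF_DIR} ${LS_OPTS}"
  chroot --userspec "$LS_USER:$LS_GROUP" / sh -c "cd $LS_HOME && exec \"$program\" $test_args"
  [ $? -eq 0 ] && return 0
  # Program not configured
  return 6
}

case "$1" in
  start)
    status
    code=$?
    if [ $code -eq 0 ]; then
      echo "$name is already running"
    else
      start
      code=$?
    fi
    exit $code
    ;;
  stop) stop ;;
  force-stop) force_stop ;;
  status)
    status
    code=$?
    if [ $code -eq 0 ] ; then
      echo "$name is running"
    else
      echo "$name is not running"
    fi
    exit $code
    ;;
  reload) reload ;;
  restart)
    quiet configtest
    RET=$?
    if [ ${RET} -ne 0 ]; then
      echo "Configuration error. Not restarting. Re-run with configtest parameter for details"
      exit ${RET}
    fi
    stop && start
    ;;
  configtest)
    configtest
    exit $?
    ;;
  *)
    # $SCRIPTNAME is never set in this script; use the invoked name instead.
    echo "Usage: $0 {start|stop|force-stop|status|reload|restart|configtest}" >&2
    exit 3
    ;;
esac

exit $?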

/etc/init.d/logstash

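# chmod +x /etc/init.d/logstash
## NOTE: /usr/local/logstash is a symlink and GNU chown -R does not descend into a symlinked
## directory by default (-P), so the page's command only touched the link target itself; chown the
## real directory.  Be aware this hands the whole install tree (bin/, vendor/, conf.d/, patterns/) to
## the unprivileged service user: a compromised logstash can then rewrite its own code and pipeline
## config, and anything the init script keeps under this tree (e.g. a pidfile) is writable by it.
## The service user only needs write access to its java.io.tmpdir (LS_HOME) and the log directory;
## keep the rest root-owned where you can.
# chown -R nobody:nobody /usr/local/app/logstash-2.3.4
## the init script logs to /data/logstash/log as the service user; the page never creates it
# install -d -o nobody -g nobody -m 0750 /data/logstash/log
# chkconfig --add logstash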
