logstash是java应用,依赖JDK,首先需要安装JDK,在安装jdk过程中,logstash-2.3.4使用JDK-1.7版本有bug,使用JDK-1.8版本正常,因此我们安装JDK-1.8版本。

安装JDK

官网地址:http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html

# rpm -ivh jdk-8u101-linux-x64.rpm

# echo "export JAVA_HOME=/usr/java/latest" >> /etc/profile

# echo "export PATH=$PATH:$JAVA_HOME/bin" >> /etc/profile

# source /etc/profile

# java -version

java version "1.8.0_101"

Java(TM) SE Runtime Environment (build 1.8.0_101-b13)

Java HotSpot(TM) -Bit Server VM (build 25.101-b13, mixed mode)

安装logstash

官网地址:https://www.elastic.co/products/logstash

# tar xf logstash-2.3..tar.gz -C /usr/local/app/

# ln -sv /usr/local/app/logstash-2.3. /usr/local/logstash

# cd /usr/local/logstash
# mkdir patterns
NGUSERNAME [a-zA-Z\.\@\-\+_%]+

NGUSER %{NGUSERNAME}

NGINXACCESS %{IPORHOST:server_name} %{IPORHOST:server_ip} %{IPORHOST:client_ip} %{NUMBER:client_port} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response}  (?:%{NUMBER:body_bytes_sent}|-) (?:"(?:%{URI:referrer}|-)"|%{QS:referrer}) %{QS:agent} %{NUMBER:request_time} (?:%{NUMBER:upstream_response_time}|-)

patterns/nginx

SYSLOGBASE2 (?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:

SYSLOGPAMSESSION %{SYSLOGBASE} (?=%{GREEDYDATA:message})%{WORD:pam_module}\(%{DATA:pam_caller}\): session %{WORD:pam_session_state} for user %{USERNAME:username}(?: by %{GREEDYDATA:pam_by})?

CRON_ACTION [A-Z ]+

CRONLOG %{SYSLOGBASE} \(%{USER:user}\) %{CRON_ACTION:action} \(%{DATA:message}\)

SYSLOGLINE %{SYSLOGBASE2} %{GREEDYDATA:message}

# IETF  syslog() format (see http://www.rfc-editor.org/info/rfc5424)

SYSLOG5424PRI <%{NONNEGINT:syslog5424_pri}>

SYSLOG5424SD \[%{DATA}\]+

SYSLOG5424BASE %{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{HOSTNAME:syslog5424_host}|-) +(?:%{WORD:syslog5424_app}|-) +(?:%{WORD:syslog5424_proc}|-) +(?:%{WORD:syslog5424_msgid}|-) +(?:%{SYSLOG5424SD:syslog5424_sd}|-|)

SYSLOG5424LINE %{SYSLOG5424BASE} +%{GREEDYDATA:syslog5424_msg}

patterns/syslog

编写配置文件

配置文件编写是一个难点,这里有一些示例供参考:https://github.com/logstash-plugins/logstash-patterns-core/tree/master/patterns

input {

  beats {

    port =>

    host => "10.80.2.181"

  }

}

filter {

  if [type] == "51-nginxaccesslog" {

  grok {

    patterns_dir => ["./patterns"]

    match => { "message" => "%{IPORHOST:server_name} %{IPORHOST:server_ip} %{IPORHOST:clientip} %{NUMBER:clientport} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:status} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent} %{NUMBER:request_time:float} (?:%{NUMBER:upstream_time:float}|-)" }

    remove_field => ["message"]

  }

    date {

      match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z"]

    }

  } else if [type] == "51-nginxerrorlog" {

  grok {

    patterns_dir => ["./patterns"]

    match => { "message" => "%{DATESTAMP} %{SYSLOG5424SD:nginx_error_level} %{GREEDYDATA:nginx_error_msg}"}

    remove_field => ["message"]

  }

    date {

      match => [ "timestamp", "YYYY/MMM/dd HH:mm:ss"]

    }

  } else if [type] == "51-phperrorlog" {

  grok {

    patterns_dir => ["./patterns"]

    match => { "message" => "%{SYSLOG5424SD} (?:%{DATA:php_error_level}\:) %{GREEDYDATA:error_msg}" }

    remove_field => ["message"]

  }

    date {

      match => [ "timestamp", "dd-MMM-YYYY HH:mm:ss Z"]

    }

  }

}

output {

  if "_grokparsefailure" in [tags] {

    file { path => "/var/log/logstash/grokparsefailure-%{[type]}-%{+YYYY.MM.dd}.log" }

  }

  elasticsearch {

    hosts => ["10.80.2.83:9200","10.80.2.84:9200"]

    sniffing => true

    manage_template => false

    template_overwrite => true

    index => "%{[type]}-%{+YYYY.MM.dd}"

    document_type => "%{[type]}"

  }

}

conf.d/logstash.conf

编写启动脚本

#!/bin/sh

# Init script for logstash

# Maintained by Elasticsearch

# Generated by pleaserun.

# Implemented based on LSB Core 3.1:

#   * Sections: 20.2, 20.3

#

### BEGIN INIT INFO

# Provides:          logstash

# Required-Start:    $remote_fs $syslog

# Required-Stop:     $remote_fs $syslog

# Default-Start:

# Default-Stop:

# Short-Description:

# Description:        Starts Logstash as a daemon.

### END INIT INFO

PATH=/sbin:/usr/sbin:/bin:/usr/bin

export PATH

if [ `id -u` -ne  ]; then

   echo "You need root privileges to run this script"

   exit

fi

name=logstash

pidfile="/usr/local/logstash/$name.pid"

LS_USER=nobody

LS_GROUP=nobody

LS_HOME=/usr/local/logstash

#LS_HOME=/home/logstash

LS_HEAP_SIZE="12g"

LS_LOG_DIR=/data/logstash/log

LS_LOG_FILE="${LS_LOG_DIR}/$name.log"

LS_CONF_DIR=/usr/local/logstash/conf.d

LS_OPEN_FILES=

LS_NICE=-

LS_THREADS=

KILL_ON_STOP_TIMEOUT=${KILL_ON_STOP_TIMEOUT-} #default value is zero to this variable but could be updated by user request

LS_OPTS=""

[ -r /etc/default/$name ] && . /etc/default/$name

[ -r /etc/sysconfig/$name ] && . /etc/sysconfig/$name

program=/usr/local/logstash/bin/logstash

args="agent -f ${LS_CONF_DIR} -w ${LS_THREADS} -l ${LS_LOG_FILE} ${LS_OPTS}"

quiet() {

  "$@" > /dev/null >&

  return $?

}

start() {

  LS_JAVA_OPTS="${LS_JAVA_OPTS} -Djava.io.tmpdir=${LS_HOME}"

  HOME=${LS_HOME}

  export PATH HOME LS_HEAP_SIZE LS_JAVA_OPTS LS_USE_GC_LOGGING LS_GC_LOG_FILE

  # chown doesn't grab the suplimental groups when setting the user:group - so we have to do it for it.

  # Boy, I hope we're root here.

  SGROUPS=$(id -Gn "$LS_USER" | tr " " "," | sed 's/,$//'; echo '')

  if [ ! -z $SGROUPS ]

  then

    EXTRA_GROUPS="--groups $SGROUPS"

  fi

  # set ulimit as (root, presumably) first, before we drop privileges

  ulimit -n ${LS_OPEN_FILES}

  # Run the program!

  nice -n ${LS_NICE} chroot --userspec $LS_USER:$LS_GROUP $EXTRA_GROUPS / sh -c "

    cd $LS_HOME

    ulimit -n ${LS_OPEN_FILES}

    exec \"$program\" $args

  " > "${LS_LOG_DIR}/$name.stdout" 2> "${LS_LOG_DIR}/$name.err" &

  # Generate the pidfile from here. If we instead made the forked process

  # generate it there will be a race condition between the pidfile writing

  # and a process possibly asking for status.

  echo $! > $pidfile

  echo "$name started."

  return

}

stop() {

  # Try a few times to kill TERM the program

  if status ; then

    pid=`cat "$pidfile"`

    echo "Killing $name (pid $pid) with SIGTERM"

    kill -TERM $pid

    # Wait for it to exit.

    for i in          ; do

      echo "Waiting $name (pid $pid) to die..."

      status || break

      sleep

    done

    if status ; then

      if [ $KILL_ON_STOP_TIMEOUT -eq  ] ; then

        echo "Timeout reached. Killing $name (pid $pid) with SIGKILL. This may result in data loss."

        kill -KILL $pid

        echo "$name killed with SIGKILL."

      else

        echo "$name stop failed; still running."

        return  # stop timed out and not forced

      fi

    else

      echo "$name stopped."

    fi

  fi

}

status() {

  if [ -f "$pidfile" ] ; then

    pid=`cat "$pidfile"`

    if kill - $pid > /dev/null > /dev/null ; then

      # process by this pid is running.

      # It may not be our pid, but that's what you get with just pidfiles.

      # TODO(sissel): Check if this process seems to be the same as the one we

      # expect. It'd be nice to use flock here, but flock uses fork, not exec,

      # so it makes it quite awkward to use in this case.

      return

    else

      return  # program is dead but pid file exists

    fi

  else

    return  # program is not running

  fi

}

reload() {

  if status ; then

    kill -HUP `cat "$pidfile"`

  fi

}

force_stop() {

  if status ; then

    stop

    status && kill -KILL `cat "$pidfile"`

  fi

}

configtest() {

  # Check if a config file exists

  if [ ! "$(ls -A ${LS_CONF_DIR}/* 2> /dev/null)" ]; then

    echo "There aren't any configuration files in ${LS_CONF_DIR}"

    return

  fi

  HOME=${LS_HOME}

  export PATH HOME

  test_args="--configtest -f ${LS_CONF_DIR} ${LS_OPTS}"

  $program ${test_args}

  [ $? -eq  ] && return

  # Program not configured

  return

}

case "$1" in

  start)

    status

    code=$?

    if [ $code -eq  ]; then

      echo "$name is already running"

    else

      start

      code=$?

    fi

    exit $code

    ;;

  stop) stop ;;

  force-stop) force_stop ;;

  status)

    status

    code=$?

    if [ $code -eq  ] ; then

      echo "$name is running"

    else

      echo "$name is not running"

    fi

    exit $code

    ;;

  reload) reload ;;

  restart)

    quiet configtest

    RET=$?

    if [ ${RET} -ne  ]; then

      echo "Configuration error. Not restarting. Re-run with configtest parameter for details"

      exit ${RET}

    fi

    stop && start

    ;;

  configtest)

    configtest

    exit $?

    ;;

  *)

    echo "Usage: $SCRIPTNAME {start|stop|force-stop|status|reload|restart|configtest}" >&

    exit

  ;;

esac

exit $?

/etc/init.d/logstash

# chomd +x /etc/init.d/logstash

# chown –R nobody.nobody /usr/local/logstash

# chkconfig --add logstash

日志分析 第五章 安装logstash的更多相关文章

  1. 日志分析 第六章 安装elasticsearch

    在这里,以两台es集群为例. es集群健康状况有三种状态,这里我们搭建的es集群,只要两台不同时挂掉,数据不会丢失. green 所有主要分片和复制分片都可用 yellow 所有主要分片可用,但不是所 ...

  2. 日志分析 第四章 安装filebeat

    在进行前面准备之后可以开始安装了,我们的安装顺序是filebeat--->logstash--->elasticsearch filebeat安装很简单,先下载filebeat,这里我们使 ...

  3. 日志分析 第七章 安装grafana

    grafana依赖mysql存储数据,首先需要安装mysql 安装mysql 解压 # groupadd mysql # useradd -s /sbin/nologin -g mysql mysql ...

  4. 可视化日志分析工具Gltail的安装与使用

    可视化日志分析工具Gltail的安装与使用      GlTail.rb 是一款带有浓郁的 Geek 风格的可视化日志分析工具,它采用 Ruby 技术构建,并利用 OpenGL 图形技术进行渲染,呈现 ...

  5. 日志分析工具--GoAccess的安装部署

    需求:及时得到线上用户访问日志分析统计结果,以便给开发.测试.运维.运营人员提供决策! 方案:GoAccess,图文并茂,而且速度快,每秒8W 的日志记录解析速度,websocket10秒刷新统计数据 ...

  6. Linux内核分析——第五章 系统调用

    第五章 系统调用 5.1 与内核通信 1.系统调用在用户空间进程和硬件设备之间添加了一个中间层,该层主要作用有三个: (1)为用户空间提供了一种硬件的抽象接口 (2)系统调用保证了系统的稳定和安全 ( ...

  7. Linux内核分析第五章读书笔记

    第五章 系统调用 在操作系统中,内核提供了用户进程与内核进行交互的一组接口,这些接口在应用程序和内核之间扮演了使者的角色,保证系统稳定可靠,避免应用程序肆意妄行. 5.1 与内核通信 系统调用在用户空 ...

  8. Elasticsearch、Logstash、Kibana搭建统一日志分析平台

    // // ELKstack是Elasticsearch.Logstash.Kibana三个开源软件的组合.目前都在Elastic.co公司名下.ELK是一套常用的开源日志监控和分析系统,包括一个分布 ...

  9. 日志分析 第一章 ELK介绍

    1 ELK各组件介绍? ELK Stack是elasticsearch.logstash.kibana是三个开源软件的组合, fielbeat是一个轻量级日志收集工具,类似于Linux系统中tail ...

随机推荐

  1. pdo知识总结

    PDO 用了这么久了这里抽时间总结下: pdo (php data object) 是php5 新出来的支持 mysql 操作的一个功能.用其可代替mysqli扩展.因为是php自带的.所以我觉得效率 ...

  2. Python学习教程

    Python语法简洁清晰,特色之一是强制用空白符(white space)作为语句缩进.Python具有丰富和强大的库.它常被昵称为胶水语言,能够把用其他语言制作的各种模块(尤其是C/C++)很轻松地 ...

  3. 一次神奇的WCF的404错误解决

    现象:浏览器中可以访问元数据,但是运行的时候却报404的异常,说目标地址找不到. 折腾了一下午. 引用服务后config中的client的address是这样的http://host/aspx/Ser ...

  4. androd Sdk manager配置

    Android Android SDK 配置步骤 启动 Android SDK Manager ,打开主界面,依次选择「Tools」.「Options...」,弹出『Android SDK Manag ...

  5. [转]Spring 注解总结

    原文地址:http://blog.csdn.net/wangshfa/article/details/9712379 一 注解优点?注解解决了什么问题,为什么要使用注解? 二 注解的来龙去脉(历史) ...

  6. iPad开发--UIPopoverController简单使用iOS7之前和iOS7之后的使用方法

    一.iOS7之前的Popover的使用 对Popover进行懒加载处理 内容控制器中设置Popover弹出后的尺寸 设置显示的位置,两种情况.1 -- 给BarButtonItem设置Popover的 ...

  7. 关于 HTTP 请求头的内容

    HTTP(HyperTextTransferProtocol)即超文本传输协议,目前网页传输的的通用协议.HTTP协议采用了请求/响应模型,浏览器或其他客户端发出请求,服务器给与响应.就整个网络资源传 ...

  8. hdu1161 欧拉路

    欧拉路径是指能从一个点出发能够“一笔画”完整张图的路径:(每条边只经过一次而不是点) 在无向图中:如果每个点的度都为偶数 那么这个图是欧拉回路:如果最多有2个奇数点,那么出发点和到达点必定为该2点,那 ...

  9. jsrender-for循环中访问父属性

    jsrender中使用for循环数据时有时需要访问父级数据. 而jsrender在循环中的父级数据存放在隐藏属性parent.parent.data中,使用案例如下 {{:#parent.parent ...

  10. eclipse下查看jdk源码

    打开eclipse,点 "window"-> "Preferences" -> "Java" -> "Insta ...