logstash编写2以及结合kibana使用
有时候根据日志的内容,可能一行不能全部显示,会延续在下一行,为了将上下内容关联在一起,于是codec插件中的multiline插件
就派上用场了,源日志内容:
[2017-09-20T16:04:34,936][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"template"=>"logstash-*", "version"=>50001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"_default_"=>{"_all"=>{"enabled"=>true, "norms"=>false}, "dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"*", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date", "include_in_all"=>false}, "@version"=>{"type"=>"keyword", "include_in_all"=>false}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
[2017-09-20T16:04:34,949][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//192.168.44.134:9200"]}
根据时间戳前面的[这个符号进行判断日志内容是否是一起的
[root@node3 conf.d]# cat multiline.conf
input {
file {
path => ["/var/log/logstash/logstash-plain.log"]
start_position => "beginning"
codec => multiline {
pattern => "^\["
negate => true
what => "previous"
}
}
} output {
stdout {
codec => rubydebug
}
}
然后执行:
[root@node3 conf.d]# /usr/share/logstash/bin/logstash -f multiline.conf
Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
{
"@version" => "1",
"host" => "node3",
"path" => "/var/log/logstash/logstash-plain.log",
"@timestamp" => 2017-09-21T02:54:37.733Z,
"message" => "[2017-09-21T10:51:10,588][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>\"netflow\", :directory=>\"/usr/share/logstash/modules/netflow/configuration\"}"
}
{
"@version" => "1",
"host" => "node3",
"path" => "/var/log/logstash/logstash-plain.log",
"@timestamp" => 2017-09-21T02:54:37.743Z,
"message" => "[2017-09-21T10:51:10,596][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>\"fb_apache\", :directory=>\"/usr/share/logstash/modules/fb_apache/configuration\"}"
}
接下来开始nginx日志的收集
log_format name [escape=default|json] string,查看nginx文档,nginx日志格式支持json,于是采用json来配置nginx日志,再结合logstash的json插件来收集nginx的日志
1、首先安装nginx,这里采用yum安装,nginx存在于epel源中
2、配置nginx的日志输出为json格式
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format json '{"@timstamp":"$time_iso8601","@version":"1","client":"$remote_addr","url":"$uri","status":"$status","domain":"$host","host":"$server_addr","size":"$body_bytes_sent","responsetime":"$request_time","referer":"$http_referer","ua":"$http_user_agent"}';
#access_log /var/log/nginx/access.log main;
access_log /var/log/nginx/access.log json;
3、上面配置的value值都是nginx的一些变量,查看更多变量:http://nginx.org/en/docs/http/ngx_http_core_module.html#var_status
4、启动nginx服务,查看生成的日志是否是json格式:
[root@node3 nginx]# cat /var/log/nginx/access.log
{"@timstamp":"2017-09-21T13:47:43+08:00","@version":"1","client":"192.168.44.1","url":"/index.html","status":"200","domain":"192.168.44.136","host":"192.168.44.136","size":"3698","responsetime":"0.000","referer":"-","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"}
{"@timstamp":"2017-09-21T13:47:43+08:00","@version":"1","client":"192.168.44.1","url":"/nginx-logo.png","status":"200","domain":"192.168.44.136","host":"192.168.44.136","size":"368","responsetime":"0.000","referer":"http://192.168.44.136/","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"}
{"@timstamp":"2017-09-21T13:47:43+08:00","@version":"1","client":"192.168.44.1","url":"/poweredby.png","status":"200","domain":"192.168.44.136","host":"192.168.44.136","size":"2811","responsetime":"0.000","referer":"http://192.168.44.136/","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"}
{"@timstamp":"2017-09-21T13:47:43+08:00","@version":"1","client":"192.168.44.1","url":"/404.html","status":"404","domain":"192.168.44.136","host":"192.168.44.136","size":"3652","responsetime":"0.000","referer":"http://192.168.44.136/","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"}
然后利用logstash的json格式来收集nginx访问日志:
[root@node3 conf.d]# cat json.conf
input {
file {
path => ["/var/log/nginx/access.log"]
start_position => "beginning"
codec => json
}
} output {
stdout {
codec => rubydebug
}
}
执行编写的配置文件:
[root@node3 conf.d]# /usr/share/logstash/bin/logstash -f json.conf
Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
{
"referer" => "-",
"ua" => "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
"url" => "/index.html",
"path" => "/var/log/nginx/access.log",
"@timestamp" => 2017-09-21T05:58:44.442Z,
"size" => "3698",
"@timstamp" => "2017-09-21T13:47:43+08:00",
"domain" => "192.168.44.136",
"@version" => "1",
"host" => "192.168.44.136",
"client" => "192.168.44.1",
"responsetime" => "0.000",
"status" => "200"
}
现在将上面两个的日志(logstash和nginx的日志)都输出到elasticsearch中,将es中之前的index清空,重新使用logstash收集上面的日志到es中:
[root@node3 conf.d]# cat all.conf
input {
file {
type => "nginx-log"
path => ["/var/log/nginx/access.log"]
start_position => "beginning"
codec => json
}
file {
type => "logstash-log"
path => ["/var/log/logstash/logstash-plain.log"]
start_position => "beginning"
codec => multiline {
pattern => "^\["
negate => true
what => "previous"
}
}
} output {
if [type] == "logstash-log" {
elasticsearch {
hosts => ["192.168.44.134:9200"]
index => "logstash-log"
}
}
if [type] == "nginx-log" {
elasticsearch {
hosts => ["192.168.44.134:9200"]
index => "nginx-log"
}
}
}
然后在es上查看是否已经有数据了:
使用kibana来看看具体效果,开始安装kibana
这里采用rpm进行安装kinaba:
wget https://artifacts.elastic.co/downloads/kibana/kibana-5.6.1-x86_64.rpm
/etc/default/kibana
/etc/init.d/kibana
/etc/kibana/kibana.yml
/etc/systemd/system/kibana.service
/usr/share/kibana/LICENSE.txt
/usr/share/kibana/NOTICE.txt
/usr/share/kibana/README.txt
/usr/share/kibana/bin/kibana
/usr/share/kibana/bin/kibana-plugin
/usr/share/kibana/node/CHANGELOG.md
/usr/share/kibana/node/LICENSE
/usr/share/kibana/node/README.md
/usr/share/kibana/node/bin/node
/usr/share/kibana/node/bin/npm
修改kibana的配置:
[root@node3 ~]# egrep -v "^#|^$" /etc/kibana/kibana.yml
server.port: 5601
server.host: "192.168.44.136"
server.name: "node3"
elasticsearch.url: "http://192.168.44.134:9200"
kibana.index: ".kibana"
然后启动kibana:
[root@node3 ~]# /etc/init.d/kibana start
kibana started
[root@node3 ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 6948/nginx
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1301/sshd
tcp 0 0 192.168.44.136:5601 0.0.0.0:* LISTEN 7451/node
访问kibana查看是否已经和es结合起来了:
现在将es中的nginx-log这个索引添加到kibana中:
于是kibana与es的简单结合操作完成
继续编logstash的配置文件:收集syslog的日志
[root@node3 conf.d]# cat syslog.conf
input {
syslog {
type => "syslog"
host => "192.168.44.136"
port => "514"
}
} output {
stdout {
codec => rubydebug
}
}
查看端口是否已经起来了:
[root@node3 conf.d]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 6948/nginx
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1301/sshd
tcp 0 0 192.168.44.136:5601 0.0.0.0:* LISTEN 7451/node
tcp 0 0 :::80 :::* LISTEN 6948/nginx
tcp 0 0 :::22 :::* LISTEN 1301/sshd
tcp 0 0 ::ffff:127.0.0.1:9600 :::* LISTEN 7669/java
tcp 0 0 ::ffff:192.168.44.136:514 :::* LISTEN 7669/java
udp 0 0 0.0.0.0:68 0.0.0.0:* 1128/dhclient
udp 0 0 ::ffff:192.168.44.136:514 :::* 7669/java
修改rsyslog配置文件:
vim /etc/rsyslog.conf添加到最后一行:
*.* @@192.168.44.136:514
重启rsyslog服务:
[root@node3 conf.d]# /etc/init.d/rsyslog restart
关闭系统日志记录器: [确定]
启动系统日志记录器: [确定]
[root@node3 conf.d]# /usr/share/logstash/bin/logstash -f syslog.conf
Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
{
"severity" => 6,
"program" => "kernel",
"message" => "imklog 5.8.10, log source = /proc/kmsg started.\n",
"type" => "syslog",
"priority" => 6,
"logsource" => "node3",
"@timestamp" => 2017-09-21T07:28:55.000Z,
"@version" => "1",
"host" => "192.168.44.136",
"facility" => 0,
"severity_label" => "Informational",
"timestamp" => "Sep 21 15:28:55",
"facility_label" => "kernel"
}
接下来使用tcp插件进行收集数据:
[root@node3 conf.d]# cat tcp.conf
input {
tcp {
host => ["192.168.44.136"]
port => "6666"
}
} output {
stdout {
codec => rubydebug
}
}
[root@node3 conf.d]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 6948/nginx
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1301/sshd
tcp 0 0 192.168.44.136:5601 0.0.0.0:* LISTEN 7451/node
tcp 0 0 :::80 :::* LISTEN 6948/nginx
tcp 0 0 :::22 :::* LISTEN 1301/sshd
tcp 0 0 ::ffff:127.0.0.1:9600 :::* LISTEN 7867/java
tcp 0 0 ::ffff:192.168.44.136:6666 :::* LISTEN 7867/java
可以看见端口6666已经开启了,现在开始测试:
[root@node3 ~]# nc 192.168.44.136 6666 < /etc/resolv.conf
[root@node3 ~]# nc 192.168.44.136 6666 < /etc/resolv.conf
[root@node3 conf.d]# /usr/share/logstash/bin/logstash -f tcp.conf
Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
{
"@version" => "1",
"host" => "192.168.44.136",
"@timestamp" => 2017-09-21T07:44:25.087Z,
"message" => "; generated by /sbin/dhclient-script",
"port" => 54117
}
{
"@version" => "1",
"host" => "192.168.44.136",
"@timestamp" => 2017-09-21T07:44:25.090Z,
"message" => "search localdomain",
"port" => 54117
}
下篇讲解将日志通过logstash收集到redis,然后再通过logstash从redis取出数据输出到es,通过kibana进行展示
logstash编写2以及结合kibana使用的更多相关文章
- Elasticsearch+Logstash+Kibana教程
参考资料 累了就听会歌吧! Elasticsearch中文参考文档 Elasticsearch官方文档 Elasticsearch 其他——那些年遇到的坑 Elasticsearch 管理文档 Ela ...
- 如何在 Ubuntu 14.04 上安装 Elasticsearch,Logstash 和 Kibana
介绍 在本教程中,我们将去的 Elasticsearch 麋鹿堆栈安装 Ubuntu 14.04 — — 那就是,Elasticsearch 5.2.x,Logstash 2.2.x 和 Kibana ...
- Elasticsearch+Logstash+Kibana搭建日志平台
1 ELK简介 ELK是Elasticsearch+Logstash+Kibana的简称 ElasticSearch是一个基于Lucene的分布式全文搜索引擎,提供 RESTful API进行数据读写 ...
- Elasticsearch、Logstash、Kibana搭建统一日志分析平台
// // ELKstack是Elasticsearch.Logstash.Kibana三个开源软件的组合.目前都在Elastic.co公司名下.ELK是一套常用的开源日志监控和分析系统,包括一个分布 ...
- 安装logstash,elasticsearch,kibana三件套
logstash,elasticsearch,kibana三件套 elk是指logstash,elasticsearch,kibana三件套,这三件套可以组成日志分析和监控工具 注意: 关于安装文档, ...
- 用Kibana和logstash快速搭建实时日志查询、收集与分析系统
Logstash是一个完全开源的工具,他可以对你的日志进行收集.分析,并将其存储供以后使用(如,搜索),您可以使用它.说到搜索,logstash带有一个web界面,搜索和展示所有日志. kibana ...
- 使用logstash+elasticsearch+kibana快速搭建日志平台
日志的分析和监控在系统开发中占非常重要的地位,系统越复杂,日志的分析和监控就越重要,常见的需求有: * 根据关键字查询日志详情 * 监控系统的运行状况 * 统计分析,比如接口的调用次数.执行时间.成功 ...
- How To Use Logstash and Kibana To Centralize Logs On CentOS 6
原文链接:https://www.digitalocean.com/community/tutorials/how-to-use-logstash-and-kibana-to-centralize-l ...
- 使用Elasticsearch、Logstash、Kibana与Redis(作为缓冲区)对Nginx日志进行收集(转)
摘要 使用Elasticsearch.Logstash.Kibana与Redis(作为缓冲区)对Nginx日志进行收集 版本 elasticsearch版本: elasticsearch-2.2.0 ...
随机推荐
- 【黑金原创教程】【TimeQuest】【第五章】网表质量与外部模型
声明:本文为黑金动力社区(http://www.heijin.org)原创教程,如需转载请注明出处,谢谢! 黑金动力社区2013年原创教程连载计划: http://www.cnblogs.com/al ...
- jfinal如何调用存储过程?
存储过程用一下 Db.execute(ICallback) 这个方法,在其中用一下:connection.prepareCall(sql).execute();就可以调用存储过程了,并且还可以自由控制 ...
- Python--进阶处理1
# ===============Python 进阶======================= # ---------第一章:数据结构和算法----------- # ----------解压序列 ...
- 2017 Multi-University Training Contest - Team 1—HDU6035
题目链接:http://acm.hdu.edu.cn/showproblem.php?pid=6035 题意:一棵树有n个点,每个点有自己的颜色,任意两个不同的点可以组成一条路径.也就是说一共有n(n ...
- w[wi].disabled = true;
w 目的:订房页面,已被预订的房间的时间段的区域td点击不弹出bootstrap模态框. <script> var w = document.querySelectorAll(" ...
- 笛卡尔乘积 python语法
修改为 bot_name = spider.settings.attributes['BOT_NAME'].value tablenameCommon = 'amazon_hot_new_releas ...
- Sparrow - Distributed, Low Latency Scheduling
http://www.cs.berkeley.edu/~matei/papers/2013/sosp_sparrow.pdf http://www.eecs.berkeley.edu/~keo/tal ...
- tomcat启动报错:Injection of autowired dependencies failed
Error creating bean with name 'backPrintPaperController': Injection of autowired dependencies failed ...
- 【opencv】 solvepnp 和 solvepnpRansac 求解 【空间三维坐标系 到 图像二维坐标系】的 三维旋转R 和 三维平移 T 【opencv2使用solvepnp求解rt不准的问题】
参考: pnp问题 与 solvepnp函数:https://www.jianshu.com/p/b97406d8833c 对图片进行二维仿射变换cv2.warpAffine() or 对图片进行二维 ...
- Favorite Donut--hdu5442(2015年长春网选赛,kmp,最大表示法)
题目链接:http://acm.hdu.edu.cn/showproblem.php?pid=5442 打比赛的时候还没学kmp更没有学最大最小表示法,之后做完了kmp的专题,学了它们,现在再来做这道 ...