标签:ELK server13 logstash conf test 日志 root Logstash log
文章目录
- 1、 logstash介绍
- 2、安装logstash
- 3、elasticsearch输出插件
- 4、file输入插件
- 5、Syslog输入插件
- 6、多行过滤插件
- 7、grok过滤插件(采集过滤apache日志)
1、 logstash介绍
- Logstash是一个开源的服务器端数据处理管道。
- logstash拥有200多个插件,能够同时从多个来源采集数据,转换数据,然后将数据发送到您最喜欢的 “存储库” 中。(大多都是 Elasticsearch。)
- Logstash管道有两个必需的元素,输入和输出,以及一个可选元素过滤器。
2、安装logstash
2.1 下载jdk-8u181-linux-x64.rpm和logstash-7.6.1.rpm
[root@server13 ~]# ll ##官网下载
total 334812
-rw-r--r-- 1 root root 170023183 Sep 5 2018 jdk-8u181-linux-x64.rpm
-rw-r--r-- 1 root root 172821011 Mar 12 2020 logstash-7.6.1.rpm
2.2 安装
[root@server13 ~]# rpm -ivh jdk-8u181-linux-x64.rpm
[root@server13 ~]# rpm -ivh logstash-7.6.1.rpm
2.3 配置环境变量
[root@server13 opt]# cd /usr/share/logstash/bin
[root@server13 bin]# ls
benchmark.sh logstash logstash.lib.sh pqrepair
cpdump logstash.bat logstash-plugin ruby
dependencies-report logstash-keystore logstash-plugin.bat setup.bat
ingest-convert.sh logstash-keystore.bat pqcheck system-install
[root@server13 bin]# pwd
/usr/share/logstash/bin
[root@server13 bin]# cd
[root@server13 ~]# vim .bash_profile
[root@server13 ~]# cat .bash_profile | grep bin
PATH=$PATH:$HOME/bin:/usr/share/logstash/bin
[root@server13 ~]# source .bash_profile
[root@server13 ~]# which logstash
/usr/share/logstash/bin/logstash
2.4 安装完成测试一下
标准输入输出
[root@server13 ~]# logstash -e 'input { stdin { }} output { stdout {} }'
##标准输入输出,键盘输入,屏幕输出。ctrl+c退出
2.5 标准输入与标准输出
[root@server13 ~]# cd /etc/logstash/
[root@server13 logstash]# ls
conf.d log4j2.properties logstash.yml startup.options
jvm.options logstash-sample.conf pipelines.yml
[root@server13 logstash]# cd conf.d/ ##目录下任意的conf文件都可以执行
[root@server13 conf.d]# ls
[root@server13 conf.d]# vim test.conf
[root@server13 conf.d]# cat test.conf
input {
stdin {}
}
output {
stdout {}
}
[root@server13 conf.d]# logstash -f /etc/logstash/conf.d/test.conf ##执行文件
2.6 标准输入到文件
[root@server16 conf.d]# vim test.conf
[root@server16 conf.d]# cat test.conf ##输入到文件
input {
stdin { }
}
output {
stdout {}
file {
path => "/tmp/testfile"
codec => line { format => "custom format: %{message}"}
}
}
[root@server16 conf.d]# logstash -f /etc/logstash/conf.d/test.conf 运行
[root@server16 conf.d]# cat /tmp/testfile ##查看文件内容
custom format: hello
3、elasticsearch输出插件
[root@server13 conf.d]# cd /etc/logstash/conf.d/
[root@server13 conf.d]# vim test.conf
[root@server13 conf.d]# cat test.conf
input {
file {
path => "/var/log/messages"
start_position => "beginning"
}
}
output {
stdout {}
#file {
# path => "/tmp/testfile"
# codec => line { format => "custom format: %{message}"}
#}
elasticsearch {
hosts => ["172.25.200.5:9200"]
index => "syslog-%{+yyyy.MM.dd}"
}
}
[root@server13 conf.d]# logstash -f /etc/logstash/conf.d/test.conf
4、file输入插件
5、Syslog输入插件
logstash可以伪装成日志服务器,直接接受远程日志
[root@server13 conf.d]# vim test.conf
[root@server13 conf.d]# cat test.conf
input {
#file {
#path => "/var/log/messages"
#start_position => "beginning"
#}
syslog{} ##日志默认收集端口514
}
output {
stdout {}
#file {
# path => "/tmp/testfile"
# codec => line { format => "custom format: %{message}"}
#}
elasticsearch {
hosts => ["172.25.200.5:9200"]
index => "syslog-%{+yyyy.MM.dd}"
}
}
[root@server13 conf.d]# logstash -f /etc/logstash/conf.d/test.conf #指定配置文件运行
[root@server13 conf.d]# netstat -antulp |grep :514
tcp6 0 0 172.25.200.13:514 172.25.200.6:44300 FIN_WAIT2 -
[root@server6 ~]# netstat -antulp |grep :514
tcp 1 0 172.25.200.6:44298 172.25.200.13:514 CLOSE_WAIT
配置客户端传入日志
[root@server6 ~]# vim /etc/rsyslog.conf
[root@server6 ~]# systemctl restart rsyslog.service
测试:
6、多行过滤插件
多行过滤可以把多行日志记录合并为一行事件
6.1 原理测试
[root@server13 conf.d]# vim demo.conf
[root@server13 conf.d]# logstash -f /etc/logstash/conf.d/demo.conf
查看输出
6.2 java类型报错日志采集
java一条错误会现实很多行,这里将日志按照时间戳归类为一条
[root@server5 elasticsearch]# scp my-es.log server13:/var/log
The authenticity of host 'server13 (172.25.200.13)' can't be established.
ECDSA key fingerprint is SHA256:nLo7FniQXEU0jhR+TkuB2oUVT7uSgCm3zDHaDmDSuXU.
ECDSA key fingerprint is MD5:80:06:78:da:83:6d:80:59:b4:bb:37:0a:e8:db:f4:10.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server13,172.25.200.13' (ECDSA) to the list of known hosts.
root@server13's password:
my-es.log 100% 15KB 6.2MB/s 00:00
[root@server13 conf.d]# cat test.conf
input {
file {
path => "/var/log/my-es.log"
start_position => "beginning"
codec => multiline {
pattern => "^\["
negate => "true"
what => "previous"
}
}
}
output {
#stdout {}
#file {
# path => "/tmp/testfile"
# codec => line { format => "custom format: %{message}"}
#}
elasticsearch {
hosts => ["172.25.200.5:9200"]
index => "my-ce-%{+yyyy.MM.dd}"
}
}
[root@server13 conf.d]# logstash -f /etc/logstash/conf.d/test.conf
7、grok过滤插件(采集过滤apache日志)
7.1 先安装apache
[root@server13 conf.d]# yum install -y httpd
[root@server13 conf.d]# systemctl start httpd.service
[root@server13 conf.d]# systemctl status httpd.service
[root@server13 conf.d]# echo server13 > /var/www/html/index.html
[root@haojin ~]# ab -c1 -n 100 172.25.200.13/index.html ##真机压测获得日志数据
7.2 采集apache日志
1.增加被采集目录权限,否则采集不到数据
[root@server13 httpd]# ll -d /var/log/httpd/
drwx------ 2 root root 41 3月 10 11:27 /var/log/httpd/
[root@server13 httpd]# chmod 755 /var/log/httpd/
[root@server13 httpd]# ll -d /var/log/httpd/
drwxr-xr-x 2 root root 41 3月 10 11:27 /var/log/httpd/
2. 编辑conf文件,运行采集程序
[root@server13 conf.d]# vim grok.conf
[root@server13 conf.d]# cat grok.conf
input {
file {
path => "/var/log/httpd/access_log"
start_position => "beginning"
}
}
filter {
grok {
match => { "message" => "%{HTTPD_COMBINEDLOG}" }
}
}
output {
stdout {}
elasticsearch{
hosts => ["172.25.200.5:9200"]
index => "apache-%{+yyyy.MM.dd}"
}
}
[root@server13 conf.d]# logstash -f grok.conf
希望本文对你有帮助,请点个赞鼓励一下作者吧~ 谢谢!
标签:ELK,server13,logstash,conf,test,日志,root,Logstash,log 来源: https://blog.csdn.net/weixin_41191813/article/details/114605877
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。