Logstash日志收集

调整Logstash JVM

[root@db03 ~]# vim /etc/logstash/jvm.options
# Initial JVM heap size for the Logstash process.
-Xms256m
# Maximum JVM heap size for the Logstash process.
-Xmx512m
Logstash配置
[root@db03 logstash]# grep '^[a-z]' logstash.yml
path.data: /var/lib/logstash
path.config: /etc/logstash/conf.d
path.logs: /var/log/logstash

将message日志收集到指定文件中

[root@db03 conf.d]# cat messages_to_file.conf 
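# Tail /var/log/messages and write a dated copy of every event to a local file.
input {
  file {
    type => "system_log"
    path => "/var/log/messages"
    # On first contact with the file, read it from the top rather than
    # only picking up lines appended after Logstash starts.
    start_position => "beginning"
  }
}

output {
  file {
    # Keep copies of system logs out of world-writable /tmp: a predictable
    # file name there can be pre-created or symlinked by any local user, and
    # the copy may be readable by accounts that cannot read the original log.
    # /var/log/logstash is the path.logs directory set in logstash.yml.
    path => "/var/log/logstash/messages_%{+YYYY.MM.dd}"
    # Owner read/write, group read, no access for others.
    file_mode => 0640
  }
}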

## 检测语法
[root@db03 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/messages_to_file.conf -t

## 启动logstash
[root@db03 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/messages_to_file.conf &

Logstash收集多日志到文件中

[root@db03 conf.d]# cat system_to_file.conf 
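# Tail two system logs and write each one to its own dated output file,
# selected by the "type" set on the input.
input {
  file {
    type => "msg_log"
    path => "/var/log/messages"
    start_position => "beginning"
  }
  file {
    # NOTE(review): /var/log/secure typically holds authentication messages;
    # treat every copy of it as sensitive.
    type => "sec_log"
    path => "/var/log/secure"
    start_position => "beginning"
  }
}

output {
  # Copies are written under /var/log/logstash (path.logs in logstash.yml)
  # instead of world-writable /tmp, where predictable file names can be
  # pre-created or symlinked by any local user and the copies may be readable
  # by accounts that cannot read the original logs.
  if [type] == "msg_log" {
    file {
      path => "/var/log/logstash/msg_%{+YYYY.MM.dd}"
      # Owner read/write, group read, no access for others.
      file_mode => 0640
    }
  } else if [type] == "sec_log" {
    file {
      path => "/var/log/logstash/sec_%{+YYYY.MM.dd}"
      file_mode => 0640
    }
  }
}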

Logstash收集多个日志到ES中

[root@db03 conf.d]# cat system_to_es.conf 
# Ship /var/log/messages and /var/log/secure to Elasticsearch,
# one daily index per log type.
input {
  file {
    path           => "/var/log/messages"
    type           => "msg_log"
    start_position => "beginning"
  }
  file {
    # NOTE(review): /var/log/secure typically holds authentication messages;
    # once indexed they are readable by anyone who can query this cluster.
    path           => "/var/log/secure"
    type           => "sec_log"
    start_position => "beginning"
  }
}

output {
  elasticsearch {
    # NOTE(review): a bare host:port with no credentials or TLS settings.
    # Confirm the cluster is reachable only from trusted hosts, or configure
    # the plugin's authentication and TLS options before shipping logs.
    hosts => ["10.0.0.51:9200"]
    # Index name = the event's "type" field plus the event date.
    index => "%{type}_%{+YYYY.MM.dd}"
  }
}

Logstash收集JAVA日志

# 1.启动tomcat
[root@db04 ~]# /app/tomcat/bin/startup.sh

# 2.编辑logstash配置文件
[root@db04 conf.d]# cat tomcat_to_es.conf 
# Ship Tomcat's catalina.out and its access logs to Elasticsearch,
# one daily index per log type.
input {
  file {
    path           => "/app/tomcat/logs/catalina.out"
    type           => "tomcat_catalina"
    start_position => "beginning"
  }
  file {
    # The glob matches every localhost_access_log.<something>.txt file.
    path           => "/app/tomcat/logs/localhost_access_log.*.txt"
    type           => "tomcat_access"
    start_position => "beginning"
  }
}

output {
  elasticsearch {
    # NOTE(review): a bare host:port with no credentials or TLS settings.
    # Confirm the cluster is reachable only from trusted hosts, or configure
    # the plugin's authentication and TLS options before shipping logs.
    hosts => ["10.0.0.51:9200"]
    # Index name = the event's "type" field plus the event date.
    index => "%{type}_%{+YYYY.MM.dd}"
  }
}
# 3.检查语法
[root@db04 ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/tomcat_to_es.conf -t

# 4.启动logstash
[root@db04 ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/tomcat_to_es.conf &

image-20211103193600554

image-20211103185405282

将tomcat日志修改成json格式

[root@db04 conf.d]# vim /app/tomcat/conf/server.xml
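<!-- Access log written as one JSON object per request. The pattern attribute
     must stay on a single line: a line break inside an entity such as &quot;
     or inside a key name makes server.xml invalid or changes the key.
     NOTE(review): the request line (%r), Referer and User-Agent values come
     from the client. Verify how your Tomcat version escapes quotes and
     backslashes in these values; if it does not, a request can produce a line
     that is not valid JSON or that carries extra keys. Newer Tomcat releases
     also ship org.apache.catalina.valves.JsonAccessLogValve for this purpose. -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="access" suffix=".log"
               pattern="{&quot;clientip&quot;:&quot;%h&quot;,&quot;ClientUser&quot;:&quot;%l&quot;,&quot;authenticated&quot;:&quot;%u&quot;,&quot;AccessTime&quot;:&quot;%t&quot;,&quot;method&quot;:&quot;%r&quot;,&quot;status&quot;:&quot;%s&quot;,&quot;SendBytes&quot;:&quot;%b&quot;,&quot;Query?string&quot;:&quot;%q&quot;,&quot;partner&quot;:&quot;%{Referer}i&quot;,&quot;AgentVersion&quot;:&quot;%{User-Agent}i&quot;}" />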

收集tomcat json日志

[root@db04 conf.d]# vim tomcat_json_es.conf 
# Ship the JSON-formatted Tomcat access log (access.*.log) to Elasticsearch.
input {
  file {
    path           => "/app/tomcat/logs/access.*.log"
    type           => "tomcat_json"
    start_position => "beginning"
  }
}

output {
  elasticsearch {
    # NOTE(review): a bare host:port with no credentials or TLS settings.
    # Confirm the cluster is reachable only from trusted hosts, or configure
    # the plugin's authentication and TLS options before shipping logs.
    hosts => ["10.0.0.51:9200"]
    # Index name = the event's "type" field plus the event date.
    index => "%{type}_%{+YYYY.MM.dd}"
    # A codec on an output controls how events are encoded when written out.
    # It does not parse the "message" string read by the file input, so each
    # access-log line still arrives in Elasticsearch as one text field.
    codec => "json"
  }
}

[root@db04 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/tomcat_json_es.conf -t
[root@db04 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/tomcat_json_es.conf &

image-20211103190249678

image-20211103191325601

image-20211103192212837

这个json不是我们想要的json,我们需要给logstash添加过滤规则

我们需要把message字段中的KEY:VALUE解析成键值对的形式展现出来

# 修改配置文件
	
#在Logstash的配置文件中,添加filter过滤规则
filter {
  json {
    # Parse the JSON text held in "message" into individual event fields.
    # With no "target" set, the parsed keys are written at the top level of
    # the event and overwrite existing fields of the same name (for example
    # "type" or "host"), so the log format must not let clients add keys.
    source       => "message"
    # Drop the raw "message" field. This is applied only when parsing
    # succeeds; lines that fail to parse keep "message" and are tagged
    # _jsonparsefailure, which is worth monitoring.
    remove_field => ["message"]
  }
}
#重新启动Logstash
[root@db04 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/tomcat_json_es.conf &

image-20211103194538406

去除黄色感叹号

image-20211103194749666

黄色感叹号没有了

image-20211103194822981

非JSON格式缺陷

1.无法画图

2.日志格式不清晰

3.不便于搜索

Logstash收集nginx日志

修改nginx日志格式

# 在nginx主配置文件配置
[root@db04 conf.d]# vim /etc/nginx/nginx.conf
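# JSON access-log format, one object per request.
# escape=json (nginx 1.11.8 and later) makes nginx escape quotes, backslashes
# and control characters in variable values. Without it, client-supplied
# values such as $http_referer, $http_x_forwarded_for and $uri can break the
# JSON structure or add keys of their own to the logged object.
# size and responsetime are left unquoted so they are indexed as numbers.
log_format access_json escape=json '{"@timestamp":"$time_iso8601",'
            '"host":"$server_addr",'
            '"clientip":"$remote_addr",'
            '"size":$body_bytes_sent,'
            '"responsetime":$request_time,'
            '"upstreamtime":"$upstream_response_time",'
            '"upstreamhost":"$upstream_addr",'
            '"http_host":"$host",'
            '"url":"$uri",'
            '"domain":"$host",'
            '"xff":"$http_x_forwarded_for",'
            '"referer":"$http_referer",'
            '"status":"$status"}';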

# 在子配置文件添加这一行
[root@db04 conf.d]# cat /etc/nginx/conf.d/blog.abc.com.conf
# Write this site's access log using the access_json format declared with log_format in nginx.conf.
access_log  /var/log/nginx/blog_abc_com_access.log  access_json;

编辑Logstash配置

[root@db04 conf.d]# cat nginx_to_es.conf 
# Ship the JSON-formatted nginx access log to Elasticsearch, parsing each
# line into fields first.
input {
  file {
    path           => "/var/log/nginx/blog_abc_com_access.log"
    type           => "blog_abc_com_access"
    start_position => "beginning"
  }
}

filter {
  json {
    # Parse the JSON text held in "message" into individual event fields.
    # With no "target" set, the parsed keys are written at the top level of
    # the event and overwrite existing fields of the same name (for example
    # "type", which the index name below is built from), so the nginx
    # log_format must escape client-supplied values.
    source       => "message"
    # Drop the raw "message" field. This is applied only when parsing
    # succeeds; lines that fail to parse keep "message" and are tagged
    # _jsonparsefailure.
    remove_field => ["message"]
  }
}

output {
  elasticsearch {
    # NOTE(review): a bare host:port with no credentials or TLS settings.
    # Confirm the cluster is reachable only from trusted hosts, or configure
    # the plugin's authentication and TLS options before shipping logs.
    hosts => ["10.0.0.51:9200"]
    # Index name = the event's "type" field plus the event date.
    index => "%{type}_%{+YYYY.MM.dd}"
    # NOTE(review): parsing is already done by the json filter above; a codec
    # on this output does not affect how "message" is decoded.
    codec => "json"
  }
}

# 启动
[root@db04 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/nginx_to_es.conf &

原文地址:http://www.cnblogs.com/bloglee/p/16787779.html
