Logstash日志收集
调整Logstash JVM
[root@db03 ~]# vim /etc/logstash/jvm.options
-Xms256m
-Xmx512m
Logstash配置
[root@db03 logstash]# grep '^[a-z]' logstash.yml
path.data: /var/lib/logstash
path.config: /etc/logstash/conf.d
path.logs: /var/log/logstash
将message日志收集到指定文件中
[root@db03 conf.d]# cat messages_to_file.conf
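# Copies /var/log/messages into a dated file through the file output.
input {
  file {
    type           => "system_log"
    path           => "/var/log/messages"
    # Read the file from its first line the first time it is seen.
    start_position => "beginning"
  }
}

output {
  file {
    # Changed from /tmp. This pipeline is started from a root shell, and /tmp
    # is world-writable: a predictable dated name there can be pre-created or
    # symlinked by another local account, and the copied syslog lands where
    # every user can look for it. Write to a root-owned log directory instead
    # (/var/log/logstash is the path.logs directory from logstash.yml above).
    # The file output's file_mode / dir_mode options control the permissions
    # of what gets created.
    path => "/var/log/logstash/messages_%{+YYYY.MM.dd}"
  }
}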
## 检测语法
[root@db03 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/messages_to_file.conf -t
## 启动logstash
[root@db03 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/messages_to_file.conf &
Logstash收集多日志到文件中
[root@db03 conf.d]# cat system_to_file.conf
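# Collects two system logs and routes each to its own dated file by [type].
input {
  file {
    type           => "msg_log"
    path           => "/var/log/messages"
    start_position => "beginning"
  }
  file {
    # /var/log/secure carries authentication records (logins, sudo, sshd),
    # so every copy of it needs the same protection as the original file.
    type           => "sec_log"
    path           => "/var/log/secure"
    start_position => "beginning"
  }
}

output {
  # Changed from /tmp for both branches. /tmp is world-writable and the dated
  # names are predictable, so a copy written there by a root-run Logstash can
  # be pre-created or symlinked by another local account, and the auth log
  # copy becomes reachable outside the root-only original. A root-owned
  # directory is used instead (/var/log/logstash is path.logs in logstash.yml
  # above). Check the resulting modes; file_mode / dir_mode on the file output
  # set them explicitly.
  if [type] == "msg_log" {
    file {
      path => "/var/log/logstash/msg_%{+YYYY.MM.dd}"
    }
  } else if [type] == "sec_log" {
    file {
      path => "/var/log/logstash/sec_%{+YYYY.MM.dd}"
    }
  }
}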
Logstash收集多个日志到ES中
[root@db03 conf.d]# cat system_to_es.conf
# Ships /var/log/messages and /var/log/secure to Elasticsearch, one daily
# index per input type.
input {
  file {
    path           => "/var/log/messages"
    type           => "msg_log"
    start_position => "beginning"
  }
  file {
    path           => "/var/log/secure"
    type           => "sec_log"
    start_position => "beginning"
  }
}

output {
  elasticsearch {
    # Index name is built from the event's type field plus the event date,
    # e.g. msg_log_<date> and sec_log_<date>.
    index => "%{type}_%{+YYYY.MM.dd}"
    # NOTE(review): no user/password and no TLS settings are given, so the
    # events (including auth records from /var/log/secure) are sent as they
    # are and the cluster is presumably accepting unauthenticated writes.
    # Fine for an isolated lab; otherwise enable authentication and TLS on
    # the cluster and set the matching options on this output.
    hosts => ["10.0.0.51:9200"]
  }
}
Logstash收集JAVA日志
# 1.启动tomcat
[root@db04 ~]# /app/tomcat/bin/startup.sh
# 2.编辑logstash配置文件
[root@db04 conf.d]# cat tomcat_to_es.conf
# Ships the Tomcat console log and the access logs to Elasticsearch, one
# daily index per input type.
input {
  file {
    path           => "/app/tomcat/logs/catalina.out"
    type           => "tomcat_catalina"
    start_position => "beginning"
  }
  file {
    # Glob: picks up every dated localhost_access_log file.
    path           => "/app/tomcat/logs/localhost_access_log.*.txt"
    type           => "tomcat_access"
    start_position => "beginning"
  }
}

output {
  elasticsearch {
    index => "%{type}_%{+YYYY.MM.dd}"
    # NOTE(review): plain host:port with no credentials or TLS options; the
    # access log contains client addresses and request lines, so confirm the
    # path to 10.0.0.51:9200 is trusted or configure authentication and TLS.
    hosts => ["10.0.0.51:9200"]
  }
}
# 3.检查语法
[root@db04 ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/tomcat_to_es.conf -t
# 4.启动logstash
[root@db04 ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/tomcat_to_es.conf &
将tomcat日志修改成json格式
[root@db04 conf.d]# vim /app/tomcat/conf/server.xml
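<!-- Access log written as one JSON object per line. The quotes inside the
     pattern must be written as &quot; because the pattern itself sits inside
     a double-quoted XML attribute; literal quotes make server.xml invalid.
     NOTE(review): %r, %q and the Referer / User-Agent values come from the
     client. Check how this Tomcat version escapes quotes in them, otherwise
     such lines will not parse as JSON downstream. -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="access" suffix=".log"
       pattern="{&quot;clientip&quot;:&quot;%h&quot;,&quot;ClientUser&quot;:&quot;%l&quot;,&quot;authenticated&quot;:&quot;%u&quot;,&quot;AccessTime&quot;:&quot;%t&quot;,&quot;method&quot;:&quot;%r&quot;,&quot;status&quot;:&quot;%s&quot;,&quot;SendBytes&quot;:&quot;%b&quot;,&quot;Query?string&quot;:&quot;%q&quot;,&quot;partner&quot;:&quot;%{Referer}i&quot;,&quot;AgentVersion&quot;:&quot;%{User-Agent}i&quot;}" />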
收集tomcat json日志
[root@db04 conf.d]# vim tomcat_json_es.conf
# Ships the JSON-formatted Tomcat access log (access.*.log) to Elasticsearch.
input {
  file {
    path           => "/app/tomcat/logs/access.*.log"
    type           => "tomcat_json"
    start_position => "beginning"
  }
}

output {
  elasticsearch {
    # A codec on the output does not decode the incoming line: each access-log
    # record still arrives as one string in the message field, which is why
    # this page goes on to add a json filter.
    codec => "json"
    index => "%{type}_%{+YYYY.MM.dd}"
    # NOTE(review): no credentials or TLS options are set for this host;
    # confirm that is intended outside a lab network.
    hosts => ["10.0.0.51:9200"]
  }
}
[root@db04 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/tomcat_json_es.conf -t
[root@db04 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/tomcat_json_es.conf &
此时写入ES的并不是我们想要的JSON:整条日志仍然作为一个字符串保存在message字段中,所以需要给Logstash添加过滤规则,
把message中的KEY:VALUE解析成键值对的形式,再展现出来。
# 修改配置文件
#在Logstash的配置文件中,添加filter过滤规则
# Parses the JSON text held in message into separate event fields.
filter {
  json {
    source       => "message"
    # Drop the raw message column once its content has been parsed.
    # remove_field is applied only when parsing succeeds: a line that is not
    # valid JSON keeps message and is tagged _jsonparsefailure (the filter's
    # default failure tag), so that tag is worth monitoring.
    # No target is set, so parsed keys are written at the top level of the
    # event and replace same-named fields, including type, which this page's
    # outputs use in the index name. Set target if the log content is not
    # fully trusted.
    remove_field => ["message"]
  }
}
#重新启动Logstash
[root@db04 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/tomcat_json_es.conf &
去除黄色感叹号
黄色感叹号没有了
非JSON格式缺陷
1.无法画图
2.日志格式不清晰
3.不便于搜索
Logstash收集nginx日志
修改nginx日志格式
# 在nginx主配置文件配置
[root@db04 conf.d]# vim /etc/nginx/nginx.conf
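# JSON access-log format, one object per request.
# escape=json (nginx 1.11.8+) makes nginx write JSON-valid escapes for quotes,
# backslashes and control characters in variable values. Without it the default
# escaping turns a double quote in a client-controlled value ($uri,
# $http_referer, $http_x_forwarded_for) into \x22, which is not a valid JSON
# escape: the Logstash json filter then fails on that line, tags it
# _jsonparsefailure, and the request is stored unparsed.
log_format access_json escape=json
    '{"@timestamp":"$time_iso8601",'
    '"host":"$server_addr",'
    '"clientip":"$remote_addr",'
    '"size":$body_bytes_sent,'
    '"responsetime":$request_time,'
    '"upstreamtime":"$upstream_response_time",'
    '"upstreamhost":"$upstream_addr",'
    '"http_host":"$host",'
    '"url":"$uri",'
    '"domain":"$host",'
    '"xff":"$http_x_forwarded_for",'
    '"referer":"$http_referer",'
    '"status":"$status"}';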
# 在子配置文件添加这一行
[root@db04 conf.d]# cat /etc/nginx/conf.d/blog.abc.com.conf
access_log /var/log/nginx/blog_abc_com_access.log access_json;
编辑Logstash配置
[root@db04 conf.d]# cat nginx_to_es.conf
# Reads the JSON-formatted nginx access log, parses each line into fields and
# indexes the result in Elasticsearch.
input {
  file {
    path           => "/var/log/nginx/blog_abc_com_access.log"
    type           => "blog_abc_com_access"
    start_position => "beginning"
  }
}

filter {
  json {
    source       => "message"
    # Drop the raw message column after a successful parse; lines that fail
    # to parse keep message and are tagged _jsonparsefailure.
    # With no target set, keys from the log line are written at the top level
    # of the event, so the "host" and "@timestamp" keys of the access_json
    # format replace the event's own values.
    remove_field => ["message"]
  }
}

output {
  elasticsearch {
    codec => "json"
    index => "%{type}_%{+YYYY.MM.dd}"
    # NOTE(review): no credentials or TLS options are set for this host;
    # confirm that is intended outside a lab network.
    hosts => ["10.0.0.51:9200"]
  }
}
# 启动
[root@db04 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/nginx_to_es.conf &
原文地址:http://www.cnblogs.com/bloglee/p/16787779.html