ELK collecting Tomcat and nginx logs (using Filebeat and Logstash respectively)

Posted by 年華似水




Download location for all Elasticsearch packages (pick the version you need; version 7 is used here):

https://mirrors.tuna.tsinghua.edu.cn/elasticstack/7.x/yum/7.3.0/

# download and unpack the package
wget https://mirrors.huaweicloud.com/elasticsearch/7.3.0/elasticsearch-7.3.0-linux-x86_64.tar.gz
tar -xzf elasticsearch-7.3.0-linux-x86_64.tar.gz -C /data/elasticsearch

On each node, set network.host and node.name accordingly:

network.host is set to the node's own IP
node.name is set to node-1, node-2, node-3, ...

cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.168.104.201 m1
10.168.104.202 node-5
10.168.104.203 node-4
10.168.104.204 node-3
10.168.104.205 node-2
10.168.104.206 node-1

# set the hostname on each node (run the matching line on that node)
hostnamectl set-hostname node-1
hostnamectl set-hostname node-2
hostnamectl set-hostname node-3
hostnamectl set-hostname node-4
hostnamectl set-hostname node-5

# raise the open-file and process limits Elasticsearch needs
vim /etc/security/limits.conf
* soft nofile 65536
* hard nofile 65536
* soft nproc 65536
* hard nproc 65536

Create the elasticsearch user and give it ownership of the install directory:

groupadd elsearch
# note: useradd -p expects an already-hashed (crypt) password, not a plaintext one
useradd elsearch -g elsearch -p elasticsearch
mkdir -p /data/elasticsearch/{data,log}
chown -R elsearch:elsearch elasticsearch*

Configure each node (change the IP address and node name inside to match the node):

vi /data/elasticsearch-7.3.0/config/elasticsearch.yml

# cluster name
cluster.name: elasticsearch
# node name
node.name: node-1
# eligible to be elected master
node.master: true
# stores data
node.data: true
# maximum number of nodes allowed to share this data path on one host
node.max_local_storage_nodes: 5
# bind address
network.host: 10.168.104.206
# HTTP port
http.port: 9200
# port for node-to-node transport traffic
transport.tcp.port: 9300
# added in es7.x: addresses of the master-eligible nodes to contact when joining the cluster
discovery.seed_hosts: ["10.168.104.206:9300", "10.168.104.205:9300", "10.168.104.204:9300", "10.168.104.203:9300", "10.168.104.202:9300"]
# added in es7.x: needed only when bootstrapping a brand-new cluster, to elect the first master
cluster.initial_master_nodes: ["10.168.104.206", "10.168.104.205", "10.168.104.204", "10.168.104.203", "10.168.104.202"]
# ping timeout, default 3s; raise it to help avoid split-brain
discovery.zen.ping_timeout: 120s
client.transport.ping_timeout: 60s
# data path
path.data: /data/elasticsearch/data
# log path
path.logs: /data/elasticsearch/log
# disables the seccomp system-call filter; only needed on kernels without seccomp support
bootstrap.system_call_filter: false
# CORS: "*" lets any web origin call the HTTP API; narrow it to the head plugin's origin once the plugin works
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE
http.cors.allow-headers: "X-Requested-With, Content-Type, Content-Length, X-User"

Start elasticsearch:

su elsearch
cd /data/elasticsearch-7.3.0/bin/
./elasticsearch -d

Troubleshooting

OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.

Edit the JVM options file: vi /data/elasticsearch-7.3.0/config/jvm.options
Change -XX:+UseConcMarkSweepGC to -XX:+UseG1GC

[1] bootstrap checks failed
[1]: memory locking requested for elasticsearch process but memory is not locked

# vim /etc/elasticsearch/elasticsearch.yml          // setting it to false makes it start normally
bootstrap.memory_lock: false

max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]

Edit vi /etc/sysctl.conf and append:
vm.max_map_count=655360

Save, then run:
sysctl -p

Installing the head plugin for Elasticsearch 7.x

Granting access on the ES side

Add the following to the ES config:

http.cors.enabled: true
http.cors.allow-origin: "*"

This opens the HTTP interface to cross-origin callers so the browser-based Head plugin can reach Elasticsearch; restart ES after the change.

1. Download elasticsearch-head-master.zip

https://codeload.github.com/mobz/elasticsearch-head/tar.gz/v5.0.0

Unpack it and change into the directory.

2. Install node.js (this pipes a remote setup script straight into a root shell; fetch it to a file and review it first if you prefer)

elasticsearch-head-master]# curl --silent --location https://rpm.nodesource.com/setup_10.x | bash -
elasticsearch-head-master]# yum install -y nodejs

Check that the install worked (your versions may differ):

elasticsearch-head-master]# node -v
v10.16.0
elasticsearch-head-master]# npm -v
6.9.0

3. Install grunt

elasticsearch-head-master]# npm install -g grunt-cli
elasticsearch-head-master]# npm install

4. Modify the head configuration

elasticsearch-head-master]# vim Gruntfile.js and add hostname: '10.168.104.206' under the connect server options:

server: {
        options: {
                hostname: '10.168.104.206',
                port: 9100,
                base: '.',
                keepalive: true
        }
}

elasticsearch-head-master]# vim _site/app.js and change the fallback in this.prefs.get("app-base_uri") || "10.168.104.206:9200" as follows:

this._super();
this.prefs = services.Preferences.instance();
this.base_uri = this.config.base_uri || this.prefs.get("app-base_uri") || "http://192.168.25.180:9200";

5. Start the Head plugin

Change to the elasticsearch-head-master directory and run:

grunt server


Installing Kibana 7.x

wget https://artifacts.elastic.co/downloads/kibana/kibana-7.6.1-linux-x86_64.tar.gz
tar -zxvf kibana-7.6.1-linux-x86_64.tar.gz

Kibana checks the Elasticsearch version at startup and will not work against an older cluster, so match the Kibana version to the cluster (7.3.0 here) rather than pairing 7.6.1 with 7.3.0.

Edit the Kibana config file kibana.yml:

vim config/kibana.yml

# uncomment and change the defaults to:
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://10.168.104.206:9200", "http://10.168.104.205:9200", "http://10.168.104.204:9200", "http://10.168.104.203:9200", "http://10.168.104.202:9200"]
server.name: "kib-server" # any name
i18n.locale: "zh-CN" # Chinese UI

useradd kibana
chown -R kibana:kibana /data/kibana
su kibana
cd /data/kibana/bin
./kibana &  # start in the background


Installing Filebeat

wget https://mirrors.tuna.tsinghua.edu.cn/elasticstack/7.x/yum/7.3.0/filebeat-7.3.0-x86_64.rpm
rpm -ivh filebeat-7.3.0-x86_64.rpm

Start it:

systemctl start filebeat

Collecting nginx JSON logs with ELK

1. Have nginx write its access log in JSON format
2. Tell Filebeat the input is JSON when it picks the log up
3. Logs arrive in ES as JSON, so Kibana shows them as JSON too, which makes them easier to manage

1. Configure nginx to log in JSON format

# Add the following to /etc/nginx/nginx.conf (inside the http block); mind the indentation.
# escape=json (nginx 1.11.8+) writes a quote or backslash in a client-controlled value such as
# $http_user_agent as \" or \\ so the line stays valid JSON; the default escaping emits \x22,
# which JSON parsers reject.
log_format  json escape=json '{"time_local": "$time_local",'
                             '"remote_addr": "$remote_addr",'
                             '"referer": "$http_referer",'
                             '"request": "$request",'
                             '"status": $status,'
                             '"bytes": $body_bytes_sent,'
                             '"agent": "$http_user_agent",'
                             '"x_forwarded": "$http_x_forwarded_for",'
                             '"up_addr": "$upstream_addr",'
                             '"up_host": "$upstream_http_host",'
                             '"upstream_time": "$upstream_response_time",'
                             '"request_time": "$request_time"}';

access_log  /var/log/nginx/access.log  json;

# restart nginx
systemctl restart nginx.service

# run the load test again, then check that the nginx log now records JSON key/value pairs
ab -n 100 -c 100 http://10.20.1.114/
tail -f /var/log/nginx/access.log

Collecting Tomcat logs with ELK

# change the Tomcat access log to JSON format
vim /etc/tomcat/server.xml

## delete line 139
139                pattern="%h %l %u %t &quot;%r&quot; %s %b" />

## put the following on line 139 instead (it is an XML attribute of the AccessLogValve, so quotes inside the pattern are written as &quot;)
## note: the valve does not escape header values, so a quote in Referer or User-Agent breaks the JSON of that line
pattern="{&quot;clientip&quot;:&quot;%h&quot;,&quot;ClientUser&quot;:&quot;%l&quot;,&quot;authenticated&quot;:&quot;%u&quot;,&quot;AccessTime&quot;:&quot;%t&quot;,&quot;method&quot;:&quot;%r&quot;,&quot;status&quot;:&quot;%s&quot;,&quot;SendBytes&quot;:&quot;%b&quot;,&quot;Query?string&quot;:&quot;%q&quot;,&quot;partner&quot;:&quot;%{Referer}i&quot;,&quot;AgentVersion&quot;:&quot;%{User-Agent}i&quot;}"/>

## save, restart the service and check the log
systemctl restart tomcat
tail -f /var/log/tomcat/localhost_access_log.2020-09-05.txt
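As an added check for both the nginx and the Tomcat JSON formats above (example code written for this article, not part of the original post or of nginx, Tomcat or Filebeat), the script below parses constructed sample log lines, separates records that are not valid JSON (a quote in the User-Agent escaped as \x22 by nginx's default escaping, or left unescaped by Tomcat's valve) from good ones, and tallies status classes per source. Every sample line is constructed, not captured from a server.

```python
import json
from collections import Counter

# Constructed sample lines (not captured from a real server): nginx lines use the keys
# of the log_format above, tomcat lines the keys from the server.xml pattern.
NGINX_LINES = [
    '{"time_local": "05/Sep/2020:10:00:01 +0800", "remote_addr": "10.20.1.50", '
    '"request": "GET / HTTP/1.1", "status": 200, "agent": "ApacheBench/2.3"}',
    # nginx's default escaping writes a quote in the User-Agent as \x22: not valid JSON
    '{"time_local": "05/Sep/2020:10:00:02 +0800", "remote_addr": "10.20.1.51", '
    '"request": "GET /x HTTP/1.1", "status": 404, "agent": "Mozilla/5.0 \\x22t\\x22"}',
    # with escape=json the same quote is written as \" and the line parses
    '{"time_local": "05/Sep/2020:10:00:03 +0800", "remote_addr": "10.20.1.51", '
    '"request": "GET /x HTTP/1.1", "status": 502, "agent": "Mozilla/5.0 \\"t\\""}',
]
TOMCAT_LINES = [
    '{"clientip":"10.20.1.50","AccessTime":"[05/Sep/2020:10:00:04 +0800]",'
    '"method":"GET /app/ HTTP/1.1","status":"200","SendBytes":"1024",'
    '"partner":"-","AgentVersion":"curl/7.61.1"}',
    # the AccessLogValve does not escape header values: a quote in Referer breaks the line
    '{"clientip":"10.20.1.52","AccessTime":"[05/Sep/2020:10:00:05 +0800]",'
    '"method":"GET /app/ HTTP/1.1","status":"500","SendBytes":"0",'
    '"partner":"a"b","AgentVersion":"curl/7.61.1"}',
]
# keys every record of a source must carry to be useful in Kibana
REQUIRED = {"nginx": {"time_local", "remote_addr", "request", "status", "agent"},
            "tomcat": {"clientip", "AccessTime", "method", "status", "AgentVersion"}}

def parse_lines(source, lines):
    """Return (records, bad_lines); a line is bad when it is not a JSON object or lacks
    the required keys, which is also where Filebeat's json.* decoding would fail."""
    records, bad = [], []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            bad.append(line)
            continue
        if not isinstance(rec, dict) or not REQUIRED[source].issubset(rec):
            bad.append(line)
            continue
        rec["status"] = int(rec["status"])  # tomcat quotes %s, nginx writes a bare number
        records.append(rec)
    return records, bad

def status_counts(records):
    """Tally status classes (2xx, 4xx, 5xx), as a Kibana terms aggregation would."""
    return Counter(f"{r['status'] // 100}xx" for r in records)
```

Run it against a real access.log by reading the file into the lists; lines that land in bad_lines are the ones Filebeat would ship as a raw message with a decoding error instead of as fields.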

Shipping logs from Filebeat straight to ES, with custom index names and one index per log type

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  # json.* settings are per input (they have no effect under setup.template.settings):
  # decode each line as JSON, put the keys at the top level, and keep the raw line
  # plus an error field when a line is not valid JSON
  json.keys_under_root: true
  json.overwrite_keys: true
  json.add_error_key: true
  fields:
    type: nginx
- type: log
  enabled: true
  paths:
    - /var/log/tomcat/localhost_access_log.*.txt
  json.keys_under_root: true
  json.overwrite_keys: true
  json.add_error_key: true
  fields:
    type: tomcat

setup.ilm.enabled: false
# with a custom index name, Filebeat 7.x also wants a template name and pattern;
# the pattern must match both index names used below
setup.template.name: "app-logs"
setup.template.pattern: "*_*"
setup.template.settings:
  index.number_of_shards: 5
  index.number_of_replicas: 1
  index.codec: best_compression

output.elasticsearch:
  hosts: ["10.168.104.206:9200", "10.168.104.205:9200", "10.168.104.204:9200", "10.168.104.203:9200", "10.168.104.202:9200"]
  # route each event to a daily index chosen by the fields.type set on its input
  indices:
    - index: "nginx_%{+yyyy.MM.dd}"
      when.equals:
        fields.type: "nginx"
    - index: "tomcat_%{+yyyy.MM.dd}"
      when.equals:
        fields.type: "tomcat"


Installing Logstash and collecting logs with it

[root@redis conf.d]# cat nginx_log.conf
input {
    file {
        path  => ["/usr/local/nginx/logs/access.log"]
        start_position => "beginning"
        type => "access"
        # if access.log is written with the JSON log_format above, add: codec => "json"
    }
    file {
        path => ["/usr/local/nginx/logs/error.log"]
        start_position => "beginning"
        type => "error"
    }
}
output {
    # each input goes to its own daily index, selected by the type set above
    if [type] == "access" {
        elasticsearch {
            hosts => ["192.168.10.128:9200"]
            index => "nginx_access-%{+YYYY.MM.dd}"
        }
    }
    if [type] == "error" {
        elasticsearch {
            hosts => ["192.168.10.128:9200"]
            index => "nginx_error-%{+YYYY.MM.dd}"
        }
    }
}

Testing the configuration with the Logstash command

Option descriptions:

-f  specify the Logstash configuration file; Logstash is configured from that file
-e  followed by a string that is used as the Logstash configuration (if it is "", stdin is used as input and stdout as output by default)
-t  test whether the configuration file is valid, then exit

[root@redis conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/nginx_log.conf -t
Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
Configuration OK
