Installing Logstash on CentOS 7
Posted by jeikerxiao
How Logstash works
Logstash collects, processes and emits log events as a pipeline.
This is much like a Unix shell pipeline aaa | bbb | ccc: the output of aaa feeds bbb, whose output feeds ccc.
A Logstash pipeline has three stages:
input --> filter (optional) --> output
The pipeline configuration file is written in the same order.
Installing Logstash
Logstash 6.x runs on the JVM, so a Java 8 runtime must already be installed on the host.
Download
Go to the software directory:
cd /opt/software
Download the archive. Elastic publishes a .sha512 checksum file next to each artifact; compare it with sha512sum -c before unpacking anything you are going to run as a service:
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.5.2.tar.gz
Unpack it:
tar -zxvf logstash-6.5.2.tar.gz
Rename the directory:
mv logstash-6.5.2 logstash
Editing the configuration
Go to the config directory:
➜ cd /opt/software/logstash/config
List the configuration files:
➜ ls
jvm.options  log4j2.properties  logstash-sample.conf  logstash.yml  pipelines.yml  startup.options
Copy the sample pipeline config to a new file:
➜ cp logstash-sample.conf syslog.conf
Edit it so that it reads:
# Define the log source
input {
  syslog {
    type => "system-syslog"   # event type, free-form
    port => 10514             # port to listen on (TCP and UDP)
  }
}
# Define where events go
output {
  stdout {
    codec => rubydebug        # print each event to the current terminal
  }
}
The syslog input opens both TCP and UDP on port 10514, on every interface by default, and accepts plaintext from any sender without authentication. Either restrict it with the input's host option or firewall the port to the hosts that are meant to forward logs.
Validating the configuration file
From /opt/software/logstash/bin, run:
➜ ./logstash --path.settings /opt/software/logstash/config/ -f /opt/software/logstash/config/syslog.conf --config.test_and_exit
If the file is valid the output looks like this:
Sending Logstash logs to /opt/software/logstash/logs which is now configured via log4j2.properties
[2018-11-23T09:28:36,184][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
Configuration OK
[2018-11-23T09:28:38,630][INFO ][logstash.runner ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash
The line Configuration OK tells us the pipeline config parses correctly.
Options used:
--path.settings: directory holding the Logstash settings files (logstash.yml, jvm.options, and so on)
-f: path of the pipeline config file to check
--config.test_and_exit: validate the config and exit; without it Logstash would start the pipeline
Configuring the log source
On the machine whose logs you want to collect, point rsyslog at the Logstash host and the port configured above:
➜ vim /etc/rsyslog.conf
Uncomment the forwarding rule and fill in your own server address:
#### RULES ####
*.* @@192.168.0.514:10514
The leading *.* forwards every facility and severity; @@ means TCP (a single @ would be UDP, which the syslog input also accepts on the same port). Note that the address printed here, 192.168.0.514, is not a valid IPv4 address (an octet cannot exceed 255); use the real address of the Logstash host, which is 192.168.0.254 elsewhere on this page. This forwarding is plaintext and unauthenticated, so keep the sender and Logstash on a trusted segment or restrict port 10514 to the known senders.
Restart rsyslog so the change takes effect:
➜ systemctl restart rsyslog
Starting Logstash
Start Logstash with the pipeline config:
➜ cd /opt/software/logstash/bin
➜ ./logstash --path.settings /opt/software/logstash/config/ -f /opt/software/logstash/config/syslog.conf
In a new terminal, check that port 10514 is being listened on:
➜ netstat -lntp |grep 10514
tcp 0 0 0.0.0.0:10514 0.0.0.0:* LISTEN 14580/java
The socket is bound to 0.0.0.0, that is, to every interface.
Then log in to this machine over SSH from another host and check whether events appear in the Logstash terminal:
{
          "@version" => "1",
        "@timestamp" => 2018-11-23T01:44:48.000Z,
          "priority" => 86,
         "logsource" => "iZbp18jvb8bcz1z6pqd27",
               "pid" => "14632",
           "message" => "Accepted publickey for root from 113.240.229.5 port 3780 ssh2: RSA 05:4c:4d:59:0d:bd:12:a2:8c:b6:4d:96:29:78:19:43\n",
              "type" => "system-syslog",
    "severity_label" => "Informational",
           "program" => "sshd",
          "severity" => 6,
          "facility" => 10,
              "host" => "192.168.0.514",
         "timestamp" => "Nov 23 09:44:48",
    "facility_label" => "security/authorization"
}
{
          "@version" => "1",
        "@timestamp" => 2018-11-23T01:44:48.000Z,
          "priority" => 86,
         "logsource" => "iZbp18jvb8bcz1z6pqd27",
               "pid" => "14632",
           "message" => "pam_unix(sshd:session): session opened for user root by (uid=0)\n",
              "type" => "system-syslog",
    "severity_label" => "Informational",
           "program" => "sshd",
          "severity" => 6,
          "facility" => 10,
              "host" => "192.168.0.514",
         "timestamp" => "Nov 23 09:44:48",
    "facility_label" => "security/authorization"
}
The collected events are printed to the terminal as structured (JSON-like) documents, so the test has succeeded. The syslog input has already split the RFC 3164 header: the PRI value 86 decodes to facility 10 (security/authorization, the authpriv facility) and severity 6 (Informational), and program/pid come from the sshd[14632] tag.
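As an added example (my code, not from the original post and not the syslog input's own source), the following Ruby script decodes an RFC 3164 line the way the syslog input does, so the priority, facility and severity numbers in the events above can be checked by hand. The wire-format sample is reconstructed from the first event shown; the label tables are the input's default facility_labels and severity_labels, and the fallback to priority 13 with a _grokparsefailure_sysloginput tag mirrors what the input does with a line it cannot parse.

```ruby
# Added example, not code from the original post or from Logstash: decode an
# RFC 3164 syslog line the way the Logstash syslog input does, so that
# PRI 86 -> facility 10 / severity 6 from the rubydebug output can be verified.
# The wire line at the bottom is constructed from the fields shown on the page.

# Default facility_labels / severity_labels of the syslog input; the index is
# facility = PRI >> 3 and severity = PRI & 7.
FACILITY_LABELS = [
  "kernel", "user-level", "mail", "system", "security/authorization",
  "syslogd", "line printer", "network news", "UUCP", "clock",
  "security/authorization", "FTP", "NTP", "log audit", "log alert", "clock",
  "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"
].freeze

SEVERITY_LABELS = %w[Emergency Alert Critical Error Warning Notice Informational Debug].freeze

# <PRI>MMM dd HH:mm:ss host program[pid]: message   (BSD syslog, RFC 3164)
SYSLOG_LINE = /\A<(?<pri>\d{1,3})>(?<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?<logsource>\S+) (?<program>[^\s\[:]+)(?:\[(?<pid>\d+)\])?: (?<message>.*)\z/m

# PRI = facility * 8 + severity, so the two fields are a shift and a mask.
def split_priority(pri)
  { "facility" => pri >> 3, "severity" => pri & 7 }
end

def parse_syslog(line)
  m = SYSLOG_LINE.match(line)
  pri = m && m[:pri].to_i
  # Like the Logstash input: an unparseable header or an out-of-range PRI
  # (RFC 3164 allows 0..191) falls back to priority 13 and tags the event.
  if m.nil? || pri > 191
    return { "priority" => 13, "message" => line,
             "tags" => ["_grokparsefailure_sysloginput"] }.merge(split_priority(13))
  end
  fs = split_priority(pri)
  {
    "priority"       => pri,
    "facility"       => fs["facility"],
    "severity"       => fs["severity"],
    "facility_label" => FACILITY_LABELS[fs["facility"]],
    "severity_label" => SEVERITY_LABELS[fs["severity"]],
    "timestamp"      => m[:timestamp],
    "logsource"      => m[:logsource],
    "program"        => m[:program],
    "pid"            => m[:pid],
    "message"        => m[:message]
  }
end

# Constructed wire line, rebuilt from the first rubydebug event on the page.
SAMPLE = "<86>Nov 23 09:44:48 iZbp18jvb8bcz1z6pqd27 sshd[14632]: Accepted publickey for root from 113.240.229.5 port 3780 ssh2"

if __FILE__ == $PROGRAM_NAME
  parse_syslog(SAMPLE).each { |k, v| puts "#{k.ljust(15)} => #{v.inspect}" }
end
```

Run it with ruby; the facility/severity it prints for the sample are the same 10 and 6 the syslog input produced above, and feeding it a line without a valid <PRI> header shows the priority-13 fallback that Logstash applies to non-syslog traffic arriving on the port.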
Sending events to Elasticsearch
The configuration above was only for testing. Now edit the file again so that collected events go to the Elasticsearch server instead of the terminal:
➜ vim /opt/software/logstash/config/syslog.conf
Change the output section:
input {
  syslog {
    type => "system-syslog"
    port => 10514
  }
}
output {
  elasticsearch {
    hosts => ["192.168.0.514:9200"]        # Elasticsearch address; 192.168.0.514 as printed here is not a valid IPv4 address, the rest of this page uses 192.168.0.254
    index => "system-syslog-%{+YYYY.MM}"   # one index per month
  }
}
After editing, check the config file again:
➜ ./logstash --path.settings /opt/software/logstash/config/ -f /opt/software/logstash/config/syslog.conf --config.test_and_exit
Then start Logstash again with the same command as before. Two ports should now be listening: the syslog input on 10514 and the Logstash HTTP API on 9600:
[root@iZbp18jvb8bcz1z6pqd27xZ config]# netstat -lntp |grep 9600
tcp 0 0 127.0.0.1:9600 0.0.0.0:* LISTEN 14687/java
[root@iZbp18jvb8bcz1z6pqd27xZ config]# netstat -lntp |grep 10514
tcp 0 0 0.0.0.0:10514 0.0.0.0:* LISTEN 14687/java
Port 9600 is bound to 127.0.0.1. This is Logstash's monitoring API (node stats, hot threads, pipeline info), not the path events take to Elasticsearch, so shipping logs works without changing it. If you do want to query the API from another machine, set http.host in logstash.yml. This install is from the tarball, so the file is in the config directory, not under /etc/logstash:
➜ vim /opt/software/logstash/config/logstash.yml
http.host: "192.168.0.254"
The API has no authentication in this version, so once it is bound to a routable address restrict port 9600 with the host firewall.
Restart Logstash and check the binding again:
➜ netstat -lntp |grep 9600
tcp 0 0 192.168.0.254:9600 0.0.0.0:* LISTEN 14687/java
Checking through the Elasticsearch API
List the indices:
curl '192.168.0.254:9200/_cat/indices?v'
Output:
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open .kibana 4MdKQbgsTPG5YDBcsOFN7Q 1 1 1 0 3.2kb 3.2kb
yellow open system-syslog-2018.11 X1XXTQ9US_WcjJbrOPk8VA 5 1 6 0 57.5kb 57.5kb
The system-syslog index defined in the Logstash config has been created, so the configuration is right and Logstash is talking to Elasticsearch.
Get the details of one index:
curl -XGET '192.168.0.254:9200/system-syslog-2018.11?pretty'
If an index has to be removed later, delete it by name:
curl -XDELETE '192.168.0.254:9200/system-syslog-2018.11'
None of these requests carries credentials: this Elasticsearch instance answers on a routable address without authentication, so anyone who can reach port 9200 can issue the same DELETE. Keep port 9200 reachable only from the Logstash and Kibana hosts.
Once Elasticsearch and Logstash communicate, configure Kibana: open 192.168.0.254:5601 in a browser and create an index pattern:
system-syslog-2018.11
or
system-syslog-*
The documents can also be read straight from Elasticsearch:
http://192.168.0.254:9200/system-syslog-2018.11/_search?q=*
Collecting nginx logs with Logstash
Go to the Logstash config directory:
cd /opt/software/logstash/config
Create a pipeline config for nginx, nginx.conf:
vim nginx.conf
Contents of nginx.conf:
input {
  file {                                        # read events from a file
    path => "/opt/software/nginx/logs/elk.access.log"   # file to follow
    start_position => "beginning"               # read the whole file the first time it is seen; after that the sincedb offset is used
    type => "nginx"                             # event type, free-form
  }
}
filter {
  grok {                                        # split each access-log line into fields; the pattern must match the nginx log_format exactly
    match => { "message" => "%{IPORHOST:http_host} %{IPORHOST:clientip} - %{USERNAME:remote_user} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:http_verb} %{NOTSPACE:http_request}(?: HTTP/%{NUMBER:http_version})?|%{DATA:raw_http_request})\" %{NUMBER:response} (?:%{NUMBER:bytes_read}|-) %{QS:referrer} %{QS:agent} %{QS:xforwardedfor} %{NUMBER:request_time:float}" }
  }
  geoip {
    source => "clientip"                        # adds a geoip field; private client addresses cannot be resolved and the event is tagged _geoip_lookup_failure
  }
}
output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["192.168.0.254:9200"]
    index => "nginx-test-%{+YYYY.MM.dd}"        # one index per day
  }
}
Two things to keep in mind with this pattern: the third quoted field is named xforwardedfor, but the log_format configured below writes $upstream_addr into that position, so the field name does not describe its content; and the pattern is unanchored, so a line that differs at the start (for example an $http_host carrying a port, which IPORHOST does not match) can still match further along with fields shifted. Lines that do not match at all are tagged _grokparsefailure.
Validating the configuration file
As before, check the file for errors after editing it:
➜ ./logstash --path.settings /opt/software/logstash/config/ -f /opt/software/logstash/config/nginx.conf --config.test_and_exit
Configuring the nginx access log
nginx is installed under /opt/software as well.
Go to the directory holding the nginx virtual-host files and create a new virtual-host config (the main nginx.conf is assumed to include this directory already):
➜ cd /opt/software/nginx/conf/vhost/
server {
    listen 80;
    server_name localhost;
    # access log location and the log format to use
    access_log logs/elk.access.log elk_log_format;

    location / {
        proxy_pass http://192.168.0.254:5601;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
This proxies Kibana to anyone who can reach port 80 with no authentication in front of it; it is fine for a lab, but on a shared network put access control on the proxy or limit who can reach the port.
Now define the log format in the main nginx configuration file, nginx.conf:
➜ vim /opt/software/nginx/conf/nginx.conf
Note where the format goes: log_format is only valid in the http block of the main config file, not in the virtual-host file.
log_format elk_log_format '$http_host $remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$upstream_addr" $request_time';
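To check that the grok pattern in nginx.conf matches lines written by this elk_log_format before any traffic flows, here is an added Ruby example (my code, not from the original post and not Logstash's grok implementation, although grok in Logstash is itself Ruby regex, which is why Ruby is used). It expands %{NAME:field:type} references into named groups using trimmed copies of the stock grok patterns (IPORHOST without the IPv6 branch, MONTH without long month names, QS without escape handling, which is all this format needs), matches a constructed access-log line, and also exercises the failure mode when $http_host carries a port: unanchored, the pattern still matches but captures http_host as the port number; anchored with ^, it fails with _grokparsefailure. All log lines and addresses are constructed.

```ruby
# Added example, not code from the original post or from Logstash: a small grok
# expander used to check that the nginx grok pattern above matches lines written
# by the elk_log_format on this page. All log lines below are constructed.

# Trimmed copies of the grok-patterns shipped with Logstash. IPORHOST drops the
# IPv6 branch, MONTH the long month names and QS the escape handling; that is
# all this nginx format needs.
PATTERNS = {
  'IPV4'      => '(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]){3}' \
                 '(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])(?![0-9])',
  'HOSTNAME'  => '\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)',
  'IPORHOST'  => '(?:%{IPV4}|%{HOSTNAME})',
  'USERNAME'  => '[a-zA-Z0-9._-]+',
  'INT'       => '(?:[+-]?(?:[0-9]+))',
  'BASE10NUM' => '(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))',
  'NUMBER'    => '(?:%{BASE10NUM})',
  'WORD'      => '\b\w+\b',
  'NOTSPACE'  => '\S+',
  'DATA'      => '.*?',
  'QS'        => '"[^"]*"',
  'MONTHDAY'  => '(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])',
  'MONTH'     => '\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b',
  'YEAR'      => '(?>\d\d){1,2}',
  'HOUR'      => '(?:2[0123]|[01]?[0-9])',
  'MINUTE'    => '(?:[0-5][0-9])',
  'SECOND'    => '(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)',
  'TIME'      => '%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])',
  'HTTPDATE'  => '%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}'
}.freeze

# %{PATTERN}, %{PATTERN:field} or %{PATTERN:field:type}
GROK_REF = /%\{(\w+)(?::(\w+))?(?::(\w+))?\}/

# Expand grok references into a Ruby Regexp with one named group per field.
# Returns the regexp and a field => type map for the :int / :float casts.
def compile_grok(pattern, patterns = PATTERNS)
  types = {}
  src = pattern.dup
  20.times do                     # nested references such as NUMBER -> BASE10NUM
    break unless src.include?('%{')
    src = src.gsub(GROK_REF) do
      name, field, type = Regexp.last_match(1), Regexp.last_match(2), Regexp.last_match(3)
      body = patterns.fetch(name) { raise ArgumentError, "unknown grok pattern #{name}" }
      types[field] = type if field && type
      field ? "(?<#{field}>#{body})" : "(?:#{body})"
    end
  end
  raise ArgumentError, 'grok references nest too deeply' if src.include?('%{')
  [Regexp.new(src), types]
end

# Match one line; like the grok filter, an unmatched line only gets a tag.
def grok_match(line, regex, types)
  m = regex.match(line)
  return { 'tags' => ['_grokparsefailure'] } if m.nil?
  fields = {}
  m.names.each do |name|
    val = m[name]
    next if val.nil?              # optional group (http_version, raw_http_request) absent
    fields[name] = case types[name]
                   when 'int'   then val.to_i
                   when 'float' then val.to_f
                   else val
                   end
  end
  fields
end

# The pattern from nginx.conf above. In the Logstash config the quotes are
# written \" because the pattern sits inside a double-quoted string.
NGINX_GROK = '%{IPORHOST:http_host} %{IPORHOST:clientip} - %{USERNAME:remote_user} ' \
             '\[%{HTTPDATE:timestamp}\] "(?:%{WORD:http_verb} %{NOTSPACE:http_request}' \
             '(?: HTTP/%{NUMBER:http_version})?|%{DATA:raw_http_request})" %{NUMBER:response} ' \
             '(?:%{NUMBER:bytes_read}|-) %{QS:referrer} %{QS:agent} %{QS:xforwardedfor} ' \
             '%{NUMBER:request_time:float}'

# Constructed line in elk_log_format: $http_host $remote_addr - $remote_user
# [$time_local] "$request" $status $body_bytes_sent "$http_referer"
# "$http_user_agent" "$upstream_addr" $request_time
SAMPLE_LINE = '192.168.0.254 10.0.0.7 - - [23/Nov/2018:09:52:01 +0800] "GET /app/kibana HTTP/1.1" ' \
              '200 9421 "http://192.168.0.254/" "Mozilla/5.0 (X11; Linux x86_64)" "192.168.0.254:5601" 0.013'
# Same request, but the client sent a Host: header with a port, which IPORHOST cannot match.
PORT_LINE = SAMPLE_LINE.sub('192.168.0.254 10.0.0.7', '192.168.0.254:8080 10.0.0.7')

if __FILE__ == $PROGRAM_NAME
  regex, types = compile_grok(NGINX_GROK)
  p grok_match(SAMPLE_LINE, regex, types)
  p grok_match(PORT_LINE, regex, types)           # matches, but http_host is "8080"
  anchored, atypes = compile_grok('^' + NGINX_GROK)
  p grok_match(PORT_LINE, anchored, atypes)       # {"tags"=>["_grokparsefailure"]}
end
```

Run it with ruby. Two details carry over to Logstash: QS fields keep their surrounding quotes (a mutate gsub is needed to strip them), and the unanchored pattern silently produces a wrong http_host for the host:port line, which is why production grok patterns are usually written with a leading ^.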
Validating the nginx configuration
➜ cd /opt/software/nginx
➜ ./sbin/nginx -t
The following output means the configuration is correct:
nginx: the configuration file /opt/software/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /opt/software/nginx/conf/nginx.conf test is successful
Starting Logstash
➜ ./logstash --path.settings /opt/software/logstash/config/ -f /opt/software/logstash/config/nginx.conf
Open http://192.168.0.254 in a browser. nginx answers and proxies the request to http://192.168.0.254:5601, which brings up Kibana.
After a few requests, check that the access log has been written:
➜ ls /opt/software/nginx/logs/elk.access.log
/opt/software/nginx/logs/elk.access.log
➜ wc -l !$
323 /opt/software/nginx/logs/elk.access.log
(!$ is bash history expansion for the last argument of the previous command, here the log path.) The nginx access log is being generated.
Restart Logstash so the index for these events is created. The file input tails the log, so new requests are indexed as they arrive once the pipeline is running.
After the restart, check on the Elasticsearch server whether an index starting with nginx-test exists:
curl '192.168.0.254:9200/_cat/indices?v'
When the nginx-test index is present, add it to Kibana as an index pattern:
nginx-test-*
Once that is done, the nginx access-log data can be browsed in Kibana under "Discover".