ELK part 3: multi-line merging of Java logs, and collecting and processing Tomcat JSON logs

Posted by 一叶知秋~~


Exercise 1: collecting Tomcat server logs with Logstash

1. Configure the JDK environment

1. Extract the JDK archive and create the symlinks

[root@tomcat-web1 src]# tar xvf jdk-8u212-linux-x64.tar.gz 
[root@tomcat-web1 src]# ln -sv /usr/local/src/jdk1.8.0_212/ /usr/local/jdk
‘/usr/local/jdk/jdk1.8.0_212’ -> ‘/usr/local/src/jdk1.8.0_212/’
[root@tomcat-web1 src]# ln -sv /usr/local/jdk/bin/java  /usr/bin

2. Configure the Java environment variables

[root@tomcat-web1 ~]# vim /etc/profile.d/jdk.sh  # set the environment variables
export HISTTIMEFORMAT="%F %T `whoami`"
export LANG="en_US.utf-8"
export JAVA_HOME=/usr/local/jdk
export CLASSPATH=.:$JAVA_HOME/jre/lib/rt.jar:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
export PATH=$PATH:$JAVA_HOME/bin

[root@tomcat-web1 ~]# . /etc/profile.d/jdk.sh  # source the file so the variables take effect in this shell

3. Check the Java version and JAVA_HOME

[root@tomcat-web1 src]# java -version
java version "1.8.0_212"
Java(TM) SE Runtime Environment (build 1.8.0_212-b10)
Java HotSpot(TM) 64-Bit Server VM (build 25.212-b10, mixed mode)
[root@tomcat-web1 src]# echo $JAVA_HOME
/usr/local/jdk

2. Configure and start the Tomcat service

1. Extract the Tomcat archive and create the tomcat symlink

[root@tomcat-web1 ~]# mkdir /apps
[root@tomcat-web1 ~]# cd /apps/
[root@tomcat-web1 apps]# ls
apache-tomcat-8.5.42  apache-tomcat-8.5.42.tar.gz  tomcat
[root@tomcat-web1 apps]# tar xvf apache-tomcat-8.5.42.tar.gz 
[root@tomcat-web1 apps]# ln -s /apps/apache-tomcat-8.5.42 /apps/tomcat  # create the tomcat symlink

2. Start the Tomcat service

[root@tomcat-web1 apps]# /apps/tomcat/bin/startup.sh 
Using CATALINA_BASE:   /apps/tomcat
Using CATALINA_HOME:   /apps/tomcat
Using CATALINA_TMPDIR: /apps/tomcat/temp
Using JRE_HOME:        /usr/local/jdk
Using CLASSPATH:       /apps/tomcat/bin/bootstrap.jar:/apps/tomcat/bin/tomcat-juli.jar
Tomcat started.

3. Set the web application base directory

[root@tomcat-web1 apps]# vim /apps/tomcat/conf/server.xml 
<Host name="localhost"  appBase="/data/tomcat/tomcat_webdir"

4. Open the Tomcat page in a browser. This is the custom page built earlier; if it loads, the Tomcat service is working.

5. Edit the Tomcat configuration file /apps/tomcat/conf/server.xml so that the access log is written in JSON format. The actual Tomcat access log file is /apps/tomcat/logs/tomcat_access_log.2020-03-13.log.

<!-- prefix/suffix: the log files are named tomcat_access_log.<date>.log -->
<!-- pattern: write each request as one JSON object (single quotes around the
     attribute so the inner double quotes need no &quot; escaping) -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="tomcat_access_log" suffix=".log"
       pattern='{"clientip":"%h","ClientUser":"%l","authenticated":"%u","AccessTime":"%t","method":"%r","status":"%s","SendBytes":"%b","Query?string":"%q","partner":"%{Referer}i","AgentVersion":"%{User-Agent}i"}'/>

Now look at the Tomcat log file /apps/tomcat/logs/tomcat_access_log.2020-03-13.log and verify that each line is valid JSON (an online JSON validator can be used to check).

[root@logstash ~]# tail -f  /apps/tomcat/logs/tomcat_access_log.2020-03-13.log 
{"clientip":"192.168.7.1","ClientUser":"-","authenticated":"-","AccessTime":"[13/Mar/2020:15:19:16 +0800]","method":"GET / HTTP/1.1","status":"404","SendBytes":"1078","Query?string":"","partner":"-","AgentVersion":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (Khtml, like Gecko) Chrome/78.0.3904.108 Safari/537.36"}
{"clientip":"192.168.7.1","ClientUser":"-","authenticated":"-","AccessTime":"[13/Mar/2020:15:19:16 +0800]","method":"GET /favicon.ico HTTP/1.1","status":"404","SendBytes":"1078","Query?string":"","partner":"http://192.168.7.102:8080/","AgentVersion":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"}
{"clientip":"192.168.7.1","ClientUser":"-","authenticated":"-","AccessTime":"[13/Mar/2020:15:22:09 +0800]","method":"GET / HTTP/1.1","status":"404","SendBytes":"1078","Query?string":"","partner":"-","AgentVersion":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"}
{"clientip":"192.168.7.1","ClientUser":"-","authenticated":"-","AccessTime":"[13/Mar/2020:15:22:38 +0800]","method":"GET /myapp HTTP/1.1","status":"302","SendBytes":"-","Query?string":"","partner":"-","AgentVersion":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"}
{"clientip":"192.168.7.1","ClientUser":"-","authenticated":"-","AccessTime":"[13/Mar/2020:15:22:38 +0800]","method":"GET /myapp/ HTTP/1.1","status":"200","SendBytes":"14","Query?string":"","partner":"-","AgentVersion":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"}
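As an added example (not part of the original post), the following Python script parses lines in exactly this Valve pattern and gives proper types to the fields that Logstash's json codec would leave as strings: the bracketed %t timestamp, the "-" that %b writes when no body was sent, and the full %r request line. The sample lines are constructed; the last one is deliberately malformed, because AccessLogValve inserts %r and %{User-Agent}i verbatim without JSON escaping, so a quote in a request line yields a line the codec cannot parse, and such lines should be counted rather than silently dropped.

```python
import json
import re
from collections import Counter
from datetime import datetime

# Constructed lines in the AccessLogValve JSON pattern from this post (user agents shortened).
# The last line is deliberately broken: the Valve inserts %r verbatim, so a quote in the
# request line produces an object the json codec cannot parse.
SAMPLE_LINES = [
    '{"clientip":"192.168.7.1","ClientUser":"-","authenticated":"-","AccessTime":"[13/Mar/2020:15:19:16 +0800]",'
    '"method":"GET / HTTP/1.1","status":"404","SendBytes":"1078","Query?string":"","partner":"-","AgentVersion":"Mozilla/5.0"}',
    '{"clientip":"192.168.7.1","ClientUser":"-","authenticated":"-","AccessTime":"[13/Mar/2020:15:22:38 +0800]",'
    '"method":"GET /myapp HTTP/1.1","status":"302","SendBytes":"-","Query?string":"","partner":"-","AgentVersion":"Mozilla/5.0"}',
    '{"clientip":"192.168.7.1","ClientUser":"-","authenticated":"-","AccessTime":"[13/Mar/2020:15:22:38 +0800]",'
    '"method":"GET /myapp/ HTTP/1.1","status":"200","SendBytes":"14","Query?string":"","partner":"-","AgentVersion":"Mozilla/5.0"}',
    '{"clientip":"192.168.7.1","ClientUser":"-","authenticated":"-","AccessTime":"[13/Mar/2020:15:23:01 +0800]",'
    '"method":"GET /x" HTTP/1.1","status":"400","SendBytes":"-","Query?string":"","partner":"-","AgentVersion":"Mozilla/5.0"}',
]

REQUEST_LINE = re.compile(r"^(?P<verb>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d$")


def parse_access_line(line):
    """Turn one JSON access-log line into typed fields; return None if it is not valid JSON."""
    try:
        raw = json.loads(line)
    except json.JSONDecodeError:
        return None
    ev = {"clientip": raw["clientip"], "status": int(raw["status"])}
    # %b writes "-" when no body was sent (the 302 above); normalise to 0 so bytes can be summed
    ev["bytes"] = 0 if raw["SendBytes"] == "-" else int(raw["SendBytes"])
    # %t is wrapped in square brackets: strip them, then parse "13/Mar/2020:15:19:16 +0800"
    ev["time"] = datetime.strptime(raw["AccessTime"].strip("[]"), "%d/%b/%Y:%H:%M:%S %z")
    # %r is the whole request line; split out verb and path so they can be searched on their own
    m = REQUEST_LINE.match(raw["method"])
    ev["verb"], ev["path"] = (m["verb"], m["path"]) if m else (None, raw["method"])
    ev["query"] = raw["Query?string"]  # key spelled exactly as in the Valve pattern above
    return ev


def summarize(lines):
    """Count (clientip, status) pairs and the lines the JSON parser rejected."""
    counts, rejected = Counter(), 0
    for line in lines:
        ev = parse_access_line(line)
        if ev is None:
            rejected += 1  # Logstash's json codec would tag such events _jsonparsefailure
            continue
        counts[(ev["clientip"], ev["status"])] += 1
    return counts, rejected
```

A rising rejected count is worth alerting on: it means clients are sending request lines or user agents that break the JSON, and those requests are invisible in Kibana.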

3. Collect the Tomcat log files

The Logstash systemd unit on the logstash host has to be changed to start the service as root; otherwise the default logstash user cannot read /apps/tomcat/logs and no Tomcat log entries are collected.

[root@logstash conf.d]# vim /etc/systemd/system/logstash.service 
User=root
Group=root

Restart the Logstash service

[root@logstash conf.d]# systemctl restart logstash

Create the configuration file tomcat-java-log.conf in /etc/logstash/conf.d:

input {
  file {
    path => "/var/log/logstash/logstash-plain.log"  # Java log file to collect
    start_position => "beginning"
    stat_interval => 3
    type => "java-log"
  }

  file {
    path => "/apps/tomcat/logs/tomcat_access_log.*.log"  # Tomcat access log files to collect
    start_position => "beginning"
    stat_interval => 3
    type => "tomcat-access-log"
    codec => "json"  # parse each Tomcat line as a JSON object
  }
}

output {
  if [type] == "java-log" {
    elasticsearch {
      hosts => ["192.168.7.100:9200"]
      index => "javalog-7-102-%{+YYYY.MM.dd}"
    }
  }

  if [type] == "tomcat-access-log" {
    elasticsearch {
      hosts => ["192.168.7.100:9200"]
      index => "tomcat-access-log-7-102-%{+YYYY.MM.dd}"
    }
  }
}

Create the index pattern for the Tomcat logs on the Kibana site

In the Discover tab, view the newly added Tomcat log entries

3. Collect the Java log file in JSON format

1. Create a java.conf file in /etc/logstash/conf.d/ and edit it so that the Logstash log file is shipped to the Elasticsearch host.

input {
  file {
    path => "/var/log/logstash/logstash-plain.log"
    start_position => "beginning"
    stat_interval => 3
    type => "java-log"
  }
}

output {
  if [type] == "java-log" {
    elasticsearch {
      hosts => ["192.168.7.100:9200"]
      index => "javalog-7-102-%{+YYYY.MM.dd}"
    }
  }
}

2. Restart the Logstash service and watch it start up

# systemctl restart logstash

The Logstash startup progress can be followed in /var/log/logstash/logstash-plain.log.

[root@logstash conf.d]# tail -f /var/log/logstash/logstash-plain.log
[2020-03-13T15:49:04,872][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//192.168.7.100:9200"]}
[2020-03-13T15:49:11,231][INFO ][logstash.inputs.file     ] No sincedb_path set, generating one based on the "path" setting {:sincedb_path=>"/var/lib/logstash/plugins/inputs/file/.sincedb_7d5605c109b000fd1e6e680ae503330d", :path=>["/var/log/logstash/logstash-plain.log"]}
[2020-03-13T15:49:11,291][INFO ][logstash.inputs.file     ] No sincedb_path set, generating one based on the "path" setting {:sincedb_path=>"/var/lib/logstash/plugins/inputs/file/.sincedb_452905a167cf4509fd08acb964fdb20c", :path=>["/var/log/messages"]}
[2020-03-13T15:49:11,297][INFO ][logstash.inputs.file     ] No sincedb_path set, generating one based on the "path" setting {:sincedb_path=>"/var/lib/logstash/plugins/inputs/file/.sincedb_d883144359d3b4f516b37dba51fab2a2", :path=>["/var/log/nginx/access.log"]}
[2020-03-13T15:49:11,387][INFO ][logstash.pipeline        ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x35cee74 run>"}
[2020-03-13T15:49:11,453][INFO ][filewatch.observingtail  ] START, creating Discoverer, Watch with file and sincedb collections
[2020-03-13T15:49:11,456][INFO ][filewatch.observingtail  ] START, creating Discoverer, Watch with file and sincedb collections
[2020-03-13T15:49:11,478][INFO ][filewatch.observingtail  ] START, creating Discoverer, Watch with file and sincedb collections
[2020-03-13T15:49:11,622][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2020-03-13T15:49:12,874][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}   # once this line appears, Logstash has started

3. Add the Java log index pattern in the Kibana console

4. The added javalog entries can now be seen in the Discover tab.

5. Multi-line log merging with the multiline plugin (key point)

Version 5.5 currently supports this plugin; 6.x no longer needs it and can merge log lines automatically.

Official documentation: https://www.elastic.co/guide/en/logstash/current/plugins-codecs-multiline.html

Introduction to multiline

pattern: the regular expression that decides which lines are merged

negate: true/false; whether the lines that match pattern are merged, or the lines that do not match it

input {
  file {
    path => "/var/log/logstash/logstash-plain.log"  # log file to collect
    start_position => "beginning"
    codec => multiline {
      pattern => "^\["    # a line starting with "[" opens a new event (single backslash: Logstash does not process escapes in config strings by default)
      negate => true       # so the lines that do NOT match ...
      what => "previous"   # ... are appended to the previous event
    }
  }
}

output {  # send to the Elasticsearch host
  elasticsearch {
    hosts => ["192.168.7.100:9200"]
    index => "logstash-log-7-100-%{+YYYY.MM.dd}"
  }
}
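To make the three options concrete, here is an added Python re-implementation of the codec's merge rule (not Logstash's own code) run over a constructed logstash-plain.log excerpt that contains a Java stack trace; it also covers what => "next", which the configuration above does not use.

```python
import re

# Constructed logstash-plain.log excerpt: the stack-trace lines do not start with "[",
# so with the configuration above they are appended to the ERROR event before them.
SAMPLE_LOG = """\
[2020-03-13T15:49:04,872][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output
[2020-03-13T15:49:11,231][ERROR][logstash.pipeline        ] Exception in pipelineworker
java.lang.NullPointerException: null
\tat org.example.Worker.run(Worker.java:42)
\tat java.lang.Thread.run(Thread.java:748)
[2020-03-13T15:49:11,387][INFO ][logstash.pipeline        ] Pipeline started successfully
"""


def multiline_merge(lines, pattern, negate=False, what="previous", max_lines=500):
    """Replay the multiline codec rule on a list of lines and return the merged events.

    A line is "matched" when the regex hits; negate=True flips that. A matched line is
    glued to the previous event (what="previous") or held back to open the next one
    (what="next"). max_lines mirrors the codec's default cap, so one runaway stack
    trace cannot grow a single event without bound.
    """
    rx = re.compile(pattern)
    events, buf = [], []
    for line in lines:
        matched = bool(rx.search(line)) != negate
        if what == "previous":
            if not (matched and buf) or len(buf) >= max_lines:
                if buf:
                    events.append("\n".join(buf))  # the previous event is complete
                buf = []
            buf.append(line)
        else:  # what == "next": a matched line belongs to whatever comes after it
            buf.append(line)
            if not matched or len(buf) >= max_lines:
                events.append("\n".join(buf))
                buf = []
    if buf:
        events.append("\n".join(buf))  # flush the trailing event at end of input
    return events


def merge_with_page_config(lines):
    """The exact rule from the configuration above: pattern ^\\[, negate true, what previous."""
    return multiline_merge(lines, r"^\[", negate=True, what="previous")
```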

 
