devops之elk日志收集系统logstash的常见使用方法
编写简单配置
[root@server01 logstash-6.2.4]# cat config/logstash.conf
# Smallest possible pipeline: read one event per line from the terminal and print it back.
input {
stdin {
}
}
output {
stdout{
# rubydebug prints every event as a pretty Ruby hash — the quickest way to see what a filter did.
codec => rubydebug{}
}
}
Input配置
从文件中读取日志
# more config/logstash.conf
# Two inputs at once: terminal lines (tagged type=system) and a Mesos master log tailed from disk.
input {
stdin{
# `type` is just a field stamped on each event; useful later for routing in filter/output.
type => "system"
}
file {
# The Logstash user must be able to read this path, otherwise the input logs a permission error and ships nothing.
path => "/var/log/mesos/lt-mesos-master.INFO"
}
}
# No filters yet — events pass through as-is.
filter{
}
output {
stdout{
codec => rubydebug{}
}
}
Tcp插件可以监听15000端口,应用侧就可以通过这个端口把日志集中发送过来。注意:下面的配置没有启用 TLS,也没有客户端认证,任何能访问该端口的主机都可以往里写日志,生产环境应限制来源 IP 或开启 ssl_enable。
# cat /usr/local/elk/logstash-6.2.4/config/logstash.conf
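# Accept newline-delimited JSON events over TCP so applications can push logs to one collector.
# NOTE(security): nothing here sets `host`, `ssl_enable` or client verification, so the
# listener takes cleartext connections from any peer that can reach tcp/15000 and every
# line it receives becomes a trusted event. Restrict the port with a firewall, or set
# `ssl_enable => true` with `ssl_cert`/`ssl_key` (and `ssl_verify`) before exposing it
# beyond a lab network.
input {
tcp {
port => 15000
codec => json
}
}
output {
stdout{
codec => rubydebug{}
}
}
# (The original listing ended without the closing brace of the output block; Logstash
# refuses to start on an unterminated section, so it is added here.)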
# 通过python程序进行tcp日志的传输
安装 python-logstash 客户端库
# pip install python-logstash
# cat logstashtest.py
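import logging
import logstash
import os
import sys

# Address of the Logstash `tcp` input. Read from the environment so the script is not
# pinned to one lab machine; the defaults reproduce the original hard-coded values.
host = os.environ.get('LOGSTASH_HOST', '192.168.254.161')
port = int(os.environ.get('LOGSTASH_PORT', '15000'))

test_logger = logging.getLogger('python-logstash-logger')
# INFO and above are emitted, so all three test records below are sent.
test_logger.setLevel(logging.INFO)
# UDP variant kept for reference (Logstash `udp` input on 5959):
# test_logger.addHandler(logstash.LogstashHandler(host, 5959, version=1))
# NOTE(security): as used here the TCP handler writes each record as cleartext JSON with
# no authentication — whatever accepts the connection trusts the sender. Keep the path
# on a trusted network segment or put a TLS-terminating shipper in between.
test_logger.addHandler(logstash.TCPLogstashHandler(host, port, version=1))

if __name__ == "__main__":
    test_logger.error('python-logstash: test logstash error message.')
    test_logger.info('python-logstash: test logstash info message.')
    test_logger.warning('python-logstash: test logstash warning message.')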
# 运行程序,可以看到logstash接收到的日志
# python logstashtest.py
# grok插件文本过滤解析
logstash插入数据案例:
2021-05-13-16:03:04|192.168.9.61|117.135.212.53|http://www.imooc.com/user|Mozilla/5.0 (iPhone; CPU iPhone OS 8_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12D508 MicroMessenger/6.1.5 NetType/WIFI||
# grok配置示例
# cat /usr/local/elk/logstash-6.2.4/config/logstash.conf
# Parse a pipe-delimited access line (timestamp|serverIp|clientIp|reqUrl|device||) into named fields.
input {
stdin{
}
}
filter{
grok {
# Field order: timestamp | server IP | client IP | request URL | user agent | two trailing pipes.
# NOTE(review): the pipe escapes appear here as `\\|`. In Logstash 6 the default
# `config.support_escapes: false` passes a double-quoted string through verbatim, so the
# regex escape for a literal pipe is the single `\|` — if the doubled form really is in
# the running config the pattern may match without capturing any field; confirm.
# %{DATA} is non-greedy free text, so `timestamp` is captured as a plain string and is
# NOT applied to @timestamp — add a `date` filter if event time should come from the line.
match =>
{ "message" => "%{DATA:timestamp}\\|%{IP:serverIp}\\|%{IP:clientIp}\\|%{DATA:reqUrl}\\|%{DATA:device}\\|\\|"}
}
}
output {
stdout{
codec => rubydebug{}
}
}
Ip地理位置显示
Logstash配置
# cat /usr/local/elk/logstash-6.2.4/config/logstash.conf
# Same grok parse as above, then enrich the client address with geolocation data.
input {
stdin{
}
}
filter{
grok {
# See the grok note in the previous listing about `\\|` vs `\|` and the unparsed timestamp.
match =>
{ "message" => "%{DATA:timestamp}\\|%{IP:serverIp}\\|%{IP:clientIp}\\|%{DATA:reqUrl}\\|%{DATA:device}\\|\\|"}
}
geoip {
# Look up the public client address (117.135.212.53 in the sample). A private address such as
# the 192.168.x.x serverIp would presumably yield no location — only feed it routable IPs.
source => "clientIp"
}
}
output {
stdout{
codec => rubydebug{}
}
}
使用标准输入测试,直接输入
2021-05-13-16:03:04|192.168.9.61|117.135.212.53|http://www.imooc.com/user|Mozilla/5.0 (iPhone; CPU iPhone OS 8_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12D508 MicroMessenger/6.1.5 NetType/WIFI||
设备信息
获取客户端设备信息
# logstash.conf
# grok parse + geoip + user-agent decoding: the full enrichment chain for one access line.
input {
stdin{
}
}
filter{
grok {
# See the first grok listing for the `\\|` escaping caveat and the string-only timestamp.
match =>
{ "message" => "%{DATA:timestamp}\\|%{IP:serverIp}\\|%{IP:clientIp}\\|%{DATA:reqUrl}\\|%{DATA:device}\\|\\|"}
}
geoip {
source => "clientIp"
}
useragent {
# The raw UA string lives in `device`; its decoded parts (browser/OS etc., presumably) are
# written under `userDevice` so the original string stays available. Remember the UA is
# client-supplied and can be anything — don't treat the decoded values as trustworthy.
source => "device"
target => "userDevice"
}
}
output {
stdout{
codec => rubydebug{}
}
}
output输出:file输出到文件
# logstash.conf
# Same enrichment chain, now also written to a local file in a custom line format.
input {
stdin{
#type => "system"
}
}
filter{
grok {
# See the first grok listing for the `\\|` escaping caveat.
match =>
{ "message" => "%{DATA:timestamp}\\|%{IP:serverIp}\\|%{IP:clientIp}\\|%{DATA:reqUrl}\\|%{DATA:device}\\|\\|"}
}
geoip {
source => "clientIp"
}
useragent {
source => "device"
target => "userDevice"
}
}
output {
stdout{
codec => rubydebug{}
}
file {
# The directory must exist and be writable by the Logstash user (the sample output below
# was read back as root). Only the raw `message` is written — enriched fields are dropped here.
path => "/var/log/test/test1.log"
codec => line { format => "custom format: %{message}"}
}
}
[root@ws-yt-server01-standby:~]# more /var/log/test/test1.log
custom format: 2021-05-13-16:03:04|192.168.9.61|117.135.212.53|http://www.imooc.com/user|Mozilla/5.0 (iPhone; CPU iPhone OS 8_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12D508 MicroMessenger/6.1.5 NetType/WIFI||
Logstash输出到elasticsearch
Docker安装es
# Start a single-node Elasticsearch 6.2.4 in Docker. `-p 9200:9200` publishes the HTTP API
# on every host interface and nothing below configures authentication or TLS (the curl
# calls succeed without credentials), so anyone who can reach the host can read, write and
# delete indices. Outside a lab, bind to loopback (`-p 127.0.0.1:9200:9200`) or put
# authentication in front. 9300 is the node-to-node transport port; it only needs
# publishing if other ES nodes must join.
# docker run -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" docker.elastic.co/elasticsearch/elasticsearch:6.2.4
# Frequently used ES endpoints (the leading `#` is the root prompt).
# Check that the node answers.
# curl http://localhost:9200
# List every index.
# curl -X GET 'http://localhost:9200/_cat/indices'
# sample output:
green open .monitoring-es-6-2021.05.15 wCrGqg8nTcOFzaUKR5JniA 1 0 74 6 338.2kb 338.2kb
# Show the mappings (index -> type -> fields) of every index.
# curl http://localhost:9200/_mapping?pretty=true
# Create documents: index `person`, type `course`, ids 1..3.
# curl -X PUT http://localhost:9200/person/course/1 -H 'Content-Type: application/json' -d '{"user": "jack", "course": "devopst prictise"}'
curl -X PUT http://localhost:9200/person/course/2 -H 'Content-Type: application/json' -d '{"user": "jack", "course": "java 架构师之路"}'
curl -X PUT http://localhost:9200/person/course/3 -H 'Content-Type: application/json' -d '{"user": "jack", "course": "python全栈工程师"}'
# Search the documents.
# curl http://localhost:9200/person/course/_search
# Delete document 1.
# curl -X DELETE 'localhost:9200/person/course/1'
And搜索
# AND search: every clause under `bool.must` has to match, so only documents whose
# `course` matches both "devops" and "java" are returned.
# curl 'localhost:9200/person/course/_search' -H 'Content-Type: application/json' -d'{
"query":{
"bool":{
"must":[
{"match": {"course": "devops"}},
{"match": {"course": "java"}}
]
}
}
}'
logstash和Elasticsearch整合
# 将logstash的数据输出到elasticsearch
# Full pipeline: parse + enrich, then fan out to the console, a local file and Elasticsearch.
input {
stdin{
}
}
filter{
grok {
# See the first grok listing for the `\\|` escaping caveat and the string-only timestamp.
match =>
{ "message" => "%{DATA:timestamp}\\|%{IP:serverIp}\\|%{IP:clientIp}\\|%{DATA:reqUrl}\\|%{DATA:device}\\|\\|"}
}
geoip {
source => "clientIp"
}
useragent {
source => "device"
target => "userDevice"
}
}
output {
stdout{
codec => rubydebug{}
}
file {
path => "/var/log/test/test1.log"
codec => line { format => "custom format: %{message}"}
}
elasticsearch {
# NOTE(security): plain HTTP to the default port 9200 with no `user`/`password`/`ssl`
# options — the ES endpoint must only be reachable from trusted hosts.
hosts => "192.168.254.161"
# Fixed index name; the nginx example further down uses a daily index (`-%{+YYYY.MM.dd}`),
# which is the better choice once retention matters.
index => "logstash_test"
}
}
# 终端输入数据
查询索引
查询logstash过来的数据
# curl -X GET http://localhost:9200/logstash_test/doc/_search
# docker运行 kibana
# Run Kibana 6.2.4 against Elasticsearch over plain HTTP. `-p 5601:5601` publishes the UI
# on every host interface and nothing here puts a login in front of it — restrict access
# with a firewall or reverse proxy, or bind to loopback (`-p 127.0.0.1:5601:5601`), outside a lab.
# docker run --name some-kibana -e ELASTICSEARCH_URL=http://192.168.254.161:9200 -p 5601:5601 -d docker.elastic.co/kibana/kibana:6.2.4
# 发现无法访问kibana,于是查看docker中运行的 kibana 日志
# docker logs -f some-kibana
{"type":"log","@timestamp":"2021-05-15T01:42:37Z","tags":["warning","elasticsearch","admin"],"pid":1,"message":"Unable to revive connection: http://192.168.254.161:9200/"}
# 发现是宿主机 iptables 的 INPUT 链挡住了来自 docker0 网桥的连接,需要放行 Kibana 容器访问 9200 端口的流量
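# Let the Kibana container (on the docker0 bridge) reach the host-published Elasticsearch
# HTTP port. Scoped to tcp/9200: the original `-p ALL ... -j ACCEPT` admitted every
# container to every service listening on the host, far more than Kibana needs.
# NOTE(review): `-A` appends; if an earlier INPUT rule already rejects docker0 traffic
# this rule is never reached — check `iptables -L INPUT -n --line-numbers` and use `-I` if so.
# iptables -A INPUT -i docker0 -p tcp --dport 9200 -j ACCEPT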
在 Kibana 中创建索引模式(index pattern)时,ES 中必须已经存在与之匹配的索引,否则无法创建成功
实际案例:
通过logstash获取生产环境nginx的日志,存储到elasticsearch中,并通过kibana展示
# 修改 nginx 日志格式为 json(建议在 log_format 中加上 escape=json,否则请求行、Referer 或 User-Agent 中的引号会破坏 JSON,logstash 无法解析,客户端也可借此伪造日志字段)
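# JSON access-log format consumed by the Logstash `file` input with `codec => "json"`.
# `escape=json` (nginx 1.11.8+) makes nginx escape `"`, `\` and control characters inside
# variable values. Without it a request line, Referer or User-Agent containing a quote
# produces a line that is not valid JSON — Logstash cannot parse it, and a client can use
# the same trick to append fields of its own (log injection).
# The duplicated "body_bytes_sent" key of the original definition is dropped.
# `http_x_forwarded_for` is whatever the client (or an upstream proxy) sent; do not treat
# it as the real client address unless a trusted proxy overwrites it.
log_format log_json escape=json '{ "@timestamp": "$time_iso8601", '
'"time": "$time_iso8601", '
'"remote_addr": "$remote_addr", '
'"remote_user": "$remote_user", '
'"body_bytes_sent": "$body_bytes_sent", '
'"request_time": "$request_time", '
'"status": "$status", '
'"host": "$host", '
'"request": "$request", '
'"request_method": "$request_method", '
'"uri": "$uri", '
'"http_referer": "$http_referer", '
'"http_x_forwarded_for": "$http_x_forwarded_for", '
'"http_user_agent": "$http_user_agent" '
'}';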
# 在具体 vhost 的 server 块中通过 access_log 引用上面定义的 log_json 格式,例如 `access_log /data/www/logs/nginx_log/access/www.edrawsoft.com_access.log log_json;`
# 编写logstash收集nginx日志的配置
# vi /usr/local/elk/logstash-6.2.4/config/nginx.conf
# Tail the nginx JSON access log and ship each line to Elasticsearch as a daily index.
input {
file {
path => "/data/www/logs/nginx_log/access/www.edrawsoft.com_access.log"
# Each line must be one JSON object (see the nginx log_format above); a line that is not
# valid JSON — e.g. an unescaped quote in the request — will not be parsed into fields.
codec => "json"
# Read from the start of a file Logstash has not seen before; afterwards the recorded
# offset takes over, so this does not re-read the file on every restart.
start_position => "beginning"
# Poll the file for new data every 10 seconds.
stat_interval => "10"
}
}
filter{
}
output {
elasticsearch {
# Plain HTTP and no credentials — the ES endpoint must be network-restricted.
hosts => "192.168.254.161:9200"
# One index per day keeps retention simple: drop old indices instead of deleting documents.
index => "edrawsoft-logstash-nginx-access-log-%{+YYYY.MM.dd}"
#index => "edrawsoft-logstash-nginx-access-log"
}
stdout {
# One JSON document per line on the console, for checking what was indexed.
codec => json_lines
}
}
# 启动logstash后,可以看到索引创建成功
# 通过kibana查询
获取客户端ip的城市