一、总结ELK 各组件的主要功能
elasticsearch:负责数据存储及检索
Elasticsearch简介:
1、Elasticsearch使用Java语言开发,是建立在全文搜索引擎Apache Lucene基础之上的搜索引擎,https://lucene.apache.org。
2、是一个高度可扩展的开源全文搜索和分析引擎,可实现数据的近实时(Near Real Time、NRT)全文检索。
3、支持分布式以实现集群高可用。
4、高性能、可以处理大规模业务数据。
5、数据以json文档格式存储,基于API接口进行数据读写。
6、对数据实现跨主机分片、分片复制以实现数据跨主机的高可用。
logstash:是一个具有实时传输能力的数据收集与处理组件,其可以通过插件实现各场景的日志收集、日志过滤、日志处理及日志输出,支持普通log、json格式等格式的日志解析,处理完成后把日志发送给elasticsearch cluster进行存储。
kibana:负责从ES读取数据进行可视化展示及数据管理,Kibana为elasticsearch提供一个查看数据的web界面,其主要是通过elasticsearch的API接口进行数据查找,并进行前端数据可视化的展现,另外还可以针对特定格式的数据生成相应的表格、柱状图、饼图等。
二、部署ES cluster,并实现XPACK认证
# 配置主机名解析
root@es-node1:~# vim /etc/hosts
172.18.10.170 es-node1
172.18.10.171 es-node2
172.18.10.172 es-node3
# 内核参数优化
root@es-node1:~# vim /etc/sysctl.conf
vm.max_map_count=262144
# 资源limit优化
root@es-node1:~# vim /etc/security/limits.conf
root soft core unlimited
root hard core unlimited
root soft nproc 1000000
root hard nproc 1000000
root soft nofile 1000000
root hard nofile 1000000
root soft memlock 32000
root hard memlock 32000
root soft msgqueue 8192000
root hard msgqueue 8192000
* soft core unlimited
* hard core unlimited
* soft nproc 1000000
* hard nproc 1000000
* soft nofile 1000000
* hard nofile 1000000
* soft memlock 32000
* hard memlock 32000
* soft msgqueue 8192000
* hard msgqueue 8192000
# 创建普通用户运行环境
root@es-node1:~# groupadd -g 2888 elasticsearch
root@es-node1:~# useradd -u 2888 -g 2888 -r -m -s /bin/bash elasticsearch
root@es-node1:~# passwd elasticsearch
# 部署elasticsearch集群
root@es-node1:~# mkdir /apps
root@es-node1:~# cd /apps/
root@es-node1:/apps# tar -xvf elasticsearch-8.5.1-linux-x86_64.tar.gz
root@es-node1:/apps# ln -sv /apps/elasticsearch-8.5.1 /apps/elasticsearch
root@es-node1:/apps# reboot
# xpack认证签发环境
root@es-node1:~# chown -R elasticsearch.elasticsearch /apps/elasticsearch*
root@es-node1:~# su - elasticsearch
elasticsearch@es-node1:~$ cd /apps/elasticsearch
elasticsearch@es-node1:/apps/elasticsearch$ vim instances.yml
instances:
- name: "es1.example.com"
ip:
- "172.18.10.170"
- name: "es2.example.com"
ip:
- "172.18.10.171"
- name: "es3.example.com"
ip:
- "172.18.10.172"
#生成CA私钥,默认名字为elastic-stack-ca.p12
elasticsearch@es-node1:/apps/elasticsearch$ bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
* The CA certificate
* The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Please enter the desired output file [elastic-stack-ca.p12]: # 使用默认名字,直接回车
Enter password for elastic-stack-ca.p12 : # 不使用密码
# 生成CA公钥,默认名称为elastic-certificates.p12
elasticsearch@es-node1:/apps/elasticsearch$ bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 # 不使用密码。回车默认即可
# 签发elasticsearch集群主机证书
elasticsearch@es-node1:/apps/elasticsearch$ bin/elasticsearch-certutil cert --silent --in instances.yml --out certs.zip --pass magedu123 --ca elastic-stack-ca.p12
elasticsearch@es-node1:/apps/elasticsearch$ ll
total 2256
drwxr-xr-x 9 elasticsearch elasticsearch 4096 11月 7 22:04 ./
drwxr-xr-x 3 root root 4096 11月 7 21:46 ../
drwxr-xr-x 2 elasticsearch elasticsearch 4096 11月 10 2022 bin/
-rw------- 1 elasticsearch elasticsearch 11581 11月 7 22:04 certs.zip
drwxr-xr-x 3 elasticsearch elasticsearch 4096 11月 7 21:46 config/
-rw------- 1 elasticsearch elasticsearch 3596 11月 7 22:01 elastic-certificates.p12
lrwxrwxrwx 1 elasticsearch elasticsearch 25 11月 7 21:46 elasticsearch-8.5.1 -> /apps/elasticsearch-8.5.1/
-rw------- 1 elasticsearch elasticsearch 2672 11月 7 21:59 elastic-stack-ca.p12
-rw-rw-r-- 1 elasticsearch elasticsearch 191 11月 7 21:56 instances.yml
drwxr-xr-x 8 elasticsearch elasticsearch 4096 11月 10 2022 jdk/
drwxr-xr-x 5 elasticsearch elasticsearch 4096 11月 10 2022 lib/
-rw-r--r-- 1 elasticsearch elasticsearch 3860 11月 10 2022 LICENSE.txt
drwxr-xr-x 2 elasticsearch elasticsearch 4096 11月 10 2022 logs/
drwxr-xr-x 67 elasticsearch elasticsearch 4096 11月 10 2022 modules/
-rw-r--r-- 1 elasticsearch elasticsearch 2235851 11月 10 2022 NOTICE.txt
drwxr-xr-x 2 elasticsearch elasticsearch 4096 11月 10 2022 plugins/
-rw-r--r-- 1 elasticsearch elasticsearch 8107 11月 10 2022 README.asciidoc
# 证书分发
# 本机(es-node1证书)
elasticsearch@es-node1:/apps/elasticsearch$ unzip certs.zip
elasticsearch@es-node1:/apps/elasticsearch$ mkdir config/certs
elasticsearch@es-node1:/apps/elasticsearch$ cp -rp es1.example.com/es1.example.com.p12 config/certs/
# (es-node2证书)
root@es-node2:~# su - elasticsearch
elasticsearch@es-node2:~$ cd /apps/elasticsearch
elasticsearch@es-node2:/apps/elasticsearch$ mkdir config/certs
elasticsearch@es-node1:/apps/elasticsearch$ scp -rp es2.example.com elasticsearch@172.18.10.171:/apps/elasticsearch/config/certs/
# (es-node3证书)
root@es-node3:~# su - elasticsearch
elasticsearch@es-node3:~$ cd /apps/elasticsearch
elasticsearch@es-node3:/apps/elasticsearch$ mkdir config/certs
elasticsearch@es-node1:/apps/elasticsearch$ scp -rp es3.example.com elasticsearch@172.18.10.172:/apps/elasticsearch/config/certs/
# 生成keystore文件(keystore是保存了证书密码的认证文件magedu123)
elasticsearch@es-node1:/apps/elasticsearch$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
Enter value for xpack.security.transport.ssl.keystore.secure_password: # 密码magedu123
elasticsearch@es-node1:/apps/elasticsearch$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Enter value for xpack.security.transport.ssl.truststore.secure_password: # 密码magedu123
# 分发认证文件
elasticsearch@es-node1:/apps/elasticsearch/config$ scp /apps/elasticsearch/config/elasticsearch.keystore 172.18.10.172:/apps/elasticsearch/config/elasticsearch.keystore
elasticsearch@es-node1:/apps/elasticsearch/config$ scp /apps/elasticsearch/config/elasticsearch.keystore 172.18.10.172:/apps/elasticsearch/config/elasticsearch.keystore
# node2分发认证文件
elasticsearch@es-node1:/apps/elasticsearch$ scp -rp es2.example.com/es3.example.com.p12 172.18.10.172:/apps/elasticsearch/config/certs/
# node3分发认证文件
elasticsearch@es-node1:/apps/elasticsearch$ scp -rp es3.example.com/es3.example.com.p12 172.18.10.172:/apps/elasticsearch/config/certs/
# 编辑配置文件
# node1
elasticsearch@es-node1:/apps/elasticsearch$ grep -Ev "^#|^$" config/elasticsearch.yml
cluster.name: magedu-es-cluster
node.name: node1
path.data: /data/esdata
path.logs: /data/eslogs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.18.10.170", "172.18.10.171", "172.18.10.172"]
cluster.initial_master_nodes: ["172.18.10.170", "172.18.10.171", "172.18.10.172"]
action.destructive_requires_name: true
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: /apps/elasticsearch/config/certs/es1.example.com.p12
xpack.security.transport.ssl.truststore.path: /apps/elasticsearch/config/certs/es1.example.com.p12
root@es-node1:~# mkdir -p /data/eslogs
root@es-node1:~# mkdir -p /data/esdata
root@es-node1:/# chown -R elasticsearch.elasticsearch /data/*
# node2 配置文件
elasticsearch@es-node2:/apps/elasticsearch$ grep -Ev "^#|^$" config/elasticsearch.yml
cluster.name: magedu-es-cluster
node.name: node2
path.data: /data/esdata
path.logs: /data/eslogs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.18.10.170", "172.18.10.171", "172.18.10.172"]
cluster.initial_master_nodes: ["172.18.10.170", "172.18.10.171", "172.18.10.172"]
action.destructive_requires_name: true
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: /apps/elasticsearch/config/certs/es2.example.com.p12
xpack.security.transport.ssl.truststore.path: /apps/elasticsearch/config/certs/es2.example.com.p12
root@es-node2:~# mkdir -p /data/eslogs
root@es-node2:~# mkdir -p /data/esdata
root@es-node2:/# chown -R elasticsearch.elasticsearch /data/*
# node3 配置文件
elasticsearch@es-node3:/apps/elasticsearch$ grep -Ev "^#|^$" config/elasticsearch.yml
cluster.name: magedu-es-cluster
node.name: node3
path.data: /data/esdata
path.logs: /data/eslogs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.18.10.170", "172.18.10.171", "172.18.10.172"]
cluster.initial_master_nodes: ["172.18.10.170", "172.18.10.171", "172.18.10.172"]
action.destructive_requires_name: true
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: /apps/elasticsearch/config/certs/es3.example.com.p12
xpack.security.transport.ssl.truststore.path: /apps/elasticsearch/config/certs/es3.example.com.p12
root@es-node3:~# mkdir -p /data/eslogs
root@es-node3:~# mkdir -p /data/esdata
root@es-node3:/# chown -R elasticsearch.elasticsearch /data/*
# 配置service文件
root@es-node1:/# vim /lib/systemd/system/elasticsearch.service
[Unit]
Description=Elasticsearch
Documentation=http://www.elastic.co
Wants=network-online.target
After=network-online.target
[Service]
RuntimeDirectory=elasticsearch
Environment=ES_HOME=/apps/elasticsearch
Environment=ES_PATH_CONF=/apps/elasticsearch/config
Environment=PID_DIR=/apps/elasticsearch
WorkingDirectory=/apps/elasticsearch
User=elasticsearch
Group=elasticsearch
ExecStart=/apps/elasticsearch/bin/elasticsearch --quiet
# StandardOutput is configured to redirect to journalctl since
# some error messages may be logged in standard output before
# elasticsearch logging system is initialized. Elasticsearch
# stores its logs in /var/log/elasticsearch and does not use
# journalctl by default. If you also want to enable journalctl
# logging, you can simply remove the "quiet" option from ExecStart.
StandardOutput=journal
StandardError=inherit
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536
# Specifies the maximum number of processes
LimitNPROC=4096
# Specifies the maximum size of virtual memory
LimitAS=infinity
# Specifies the maximum file size
LimitFSIZE=infinity
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0
# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM
# Send the signal only to the JVM rather than its control group
KillMode=process
# Java process is never killed
SendSIGKILL=no
# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143
[Install]
WantedBy=multi-user.target
root@es-node1:/# scp /lib/systemd/system/elasticsearch.service root@172.18.10.171:/lib/systemd/system/elasticsearch.service
root@es-node1:/# scp /lib/systemd/system/elasticsearch.service root@172.18.10.172:/lib/systemd/system/elasticsearch.service
root@es-node1:/# systemctl daemon-reload && systemctl start elasticsearch.service && systemctl enable elasticsearch.service
root@es-node2:~# systemctl daemon-reload && systemctl start elasticsearch.service && systemctl enable elasticsearch.service
root@es-node3:~# systemctl daemon-reload && systemctl start elasticsearch.service && systemctl enable elasticsearch.service
# 批量修改默认账号密码 123456
elasticsearch@es-node1:/apps/elasticsearch$ bin/elasticsearch-setup-passwords interactive
******************************************************************************
Note: The 'elasticsearch-setup-passwords' tool has been deprecated. This command will be removed in a future release.
******************************************************************************
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana_system]:
Reenter password for [kibana_system]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
# 创建超级管理员账户
elasticsearch@es-node1:/apps/elasticsearch$ ./bin/elasticsearch-users useradd magedu -p 123456 -r superuser
# 验证
三、掌握ES 插件head的基本使使用
连接和概览:
数据浏览:
查询:
四、掌握Logstash部署、配置文件编写及收集多个日志文件,并写入到ES不同的index中
# 基于logstash收集本地日志文件
# 安装logstash
root@elk-logstash:/apps# dpkg -i logstash-8.5.1-amd64.deb
# 配置日志收集案例,监控syslog日志
root@elk-logstash:~# cat /etc/logstash/conf.d/syslog-to-es.conf
input {
file {
path => "/var/log/syslog"
type => "systemlog"
start_position => "beginning"
stat_interval => "1"
}
}
output {
if [type] == "systemlog" {
elasticsearch {
hosts => ["172.18.10.170:9200"]
index => "magedu-systemlog-%{+YYYY.MM.dd}"
password => "123456"
user => "magedu"
}
}
}
root@elk-logstash:~# systemctl restart logstash
root@elk-logstash:~# chmod 777 /var/log/syslog
# 验证
# 收集auth.log日志
root@elk-logstash:~# vim /etc/logstash/conf.d/syslog-to-es.conf
input {
file {
path => "/var/log/syslog"
type => "systemlog"
start_position => "beginning"
stat_interval => "1"
}
file {
path => "/var/log/auth.log"
type => "authlog"
start_position => "beginning"
stat_interval => "1"
}
}
output {
if [type] == "systemlog" {
elasticsearch {
hosts => ["172.18.10.170:9200"]
index => "magedu-systemlog-%{+YYYY.MM.dd}"
password => "123456"
user => "magedu"
}
}
if [type] == "authlog"{
elasticsearch {
hosts => ["172.18.10.170:9200"]
index => "magedu-authlog-%{+YYYY.MM.dd}"
password => "123456"
user => "magedu"
}
}
}
# 检查
root@elk-logstash:~# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/syslog-to-es.conf -t
root@elk-logstash:~# chmod 777 /var/log/auth.log
root@elk-logstash:~# systemctl restart logstash
# 验证
五、Kibana的安装及使用、heartbeat和metricbeat的安装使用
# Kibana安装使用
[root@redis-2 apps]# rpm -ivh kibana-8.5.1-x86_64.rpm
root@elk-logstash:/apps# grep -Ev "^$|^#" /etc/kibana/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://172.18.10.170:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "123456"
i18n.locale: "zh-CN"
logging:
appenders:
file:
type: file
fileName: /var/log/kibana/kibana.log
layout:
type: json
root:
appenders:
- default
- file
pid.file: /run/kibana/kibana.pid
[root@redis-2 apps]# systemctl restart kibana.service
[root@redis-2 apps]# systemctl enable kibana.service
[root@redis-2 apps]# lsof -i:5601
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
node 3012 kibana 19u IPv4 50629 0t0 TCP localhost:esmagent (LISTEN)
[root@redis-2 apps]# tail -f /var/log/kibana/kibana.log
# 登录界面,使用ES的用户登录即可
索引管理
创建索引视图
查看视图索引
# metricbeat的安装使用
root@elk-logstash:/apps# dpkg -i metricbeat-8.5.1-amd64.deb
root@elk-logstash:/apps# grep -v "#" /etc/metricbeat/metricbeat.yml |grep -v "^$"
metricbeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
setup.template.settings:
index.number_of_shards: 1
index.codec: best_compression
setup.kibana:
host: "172.18.10.173:5601"
setup_kibana_username: "magedu"
setup_kibana_password: "123456"
output.elasticsearch:
hosts: ["172.18.10.170:9200"]
username: "magedu"
password: "123456"
processors:
- add_host_metadata: ~
- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_kubernetes_metadata: ~
root@elk-logstash:/apps# systemctl restart metricbeat.service
# heartbeat的安装使用
root@elk-logstash:/apps# dpkg -i heartbeat-8.5.1-amd64.deb
root@elk-logstash:/apps# grep -v "#" /etc/heartbeat/heartbeat.yml | grep -v "^$"
heartbeat.config.monitors:
path: ${path.config}/monitors.d/*.yml
reload.enabled: false
reload.period: 5s
heartbeat.monitors:
- type: http
enabled: true
id: http-monitor
name: http-domain-Monitor
urls: ["http://www.magedu.com","http://www.baidu.com"]
schedule: '@every 10s'
- type: icmp
enabled: true
id: icmp-monitor
name: icmp-ip-monitor
schedule: '*/1 * * * * * *'
hosts: ["172.18.10.170","172.18.10.173"]
setup.template.settings:
index.number_of_shards: 1
index.codec: best_compression
setup.kibana:
host: "172.18.10.173:5601"
setup_kibana_username: "magedu"
setup_kibana_password: "123456"
output.elasticsearch:
hosts: ["172.18.10.170:9200"]
username: "magedu"
password: "123456"
processors:
- add_observer_metadata:root@elk-logstash:/apps# grep -v "#" /etc/heartbeat/heartbeat.yml | grep -v "^$"
heartbeat.config.monitors:
path: ${path.config}/monitors.d/*.yml
reload.enabled: false
reload.period: 5s
heartbeat.monitors:
- type: http
enabled: true
id: http-monitor
name: http-domain-Monitor
urls: ["http://www.magedu.com","http://www.baidu.com"]
schedule: '@every 10s'
- type: icmp
enabled: true
id: icmp-monitor
name: icmp-ip-monitor
schedule: '*/1 * * * * * *'
hosts: ["172.18.10.170","172.18.10.173"]
setup.template.settings:
index.number_of_shards: 1
index.codec: best_compression
setup.kibana:
host: "172.18.10.173:5601"
setup_kibana_username: "magedu"
setup_kibana_password: "123456"
output.elasticsearch:
hosts: ["172.18.10.170:9200"]
username: "magedu"
password: "123456"
processors:
- add_observer_metadata:
root@elk-logstash:/apps# systemctl restart heartbeat-elastic.service
六、基于Logstash Filter总结,并基于Gork解析Nginx默认格式的访问日志及错误日志为JSON格式、并写入Elasticsearch并在Kibana展示;
# 安装nginx
root@elk-logstash:/apps# tar -xf nginx-1.14.2.tar.gz
root@elk-logstash:/apps/nginx-1.14.2# ./configure --prefix=/apps/nginx
root@elk-logstash:/apps/nginx-1.14.2# make
root@elk-logstash:/apps/nginx-1.14.2# make install
root@elk-logstash:/apps/nginx# /apps/nginx/sbin/nginx
root@elk-logstash:/var/log/logstash# vim /etc/logstash/conf.d/nginx-log-to-es.conf
input {
file {
path => "/apps/nginx/logs/access.log"
type => "nginx-accesslog"
stat_interval => "1"
start_position => "beginning"
}
file {
path => "/apps/nginx/logs/error.log"
type => "nginx-errorlog"
stat_interval => "1"
start_position => "beginning"
}
}
filter {
if [type] == "nginx-accesslog" {
grok {
match => { "message" => ["%{IPORHOST:clientip} - %{DATA:username} \[%{HTTPDATE:request-time}\] \"%{WORD:request-method} %{DATA:request-uri} HTTP/%{NUMBER:http_version}\" %{NUMBER:response_code} %{NUMBER:body_sent_bytes} \"%{DATA:referrer}\" \"%{DATA:useragent}\""] }
remove_field => "message"
add_field => { "project" => "magedu"}
}
mutate {
convert => [ "[response_code]", "integer"]
}
}
if [type] == "nginx-errorlog" {
grok {
match => { "message" => ["(?<timestamp>%{YEAR}[./]%{MONTHNUM}[./]%{MONTHDAY} %{TIME}) \[%{LOGLEVEL:loglevel}\] %{POSINT:pid}#%{NUMBER:threadid}\: \*%{NUMBER:connectionid} %{GREEDYDATA:message}, client: %{IPV4:clientip}, server: %{GREEDYDATA:server}, request: \"(?:%{WORD:request-method} %{NOTSPACE:request-uri}(?: HTTP/%{NUMBER:httpversion}))\", host: %{GREEDYDATA:domainname}"]}
remove_field => "message"
}
}
}
output {
if [type] == "nginx-accesslog" {
elasticsearch {
hosts => ["172.18.10.170:9200"]
index => "magedu-nginx-accesslog-%{+yyyy.MM.dd}"
user => "magedu"
password => "123456"
}}
if [type] == "nginx-errorlog" {
elasticsearch {
hosts => ["172.18.10.170:9200"]
index => "magedu-nginx-errorlog-%{+yyyy.MM.dd}"
user => "magedu"
password => "123456"
}}
}
root@elk-logstash:/var/log/logstash# systemctl restart logstash
七、基于logstash收集Nginx JSON格式访问日志
# 修改nginx日志格式
root@elk-logstash:/etc/logstash/conf.d# vim /apps/nginx/conf/nginx.conf
log_format logstash_json '{ "@timestamp": "$time_local", '
'"@fields": { '
'"remote_addr": "$remote_addr", '
'"remote_user": "$remote_user", '
'"body_bytes_sent": "$body_bytes_sent", '
'"request_time": "$request_time", '
'"status": "$status", '
'"request": "$request", '
'"request_method": "$request_method", '
'"http_referrer": "$http_referer", '
'"body_bytes_sent":"$body_bytes_sent", '
'"http_x_forwarded_for": "$http_x_forwarded_for", '
'"http_user_agent": "$http_user_agent" } }';
access_log logs/access.log logstash_json;
# 重启nginx
root@elk-logstash:/apps/nginx/conf# /apps/nginx/sbin/nginx -s reload
root@elk-logstash:/etc/logstash/conf.d# vim /etc/logstash/conf.d/nginx-json-log-to-es.conf
input {
file {
path => "/apps/nginx/logs/access.log"
start_position => "end"
type => "nginx-json-accesslog"
stat_interval => "1"
codec => json
}
}
output {
if [type] == "nginx-json-accesslog" {
elasticsearch {
hosts => ["172.18.10.170:9200"]
index => "nginx-accesslog-json-%{+YYYY.MM.dd}"
user => "magedu"
password => "123456"
}}
}
root@elk-logstash:/etc/logstash/conf.d# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/nginx-json-log-to-es.conf -t
root@elk-logstash:/etc/logstash/conf.d# systemctl restart logstash
# 验证