1.kafka
kafka命令所在路径:
/ssd1/kafka/bin
kafka配置文件:
egrep -v "^#|^$" server.properties
broker.id=1 ###全局唯一
num.network.threads=3
num.io.threads=8
socket.send.buffer.bytes=102400
socket.receive.buffer.bytes=102400
socket.request.max.bytes=104857600
log.dirs=/ssd1/kafka/data ####数据目录
num.partitions=3
num.recovery.threads.per.data.dir=1
offsets.topic.replication.factor=1
transaction.state.log.replication.factor=1
transaction.state.log.min.isr=1
log.retention.hours=72
log.segment.bytes=1073741824
log.retention.check.interval.ms=300000
zookeeper.connect=xxxxxxxxxxxxxxxxxxxxx ##zk地址
zookeeper.connection.timeout.ms=18000
group.initial.rebalance.delay.ms=0
kafka常用命令:
elk所使用的topic和消费者组:
new_gc所使用的topic:logs
new_gc所使用的消费则组:log
kafka的start和stop:
./kafka-server-start.sh -daemon /app/tools/kafka/config/server.properties
./kafka-server-stop.sh
kafka重启风险:
如果消息堆积多,可能会出现起不来的现象
确认需要重启前查看消费情况
2.logstash
logstash启动命令和关闭命令:
启动命令路径:
cd /usr/share/logstash/bin/
启动参数:
./logstash -f /etc/logstash/conf.d/logstash.conf &
端口默认为9600
ss -lntup|grep 9600
tcp 0 50 127.0.0.1:9600 *:* users:(("java",71718,82))
停止:
kill `ps -ef|grep logstash|grep -v grep|awk '{print $2}'`
logstash重启风险:
三台机器上的logstash同时消费kafka的消息,短时间的重启一台logstash不会对日志收集产生影响
logstash的配置文件详解:
cat /etc/logstash/conf.d/logstash.conf
input{ #输入模块
kafka{
# bootstrap_servers => "xxxxxxxxx:9092"
bootstrap_servers => "xxxxxxxxxxxxxxxxxxxxxx" #kafka地址
client_id => "log"
group_id => "log" #消费者组
auto_offset_reset => "latest"
consumer_threads => "1"
decorate_events => true
topics => ["logs"]。 ##topic主题
}
#logstash也可以实现日志的采集
# file{
# path => "/var/log/linwei_all/*.log"
# type => "log"
# }
}
filter { #清洗模块
grok { #grok匹配字段
break_on_match => true #匹配成功规则后不继续向下匹配
#规则
match =>
{ "message" => "%{LEN}%{IP:remote_addr} -\[%{DATA:time_local}\] -\[%{USER:host}\] \\\"%{NOTSPACE:method} %{NOTSPACE:request} %{NOTSPACE} %{INT:status} %{INT:body_bytes_sent} \\\"%{NOTSPACE:http_referer}%{LAN:http_user_agent} \\\"%{IP:http_x_forwarded_for}\\\" request_time\[%{DATA:request_time}\] upstream_response_time\[%{DATA:upstream_response_time}\] upstream_addr\[%{DATA:upstream_addr}\] logId\[%{INT:http_x_logid}\] imid\[%{DATA:http_imid}\] statistic\[%{DATA:statistic}\] Bfe_logid\[%{INT:http_bfe_logid}\] CLIENTIP\[%{IP:http_clientip}\] device_id\[%{DATA:cookie_device_id}\] X-Deviceid\[%{DATA:http_x_deviceid}\] route\[%{DATA:http_route}\] product\[%{DATA:http_product}\] subsys\[%{DATA:http_subsys}\]%{GREEDYDATA}"}
# "message","%{LEN}%{TIME:remote_addr} \[%{DATA:warn}\] %{NOTSPACE:lin} %{NOTSPACE:ln} \[%{DATA:ls}\] utility.lua:%{INT:mm}: log_warn(%{DATA:lnn}): logid: \[%{DATA:vv}\] found data in cache cache_key:%{BASE16NUM:kss}, client: %{IP:hass}, server:%{SHEN:kkss}request: %{SHHH:method} %{NOTSPACE:request} HTTP/1.1\\\", host: \\%{SJSNS:kksssiin}%{GREEDYDATA}"
}
#微云推送的时候其中包含err.log,格式不一样且信息中access.log都包括,所以要给他drop掉
if ([message] =~".*[#].*") {
drop {}
}
#对字段进行运算
# ruby {
# code => "event.set('request_time', event.get('request_time').to_i * 1000)"
# }
# ruby {
# code => "event.set('upstream_response_time', event.get('upstream_response_time').to_i * 1000)"
# }
#格式转换,grok匹配后,所有的字段默认是字符串类型。对字段的类型进行转换
mutate {
convert => {"status" => "integer"}
convert => {"request_time" => "float"}
convert => {"upstream_response_time" => "float"}
}
}
output { #输出模块
elasticsearch {
hosts => ["http://xxxxxx:9200/","http://xxxxxxxx:9200/","http://xxxxxxxxxxxx:9200/"] #es地址
user => "" #es账号
password => "" #es密码
# hosts => "http://kafkahost:9200"
index => "" #输出到es的索引
timeout => 300
}
}
logstash的gork自定义正则配置:
cat /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-patterns-core-4.1.2/patterns/grok-patterns
USERNAME [a-zA-Z0-9._-]+
USER %{USERNAME}
EMAILLOCALPART [a-zA-Z][a-zA-Z0-9_.+-=:]+
EMAILADDRESS %{EMAILLOCALPART}@%{HOSTNAME}
INT (?:[+-]?(?:[0-9]+))
BASE10NUM (?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))
NUMBER (?:%{BASE10NUM})
BASE16NUM (?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))
BASE16FLOAT \b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]*)?)|(?:\.[0-9A-Fa-f]+)))\b
POSINT \b(?:[1-9][0-9]*)\b
NONNEGINT \b(?:[0-9]+)\b
WORD \b\w+\b
NOTSPACE \S+
SPACE \s*
DATA .*?
GREEDYDATA .*
QUOTEDSTRING (?>(?<!\\)(?>"(?>\\.|[^\\"]+)+"|""|(?>'(?>\\.|[^\\']+)+')|''|(?>`(?>\\.|[^\\`]+)+`)|``))
UUID [A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}
# URN, allowing use of RFC 2141 section 2.3 reserved characters
URN urn:[0-9A-Za-z][0-9A-Za-z-]{0,31}:(?:%[0-9a-fA-F]{2}|[0-9A-Za-z()+,.:=@;$_!*'/?#-])+
# Networking
MAC (?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})
CISCOMAC (?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4})
WINDOWSMAC (?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})
COMMONMAC (?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})
IPV6 ((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?
IPV4 (?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])
IP (?:%{IPV6}|%{IPV4})
HOSTNAME \b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)
IPORHOST (?:%{IP}|%{HOSTNAME})
HOSTPORT %{IPORHOST}:%{POSINT}
# paths
PATH (?:%{UNIXPATH}|%{WINPATH})
UNIXPATH (/([\w_%!$@:.,+~-]+|\\.)*)+
TTY (?:/dev/(pts|tty([pq])?)(\w+)?/?(?:[0-9]+))
WINPATH (?>[A-Za-z]+:|\\)(?:\\[^\\?*]*)+
URIPROTO [A-Za-z]([A-Za-z0-9+\-.]+)+
URIHOST %{IPORHOST}(?::%{POSINT:port})?
# uripath comes loosely from RFC1738, but mostly from what Firefox
# doesn't turn into %XX
URIPATH (?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\-]*)+
#URIPARAM \?(?:[A-Za-z0-9]+(?:=(?:[^&]*))?(?:&(?:[A-Za-z0-9]+(?:=(?:[^&]*))?)?)*)?
URIPARAM \?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\-\[\]<>]*
URIPATHPARAM %{URIPATH}(?:%{URIPARAM})?
URI %{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?
# Months: January, Feb, 3, 03, 12, December
MONTH \b(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?|[Aa]pr(?:il)?|[Mm]a(?:y|i)?|[Jj]un(?:e|i)?|[Jj]ul(?:y)?|[Aa]ug(?:ust)?|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?:ember)?|[Dd]e(?:c|z)(?:ember)?)\b
MONTHNUM (?:0?[1-9]|1[0-2])
MONTHNUM2 (?:0[1-9]|1[0-2])
MONTHDAY (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])
# Days: Monday, Tue, Thu, etc...
DAY (?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)
# Years?
YEAR (?>\d\d){1,2}
HOUR (?:2[0123]|[01]?[0-9])
MINUTE (?:[0-5][0-9])
# '60' is a leap second in most time standards and thus is valid.
SECOND (?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)
TIME (?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])
# datestamp is YYYY/MM/DD-HH:MM:SS.UUUU (or something like it)
DATE_US %{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}
DATE_EU %{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}
ISO8601_TIMEZONE (?:Z|[+-]%{HOUR}(?::?%{MINUTE}))
ISO8601_SECOND (?:%{SECOND}|60)
TIMESTAMP_ISO8601 %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?
DATE %{DATE_US}|%{DATE_EU}
DATESTAMP %{DATE}[- ]%{TIME}
TZ (?:[APMCE][SD]T|UTC)
DATESTAMP_RFC822 %{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}
DATESTAMP_RFC2822 %{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{ISO8601_TIMEZONE}
DATESTAMP_OTHER %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}
DATESTAMP_EVENTLOG %{YEAR}%{MONTHNUM2}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}
# Syslog Dates: Month Day HH:MM:SS
SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
PROG [\x21-\x5a\x5c\x5e-\x7e]+
SYSLOGPROG %{PROG:program}(?:\[%{POSINT:pid}\])?
SYSLOGHOST %{IPORHOST}
SYSLOGFACILITY <%{NONNEGINT:facility}.%{NONNEGINT:priority}>
HTTPDATE %{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}
# Shortcuts
QS %{QUOTEDSTRING}
# Log formats
SYSLOGBASE %{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:
# Log Levels
LOGLEVEL ([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)
#my log
LEN .*message":"
LAN \\\".........*?\\\"
LV .*\\\"
TIME ..../../.. ..:..:..
SHEN .*_,
SHHH \\\"\S+
SJSNS .*com\\\"
SHSBBX \\\".*\\\"
3.elasticsearch
-
elasticsearch用户信息:
用户名和密码:
user:"xxxxx" #es账号
password :"xxxxxxx" #es密码
-
es路径:
数据路径:/ssd2/esdata
es日志路径:/home/disk1/elklogs/eslogs
-
es启动:
service elasticsearch start
chkconfig elasticsearch on
-
es重启风险:
-
es的索引和数据部分是存储在内存中
-
-
es配置
cluster.name: xxxxxxxx
node.name: xxxxxxxxx
path.data: /ssd2/esdata
path.logs: /ssd2/eslogs
network.host: xxxxxxxx
http.port: 9200
discovery.seed_hosts: ["xxxxx", "xxxxxxx", "xxxxxxxx"]
cluster.initial_master_nodes: ["xxxxxxxx", "xxxxxxxx", "xxxxxxxx"]
#xpack配置
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
4.kibana
-
kibana所在机器:
xxxxxxx/25 内网地址,机器没公网
默认端口:5601
-
所在路径:
kabana的配置文件目录:/etc/kibana/kibana.yml
kabana的启动命令地址:/etc/init.d/kibana
-
启动命令:
service kibana start
chkconfig kibana on
-
重启风险:
-
可能会出现数据初始化错误,无法连接es集群等问题
-
-
kibana配置文件:
cat /etc/kibana/kibana.yml
server.port: 8089
server.host: "xxxxxxx"
elasticsearch.hosts: ["http://xxxxxxx:9200/","http://xxxxxxx:9200/","http://xxxxxxx:9200/"]
elasticsearch.username: "xxxxxx"
elasticsearch.password: "xxxxxxxx"
#elasticsearch.hosts: [ "http://xxxxxxx:9200" ]
kibana.index: ".kibana"
logging.dest: /var/log/kibana/kibana.log
logging.quiet: false
i18n.locale: "zh-CN"