filebeat模块收集日志和kibana制作图表
1. 收集nginx日志
官网的地址
https://www.elastic.co/guide/en/beats/filebeat/6.6/filebeat-module-elasticsearch.html
1.1 最基础的默认配置
filebeat的配置文件
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: true
setup.kibana:
host: "192.168.80.40:5601"
output.elasticsearch:
hosts: ["localhost:9200"]
启动filebeat的nginx的模块
查看module使用情况
filebeat modules list
开启nginx模块
filebeat modules enable nginx
查看nginx的模块的配置
cd /etc/filebeat/modules.d
vim nginx.yml
- module: nginx
# Access logs
access:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
var.paths: ["/var/log/nginx/access.log"]
# Error logs
error:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
var.paths: ["/var/log/nginx/error.log"]
==========================
修改的地方
var.paths: ["/var/log/nginx/access.log"]
var.paths: ["/var/log/nginx/error.log"]
修改nginx的日志格式为普通的日志格式
cd /etc/nginx
vim nginx.conf
access_log /var/log/nginx/access.log main;
> /var/log/nginx/access.log
systemctl restart nginx
重启filebeat
systemctl restart filebeat
报错
lhost:9200)): Connection marked as failed because the onConnect callback failed: Error loading pipeline for fileset nginx/access: This module requires the following Elasticsearch plugins: ingest-user-agent, ingest-geoip. You can install them by running the following commands on all the Elasticsearch nodes:
sudo bin/elasticsearch-plugin install ingest-user-agent
sudo bin/elasticsearch-plugin install ingest-geoip
安装软件
注意:6.7之后这两个插件默认集成到了elasticsearch,不需要单独安装了
我这里用的是6.6的版本
ingest-user-agent
ingest-geoip
下载的地址
https://www.elastic.co/guide/en/elasticsearch/plugins/6.6/ingest.html
下载完成上传安装
/usr/share/elasticsearch/bin/elasticsearch-plugin install file:///opt/elk/ingest-geoip-6.6.0.zip
/usr/share/elasticsearch/bin/elasticsearch-plugin install file:///opt/elk/ingest-user-agent-6.6.0.zip
systemctl restart filebeat
1.2 正确日志和错误日志分开
filebeat的配置文件
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: true
setup.kibana:
host: "192.168.80.40:5601"
output.elasticsearch:
hosts: ["localhost:9200"]
indices:
- index: "nginx_access-%{[beat.version]}-%{+yyyy.MM.dd}"
when.contains:
fileset.name: "access"
- index: "nginx_error-%{[beat.version]}-%{+yyyy.MM.dd}"
when.contains:
fileset.name: "error"
setup.template.name: "nginx"
setup.template.pattern: "nginx_*"
setup.template.enabled: false
setup.template.overwrite: true
删除es-head数据,重启
systemctl restart filebeat
kibana添加日志需要注意
数据过滤产看
2. kibana画图
默认如果使用filbeat模版导入视图会把所有的服务都导入进去,而我们实际上并不需要这么多视图,
而且默认的视图模版只能匹配filebeat-*开头的索引,所以这里我们有2个需要需要解决:
1.通过一定处理只导入我们需要的模版
2.导入的视图模版索引名称可以自定义
解决方法:
1.备份一份filebeat的kibana视图,删除不需要的视图模版文件
2.修改视图文件里默认的索引名称为我们需要的索引名称
2.1 配置
cp -a /usr/share/filebeat/kibana /root
cd ~
cd kibana
rm -rf 5
只留下跟nginx有关的
cd /root/kibana/6/dashboard
find . -type f ! -name "*nginx*"|xargs rm -rf
rm -f ml-nginx-access-remote-ip-count-explorer.json
rm -f ml-nginx-remote-ip-url-explorer.json
默认的是filebeat-* 要替换为nginx
sed -i 's#filebeat\-\*#nginx\-\*#g' Filebeat-nginx-overview.json
sed -i 's#filebeat\-\*#nginx\-\*#g' Filebeat-nginx-logs.json
cd /root/kibana/6/index-pattern
sed -i 's#filebeat\-\*#nginx\-\*#g' filebeat.json
服务都起来之后在做
替换索引名称
filebeat setup --dashboards -E setup.dashboards.directory=/root/kibana/
filebeat的配置文件
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/nginx/access.log
json.keys_under_root: true
json.overwrite_keys: true
tags: ["access"]
- type: log
enabled: true
paths:
- /var/log/nginx/error.log
tags: ["error"]
setup.template.settings:
index.number_of_shards: 3
setup.kibana:
host: "192.168.80.40:5601"
output.elasticsearch:
hosts: ["localhost:9200"]
indices:
- index: "nginx-access-%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "access"
- index: "nginx-error-%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "error"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true
nginx的配置文件,access.log改成json的模式
vim /etc/nginx/nginx.conf
log_format json '{ "time_local": "$time_local", '
'"remote_addr": "$remote_addr", '
'"referer": "$http_referer", '
'"request": "$request", '
'"status": $status, '
'"bytes": $body_bytes_sent, '
'"agent": "$http_user_agent", '
'"x_forwarded": "$http_x_forwarded_for", '
'"up_addr": "$upstream_addr",'
'"up_host": "$upstream_http_host",'
'"upstream_time": "$upstream_response_time",'
'"request_time": "$request_time"'
' }';
access_log /var/log/nginx/access.log json;
systemctl start elasticsearch
systenmctl start kibana
systemctl start filebeat
systemctl start nginx
模拟一些日志就行了
浏览器访问,或者导入一些都行
192.168.80.40
es-head查看
2.2 kibana的操作
数据完成
2.3 kibana图表的制作
2.3.1 区域图 Area
保存点击右上角save
查看
2.3.2 data table
2.3.3 pie 饼状图
显示比例的信息
2.3.4 guage 显示范围内的次数
2.3.5 Markdown 一些运维人员信息
2.4 全部图的整合
下一步
添加完成
拖动单独的就可以调整位置
上班点击这个面板就可以查看最新的数据变化
4986
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
