Enterprise project practice: ELK log analysis platform, Logstash data collection (part 2)

Logstash data collection

1. Introduction to Logstash

Logstash is an open-source, server-side data processing pipeline.

Logstash has more than 200 plugins. It can ingest data from many sources at once, transform it, and ship it to the "stash" of your choice (most often Elasticsearch).

A Logstash pipeline has two required elements, input and output, and one optional element, filter.
(diagram: input -> filter -> output)

Inputs: ingest data of all shapes, sizes and sources

  • Logstash supports a wide range of inputs and can capture events from many common sources at the same time.
  • It ingests data as a continuous stream from logs, metrics, web applications, data stores and various AWS services.

Filters: parse and transform data in real time

  • As data travels from source to stash, Logstash filters parse each event, identify named fields to build structure, and transform them into a common format for easier, faster analysis and business value.

    • Derive structure from unstructured data with Grok
    • Decipher geographic coordinates from IP addresses
    • Anonymize PII data and exclude sensitive fields completely
    • Simplify overall processing, independent of data source, format or schema

Outputs: choose your stash, ship your data

  • Elasticsearch is our preferred output and opens up endless possibilities for search and analysis, but it is not the only choice.
  • Logstash offers many outputs, so you can send data wherever you need it and unlock a wide range of downstream use cases.

2. Installing Logstash

Install the JDK and the Logstash RPM. The "NOKEY" warning in the output below means rpm could not verify the package signature, because Elastic's signing key (key ID D88E42B4) is not imported on this host. Import it first with rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch and check the package with rpm -K logstash-7.6.1.rpm, so that a tampered download is caught before it is installed.

[root@server6 ~]# ls
anaconda-ks.cfg  jdk-8u171-linux-x64.rpm  logstash-7.6.1.rpm
[root@server6 ~]# rpm -ivh jdk-8u171-linux-x64.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:jdk1.8-2000:1.8.0_171-fcs        ################################# [100%]
Unpacking JAR files...
	tools.jar...
	plugin.jar...
	javaws.jar...
	deploy.jar...
	rt.jar...
	jsse.jar...
	charsets.jar...
	localedata.jar...
[root@server6 ~]# rpm -ivh logstash-7.6.1.rpm
warning: logstash-7.6.1.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:logstash-1:7.6.1-1               ################################# [100%]
Using provided startup.options file: /etc/logstash/startup.options
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/pleaserun-0.0.30/lib/pleaserun/platform/base.rb:112: warning: constant ::Fixnum is deprecated
Successfully created system startup script for Logstash

Logstash directory layout and commands

[root@server6 ~]# cd /usr/share/logstash/
[root@server6 logstash]# ls
bin           Gemfile       LICENSE.txt               modules     vendor
CONTRIBUTORS  Gemfile.lock  logstash-core             NOTICE.TXT  x-pack
data          lib           logstash-core-plugin-api  tools
[root@server6 logstash]# cd bin/
[root@server6 bin]# ls
benchmark.sh         logstash               logstash.lib.sh      pqrepair
cpdump               logstash.bat           logstash-plugin      ruby
dependencies-report  logstash-keystore      logstash-plugin.bat  setup.bat
ingest-convert.sh    logstash-keystore.bat  pqcheck              system-install
[root@server6 bin]# pwd
/usr/share/logstash/bin
[root@server6 bin]# /usr/share/logstash/bin/logstash 
benchmark.sh           logstash-keystore      pqrepair
cpdump                 logstash-keystore.bat  ruby
dependencies-report    logstash.lib.sh        setup.bat
ingest-convert.sh      logstash-plugin        system-install
logstash               logstash-plugin.bat    
logstash.bat           pqcheck 

3. Standard input to standard output

The -e option takes the pipeline definition on the command line instead of from a file:
[root@server6 bin]# /usr/share/logstash/bin/logstash -e 'input { stdin { } } output { stdout {} }'
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2021-08-13 22:18:22.870 [main] writabledirectory - Creating directory {:setting=>"path.queue", :path=>"/usr/share/logstash/data/queue"}
[INFO ] 2021-08-13 22:18:22.898 [main] writabledirectory - Creating directory {:setting=>"path.dead_letter_queue", :path=>"/usr/share/logstash/data/dead_letter_queue"}
[WARN ] 2021-08-13 22:18:23.483 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2021-08-13 22:18:23.500 [LogStash::Runner] runner - Starting Logstash {"logstash.version"=>"7.6.1"}
[INFO ] 2021-08-13 22:18:23.542 [LogStash::Runner] agent - No persistent UUID file found. Generating new UUID {:uuid=>"3ef2b8c0-2d53-4d04-b99a-e82f2699855f", :path=>"/usr/share/logstash/data/uuid"}
[INFO ] 2021-08-13 22:18:25.724 [Converge PipelineAction::Create<main>] Reflections - Reflections took 55 ms to scan 1 urls, producing 20 keys and 40 values 
[WARN ] 2021-08-13 22:18:27.485 [[main]-pipeline-manager] LazyDelegatingGauge - A gauge metric of an unknown type (org.jruby.RubyArray) has been create for key: cluster_uuids. This may result in invalid serialization.  It is recommended to log an issue to the responsible developer/development team.
[INFO ] 2021-08-13 22:18:27.487 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>1, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>125, "pipeline.sources"=>["config string"], :thread=>"#<Thread:0x5b034ce4 run>"}
[INFO ] 2021-08-13 22:18:28.949 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2021-08-13 22:18:28.989 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
The stdin plugin is now waiting for input:
[INFO ] 2021-08-13 22:18:29.573 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
hello world
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
{
      "@version" => "1",
          "host" => "server6",
       "message" => "hello world",
    "@timestamp" => 2021-08-14T02:18:47.164Z
}
lalal
{
      "@version" => "1",
          "host" => "server6",
       "message" => "lalal",
    "@timestamp" => 2021-08-14T02:18:51.972Z
}
^C[WARN ] 2021-08-13 22:18:55.198 [SIGINT handler] runner - SIGINT received. Shutting down.
[INFO ] 2021-08-13 22:18:55.457 [Converge PipelineAction::Stop<main>] javapipeline - Pipeline terminated {"pipeline.id"=>"main"}
[INFO ] 2021-08-13 22:18:55.555 [LogStash::Runner] runner - Logstash shut down.

4. Standard input to a file

Run the config file below; the file output writes to /tmp/testfile, and the line codec sets the output format.

[root@server6 bin]# cat test.conf 
input {
	stdin {}
}

output {
 file {
   path => "/tmp/testfile"
   codec => line { format => "custom format: %{message}"}
 }
}
[root@server6 bin]# /usr/share/logstash/bin/logstash -f test.conf
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[WARN ] 2021-08-13 22:20:32.191 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2021-08-13 22:20:32.212 [LogStash::Runner] runner - Starting Logstash {"logstash.version"=>"7.6.1"}
[INFO ] 2021-08-13 22:20:34.637 [Converge PipelineAction::Create<main>] Reflections - Reflections took 69 ms to scan 1 urls, producing 20 keys and 40 values 
[WARN ] 2021-08-13 22:20:35.445 [[main]-pipeline-manager] LazyDelegatingGauge - A gauge metric of an unknown type (org.jruby.RubyArray) has been create for key: cluster_uuids. This may result in invalid serialization.  It is recommended to log an issue to the responsible developer/development team.
[INFO ] 2021-08-13 22:20:35.467 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>1, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>125, "pipeline.sources"=>["/usr/share/logstash/bin/test.conf"], :thread=>"#<Thread:0x1126f599 run>"}
[INFO ] 2021-08-13 22:20:36.655 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2021-08-13 22:20:36.716 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
The stdin plugin is now waiting for input:
[INFO ] 2021-08-13 22:20:37.080 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
redhat
[INFO ] 2021-08-13 22:20:46.481 [[main]>worker0] file - Opening file {:path=>"/tmp/testfile"}
zhangyi
[INFO ] 2021-08-13 22:21:05.421 [[main]>worker0] file - Closing file /tmp/testfile
^C[WARN ] 2021-08-13 22:21:06.948 [SIGINT handler] runner - SIGINT received. Shutting down.
[INFO ] 2021-08-13 22:21:07.192 [Converge PipelineAction::Stop<main>] javapipeline - Pipeline terminated {"pipeline.id"=>"main"}
[INFO ] 2021-08-13 22:21:07.476 [LogStash::Runner] runner - Logstash shut down.

Check the output file

[root@server6 bin]# cat /tmp/testfile 
custom format: redhat
custom format: zhangyi

5. Standard input to the ES host

Config file contents

[root@server6 bin]# cat es.conf 
input {
	stdin {}
}

output {
	stdout {}

	elasticsearch {
		hosts => ["172.25.3.3:9200"]    # Elasticsearch host and port to write to
		index => "logstash-%{+yyyy.MM.dd}"   # custom index name, one index per day
	}
}

Run the file. The output connects over plain HTTP with no credentials (see the "Restored connection to ES instance {:url=>"http://172.25.3.3:9200/"}" line below), which only works while the cluster runs with X-Pack security disabled; anyone on the network who can reach port 9200 can then read and write the same indices.

[root@server6 bin]# /usr/share/logstash/bin/logstash -f es.conf 
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[WARN ] 2021-08-13 22:23:02.202 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2021-08-13 22:23:02.210 [LogStash::Runner] runner - Starting Logstash {"logstash.version"=>"7.6.1"}
[INFO ] 2021-08-13 22:23:04.610 [Converge PipelineAction::Create<main>] Reflections - Reflections took 66 ms to scan 1 urls, producing 20 keys and 40 values 
[INFO ] 2021-08-13 22:23:06.522 [[main]-pipeline-manager] elasticsearch - Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://172.25.3.3:9200/]}}
[WARN ] 2021-08-13 22:23:06.842 [[main]-pipeline-manager] elasticsearch - Restored connection to ES instance {:url=>"http://172.25.3.3:9200/"}
[INFO ] 2021-08-13 22:23:07.153 [[main]-pipeline-manager] elasticsearch - ES Output version determined {:es_version=>7}
[WARN ] 2021-08-13 22:23:07.155 [[main]-pipeline-manager] elasticsearch - Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>7}
[INFO ] 2021-08-13 22:23:07.328 [[main]-pipeline-manager] elasticsearch - New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//172.25.3.3:9200"]}
[INFO ] 2021-08-13 22:23:07.459 [Ruby-0-Thread-6: :1] elasticsearch - Using default mapping template
[WARN ] 2021-08-13 22:23:07.485 [[main]-pipeline-manager] LazyDelegatingGauge - A gauge metric of an unknown type (org.jruby.specialized.RubyArrayOneObject) has been create for key: cluster_uuids. This may result in invalid serialization.  It is recommended to log an issue to the responsible developer/development team.
[INFO ] 2021-08-13 22:23:07.512 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>1, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>125, "pipeline.sources"=>["/usr/share/logstash/bin/es.conf"], :thread=>"#<Thread:0x798305c5 run>"}
[INFO ] 2021-08-13 22:23:07.569 [Ruby-0-Thread-6: :1] elasticsearch - Attempting to install template {:manage_template=>{"index_patterns"=>"logstash-*", "version"=>60001, "settings"=>{"index.refresh_interval"=>"5s", "number_of_shards"=>1}, "mappings"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"*", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}
[INFO ] 2021-08-13 22:23:07.637 [Ruby-0-Thread-6: :1] elasticsearch - Installing elasticsearch template to _template/logstash
[INFO ] 2021-08-13 22:23:09.064 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2021-08-13 22:23:09.122 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
The stdin plugin is now waiting for input:
[INFO ] 2021-08-13 22:23:09.518 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
hello
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
{
          "host" => "server6",
      "@version" => "1",
       "message" => "hello",
    "@timestamp" => 2021-08-14T02:23:14.157Z
}
zhangyi
{
          "host" => "server6",
      "@version" => "1",
       "message" => "zhangyi",
    "@timestamp" => 2021-08-14T02:23:18.376Z
}
^C[WARN ] 2021-08-13 22:24:26.428 [SIGINT handler] runner - SIGINT received. Shutting down.
[INFO ] 2021-08-13 22:24:26.707 [Converge PipelineAction::Stop<main>] javapipeline - Pipeline terminated {"pipeline.id"=>"main"}
[INFO ] 2021-08-13 22:24:27.415 [LogStash::Runner] runner - Logstash shut down.

View the output in the head plugin (screenshots)

6. File input to the ES host

Use /var/log/messages as the input file and send it to 172.25.3.3:9200. Note that start_position => "beginning" only applies the first time the plugin sees a file; after that the offset recorded in sincedb (next section) wins.

/usr/share/logstash/bin/logstash -f  /etc/logstash/conf.d/file-es.conf
[root@server6 conf.d]# cat file-es.conf 
input {
	file {
               path => "/var/log/messages"
               start_position => "beginning"
      }
}

output {
	stdout {}

	elasticsearch {
		hosts => ["172.25.3.3:9200"]
		index => "logstash-%{+yyyy.MM.dd}"
	}
}

Check the output (screenshot)

7. sincedb

How does Logstash tell apart devices, file names, and different versions of the same file?

  • Logstash saves its read position in a sincedb file
  • To re-read a file from the beginning, delete the sincedb file (the index that already holds the earlier events is not touched, so expect duplicates unless you delete that index as well)
# find / -name '.sincedb*'
/usr/share/logstash/data/plugins/inputs/file/.sincedb_452905a167cf4509fd08acb964fdb20c
# cd /usr/share/logstash/data/plugins/inputs/file/
# cat .sincedb_452905a167cf4509fd08acb964fdb20c
20297 0 64768 119226 1551859343.6468308 /var/log/messages
# ls -i /var/log/messages
20297 /var/log/messages

sincedb record format

 # cat .sincedb_452905a167cf4509fd08acb964fdb20c
20297 0 64768 119226 1551859343.6468308   /var/log/messages

A sincedb record has 6 fields:

  1. inode number
  2. major device number of the filesystem
  3. minor device number of the filesystem
  4. current byte offset within the file
  5. last activity timestamp (floating point)
  6. last known path that matched this record

Because the record is keyed on inode and device rather than on the path, a rotated or recreated file with a new inode is treated as a brand-new file, while a file that has become shorter than the stored offset is treated as truncated.

8. Remote log input

Logstash can act as a syslog server and receive logs from remote hosts directly.

Configure rsyslog on server3 and server4 (in /etc/rsyslog.conf) to forward everything to 172.25.3.6 on port 514. The forwarding rule is the "*.* @@..." line: "@@" sends over TCP, a single "@" would send over UDP. The two imudp lines open a UDP listener on the sending host itself, which is not required for forwarding; they are left here as in the original setup. Two things to keep in mind on the receiving side: port 514 is privileged, so Logstash must run as root (as in these examples) or be granted CAP_NET_BIND_SERVICE, and the protocol is unauthenticated and unencrypted, so any host that can reach the port can inject events claiming any hostname; restrict the port with a firewall to the forwarding hosts.

$ModLoad imudp
$UDPServerRun 514
*.* @@172.25.3.6:514
systemctl  restart  rsyslog.service

Check port 514 on server6. The java process is Logstash; the ESTABLISHED rows are the TCP forwarding sessions from server3 (172.25.3.3) and server4 (172.25.3.4).

[root@server6 ~]# netstat  -antlp|grep :514
tcp6       0      0 :::514                  :::*                    LISTEN      21934/java          
tcp6       0      0 172.25.3.6:514          172.25.3.4:43182        ESTABLISHED 21934/java          
tcp6       0      0 172.25.3.6:514          172.25.3.3:54166        ESTABLISHED 21934/java  

log.conf: syslog input (the syslog input listens on both TCP and UDP on the given port)

[root@server6 conf.d]# cat log.conf 
input {
         syslog {

            port => 514
    }
}

output {
	stdout {}

	elasticsearch {
		hosts => ["172.25.3.3:9200"]
		index => "syslog-%{+yyyy.MM.dd}"
	}
}

Run the file and look at the syslog-* index (screenshots)
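To see what actually travels over the TCP session shown in the netstat output, and what the syslog input makes of it, here is an added example (not the page's code and not the Logstash input's implementation). It replays rsyslog's default forwarding format over a loopback TCP connection and decodes the PRI field into facility and severity, producing the same field names the Logstash syslog input emits (priority, facility, severity, timestamp, logsource, program, pid, message, with host taken from the TCP peer). Assumptions: the listener binds an ephemeral port on 127.0.0.1 instead of 514, the two messages are constructed, the line regex is my own approximation of the input's grok pattern, and the facility names are the common Unix ones rather than the input's label strings.

```python
"""RFC 3164 syslog over TCP on loopback, with PRI decoding. Added example."""
import re
import socket
import threading
from typing import Dict, List

# Common Unix facility names, indexed by RFC 3164 facility code (0..23).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss hostname tag[pid]: message  (rsyslog traditional forward format)
SYSLOG_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>\S+) "
    r"(?:(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?)?"
    r"(?P<message>.*)$"
)

# Constructed messages in the shape rsyslog sends with "*.* @@host:514".
SAMPLE_MESSAGES = [
    "<13>Aug 14 02:30:01 server3 systemd[1]: Started Session 5 of user root.",
    "<86>Aug 14 02:30:05 server4 sshd[2231]: Accepted publickey for root from 172.25.3.250 port 51222 ssh2",
]


def parse_syslog(line: str, peer: str) -> Dict[str, object]:
    """Decode one RFC 3164 line; `peer` is the TCP source address of the connection."""
    m = SYSLOG_LINE.match(line)
    if m is None:
        # Like the Logstash input: keep the raw line, tag it, do not drop it.
        return {"host": peer, "message": line, "tags": ["_grokparsefailure_sysloginput"]}
    pri = int(m.group("pri"))
    event = {k: v for k, v in m.groupdict().items() if v is not None and k != "pri"}
    facility, severity = pri >> 3, pri & 7           # PRI = facility * 8 + severity
    event.update({
        "host": peer,          # who really connected; logsource is only what the sender claims
        "priority": pri,
        "facility": facility,
        "severity": severity,
        "facility_label": FACILITIES[facility] if facility < len(FACILITIES) else f"facility{facility}",
        "severity_label": SEVERITIES[severity],
    })
    return event


def exchange(messages: List[str]) -> List[Dict[str, object]]:
    """One-shot TCP listener; send `messages` to it the way rsyslog would; return parsed events."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))           # ephemeral port; the real input uses 514
    listener.listen(1)
    port = listener.getsockname()[1]
    received: List[Dict[str, object]] = []

    def serve() -> None:
        conn, addr = listener.accept()
        with conn, conn.makefile("r", encoding="utf-8", newline="\n") as stream:
            for raw in stream:                # rsyslog terminates each TCP message with "\n"
                received.append(parse_syslog(raw.rstrip("\n"), addr[0]))

    server = threading.Thread(target=serve, daemon=True)
    server.start()
    with socket.create_connection(("127.0.0.1", port)) as client:
        client.sendall(("\n".join(messages) + "\n").encode("utf-8"))
    server.join(timeout=5)
    listener.close()
    return received


if __name__ == "__main__":
    for ev in exchange(SAMPLE_MESSAGES):
        print(ev)
```

Nothing in the exchange authenticates the sender: logsource, program and timestamp are free text chosen by whoever opened the connection, so only the host field (the peer address) is trustworthy, and even that only as far as the network is. The syslog input has no TLS option; if the forwarding hosts and Logstash are not on a trusted segment, forward with rsyslog over TLS to the tcp input with ssl_enable and parse the line with a grok filter instead.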

9. The multiline codec

Normally each input line is one event, but an error such as a Java stack trace spans many lines and must be kept together as a single event. Example from an Elasticsearch log:

[2021-08-14T00:53:42,821][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [server3] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: Failed to parse value [fals] as only [true] or [false] are allowed.
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:174) ~[elasticsearch-7.6.1.jar:7.6.1]
	at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:161) ~[elasticsearch-7.6.1.jar:7.6.1]
	at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-7.6.1.jar:7.6.1]
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:125) ~[elasticsearch-cli-7.6.1.jar:7.6.1]
	at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-7.6.1.jar:7.6.1]
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:126) ~[elasticsearch-7.6.1.jar:7.6.1]
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-7.6.1.jar:7.6.1]
Caused by: java.lang.IllegalArgumentException: Failed to parse value [fals] as only [true] or [false] are allowed.
	at org.elasticsearch.common.Booleans.parseBoolean(Booleans.java:73) ~[elasticsearch-core-7.6.1.jar:7.6.1]
	at org.elasticsearch.common.settings.Setting.parseBoolean(Setting.java:1279) ~[elasticsearch-7.6.1.jar:7.6.1]
	at org.elasticsearch.common.settings.Setting.lambda$boolSetting$24(Setting.java:1256) ~[elasticsearch-7.6.1.jar:7.6.1]
	at org.elasticsearch.common.settings.Setting.get(Setting.java:433) ~[elasticsearch-7.6.1.jar:7.6.1]
	at org.elasticsearch.common.settings.Setting.get(Setting.java:427) ~[elasticsearch-7.6.1.jar:7.6.1]
	at org.elasticsearch.cluster.node.DiscoveryNode.isDataNode(DiscoveryNode.java:69) ~[elasticsearch-7.6.1.jar:7.6.1]
	at org.elasticsearch.env.NodeEnvironment.<init>(NodeEnvironment.java:321) ~[elasticsearch-7.6.1.jar:7.6.1]
	at org.elasticsearch.node.Node.<init>(Node.java:277) ~[elasticsearch-7.6.1.jar:7.6.1]
	at org.elasticsearch.node.Node.<init>(Node.java:257) ~[elasticsearch-7.6.1.jar:7.6.1]
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:221) ~[elasticsearch-7.6.1.jar:7.6.1]
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:221) ~[elasticsearch-7.6.1.jar:7.6.1]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:349) ~[elasticsearch-7.6.1.jar:7.6.1]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:170) ~[elasticsearch-7.6.1.jar:7.6.1]

Single-line input (multiline codec commented out)

[root@server6 conf.d]# cat es-log.conf 
input {
      file {
        path => "/var/log/my-es.log"
        start_position => "beginning"
          #codec => multiline {
            #pattern => "^\["
            #negate => "true"
            #what => "previous"
          #}
      }
}

output {
	stdout {}

	elasticsearch {
		hosts => ["172.25.3.3:9200"]
		index => "eslog-%{+yyyy.MM.dd}"
	}

}
 /usr/share/logstash/bin/logstash -f es-log.conf

(screenshots: each line of the stack trace arrives as a separate event)

Add the multiline codec and run again. pattern => "^\[" together with negate => "true" and what => "previous" means: every line that does not start with "[" is appended to the previous event, so a timestamped header line plus its whole stack trace becomes one event.

[root@server6 conf.d]# cat es-log.conf 
input {
      file {
        path => "/var/log/my-es.log"
        start_position => "beginning"
          codec => multiline {
            pattern => "^\["
            negate => "true"
            what => "previous"
          }
      }
}

output {
	stdout {}

	elasticsearch {
		hosts => ["172.25.3.3:9200"]
		index => "eslog-%{+yyyy.MM.dd}"
	}

}

Delete the sincedb file before running again; otherwise the file input resumes at the saved offset and nothing is re-read:

[root@server6 file]# ls
[root@server6 file]# ls -a
.  ..  .sincedb_13f094911fdac7ab3fa6f4c93fee6639
[root@server6 file]# rm -rf .sincedb_13f094911fdac7ab3fa6f4c93fee6639
[root@server6 file]# pwd
/usr/share/logstash/data/plugins/inputs/file
/usr/share/logstash/bin/logstash -f es-log.conf

Check the multiline result (screenshot)
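The rule behind pattern/negate/what is easier to trust once you have run it yourself. Below is an added example, not the codec's own code and not from the original post: a small function that implements the Logstash multiline semantics (a "matching" line is glued to the previous event, or held for the next one), tags joined events "multiline" as the codec does, and is run over constructed lines that mimic the Elasticsearch log shown above (stack trace shortened). It also covers what => "next", which the page does not use.

```python
"""Multiline codec semantics (pattern / negate / what). Added example."""
import re
from typing import Dict, List

# Constructed lines in the shape of the Elasticsearch log shown above.
SAMPLE_LINES = [
    "[2021-08-14T00:53:42,821][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [server3] uncaught exception in thread [main]",
    "org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: Failed to parse value [fals] as only [true] or [false] are allowed.",
    "\tat org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:174) ~[elasticsearch-7.6.1.jar:7.6.1]",
    "\tat org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:161) ~[elasticsearch-7.6.1.jar:7.6.1]",
    "Caused by: java.lang.IllegalArgumentException: Failed to parse value [fals] as only [true] or [false] are allowed.",
    "\tat org.elasticsearch.common.Booleans.parseBoolean(Booleans.java:73) ~[elasticsearch-core-7.6.1.jar:7.6.1]",
    "[2021-08-14T00:53:43,002][INFO ][o.e.n.Node               ] [server3] stopping ...",
]


def multiline(lines: List[str], pattern: str, negate: bool = False,
              what: str = "previous") -> List[Dict[str, object]]:
    """Join `lines` into events the way the Logstash multiline codec does.

    A line "matches" when the regex is found in it, or, with negate=True, when it
    is not. what="previous": a matching line is appended to the event being built.
    what="next": a matching line is held and prepended to the line that follows it.
    The final event is flushed at the end of input; Logstash only flushes it when
    the next non-continuation line arrives or auto_flush_interval expires, which
    is why a trailing stack trace can show up late in Elasticsearch.
    """
    rx = re.compile(pattern)
    events: List[Dict[str, object]] = []
    buf: List[str] = []

    def flush() -> None:
        if buf:
            # The codec tags only events that were actually joined.
            events.append({"message": "\n".join(buf),
                           "tags": ["multiline"] if len(buf) > 1 else []})
            buf.clear()

    for line in lines:
        matches = bool(rx.search(line)) != negate
        if what == "previous":
            if not matches:
                flush()            # a non-continuation line starts a new event
            buf.append(line)
        elif what == "next":
            buf.append(line)
            if not matches:
                flush()            # this line closes the event; matching lines wait
        else:
            raise ValueError("what must be 'previous' or 'next'")
    flush()
    return events


if __name__ == "__main__":
    for ev in multiline(SAMPLE_LINES, r"^\[", negate=True, what="previous"):
        print(ev["tags"], ev["message"].count("\n") + 1, "line(s)")
```

With the page's settings the seven constructed lines collapse into two events: the ERROR header with its five continuation lines (tagged multiline) and the single INFO line. Continuation lines that arrive before any header, for example right after a restart in the middle of a trace, become an event of their own; that is inherent to the codec, and the reason multiline joining is better done at the source (Filebeat) than in Logstash for high-volume inputs.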

10. The grok filter

grok filter config

[root@server6 conf.d]# cat grok.conf 
input {
	stdin {}
}

filter {
	grok {
	match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
	}
}

output {
	stdout {}
}

Run grok.conf

 /usr/share/logstash/bin/logstash -f grok.conf 

Type a line and look at the extracted fields. Every captured value is a string, including bytes and duration; writing %{NUMBER:bytes:int} or %{NUMBER:duration:float} in the pattern would store numbers instead, which matters once you aggregate on them in Kibana.

55.3.244.1 GET /index.html 15824 0.043

/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
{
       "message" => "55.3.244.1 GET /index.html 15824 0.043",
        "client" => "55.3.244.1",
        "method" => "GET",
          "host" => "server6",
    "@timestamp" => 2021-08-14T05:53:23.078Z,
      "duration" => "0.043",
      "@version" => "1",
       "request" => "/index.html",
         "bytes" => "15824"
}

11. Apache access log filtering in practice

The grok httpd pattern file shipped with Logstash

[root@server6 conf.d]# cd /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-patterns-core-4.1.2/patterns
[root@server6 patterns]# ls
aws     bind  exim       grok-patterns  httpd  junos         maven        mcollective-patterns  nagios      rails  ruby
bacula  bro   firewalls  haproxy        java   linux-syslog  mcollective  mongodb               postgresql  redis  squid
[root@server6 patterns]# vim httpd 
[root@server6 patterns]# cat httpd 
HTTPDUSER %{EMAILADDRESS}|%{USER}
HTTPDERROR_DATE %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}

# Log formats
HTTPD_COMMONLOG %{IPORHOST:clientip} %{HTTPDUSER:ident} %{HTTPDUSER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)
HTTPD_COMBINEDLOG %{HTTPD_COMMONLOG} %{QS:referrer} %{QS:agent}

# Error logs
HTTPD20_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{LOGLEVEL:loglevel}\] (?:\[client %{IPORHOST:clientip}\] ){0,1}%{GREEDYDATA:message}
HTTPD24_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{WORD:module}:%{LOGLEVEL:loglevel}\] \[pid %{POSINT:pid}(:tid %{NUMBER:tid})?\]( \(%{POSINT:proxy_errorcode}\)%{DATA:proxy_message}:)?( \[client %{IPORHOST:clientip}:%{POSINT:clientport}\])?( %{DATA:errorcode}:)? %{GREEDYDATA:message}
HTTPD_ERRORLOG %{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}

# Deprecated
COMMONAPACHELOG %{HTTPD_COMMONLOG}
COMBINEDAPACHELOG %{HTTPD_COMBINEDLOG}

Look at the httpd access_log

[root@server6 conf.d]# cat /var/log/httpd/access_log 
172.25.3.6 - - [14/Aug/2021:01:56:11 -0400] "GET / HTTP/1.1" 200 11 "-" "curl/7.29.0"
172.25.3.6 - - [14/Aug/2021:01:56:12 -0400] "GET / HTTP/1.1" 200 11 "-" "curl/7.29.0"
172.25.3.6 - - [14/Aug/2021:01:56:13 -0400] "GET / HTTP/1.1" 200 11 "-" "curl/7.29.0"
172.25.3.6 - - [14/Aug/2021:01:56:27 -0400] "GET / HTTP/1.1" 200 11 "-" "curl/7.29.0"
172.25.3.6 - - [14/Aug/2021:01:56:28 -0400] "GET / HTTP/1.1" 200 11 "-" "curl/7.29.0"
172.25.3.6 - - [14/Aug/2021:01:56:28 -0400] "GET / HTTP/1.1" 200 11 "-" "curl/7.29.0"
172.25.3.6 - - [14/Aug/2021:01:56:43 -0400] "GET / HTTP/1.1" 200 11 "-" "curl/7.29.0"
172.25.3.6 - - [14/Aug/2021:01:56:48 -0400] "GET / HTTP/1.1" 200 11 "-" "curl/7.29.0"

Open up the log directory. Apache's /var/log/httpd is mode 700 by default; 755 lets other users enter it (the files inside keep their own modes). This is only needed when Logstash runs as the logstash service user, not when it is started from a root shell as in these examples. A narrower alternative is an ACL for that one user, e.g. setfacl -m u:logstash:rx /var/log/httpd and setfacl -m u:logstash:r /var/log/httpd/access_log, instead of making the directory traversable by everyone.

[root@server6 patterns]# chmod 755 /var/log/httpd/
[root@server6 patterns]#  ll -d  /var/log/httpd
drwxr-xr-x 2 root root 41 Aug 14 01:55 /var/log/httpd

apache.conf contents

[root@server6 conf.d]# cat apache.conf 
input {
	file {
		path => "/var/log/httpd/access_log"
		start_position => "beginning"
	}

}

filter {
	grok {
	match => { "message" => "%{HTTPD_COMBINEDLOG}" }
	}
}

output {
	stdout {}

	elasticsearch {
		hosts => ["172.25.0.3:9200"]
		index => "apachelog-%{+yyyy.MM.dd}"
	}
	
}

Run. Note that the hosts entry in this file reads 172.25.0.3:9200 while every earlier example used 172.25.3.3:9200; point it at your Elasticsearch node.

 /usr/share/logstash/bin/logstash -f apache.conf 

Parsed fields. referrer and agent keep their surrounding quotes because the QS pattern captures them, and clientip, request and agent are all attacker-controlled input copied verbatim from the HTTP request.

{
          "agent" => "\"curl/7.29.0\"",
           "auth" => "-",
           "host" => "server6",
       "@version" => "1",
       "referrer" => "\"-\"",
    "httpversion" => "1.1",
          "ident" => "-",
          "bytes" => "11",
           "verb" => "GET",
     "@timestamp" => 2021-08-14T06:08:50.340Z,
           "path" => "/var/log/httpd/access_log",
        "request" => "/",
        "message" => "172.25.3.6 - - [14/Aug/2021:01:56:48 -0400] \"GET / HTTP/1.1\" 200 11 \"-\" \"curl/7.29.0\"",
       "clientip" => "172.25.3.6",
      "timestamp" => "14/Aug/2021:01:56:48 -0400",
       "response" => "200"
}
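The two grok patterns on this page (the hand-written one in section 10 and HTTPD_COMBINEDLOG in section 11) are both just macro expansions into one regular expression. The following is an added example, not Logstash's grok implementation and not the page's code: a small grok compiler that expands %{NAME:field:type} references from a pattern library into a Python regex, returns the same _grokparsefailure tag Logstash adds when a line does not match, and applies the :int / :float suffix. The library entries are simplified versions of the grok definitions (IP is IPv4 only, MONTH accepts abbreviations only, NUMBER is plain decimal), except HTTPD_COMMONLOG and HTTPD_COMBINEDLOG, which are copied from the httpd file above; the log lines are the ones shown on the page, used as constructed input.

```python
"""A small grok compiler: %{NAME:field:type} references into one Python regex. Added example."""
import re
from typing import Callable, Dict, Tuple

# Simplified grok pattern library (HTTPD_* copied from the httpd pattern file).
PATTERNS: Dict[str, str] = {
    "INT": r"[+-]?\d+",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "HOSTNAME": r"\b[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*\.?",
    "IPORHOST": r"(?:%{IP}|%{HOSTNAME})",
    "USER": r"[a-zA-Z0-9._-]+",
    "EMAILADDRESS": r"[A-Za-z][A-Za-z0-9_.+=:-]+@%{HOSTNAME}",
    "HTTPDUSER": r"%{EMAILADDRESS}|%{USER}",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "YEAR": r"(?:\d\d){1,2}",
    "TIME": r"\d{1,2}:\d{2}:\d{2}",
    "HTTPDATE": r"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}",
    "QS": r'"(?:[^"\\]|\\.)*"',              # quoted string, quotes included (hence "\"-\"")
    "URIPATH": r"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_-]*)+",
    "URIPARAM": r"\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\[\]<>-]*",
    "URIPATHPARAM": r"%{URIPATH}(?:%{URIPARAM})?",
    "HTTPD_COMMONLOG": (
        r'%{IPORHOST:clientip} %{HTTPDUSER:ident} %{HTTPDUSER:auth} \[%{HTTPDATE:timestamp}\] '
        r'"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" '
        r'%{NUMBER:response} (?:%{NUMBER:bytes}|-)'
    ),
    "HTTPD_COMBINEDLOG": r"%{HTTPD_COMMONLOG} %{QS:referrer} %{QS:agent}",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?(?::(int|float))?\}")
CASTS = {"int": int, "float": float}

# Lines from the page, used as constructed input.
APACHE_LINE = '172.25.3.6 - - [14/Aug/2021:01:56:48 -0400] "GET / HTTP/1.1" 200 11 "-" "curl/7.29.0"'
CUSTOM_PATTERN = "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes:int} %{NUMBER:duration:float}"
CUSTOM_LINE = "55.3.244.1 GET /index.html 15824 0.043"


def compile_grok(pattern: str, library: Dict[str, str] = PATTERNS) -> Tuple["re.Pattern", Dict[str, Callable]]:
    """Expand nested %{...} references; named refs become named groups, bare refs non-capturing."""
    casts: Dict[str, Callable] = {}

    def expand(m: "re.Match") -> str:
        name, field, typ = m.group(1), m.group(2), m.group(3)
        if name not in library:
            raise ValueError(f"unknown grok pattern %{{{name}}}")   # Logstash fails at startup here
        if field:
            if typ:
                casts[field] = CASTS[typ]
            return f"(?P<{field}>{library[name]})"
        return f"(?:{library[name]})"

    regex = pattern
    for _ in range(20):                        # bounded: catches self-referencing definitions
        expanded = GROK_REF.sub(expand, regex)
        if expanded == regex:
            break
        regex = expanded
    if "%{" in regex:
        raise ValueError(f"unexpandable grok reference left in: {regex}")
    return re.compile(regex), casts


def grok_match(compiled: Tuple["re.Pattern", Dict[str, Callable]], line: str) -> Dict[str, object]:
    """Apply a compiled pattern the way the grok filter does: search, not anchored; tag on failure."""
    regex, casts = compiled
    event: Dict[str, object] = {"message": line}
    m = regex.search(line)
    if m is None:
        event["tags"] = ["_grokparsefailure"]
        return event
    for field, value in m.groupdict().items():
        if value is not None:                  # unmatched alternatives (rawrequest) are omitted
            event[field] = casts.get(field, lambda v: v)(value)
    return event


if __name__ == "__main__":
    print(grok_match(compile_grok("%{HTTPD_COMBINEDLOG}"), APACHE_LINE))
    print(grok_match(compile_grok(CUSTOM_PATTERN), CUSTOM_LINE))
```

Two practical consequences are visible in the compiled regex. Grok searches rather than anchors, so a line that does not match is retried at every offset; start production patterns with ^ and prefer NOTSPACE over DATA or GREEDYDATA where the format allows, because the request path and User-Agent are attacker-chosen input and pathological values can make a loosely written pattern very slow. And a failed match never drops the event: it is indexed with the raw message and the _grokparsefailure tag, so that tag is worth alerting on.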
