logstash收集日志并写入redis
用一台服务器单独安装部署redis服务,专门用作日志缓存,适用于web服务器产生大量日志的场景。例如下面这台服务器的内存即将耗尽,排查后发现是redis服务中保存了大量尚未被读取的数据,占用了大量内存空间。
redis(104)
安装redis
apt install redis -y
修改redis配置文件
vim /etc/redis/redis.conf
# Listen address. 0.0.0.0 accepts connections on every interface; for a cache
# that only the Logstash hosts on this LAN talk to, bind the internal address
# (192.168.37.104 in this setup) and/or firewall 6379 to those hosts.
bind 0.0.0.0
# Enable this line: an empty save list turns RDB snapshots off.
save ""
# Comment out the three default snapshot rules below.
#save 900 1
#save 300 10
#save 60 10000
# AOF. With snapshots off and AOF off, Redis keeps nothing on disk: entries
# still queued in the lists when the service restarts are lost.
appendonly no
# Redis password. Every pipeline config on this page stores it in plain text,
# and no TLS is configured anywhere on the page, so use a long random value
# instead of 123456 and treat it as a shared secret.
requirepass 123456
重启服务
systemctl restart redis
测试
~# redis-cli
127.0.0.1:6379> AUTH 123456
OK
127.0.0.1:6379> KEYS *
(empty list or set)
web1(106)
pwd
/etc/logstash/conf.d
vim log-to-redis.conf
# Smoke-test pipeline: every line typed on stdin becomes one event, which is
# appended to a Redis list and echoed to the terminal.
input {
stdin {
}
}
output {
redis {
host => "192.168.37.104"
port => "6379"
# Password stored in clear text in the config file. Logstash expands ${VAR}
# from the environment or the logstash-keystore, e.g.
# password => "${REDIS_PASSWORD}"   (placeholder variable name)
password => "123456"
# One list per source host; the consumer pipeline must use exactly this key.
key => "logstash-log-37-106"
# Events are appended to a Redis list (TYPE reports "list", LLEN grows by one
# per event), which the consumer then pops.
data_type => "list"
db => 1
}
stdout {
codec => "rubydebug"
}
}
检查
/usr/share/logstash/bin/logstash -f log-to-redis.conf -t
停服务
systemctl stop logstash
启动、输入信息
/usr/share/logstash/bin/logstash -f log-to-redis.conf
...省略中间部分
#输入信息
2023-05-13 INFO started nginx
{
"@version" => "1",
"host" => "web1",
"message" => "2023-05-13 INFO started nginx",
"@timestamp" => 2023-05-13T13:28:27.594Z
}
redis(104)
可以看到刚刚添加了一条消息
#切换数据库
127.0.0.1:6379> SELECT 1
OK
#查看key
127.0.0.1:6379[1]> KEYS *
1) "logstash-log-37-106"
#查看数据格式
127.0.0.1:6379[1]> TYPE logstash-log-37-106
list
#查看列表中有多少数据
127.0.0.1:6379[1]> LLEN logstash-log-37-106
(integer) 1
web1(106)
#输入信息
start tomcat
{
"@timestamp" => 2023-05-13T13:29:59.310Z,
"message" => "start tomcat",
"host" => "web1",
"@version" => "1"
}
redis(104)
127.0.0.1:6379[1]> LLEN logstash-log-37-106
(integer) 2
127.0.0.1:6379[1]> LPOP logstash-log-37-106
"{\"message\":\"start tomcat\",\"@timestamp\":\"2023-05-13T13:29:59.310Z\",\"@version\":\"1\",\"host\":\"web1\"}
#删除
127.0.0.1:6379[1]> DEL logstash-log-37-106
(integer) 1
web1(106)
修改文件
cat log-to-redis.conf
# Ship the nginx access log to Redis. No codec is set, so each whole line
# lands as a string in "message" (the LPOP output below shows the JSON that
# nginx wrote escaped inside "message" rather than as fields).
input {
file {
path => "/var/log/access.log"
# Tag used by the output condition here and again by the consumer pipeline.
type => "nginx-access-log"
# Read a file from its first line when it is first seen, not only new lines.
start_position => "beginning"
}
}
output {
if [type] == "nginx-access-log" {
redis {
host => "192.168.37.104"
port => "6379"
# Clear-text secret in the config file; ${VAR} / logstash-keystore keeps
# it out of the file.
password => "123456"
key => "logstash-log-37-106"
data_type => list
db => 1
}}
}
重启logstash
systemctl restart logstash
启动nginx
/apps/nginx/sbin/nginx
访问页面、生成新的日志
redis(104)
json格式在线转换: https://www.sojson.com/
127.0.0.1:6379[1]> KEYS *
1) "logstash-log-37-106"
#可以复制下来在json格式转换看一下
127.0.0.1:6379[1]> LPOP logstash-log-37-106
"{\"message\":\"{\\\"@timestamp\\\":\\\"2023-05-15T09:41:08+08:00\\\",\\\"host\\\":\\\"192.168.37.106\\\",\\\"clientip\\\":\\\"192.168.37.1\\\",\\\"size\\\":0,\\\"responsetime\\\":0.000,\\\"upstreamtime\\\":\\\"-\\\",\\\"upstreamhost\\\":\\\"-\\\",\\\"http_host\\\":\\\"192.168.37.106\\\",\\\"uri\\\":\\\"/index.html\\\",\\\"domain\\\":\\\"192.168.37.106\\\",\\\"xff\\\":\\\"-\\\",\\\"referer\\\":\\\"-\\\",\\\"status\\\":\\\"304\\\"}\",\"type\":\"nginx-access-log\",\"@timestamp\":\"2023-05-15T01:41:09.279Z\",\"@version\":\"1\",\"path\":\"/var/log/access.log\",\"host\":\"web1\"}"
logstash(103)
cd /etc/logstash/conf.d/
vim redis-to-es.conf
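# First version of the consumer pipeline on the Logstash host: pops events
# from the Redis list that web1 fills and prints them, so the Redis leg can
# be checked on its own before Elasticsearch is wired in.
input {
  redis {
    host => "192.168.37.104"
    port => "6379"
    # Same clear-text password as the producer; ${VAR} from the environment
    # or the logstash-keystore keeps it out of the file, e.g.
    # password => "${REDIS_PASSWORD}"   (placeholder variable name)
    password => "123456"
    # Must match the producer's key byte for byte. The original read
    # "logstash-log-37.106" (dot instead of hyphen), a key nothing writes to,
    # so this pipeline would have blocked forever with no output.
    key => "logstash-log-37-106"
    data_type => list
    db => 1
  }
}
output {
  stdout {
    codec => "rubydebug"
  }
}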
停服务
systemctl stop logstash
测试
/usr/share/logstash/bin/logstash -f redis-to-es.conf -t
启动
/usr/share/logstash/bin/logstash -f redis-to-es.conf
编辑文件
vim redis-to-es.conf
# Consumer pipeline, second version: decode each popped entry as JSON and
# index the nginx events into Elasticsearch.
input {
redis {
host => "192.168.37.104"
port => "6379"
# Clear-text password, the same value as every other pipeline on this page;
# password => "${REDIS_PASSWORD}" (placeholder) would read it from the
# environment or the logstash-keystore instead.
password => "123456"
key => "logstash-log-37-106"
data_type => list
db => 1
# Log lines are JSON: decode each list entry into event fields instead of
# leaving the whole document in "message".
codec => "json"
}
}
output {
if [type] == "nginx-access-log" {
elasticsearch {
# Either 101 or 102 works.
# Plain http and no user/password/ssl options: this relies on port 9200 being
# reachable only from the Logstash host's network.
hosts => ["http://192.168.37.101:9200"]
# One index per day; the date is taken from the event's @timestamp.
index => "logstash-nginx-access-log-37-106-%{+YYYY.MM.dd}"
}}
}
启服务
systemctl restart logstash
web1(106)
#添加codec => "json"
cat log-to-redis.conf
# Producer pipeline with codec => "json" on the file input. nginx already
# writes each access-log line as a JSON object (see the earlier LPOP output),
# so decoding it here turns clientip, uri, status, ... into top-level fields.
input {
file {
path => "/var/log/access.log"
type => "nginx-access-log"
start_position => "beginning"
# A line that is not valid JSON is not dropped: it stays in "message" and the
# event is tagged _jsonparsefailure.
codec => "json"
}
}
output {
if [type] == "nginx-access-log" {
redis {
host => "192.168.37.104"
port => "6379"
# Clear-text secret in the config file; ${VAR} / logstash-keystore keeps it
# out of the file.
password => "123456"
key => "logstash-log-37-106"
data_type => list
db => 1
}}
}
重启服务
systemctl restart logstash
删除旧的: http://192.168.37.101:5601--->管理--->索引管理--->
重新访问
如果页面上还有别的索引,说明103主机的'/etc/logstash/conf.d'目录中还有别的日志配置文件(如图)
添加索引模式
创建可视化
通过logstash收集多个不同日志
web1(106)
cat log-to-redis.conf
# Producer pipeline shipping two different logs. Each input carries a distinct
# type, and the output section routes on that type to its own Redis list and
# database so the consumer can tell the streams apart.
input {
file {
path => "/var/log/access.log"
type => "nginx-access-log"
start_position => "beginning"
codec => "json"
}
file {
# No codec: each syslog line is shipped verbatim in "message". Because
# Logstash itself logs to syslog on this host, its own log lines come back
# through this pipeline (the LPOP output below shows a logstash[1971] line).
path => "/var/log/syslog"
type => "syslog-37-106"
start_position => "beginning"
}
}
output {
if [type] == "nginx-access-log" {
redis {
host => "192.168.37.104"
port => "6379"
# The same clear-text password is repeated in every redis block;
# password => "${REDIS_PASSWORD}" (placeholder) keeps it in one place outside
# the file.
password => "123456"
key => "logstash-log-37-106"
data_type => list
db => 1
}}
if [type] == "syslog-37-106" {
redis {
host => "192.168.37.104"
port => "6379"
password => "123456"
# Separate key and database from the nginx stream.
key => "syslog-37-106"
data_type => list
db => 2
}}
}
重启服务
systemctl restart logstash
redis(104)
刷新页面
查看是否有日志
127.0.0.1:6379[2]> SELECT 2
OK
127.0.0.1:6379[2]> KEYS *
1) "syslog-37-106"
127.0.0.1:6379[2]> LPOP syslog-37-106
"{\"@timestamp\":\"2023-05-15T08:12:56.380Z\",\"type\":\"syslog-37-106\",\"host\":\"web1\",\"path\":\"/var/log/syslog\",\"@version\":\"1\",\"message\":\"May 13 15:47:32 web1 logstash[1971]: \\\"@timestamp\\\" => 2023-05-13T07:47:32.733Z,\"}"
logstash(103)
#当前所在目录
pwd
/etc/logstash/conf.d
#配置信息
cat redis-to-es.conf
# Consumer pipeline for both streams. Each redis input reads its own
# list/database; the output section routes on the type the producer set.
input {
redis {
host => "192.168.37.104"
port => "6379"
# Clear-text password, repeated in the next block; ${VAR} / logstash-keystore
# avoids storing it in the file.
password => "123456"
key => "logstash-log-37-106"
data_type => list
# Decode the producer's JSON documents into event fields.
codec => "json"
db => 1
}
redis {
host => "192.168.37.104"
port => "6379"
password => "123456"
key => "syslog-37-106"
data_type => list
# No codec set here. NOTE(review): if this input's default codec does not
# decode JSON, the whole document the producer wrote ends up in "message";
# check the fields that reach Kibana.
db => 2
}
}
output {
if [type] == "nginx-access-log" {
elasticsearch {
# Plain http with no credentials or TLS configured; port 9200 must therefore
# not be reachable beyond this network.
hosts => ["http://192.168.37.101:9200"]
index => "logstash-nginx-access-log-37-106-%{+YYYY.MM.dd}"
}}
if [type] == "syslog-37-106" {
elasticsearch {
hosts => ["http://192.168.37.101:9200"]
# Separate daily index for the syslog stream.
index => "logstash-log-37-106-%{+YYYY.MM.dd}"
}}
}
停服务
systemctl stop logstash
检查
/usr/share/logstash/bin/logstash -f redis-to-es.conf -t
启动
systemctl restart logstash
添加到kibana