ELK过滤Nginx日志和Java日志

已于 2022-06-06 11:15:50 修改
阅读量307 收藏
点赞数 1
分类专栏: 我的运维笔记 文章标签: ELK Logstash JAVA日志 Nginx错误日志 grok
于 2022-05-30 15:35:44 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/wangshui898/article/details/125047657
版权

日志样例

JAVA

固定格式

[2022-05-30T14:54:07.579+08:00] [INFO] [,] [cn.git.workflow.util.WorkFlowFactory] [ccms-test-17] [3.1.101.55] [workflow-server] [WorkFlowFactory.java,163,cn.git.workflow.util.WorkFlowFactory,getWebServiceProperties] [webService获取地址类型serviceType为[UAT],选择操作url地址为[http://6.1.14.86:9001/wfms/cxf/processWebService?wsdl]] ## ''
[2022-05-30T14:54:07.624+08:00] [INFO] [,] [cn.git.workflow.service.impl.WorkFlowServiceImpl] [ccms-test-17] [3.1.101.55] [workflow-server] [WorkFlowServiceImpl.java,414,cn.git.workflow.service.impl.WorkFlowServiceImpl,findProcessPic] [查看流程图发送参数: {"processId":"787169"}] ## ''

NGINX

access日志

直接配置nginx.conf, 配置为json格式,固定格式

    log_format json escape=json
      '{"@timestamp":"$time_iso8601",'
      '"host":"$hostname",'
      '"server_ip":"$server_addr",'
      '"client_ip":"$remote_addr",'
      '"xff":"$http_x_forwarded_for",'
      '"domain":"$host",'
      '"url":"$uri",'
      '"referer":"$http_referer",'
      '"args":"$args",'
      '"upstreamtime":"$upstream_response_time",'
      '"responsetime":"$request_time",'
      '"request_method":"$request_method",'
      '"status":"$status",'
      '"size":"$body_bytes_sent",'
#      '"request_body":"$request_body",'
      '"request_length":"$request_length",'
      '"protocol":"$server_protocol",'
      '"upstreamhost":"$upstream_addr",'
      '"upstreamtime":"$upstream_response_time",'
      '"upstreamstatus":"$upstream_status",'
      '"file_dir":"$request_filename",'
      '"http_user_agent":"$http_user_agent"'
    '}';

error日志

默认配置, 输出格式不固定

格式一

2022/05/30 14:48:45 [warn] 13#0: *87124 an upstream response is buffered to a te1/23/0000000231 while reading upstream, client: 3.2.26.199, server: 3.1.101.57, P/1.1", upstream: "http://3.1.101.56:11102/manage/common/syscodes/get", host: "3"

格式二

2022/05/30 10:37:03 [error] 13#0: *81714 connect() failed (111: Connection refused) while connecting to upstream, client: 3.2.26.154, server: 3.1.101.57, request: "GET /sysmanage/manage/organization/listps HTTP/1.1", upstream: "http://3.1.101.56:11102/manage/organization/listps", host: "3.1.101.57:8901", referrer: "http://3.1.101.57:8901/"

格式三

2022/05/30 15:12:33 [emerg] 1#0: unexpected end of file, expecting "}" in /usr/local/openresty/nginx/conf/nginx.conf:105

2022/05/30 22:41:12 [notice] 22802#0: signal process started

filebeat配置

###################### Filebeat Configuration Example #########################
filebeat.name: ccms-test-19
filebeat.idle_timeout: 5s
filebeat.spool_zie: 2048

#----------------------------------input form ccms servers--------------------------------#
filebeat.inputs:
- type: log
  enabled: true
  paths:
   - /opt/ccms-auto-deploy/credit-interface-converter/*/target/logs/*.log
   - /opt/ccms-auto-deploy/credit-gateway/target/logs/*.log
  fields:
    kafka_topic: topic-ccms-dev
    filebeat-server: 3.1.101.57    
  fields_under_root: true

  # filebeat 多行日志的处理
  multiline.pattern: '^\['
  multiline.negate: true
  multiline.match: after

  encoding: plain
  tail_files: false

  # 检测指定目录下文件更新时间
  scan_frequency: 3s
  # 每隔1s检测一下文件变化,如果连续检测2次之后文件还没有变化,下一次检测间隔时间变为5s
  backoff: 1s
  max_backoff: 5s
  backoff_factor: 2

#----------------------------------input form nginx access_log--------------------------------#
- type: log
  enabled: true
  paths:
   - /data/openresty-vts/nginx/logs/ccms-*.log
  fields:
    kafka_topic: topic-nginx-access
    filebeat-server: 3.1.101.57
  fields_under_root: true

  encoding: plain
  tail_files: false

  json.keys_under_root: true
  json.overwrite_keys: true
  json.add_error_key: false


  # 检测指定目录下文件更新时间
  scan_frequency: 3s
  # 每隔1s检测一下文件变化,如果连续检测2次之后文件还没有变化,下一次检测间隔时间变为5s
  backoff: 1s
  max_backoff: 5s
  backoff_factor: 2

#----------------------------------input form nginx error_log--------------------------------#
- type: log
  enabled: true
  paths:
   - /data/openresty-vts/nginx/logs/error.log
  fields:
    kafka_topic: topic-nginx-error
    filebeat-server: 3.1.101.57
  fields_under_root: true

  encoding: plain
  tail_files: false

  # 检测指定目录下文件更新时间
  scan_frequency: 3s
  # 每隔1s检测一下文件变化,如果连续检测2次之后文件还没有变化,下一次检测间隔时间变为5s
  backoff: 1s
  max_backoff: 5s
  backoff_factor: 2

#----------------------------------Kafka output--------------------------------#
output.kafka:
  enabled: true
  hosts: ['3.1.101.33:9092','3.1.101.34:9092','3.1.101.35:9092']
  topic: '%{[kafka_topic]}'

logstash配置

JAVA

input {
  beats {
    port => 5044
  }
}

input {
   kafka {
    topics_pattern => "topic-ccms-dev"
    bootstrap_servers => "3.1.101.33:9092,3.1.101.34:9092,3.1.101.35:9092"
    consumer_threads => 4
    decorate_events => true
    group_id => "kafka-elk-ccms"
    add_field => {"logstash-server" => "3.1.101.33"}
   }
}

filter {
    json {
      source => "message"
    }

    grok {
      match => { "message" => "\[%{TIMESTAMP_ISO8601:currentDateTime}\] \[%{LOGLEVEL:level}\] \[%{DATA:traceInfo}\] \[%{NOTSPACE:class}\] \[%{DATA:hostName}\] \[%{IP:hostIp}\] \[%{DATA:applicationName}\] \[%{DATA:location}\] \[%{DATA:messageInfo}\] ## %{QUOTEDSTRING:throwable}" }
    }

    mutate{
      enable_metric => "false"
      remove_field => ["ecs","tags","input","agent","@version","log","port","host","message"]
    }

    date {
      match => [ "currentDateTime", "ISO8601" ]
    }
}

output {
        elasticsearch {
        hosts => ["3.1.101.33:9200","3.1.101.34:9200","3.1.101.35:9200"]
        index => "index-ccms-dev_%{+YYY-MM-dd}"
        sniffing => true
        template_overwrite => true
    }
}

NGINX

access日志

input {
   kafka {
    topics_pattern => "topic-nginx-access"
    bootstrap_servers => "3.1.101.33:9092,3.1.101.34:9092,3.1.101.35:9092"
    codec => "json"
    consumer_threads => 4
    decorate_events => true
    group_id => "kafka-nginx-access"
    add_field => {"logstash-server" => "3.1.101.33"}
   }
}

filter {
  geoip {
      source => "client_ip"
      target => "geoip"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
      remove_field => [ "[geoip][latitude]", "[geoip][longitude]", "[geoip][country_code2]","[geoip][country_code3]", "[geoip][timezone]", "[geoip][continent_code]", "[geoip][dma_code]", "[geoip][region_code]" ]
  }

  mutate {
    convert => [ "size", "integer" ]
    convert => [ "status", "integer" ]
    convert => [ "responsetime", "float" ]
    convert => [ "upstreamtime", "float" ]
    convert => [ "[geoip][coordinates]", "float" ]
    # 过滤 filebeat 没用的字段,这里过滤的字段要考虑好输出到es的,否则过滤了就没法做判断
    remove_field => [ "ecs","agent","host","cloud","@version","input","logs_type" ]
  }


  useragent {
    source => "http_user_agent"
    target => "ua"
    # 过滤useragent没用的字段
    remove_field => [ "[ua][minor]","[ua][major]","[ua][build]","[ua][patch]","[ua][os_minor]","[ua][os_major]" ]
  }

}

output {
        elasticsearch {
        hosts => ["3.1.101.33:9200","3.1.101.34:9200","3.1.101.35:9200"]
        index => "logstash-nginx-access_%{+YYY-MM-dd}"
        sniffing => true
        template_overwrite => true
    }
}

这里是为了适应grafana 11190模板, 将ES数据展示到grafana中, 实际可根据需求调整

error日志

input {
   kafka {
    topics_pattern => "topic-nginx-error"
    bootstrap_servers => "3.1.101.33:9092,3.1.101.34:9092,3.1.101.35:9092"
    consumer_threads => 4
    decorate_events => true
    group_id => "kafka-nginx-error"
    add_field => {"logstash-server" => "3.1.101.33"}
    enable_metric => true
   }
}

filter {
    json {
      source => "message"
    }

    grok {
      match => [
        "message", "%{DATESTAMP:currentDateTime}\s{1,}\[%{LOGLEVEL:level}\]\s{1,}(%{NUMBER:pid:int}#%{NUMBER}:\s{1,}\*%{NUMBER})\s{1,}(%{GREEDYDATA:messageInfo})(?:,\s{1,}client:\s{1,}(?<client>%{IP}|%{HOSTNAME}))(?:,\s{1,}server:\s{1,}%{IPORHOST:server})(?:, request: %{QS:request})?(?:, upstream: \"%{URI:endpoint}\")?(?:, host: \"%{HOSTPORT:host}\")?(?:, referrer: \"%{URI:referrer}\")?",
        "message", "%{DATESTAMP:currentDateTime}\s{1,}\[%{DATA:level}\]\s{1,}%{GREEDYDATA:messageInfo}"]
    }

    date{
      match => ["currentDateTime", "yy/MM/dd HH:mm:ss", "ISO8601"]
      timezone => "+08:00"
      target => "@timestamp"
    }

    mutate{
      enable_metric => "false"
      remove_field => [ "ecs","tags","input","agent","@version","log","port","host","message" ]
    }
}

output {
        elasticsearch {
        hosts => ["3.1.101.33:9200","3.1.101.34:9200","3.1.101.35:9200"]
        index => "logstash-nginx-error_%{+YYY-MM-dd}"
        sniffing => true
        template_overwrite => true
    }
}

配置解析:

json插件: 将message中所有字段信息提取到顶级目录, 包括filebeat中定义的字段
grok插件: 做了一个match匹配列表, 来适应nginx错误日志的多种情况
date: 
match: 将提取的currentDateTime时间转换为ISO8601
timezone: 调整时区, 到kibana里会加8小时
target: 将currentDateTime时间覆盖@timestamp时间戳
mutate: 
enable_metric: 关闭指标
remove_field: 删除无用字段

过滤结果

JAVA

{
"_index": "index-ccms-dev_2022-05-31",
"_type": "_doc",
"_id": "MliXF4EBEBn_sZq0n-NG",
"_version": 1,
"_score": 1,
"_source": {
    "class": "cn.git.collateral.manage.CollateralEsbApiImpl",
    "kafka_topic": "topic-ccms-dev",
    "logstash-server": "3.1.101.33",
    "level": "ERROR",
    "location": "CollateralEsbApiImpl.java,44,cn.git.collateral.manage.CollateralEsbApiImpl,esbOptionServer$original$rX5ytHc4",
    "@timestamp": "2022-05-31T00:50:14.741Z",
    "filebeat-server": "3.1.101.56",
    "hostIp": "3.1.101.56",
    "traceInfo": "TID: 97353afd28624015baa3f69c98ef23a7.93.16539582147090015",
    "hostName": "ccms-test-18",
    "currentDateTime": "2022-05-31T08:50:14.741+08:00",
    "throwable": "''",
    "messageInfo": "esb服务调用COLLATERAL模块异常,错误信息[nested exception is org.apache.ibatis.type.TypeException: Could not set parameters for mapping: ParameterMapping{property='colTpCd', mode=IN, javaType=class java.lang.Object, jdbcType=null, numericScale=null, resultMapId='null', jdbcTypeName='null', expression='null'}. Cause: org.apache.ibatis.type.TypeException: Error setting null for parameter #1 with JdbcType OTHER . Try setting a different JdbcType for this parameter or a different jdbcTypeForNull configuration property. Cause: java.sql.SQLException: 无效的列类型: 1111]",
    "applicationName": "collateral-server"
    }
}

NGINX

access

{
"_index": "logstash-nginx-access_2022-05-30",
"_type": "_doc",
"_id": "Q1RpEoEBEBn_sZq0ngYQ",
"_version": 1,
"_score": 1,
"_source": {
    "file_dir": "/opt/ccms-auto-deploy/front-bank-credit/static/js/app.eef69865.js",
    "log": {
        "offset": 2433145,
        "file": {
        "path": "/data/openresty-vts/nginx/logs/ccms-credit-access.log"
    }
    },
    "upstreamhost": "",
    "request_body": "",
    "logstash-server": "3.1.101.33",
    "geoip": {
    "postal_code": "98109",
    "region_name": "Washington",
    "location": {
        "lat": 47.6348,
        "lon": -122.3451
    },
    "city_name": "Seattle",
    "coordinates": [
        -122.3451
        ,
        47.6348
    ],
    "country_name": "United States",
    "ip": "3.2.26.243"
    },
    "referer": "http://3.1.101.57:8901/",
    "protocol": "HTTP/1.1",
    "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.62 Safari/537.36",
    "request_length": "448",
    "client_ip": "3.2.26.243",
    "server_ip": "3.1.101.57",
    "domain": "3.1.101.57",
    "kafka_topic": "topic-nginx-access",
    "url": "/static/js/app.eef69865.js",
    "@timestamp": "2022-05-30T00:41:56.000Z",
    "request_method": "GET",
    "status": 304,
    "responsetime": 0,
    "xff": "",
    "args": "",
    "upstreamtime": 0,
    "size": 0,
    "ua": {
        "name": "Chrome",
        "os_name": "Windows",
        "device": "Other",
        "os": "Windows"
    }
    }
}

error

{
"_index": "logstash-nginx-error_2022-05-30",
"_type": "_doc",
"_id": "d_vBE4EBA-RkhKPLS3nJ",
"_version": 1,
"_score": 1,
"_source": {
    "logstash-server": "3.1.101.34",
    "request": ""GET /sysmanage/manage/organization/tree HTTP/1.1"",
    "@timestamp": "2022-05-30T06:57:23.485Z",
    "messageInfo": "an upstream response is buffered to a temporary file /usr/local/openresty/nginx/proxy_temp/3/14/0000000143 while reading upstream",
    "kafka_topic": "topic-nginx-error",
    "level": "warn",
    "referrer": "http://3.1.101.57:8901/",
    "client": "3.2.26.91",
    "filebeat-server": "3.1.101.55",
    "pid": 13,
    "currentDateTime": "2022/05/28 09:57:46",
    "endpoint": "http://3.1.101.56:11102/manage/organization/tree",
    "server": "3.1.101.57"
    }
}
WAIT_TIME
关注
专栏目录
ELK 过滤器设置
chedan666的博客
08-15 810
2 插件配置 2.3 过滤器配置 2.3.1 date事件处理 @timestamp * ISO8601 * UNIX * UNIX_MS * TAI64N * Joda-Time 库 尽量统一使用UTC时间,存成long长整型数据,否则时区问题会很头疼 2.3.2 grok 正则捕获 grop 调试工具网址:http://grokdebug.herokuapp....
ELK 企业级日志分析系统及Logstash过滤模块
weixin_47622405的博客
12-09 1044
Linux
ELK filter过滤器来收集Nginx日志
weixin_34291004的博客
03-23 234
前面已经有ELK-Redis的安装,此处只讲在不改变日志格式的情况下收集Nginx日志. 1.Nginx端的日志格式设置如下: log_format access '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' ...
nginx访问日志过滤
qq_34953582的博客
09-12 596
nginx访问日志过滤
ELK使用filter收集nginx日志-07
weixin_34199405的博客
04-11 306
修改nginx日志格式 log_format hanye '$proxy_add_x_forwarded_for $remote_user [$time_local] "$request" $http_host' '[$body_bytes_sent] $request_body "$http_referer" "$http_user_agent" [$ssl_protocol] ...
elk(都是6.2.4重点-版本2-收集nginx日志-无filebeat
07-09
在这个场景中,我们将搭建 ELK Stack 6.2.4 版本,特别关注如何在没有 Filebeat 的情况下,通过 Logstash 直接收集 Nginx 日志,并利用 Redis 作为中间缓存,最终将日志数据写入 Elasticsearch 分析和绘图。...
elk(都是6.2.4重点-版本2-收集nginx日志-用filebeat
07-09
ELK Stack与Nginx日志收集】 ELK Stack,即Elasticsearch、Logstash、Kibana的组合,是一种流行的日志管理和分析工具。在这个场景中,我们使用的是ELK Stack的6.2.4版本,目的是为了收集Nginx服务器的日志并进行...
linux平台centos7系统 - ELK+logback+kafka+nginx 搭建分布式日志分析平台.doc
03-23
ELK栈(Elasticsearch、Logstash、Kibana)正是解决这一需求的开源解决方案,尤其适用于Java和其他开发语言的日志集成。本文将详细阐述如何在CentOS7系统上利用ELK、logback、kafka和nginx搭建分布式日志分析平台。 ...
ELK日志收集
Stephencurr的博客
01-09 5607
目录前言一、ELK 日志分析系统1. ELK 简介2. 组件说明2.1 ElasticSearch2.2 Logstash2.3 Kibana2.4 Filebeat3. 完整日志系统的基本特征4. ELK的工作原理二、部署 ELK 日志分析系统1. 服务器配置2. 关闭防火墙3. ElasticSearch集群部署(node1、node2)3.1 环境准备3.2 部署 ElasticSearch 软件3.2.1 安装 elasticsearch-rpm 包3.2.2 加载系统服务3.2.3 修改 elas
利用 ELK系统分析Nginx日志并对数据进行可视化展示
王树伦的博客
12-10 1588
一、写在前面   这篇文章介绍的是单独监控nginx 日志分析再进行可视化图形展示,并在用户前端使用nginx 来代理kibana的请求响应,访问权限方面暂时使用HTTP 基本认证加密用户登录。(关于elk权限控制,我所了解的还有一种方式-Shield),等以后有时间了去搞下。下面开始正文吧。。。   注意:环境默认和上一篇大致一样,默认安装好了E、L、K、3个软件即可。当然了,还有必需的ja...
日志查询系统
03-13
日志查询系统框架,使用js完成基本的操作功能
Ubuntu18.04+ELK架构(实现日志收集、过滤、可视化展现)
ksfbvv的博客
06-19 739
Ubuntu18.04+ELK架构(实现日志收集、过滤、可视化)
ELK日志分析系统
Liqi23的博客
12-11 2188
比如,你可以拥有某一个客户的文档,某一个产品的一个文档,当然,也可以拥有某个订单的一个文档。7、可视化多数据源。一个类型是你的索引的一个逻辑上的分类/分区,其语义完全由你来定。Elasticsearch是个开源分布式搜索引擎,它的特点有:分布式,零配置,自动发现,索引自动分片,索引副本(replicat)机制,restful风格接口,多数据源,自动搜索负载等。一个索引由一个名字来标识(必须全部是小写字母的),并且当我们要对对应于这个索引中的文档进行索引、搜索、更新和删除的时候,都要使用到这个名字。
ELK日志分析系统(2)--logstash文件输出、日志服务器伪装、多行过滤插件、grok过滤插件
但行好事
05-29 457
文章目录一、logstash文件输出二、logstash伪装成日志服务器1. Syslog输入插件的使用2.远程日志同步三、多行过滤插件1.示例2.采集完整日志信息查看目标文件信息指定匹配规则四、grok过滤插件1.内核参数优化2.grok过滤安装httpd,编辑测试页面做负载,产生日志grok过滤示例编辑apache.conf文件,并进行logstash日志采集试验 一、logstash文件输出 logstash在采集数据完成后会把进度保存到sincedb文件中,假如我们选择将数据输出到elastic中
ELK - Logstash - 过滤日志输出
chuckchen1222的博客
12-28 2603
通过Filebeat + ELK 可以部署一个日志过滤的程序。 可以将过滤出来的日志记录保存到任何地方,做保存、计算等用途。   实验开始了!我们过滤错误日志,再输出 ============================================================================== 日志格式: 2018-12-27 21:48:50...
ELK(Elasticsearch+Logstash+Kibana)日志分析系统
最新发布
十七拾的博客
04-11 5161
本文主要介绍了ELK日志文件系统的概念和部署过程,详细阐释了Elasticsearch、Logstash、Kibana三个开源的日志收集、存储、检索和可视化的工具
ELFK日志分析系统并使用Filter对日志数据进行处理
ll945608651的博客
05-29 1303
Filebeat是用于转发和集中日志数据的轻量级传送工具。Filebeat监视您指定的日志文件或位置,收集日志事件,并将它们转发到Elasticsearch或 Logstash进行索引。
elk环境构建及其应用日志收集
完颜振江
01-20 1405
elk环境构建及其应用日志收集
ELK+Wazuh搭建笔记
chensheng9055的博客
04-02 2082
本文借鉴https://www.cnblogs.com/backlion/p/10394369.html,在此谢谢大佬指明方向!! 本人又总结了wazuh界面上opencat,Vulnerabilities的后台配置情况,以及agent版本升级情况, 系统为:Centos7 建议搭...
详述ELK实时日志分析系统搭建步骤
文档还列出了在搭建过程中可能遇到的错误,如Master节点的HTTP页面映射问题、Kibana服务启动失败、SSL证书错误等,并提供了基本的排错逻辑,包括查看日志和解决中英文字符问题。 总体来说,ELK系统的搭建是一个涉及...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值