I. Collecting nginx logs with ELK

1. Have the ELK stack (Elasticsearch, Logstash, Kibana) running. In this page Elasticsearch runs on 192.168.240.11 and 192.168.240.12, and Logstash and Kibana on 192.168.240.13.
2. Turn off the firewall and SELinux

```bash
systemctl stop firewalld
setenforce 0
```

This is acceptable on a lab host only. On anything real, keep SELinux enforcing and open just the ports the stack uses (80 for nginx, 5044 for the Beats input, 9200 for Elasticsearch, 5601 for Kibana) instead of disabling firewalld.
3. Install nginx

```bash
[root@localhost ~]# yum install epel-release.noarch -y
[root@localhost ~]# yum install nginx -y
```
4. Modify the configuration file

Change the nginx access log format to JSON so Logstash can decode each line directly, without a grok pattern:

```nginx
[root@localhost ~]# vim /etc/nginx/nginx.conf
http {
    # add inside the http block. escape=json (nginx 1.11.8+) makes nginx write
    # JSON-legal escapes. With the default escaping a double quote in $uri,
    # $http_referer or $http_x_forwarded_for is logged as \x22, which is not
    # valid JSON: the line fails to parse and a client can keep its own
    # requests out of the index simply by sending a quote in a header.
    log_format access_json escape=json '{"@timestamp":"$time_iso8601",'
        '"host":"$server_addr",'
        '"clientip":"$remote_addr",'
        '"size":$body_bytes_sent,'
        '"responsetime":$request_time,'
        '"upstreamtime":"$upstream_response_time",'
        '"upstreamhost":"$upstream_addr",'
        '"http_host":"$host",'
        '"url":"$uri",'
        '"domain":"$host",'
        '"xff":"$http_x_forwarded_for",'
        '"referer":"$http_referer",'
        '"status":"$status"}';
    access_log /var/log/nginx/access.log access_json;   # replaces the default "main" log format
}
```

Check the file with `nginx -t` before restarting:

```bash
systemctl restart nginx
```
5. Add the Logstash configuration file

```conf
[root@localhost ~]# vim /etc/logstash/conf.d/nginx-log.conf
input {
  file {
    path => "/var/log/nginx/access.log"
    type => "nginx"
    start_position => "beginning"   # read the existing file from the top on first run
    stat_interval => "3"            # check the file for new data every 3 seconds
    codec => "json"                 # one JSON object per line; unparseable lines are tagged _jsonparsefailure
  }
}
output {
  elasticsearch {
    hosts => ["192.168.240.11:9200", "192.168.240.12:9200"]
    index => "nginx-%{+YYYY.MM.dd}"   # one index per UTC day of the event @timestamp
  }
}
```
6. Run the pipeline with this configuration

```bash
logstash -f /etc/logstash/conf.d/nginx-log.conf
```
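The following is an added example, not code from the original page: a small Python consumer for the access_json format defined in step 4. It parses constructed sample lines (the IPs, paths and timestamps are made up), reports the lines Logstash's json codec would tag _jsonparsefailure, shows why the last sample line fails when the format lacks escape=json and how to repair such lines after the fact, and runs one simple detection (clients with repeated 404s) over the result. Function names, the REQUIRED field set and the threshold are my own choices; the field names come from the log_format above.

```python
"""Added example (not from the original page): parse the nginx access_json
format above and show why escape=json matters."""
import json
import re
from collections import Counter

# Constructed sample in the access_json format (not a real capture). The last
# line is what nginx emits with its *default* escaping when the client sends a
# Referer containing a double quote: the quote becomes \x22, which is not a
# legal JSON escape, so the line is unparseable and that request never reaches
# the index. With escape=json nginx writes \" instead and the line parses.
SAMPLE_LOG = r'''{"@timestamp":"2024-07-17T10:00:01+08:00","host":"192.168.240.13","clientip":"203.0.113.5","size":612,"responsetime":0.003,"upstreamtime":"-","upstreamhost":"-","http_host":"www.example.com","url":"/index.html","domain":"www.example.com","xff":"-","referer":"-","status":"200"}
{"@timestamp":"2024-07-17T10:00:02+08:00","host":"192.168.240.13","clientip":"203.0.113.5","size":153,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.example.com","url":"/admin.php","domain":"www.example.com","xff":"-","referer":"-","status":"404"}
{"@timestamp":"2024-07-17T10:00:03+08:00","host":"192.168.240.13","clientip":"203.0.113.5","size":153,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.example.com","url":"/.env","domain":"www.example.com","xff":"-","referer":"-","status":"404"}
{"@timestamp":"2024-07-17T10:00:04+08:00","host":"192.168.240.13","clientip":"198.51.100.7","size":153,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.example.com","url":"/wp-login.php","domain":"www.example.com","xff":"-","referer":"\x22 OR 1=1","status":"404"}
'''

# Fields every event must carry before it is worth indexing (my own choice).
REQUIRED = {"@timestamp", "clientip", "url", "status"}
_DEFAULT_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def repair_default_escaping(line: str) -> str:
    """Rewrite nginx's default \\xHH escapes as JSON \\u00HH escapes.

    Only safe for lines produced by escape=default: there a backslash itself
    is always written as \\x5C, so a bare "\\x" can never be a literal."""
    return _DEFAULT_ESCAPE.sub(lambda m: "\\u00" + m.group(1), line)


def parse_access_log(text: str, repair: bool = False):
    """Return (events, failures). Each event is the decoded dict with status
    as an int; each failure is (line_number, reason), the lines Logstash's
    json codec would tag _jsonparsefailure."""
    events, failures = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if repair:
            line = repair_default_escaping(line)
        try:
            ev = json.loads(line)
        except json.JSONDecodeError as e:
            failures.append((n, str(e)))
            continue
        missing = REQUIRED - set(ev)
        if missing:
            failures.append((n, "missing fields: " + ",".join(sorted(missing))))
            continue
        ev["status"] = int(ev["status"])  # the log_format quotes $status
        events.append(ev)
    return events, failures


def clients_over_404_threshold(events, threshold: int = 2):
    """Simple detection over parsed events: clients with at least `threshold`
    404 responses, the footprint of a path scanner."""
    counts = Counter(e["clientip"] for e in events if e["status"] == 404)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events, failures = parse_access_log(SAMPLE_LOG)
    print(len(events), "events;", len(failures), "unparseable:", failures)
    events, failures = parse_access_log(SAMPLE_LOG, repair=True)
    print(len(events), "events after repairing default escaping")
    print("scanners:", clients_over_404_threshold(events))
```

The repair step exists only for logs written before escape=json was added to the format; with the corrected log_format every line parses on the first pass and the attacker's quote is preserved as data rather than breaking the record.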
II. Collecting Tomcat logs

1. Install the Tomcat service

```bash
#!/bin/bash
# Install the JDK from the local RPM
install_jdk () {
    if [ -e jdk-8u201-linux-x64.rpm ]; then
        rpm -ivh jdk-8u201-linux-x64.rpm &> /dev/null
        if [ $? -eq 0 ]; then
            echo -e "\E[1;32m JDK installed successfully \E[0m"
        else
            echo -e "\E[1;31m JDK installation failed \E[0m"
        fi
    else
        echo "JDK package not found"
    fi
}

# Append the Java environment variables to /etc/profile
bl () {
    echo "
export JAVA_HOME=/usr/java/jdk1.8.0_201-amd64
export CLASSPATH=\$JAVA_HOME/lib/tools.jar:\$JAVA_HOME/lib/dt.jar
export PATH=\$JAVA_HOME/bin:\$PATH" >> /etc/profile
    source /etc/profile
}

install_jdk
bl
java -version

if [ -e apache-tomcat-9.0.16.tar.gz ]; then
    tar zxvf apache-tomcat-9.0.16.tar.gz &>/dev/null
    cp -r apache-tomcat-9.0.16 /usr/local/tomcat
    # run Tomcat as an unprivileged user that cannot log in
    useradd -s /sbin/nologin tomcat
    chown tomcat:tomcat /usr/local/tomcat/ -R
    cat > /usr/lib/systemd/system/tomcat.service <<EOF
[Unit]
Description=Tomcat
After=syslog.target network.target

[Service]
Type=forking
ExecStart=/usr/local/tomcat/bin/startup.sh
ExecStop=/usr/local/tomcat/bin/shutdown.sh
RestartSec=3
PrivateTmp=true
User=tomcat
Group=tomcat

[Install]
WantedBy=multi-user.target
EOF
    systemctl daemon-reload
    systemctl start tomcat
    if systemctl status tomcat &>/dev/null; then
        echo -e "\E[1;32m Tomcat started successfully \E[0m"
    else
        echo -e "\E[1;31m Tomcat failed to start \E[0m"
    fi
else
    echo "Tomcat package not found"
fi
ln -s /usr/local/tomcat/bin/* /usr/bin
```
2. Modify the Tomcat configuration file

server.xml is XML, so the double quotes inside the pattern attribute must be written as &quot; or Tomcat refuses to parse the file. The Valve belongs inside the <Host> element; the stock server.xml already contains an AccessLogValve there, so replace that one rather than appending at the end of the file.

[root@localhost data]# vim /usr/local/tomcat/conf/server.xml

```xml
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="tomcat_access_log" suffix=".log"
       pattern="{&quot;clientip&quot;:&quot;%h&quot;,&quot;ClientUser&quot;:&quot;%l&quot;,&quot;authenticated&quot;:&quot;%u&quot;,&quot;AccessTime&quot;:&quot;%t&quot;,&quot;method&quot;:&quot;%r&quot;,&quot;status&quot;:&quot;%s&quot;,&quot;SendBytes&quot;:&quot;%b&quot;,&quot;Query?string&quot;:&quot;%q&quot;,&quot;partner&quot;:&quot;%{Referer}i&quot;,&quot;AgentVersion&quot;:&quot;%{User-Agent}i&quot;}"/>
```

directory="logs" (the output directory) can be left as it is; prefix makes the file name start with tomcat_access_log and suffix makes it end in .log, so Tomcat writes tomcat_access_log.YYYY-MM-DD.log. Two details of this pattern matter later: %r is the whole request line ("GET /path HTTP/1.1"), not only the method, and %t is the bracketed Common Log Format time, not ISO 8601. The Valve does no JSON escaping, so a client that puts a double quote in its Referer or User-Agent produces a line that Logstash's json codec cannot parse; such lines are tagged _jsonparsefailure instead of being indexed as structured events.
3. Restart Tomcat (`systemctl restart tomcat`) so the new access log file is created, then watch it:

```bash
tail -f /usr/local/tomcat/logs/tomcat_access_log.2024-07-17.log
```
4. Write the Logstash configuration file for the Tomcat log

```conf
[root@localhost ~]# vim /etc/logstash/conf.d/tomcat.conf
input {
  file {
    path => "/usr/local/tomcat/logs/tomcat_access_log.*.log"   # one file per day, hence the glob
    type => "tomcat"
    start_position => "beginning"
    stat_interval => "3"
    codec => "json"
  }
}
output {
  elasticsearch {
    hosts => ["192.168.240.11:9200", "192.168.240.12:9200"]
    index => "tomcat-log-%{+YYYY.MM.dd}"
  }
}
```
5. Make the Tomcat log files readable and run the pipeline

```bash
chmod +r /usr/local/tomcat/logs/*
logstash -f /etc/logstash/conf.d/tomcat.conf
```

Tomcat's catalina.sh starts the JVM with a umask of 0027, so each day's new access log is created mode 640 (owner tomcat, group tomcat): the chmod above only covers the files that exist right now, and it also makes the access logs, client IPs and query strings included, readable to every local user. If Logstash runs as its own service user rather than as root, the durable fix is to add that user to the tomcat group (`usermod -aG tomcat logstash`) and leave the file modes alone.
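An added example, not from the original page: Python that turns lines produced by the Valve pattern above into the field names of the nginx access_json format, so both log sources can share one set of dashboards and rules, and that flags the Tomcat Manager brute-force pattern (repeated 401s followed by a 200 from the same client). The sample lines are constructed to match the pattern; the target field names, the /manager path check and the failure threshold are my own choices.

```python
"""Added example (not from the original page): normalize Tomcat
AccessLogValve JSON lines to the nginx access_json field names and run one
detection over them."""
import json
from collections import Counter
from datetime import datetime

# Constructed output of the AccessLogValve pattern above (not a real capture):
# three requests to the Manager app from one client, the third authenticated,
# then an ordinary login redirect with a query string and an empty body (%b = "-").
SAMPLE_TOMCAT_LOG = '''{"clientip":"203.0.113.5","ClientUser":"-","authenticated":"-","AccessTime":"[17/Jul/2024:10:05:01 +0800]","method":"GET /manager/html HTTP/1.1","status":"401","SendBytes":"2473","Query?string":"","partner":"-","AgentVersion":"curl/8.4.0"}
{"clientip":"203.0.113.5","ClientUser":"-","authenticated":"-","AccessTime":"[17/Jul/2024:10:05:02 +0800]","method":"GET /manager/html HTTP/1.1","status":"401","SendBytes":"2473","Query?string":"","partner":"-","AgentVersion":"curl/8.4.0"}
{"clientip":"203.0.113.5","ClientUser":"-","authenticated":"admin","AccessTime":"[17/Jul/2024:10:05:03 +0800]","method":"GET /manager/html HTTP/1.1","status":"200","SendBytes":"15837","Query?string":"","partner":"-","AgentVersion":"curl/8.4.0"}
{"clientip":"198.51.100.7","ClientUser":"-","authenticated":"-","AccessTime":"[17/Jul/2024:10:06:00 +0800]","method":"POST /app/login HTTP/1.1","status":"302","SendBytes":"-","Query?string":"?next=/app/","partner":"http://www.example.com/","AgentVersion":"Mozilla/5.0"}
'''


def normalize(raw: dict) -> dict:
    """Map one AccessLogValve event onto the nginx access_json field names.

    %r is the whole request line, not just the method; %t is CLF time in
    brackets, not ISO 8601; %b is "-" for an empty body; %q keeps its "?"."""
    parts = raw["method"].split(" ")
    method = parts[0]
    protocol = parts[-1] if len(parts) >= 3 else ""          # HTTP/0.9 lines have no protocol
    uri = " ".join(parts[1:-1]) if len(parts) >= 3 else " ".join(parts[1:])
    ts = datetime.strptime(raw["AccessTime"].strip("[]"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "@timestamp": ts.isoformat(),
        "clientip": raw["clientip"],
        "user": raw["authenticated"],
        "method": method,
        "url": uri,
        "protocol": protocol,
        "query": raw["Query?string"].lstrip("?"),
        "status": int(raw["status"]),
        "size": 0 if raw["SendBytes"] == "-" else int(raw["SendBytes"]),
        "referer": raw["partner"],
        "user_agent": raw["AgentVersion"],
    }


def parse_tomcat_log(text: str):
    """Return (events, failures). Failures are (line_number, reason) for lines
    the json codec would tag _jsonparsefailure, e.g. a User-Agent containing
    a double quote, which the Valve pattern does not escape."""
    events, failures = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            events.append(normalize(json.loads(line)))
        except (ValueError, KeyError) as e:          # JSONDecodeError is a ValueError
            failures.append((n, f"{type(e).__name__}: {e}"))
    return events, failures


def manager_bruteforce_then_success(events, min_failures: int = 2):
    """Flag clients that collected at least `min_failures` 401s on /manager/*
    and then got a 200 there: the signature of a guessed Manager password.
    Events are processed in file order, i.e. chronologically."""
    failures = Counter()
    alerts = []
    for e in events:
        if not e["url"].startswith("/manager"):
            continue
        if e["status"] == 401:
            failures[e["clientip"]] += 1
        elif e["status"] == 200 and failures[e["clientip"]] >= min_failures:
            alerts.append((e["clientip"], e["user"], failures[e["clientip"]], e["@timestamp"]))
    return alerts


if __name__ == "__main__":
    events, failures = parse_tomcat_log(SAMPLE_TOMCAT_LOG)
    print(len(events), "events;", len(failures), "unparseable")
    print("manager compromise:", manager_bruteforce_then_success(events))
```

In a real pipeline this normalisation is what a Logstash `date` filter and a `mutate`/`grok` on the request line would do; doing it once, before indexing, is what lets a single rule cover both the nginx-* and tomcat-log-* indices.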
III. Filebeat

Filebeat is a lightweight open-source log shipper. It is installed on the hosts whose logs need to be collected and told which directories and log formats to read; it then ships the data to Logstash for parsing, or straight to Elasticsearch for storage. Because it does not run on a JVM it needs far less CPU and memory than Logstash, so it replaces Logstash as the per-host collector (Logstash stays in the middle as the parser). This is the EFLK architecture.

Combining Filebeat with Logstash brings the following benefits: 1) Logstash has a disk-based adaptive buffer that absorbs incoming bursts and relieves the pressure of continuously writing to Elasticsearch; 2) it can pull from other data sources (databases, S3 object storage, message queues); 3) it can send data to multiple destinations, such as S3, HDFS (the Hadoop Distributed File System) or plain files; 4) conditional data-flow logic lets you compose more complex processing pipelines.

● Cache / message queue (Redis, Kafka, RabbitMQ, etc.): smooths peaks in high-volume log traffic and buffers it, which protects against data loss to some degree and decouples the components of the architecture.
Filebeat + ELK deployment

1. Install Filebeat

```bash
# upload filebeat-6.7.2-linux-x86_64.tar.gz to /opt
tar zxvf filebeat-6.7.2-linux-x86_64.tar.gz
mv filebeat-6.7.2-linux-x86_64/ /usr/local/filebeat
```
2. Modify the configuration file

```bash
[root@apache opt]# cd /usr/local/filebeat/
[root@apache filebeat]# vim filebeat.yml
```

```yaml
filebeat.inputs:
- type: log                         # read messages from log files
  enabled: true                     # must be the boolean true
  paths:
    - /var/log/nginx/access.log     # the nginx JSON access log from Part I
  tags: ["filebeat"]                # index tag
  fields:                           # extra fields added to every event sent to the output
    service_name: nginx
    log_type: access
    from: 192.168.240.13
- type: log
  enabled: true
  paths:
    - /var/log/messages             # log files to monitor
    - /var/log/*.log
  tags: ["sys"]                     # tags and fields must be indented identically (YAML), otherwise Filebeat will not start
  fields:
    service_name: filebeat
    log_type: syslog
    from: 192.168.240.13

# ---------------- Elasticsearch output ----------------
# comment out the whole section
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]

# ---------------- Logstash output ---------------------
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.240.13:5044"]    # Logstash IP and Beats port
```
3. Start Filebeat with this configuration

```bash
nohup ./filebeat -e -c filebeat.yml > filebeat.out 2>&1 &
# -e: log to stderr instead of syslog/files (hence the 2>&1; without it the log never reaches filebeat.out)
# -c: configuration file to use
# nohup: keep the process running after the terminal exits
```
4. Connect it to Logstash

```conf
[root@apache ~]# cd /etc/logstash/conf.d
[root@apache conf.d]# vim filebeat.conf
input {
  beats {
    port => 5044                  # listens on every interface, unencrypted and unauthenticated
  }
}
output {
  elasticsearch {
    hosts => ["192.168.240.11:9200", "192.168.240.12:9200"]
    index => "system-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }   # echo every event to the console; remove once the pipeline works
}
```

Check the syntax, then start Logstash:

```bash
logstash -f filebeat.conf -t    # -t: test the configuration and exit
logstash -f filebeat.conf
```

Then open http://192.168.240.13:5601 in a browser and log in to Kibana.

Two things to fix before using this beyond a lab. First, everything Filebeat sends, nginx access lines and syslog alike, lands in the same system-* index with the nginx JSON still sitting undecoded in the message field; a conditional on [fields][service_name] together with a json filter (source => "message") routes each source to its own index and gives the nginx events their fields. Second, the beats input accepts any client on 5044 in clear text; the beats input supports ssl => true with ssl_certificate and ssl_key (and ssl_certificate_authorities plus ssl_verify_mode for client certificates), and filebeat.yml has the matching ssl.certificate_authorities, ssl.certificate and ssl.key settings under output.logstash.
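An added example, not part of the original page, that does in Python what a Logstash `if [fields][service_name] == "nginx"` conditional with a `json { source => "message" }` filter would do to the events Filebeat sends: decode the nginx JSON out of `message`, leave syslog lines alone, keep unparseable nginx lines (tagged) instead of dropping them, and derive the daily index name from the event's own @timestamp in UTC, which is what `%{+YYYY.MM.dd}` does. The Beats events are constructed with only the fields the routing needs; the index prefixes follow this page.

```python
"""Added example (not from the original page): route Beats events the way a
Logstash conditional + json filter would, with per-day UTC index names."""
import json
from datetime import datetime, timezone

# Constructed Beats events as the beats input hands them to the pipeline
# (only the fields the routing needs; real events carry more).
BEATS_EVENTS = [
    {   # nginx access line in the access_json format, shipped by Filebeat
        "@timestamp": "2024-07-17T02:00:01.000Z",
        "message": '{"@timestamp":"2024-07-17T10:00:01+08:00","clientip":"203.0.113.5","url":"/index.html","status":"200"}',
        "tags": ["filebeat"],
        "fields": {"service_name": "nginx", "log_type": "access", "from": "192.168.240.13"},
    },
    {   # same source, written shortly after midnight local time (UTC+8)
        "@timestamp": "2024-07-17T17:30:00.000Z",
        "message": '{"@timestamp":"2024-07-18T01:30:00+08:00","clientip":"203.0.113.5","url":"/.git/config","status":"404"}',
        "tags": ["filebeat"],
        "fields": {"service_name": "nginx", "log_type": "access", "from": "192.168.240.13"},
    },
    {   # a syslog line from /var/log/messages
        "@timestamp": "2024-07-17T02:00:02.000Z",
        "message": "Jul 17 10:00:02 apache sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2",
        "tags": ["sys"],
        "fields": {"service_name": "filebeat", "log_type": "syslog", "from": "192.168.240.13"},
    },
    {   # nginx line that is not valid JSON (default escaping wrote \x22 for a quote)
        "@timestamp": "2024-07-17T02:00:03.000Z",
        "message": '{"@timestamp":"2024-07-17T10:00:03+08:00","clientip":"198.51.100.7","url":"/","referer":"\\x22","status":"200"}',
        "tags": ["filebeat"],
        "fields": {"service_name": "nginx", "log_type": "access", "from": "192.168.240.13"},
    },
]


def daily_index(prefix: str, ts_iso: str) -> str:
    """Build prefix-YYYY.MM.dd from an ISO 8601 timestamp, in UTC: Logstash's
    %{+YYYY.MM.dd} uses the event @timestamp in UTC, so a local time just after
    midnight in UTC+8 still lands in the previous day's index."""
    ts = datetime.fromisoformat(ts_iso.replace("Z", "+00:00"))
    return f"{prefix}-{ts.astimezone(timezone.utc):%Y.%m.%d}"


def route(event: dict):
    """Return (index_name, document) for one Beats event."""
    doc = dict(event)
    fields = event.get("fields", {})
    if fields.get("service_name") == "nginx" and fields.get("log_type") == "access":
        try:
            decoded = json.loads(event["message"])
        except json.JSONDecodeError:
            # keep the raw line, tagged, rather than silently losing the request
            doc["tags"] = list(event.get("tags", [])) + ["_jsonparsefailure"]
            return daily_index("nginx", event["@timestamp"]), doc
        doc.update(decoded)          # nginx's own @timestamp replaces Filebeat's read time
        del doc["message"]
        return daily_index("nginx", doc["@timestamp"]), doc
    return daily_index("system", event["@timestamp"]), doc  # syslog and anything else


def route_all(events):
    """Group documents by the index they would be written to."""
    out = {}
    for ev in events:
        idx, doc = route(ev)
        out.setdefault(idx, []).append(doc)
    return out


if __name__ == "__main__":
    for idx, docs in route_all(BEATS_EVENTS).items():
        print(idx, len(docs), "documents")
```

The index-date rule is the part people get wrong when they search for "yesterday's" events in Kibana: the second sample event has a local timestamp of 18 July but is stored in nginx-2024.07.17, because index names follow UTC while Kibana displays the browser's time zone.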