部署
新建一台虚拟机elk4部署logstash
[root@elk4 ~]# yum install -y jdk-11.0.15_linux-x64_bin.rpm
[root@elk4 ~]# yum install -y logstash-7.6.1.rpm
命令方式
[root@elk4 bin]# /usr/share/logstash/bin/logstash -e 'input { stdin { } } output { stdout {} }'
elasticsearch输出插件
[root@elk4 conf.d]# pwd
[root@elk4 conf.d]# vim test.conf
input {
stdin { }
}
output {
stdout {}
elasticsearch {
hosts => "192.168.92.31:9200"
index => "logstash-%{+YYYY.MM.dd}"
}
}
[root@elk4 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
启动成功后录入数据,ctrl+c退出
elasticsearch-head插件
安装依赖
[root@k8s1 ~]# yum install -y bzip2
[root@k8s1 ~]# tar jxf phantomjs-2.1.1-linux-x86_64.tar.bz2
[root@k8s1 ~]# cd phantomjs-2.1.1-linux-x86_64
[root@k8s1 phantomjs-2.1.1-linux-x86_64]# cp bin/phantomjs /usr/local/bin/
[root@k8s1 ~]# yum install -y fontconfig
[root@k8s1 ~]# phantomjs
安装插件
[root@k8s1 ~]# rpm -ivh nodejs-9.11.2-1nodesource.x86_64.rpm
[root@k8s1 ~]# yum install -y unzip
[root@k8s1 ~]# unzip elasticsearch-head-master.zip
[root@k8s1 ~]# cd elasticsearch-head-master/
[root@k8s1 elasticsearch-head-master]# npm install --registry=https://registry.npm.taobao.org
[root@k8s1 elasticsearch-head-master]# vim _site/app.js
启动服务
[root@k8s1 elasticsearch-head-master]# npm run start &
[root@k8s1 elasticsearch-head-master]# netstat -antlp|grep :9100
修改es配置
[root@elk1 ~]# vim /etc/elasticsearch/elasticsearch.yml
http.cors.enabled: true
http.cors.allow-origin: "*"
[root@elk1 ~]# systemctl restart elasticsearch.service
访问:192.168.92.11:9100
file输入插件
[root@elk4 conf.d]# vim es.conf
input {
#file {
# path => "/var/log/messages"
# start_position => "beginning"
# }
syslog {}
}
output {
stdout {}
elasticsearch {
hosts => "192.168.92.31:9200"
index => "rsyslog-%{+YYYY.MM.dd}"
}
}
[root@elk4 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
.sincedb文件保存文件读取进度,避免数据冗余读取
[root@elk4 file]# pwd
[root@elk4 file]# l.
sincedb文件一共6个字段
- inode编号
- 文件系统的主要设备号
- 文件系统的次要设备号
- 文件中的当前字节偏移量
- 最后一个活动时间戳(浮点数)
- 与此记录匹配的最后一个已知路径
删除后重新读取
[root@elk4 file]# rm -f .sincedb_452905a167cf4509fd08acb964fdb20c
syslog 插件
logstash伪装成日志服务器
[root@elk4 conf.d]# vim test.conf
input {
syslog {}
}
output {
stdout {}
elasticsearch {
hosts => "192.168.92.31:9200"
index => "syslog-%{+YYYY.MM.dd}"
}
}
[root@elk4 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
配置客户端日志输出
[root@server1 ~]# vim /etc/rsyslog.conf
去掉以下行的注释
[root@elk1 ~]# systemctl restart rsyslog.service
多行过滤插件
从server1拷贝模板文件
[root@elk1 elasticsearch]# pwd
[root@elk1 elasticsearch]# scp my-es.log elk4:/var/log/
[root@elk4 conf.d]# vim my-es-log.conf
input {
file {
path => "/var/log/my-es.log"
start_position => "beginning"
codec => multiline {
pattern => "^\["
negate => true
what => previous
}
}
}
output {
stdout {}
elasticsearch {
hosts => "192.168.92.31:9200"
index => "myeslog-%{+YYYY.MM.dd}"
}
}
[root@elk4 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
grok过滤
[root@elk4 ~]# yum install -y httpd
[root@elk4 ~]# systemctl enablel --now httpd
[root@elk4 ~]# echo www.westos.org > /var/www/html/index.html
访问此站点生成日志信息
ab -c 1 -n 500 http://192.168.92.34/index.html
编写文件
[root@elk4 conf.d]# vim grok.conf
input {
file {
path => "/var/log/httpd/access_log"
start_position => "beginning"
}
}
filter {
grok {
match => { "message" => "%{HTTPD_COMBINEDLOG}" }
}
}
output {
stdout {}
elasticsearch {
hosts => "192.168.92.31:9200"
index => "apachelog-%{+YYYY.MM.dd}"
}
}
[root@elk4 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/grok.conf
