ELK企业级日志分析平台——logstash

部署

新建一台虚拟机elk4部署logstash

[root@elk4 ~]# yum install -y jdk-11.0.15_linux-x64_bin.rpm

[root@elk4 ~]# yum install -y logstash-7.6.1.rpm

命令方式

[root@elk4 bin]# /usr/share/logstash/bin/logstash -e 'input { stdin { } } output { stdout {} }'

elasticsearch输出插件

[root@elk4 conf.d]# pwd

[root@elk4 conf.d]# vim test.conf

# Pipeline for the first end-to-end test: events typed on stdin are written
# both to the console and to Elasticsearch.
input {
        # Every line entered in the terminal becomes one event.
        stdin { }
}

output {
        # Echo each event to the console so the pipeline can be watched while it runs.
        stdout {}

        # Plain http:// with no credentials configured — acceptable on this lab
        # network only; a shared cluster would need TLS and user/password here.
        elasticsearch {
                hosts => "192.168.92.31:9200"
                # One index per day; the %{+...} pattern is filled from the event's @timestamp.
                index => "logstash-%{+YYYY.MM.dd}"
        }
}
[root@elk4 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf

启动成功后在终端输入数据进行测试,按 Ctrl+C 退出

elasticsearch-head插件

安装依赖

[root@k8s1 ~]# yum install -y bzip2

[root@k8s1 ~]# tar jxf phantomjs-2.1.1-linux-x86_64.tar.bz2

[root@k8s1 ~]# cd phantomjs-2.1.1-linux-x86_64

[root@k8s1 phantomjs-2.1.1-linux-x86_64]# cp bin/phantomjs /usr/local/bin/

[root@k8s1 ~]# yum install -y fontconfig

[root@k8s1 ~]# phantomjs

安装插件

[root@k8s1 ~]# rpm -ivh nodejs-9.11.2-1nodesource.x86_64.rpm

[root@k8s1 ~]# yum install -y unzip

[root@k8s1 ~]# unzip elasticsearch-head-master.zip

[root@k8s1 ~]# cd elasticsearch-head-master/

[root@k8s1 elasticsearch-head-master]# npm install  --registry=https://registry.npm.taobao.org

[root@k8s1 elasticsearch-head-master]# vim _site/app.js

启动服务

[root@k8s1 elasticsearch-head-master]# npm run start &
[root@k8s1 elasticsearch-head-master]# netstat -antlp|grep :9100

修改es配置

[root@elk1 ~]# vim /etc/elasticsearch/elasticsearch.yml

# Enable CORS so the browser-based elasticsearch-head page (served on :9100)
# can call the Elasticsearch REST API directly.
http.cors.enabled: true
# "*" lets any web origin reach the cluster API through a visitor's browser.
# Outside a lab, list only the head plugin's origin instead,
# e.g. "http://<head-host>:9100" (placeholder — use the real host).
http.cors.allow-origin: "*"

[root@elk1 ~]# systemctl  restart elasticsearch.service

访问:192.168.92.11:9100

file输入插件

[root@elk4 conf.d]# vim es.conf

# Pipeline that ships received syslog messages to Elasticsearch. The file
# input is left commented out; syslog {} is the active input.
input {
      # start_position => "beginning" only applies the first time a file is seen;
      # afterwards the offset stored in .sincedb decides where reading resumes.
      #file {
      #       path => "/var/log/messages"
      #       start_position => "beginning"
      #  }

      # Receives syslog over the network. With no host/port given the plugin
      # uses its defaults (port 514 on all interfaces). Senders are not
      # authenticated, so only the hosts meant to log here should reach that port.
      syslog {}

}


output {
        # Console copy of every event, useful while checking the pipeline.
        stdout {}

        # Plain http:// with no credentials — lab network only.
        elasticsearch {
                hosts => "192.168.92.31:9200"
                # Daily index; the date pattern is filled from the event's @timestamp.
                index => "rsyslog-%{+YYYY.MM.dd}"
        }
}
[root@elk4 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf

`.sincedb` 文件保存每个文件的读取进度(偏移量),避免重启后重复读取已处理的数据

[root@elk4 file]# pwd

[root@elk4 file]# l.

sincedb文件一共6个字段

  1. inode编号
  2. 文件系统的主要设备号
  3. 文件系统的次要设备号
  4. 文件中的当前字节偏移量
  5. 最后一个活动时间戳(浮点数)
  6. 与此记录匹配的最后一个已知路径

删除后重新读取

[root@elk4 file]# rm -f .sincedb_452905a167cf4509fd08acb964fdb20c

syslog 插件

logstash充当日志服务器,接收客户端通过syslog发送的日志

[root@elk4 conf.d]# vim test.conf

# Pipeline that turns this host into a syslog receiver and forwards each
# message to Elasticsearch.
input {
        # No host/port set, so the plugin's defaults apply (port 514 on all
        # interfaces). Nothing authenticates senders; keep the port reachable
        # only from the clients configured in the rsyslog step below.
        syslog {}
}

output {
         # Console copy of every event for verification.
         stdout {}

        # Plain http:// with no credentials — lab network only.
        elasticsearch {
                hosts => "192.168.92.31:9200"
                # Daily index; the date pattern is filled from the event's @timestamp.
                index => "syslog-%{+YYYY.MM.dd}"
        }

}

[root@elk4 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf

配置客户端日志输出

[root@server1 ~]# vim /etc/rsyslog.conf

去掉以下行的注释

![](https://file.jishuzhan.net/article/1728208243299192833/202cad9543ce5fac85d33aee767e4ba9.webp)

![](https://file.jishuzhan.net/article/1728208243299192833/530f76b891c7bc2e4b38c3f0e29b29db.webp)

[root@elk1 ~]# systemctl restart rsyslog.service

![](https://file.jishuzhan.net/article/1728208243299192833/d9a10229926c98c973f5bfa1fb4b77cd.webp)

## **多行过滤插件**

从server1拷贝模板文件

[root@elk1 elasticsearch]# pwd

[root@elk1 elasticsearch]# scp my-es.log elk4:/var/log/

![](https://file.jishuzhan.net/article/1728208243299192833/4a0fe320b79526f828609b0dbdbecab0.webp)

[root@elk4 conf.d]# vim my-es-log.conf

input {
        file {
                path => "/var/log/my-es.log"
                start_position => "beginning"
                codec => multiline {
                        pattern => "^\["
                        negate => true
                        what => previous
                }
        }
}

output {
        stdout {}

        elasticsearch {
                hosts => "192.168.92.31:9200"
                index => "myeslog-%{+YYYY.MM.dd}"
        }
}

![](https://file.jishuzhan.net/article/1728208243299192833/5ac38c64cd74c557a91750aff1a35ff8.webp)

[root@elk4 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf

![](https://file.jishuzhan.net/article/1728208243299192833/7c51d6dfc363d8f043efd416703a2555.webp)

## **grok过滤**

[root@elk4 ~]# yum install -y httpd

[root@elk4 ~]# systemctl enable --now httpd

[root@elk4 ~]# echo www.westos.org > /var/www/html/index.html

访问此站点生成日志信息

ab -c 1 -n 500 http://192.168.92.34/index.html

编写文件

[root@elk4 conf.d]# vim grok.conf

input {
        file {
                path => "/var/log/httpd/access_log"
                start_position => "beginning"
        }
}

filter {
        grok {
                match => { "message" => "%{HTTPD_COMBINEDLOG}" }
        }
}

output {
        stdout {}

        elasticsearch {
                hosts => "192.168.92.31:9200"
                index => "apachelog-%{+YYYY.MM.dd}"
        }
}

![](https://file.jishuzhan.net/article/1728208243299192833/807d7db64243a104176e7003585894e6.webp)

[root@elk4 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/grok.conf

![](https://file.jishuzhan.net/article/1728208243299192833/053b7cb66f0ab37bc55aae7bade987b4.webp)
