目录
一.ELK收集nginx日志
1.搭建好ELK+logstash+kibana架构
2.关闭防火墙和selinux
systemctl stop firewalld
setenforce 0
3.安装nginx
[root@localhost ~]# yum install epel-release.noarch -y
[root@localhost ~]# yum install nginx -y
4.修改配置文件
修改nginx配置文件将nginx日志格式改为json格式
[root@localhost ~]# vim /etc/nginx/nginx.conf
http {
# 添加在 http 语句块中
log_format access_json '{"@timestamp":"$time_iso8601",'
'"host":"$server_addr",'
'"clientip":"$remote_addr",'
'"size":$body_bytes_sent,'
'"responsetime":$request_time,'
'"upstreamtime":"$upstream_response_time",'
'"upstreamhost":"$upstream_addr",'
'"http_host":"$host",'
'"url":"$uri",'
'"domain":"$host",'
'"xff":"$http_x_forwarded_for",'
'"referer":"$http_referer",'
'"status":"$status"}';
access_log /var/log/nginx/access.log access_json;
#修改默认 日志格式
systemctl restart nginx
5.添加 logstash 配置文件
[root@localhost ~]# vim /etc/logstash/conf.d/nginx-log.conf
input{
file {
path => "/var/log/nginx/access.log"
type => "nginx"
start_position => "beginning"
stat_interval => "3"
codec => "json"
}
}
output {
elasticsearch {
hosts => [ "192.168.240.11:9200", "192.168.240.12:9200"]
index => "nginx-%{+YYYY.MM.dd}"
}
}
6.执行配置文件
logstash -f /etc/logstash/conf.d/nginx-log.conf
二.收集tomcat日志
1.安装tomcat 服务
#!/bin/bash
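#######################################
# Install the Oracle JDK 8 RPM shipped next to this script.
# Arguments: $1 - RPM file name (optional; defaults to jdk-8u201-linux-x64.rpm,
#                 the only file the original installer looked for)
# Outputs:   a coloured status line on stdout, or "无jdk包" when the RPM is absent
# Returns:   0 when the RPM installed, 1 when it is missing or rpm failed
#######################################
install_jdk() {
  local pkg=${1:-jdk-8u201-linux-x64.rpm}
  # Same escape bytes as the original `echo -e "\E[...]"`, without relying on
  # echo's non-portable -e handling.
  local green=$'\E[1;32m' red=$'\E[1;31m' reset=$'\E[0m'

  if [ ! -e "$pkg" ]; then
    echo "无jdk包"
    return 1
  fi

  # NOTE(review): rpm only rejects a bad signature when the vendor key has been
  # imported; an unsigned or NOKEY package still installs. Run `rpm -K` on the
  # file first if it was fetched over an untrusted path.
  if rpm -ivh "$pkg" &>/dev/null; then
    printf '%s jdk 安装成功 %s\n' "$green" "$reset"
    return 0
  fi
  printf '%s jdk 安装失败 %s\n' "$red" "$reset"
  return 1
}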
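#######################################
# Publish the JDK environment (JAVA_HOME, CLASSPATH, PATH) in a profile file
# and source it into the current shell.
# Arguments: $1 - profile file to update (optional; defaults to /etc/profile,
#                 which the original always wrote to)
# Outputs:   none
# Returns:   status of sourcing the profile
#######################################
bl() {
  local profile=${1:-/etc/profile}
  local java_home=/usr/java/jdk1.8.0_201-amd64

  # Append only once: the original appended on every run, so each re-run of the
  # installer added another copy of the three exports to /etc/profile.
  # NOTE(review): /etc/profile is read by every login shell on the host; a
  # drop-in under /etc/profile.d/ would scope this the same way with less risk
  # of corrupting the system file.
  if ! grep -qF -- "export JAVA_HOME=$java_home" "$profile" 2>/dev/null; then
    # Unquoted delimiter so $java_home expands now; \$ keeps the references to
    # JAVA_HOME and PATH literal so they resolve at login, as in the original.
    cat >> "$profile" <<EOF

export JAVA_HOME=$java_home
export CLASSPATH=\$JAVA_HOME/lib/tools.jar:\$JAVA_HOME/lib/dt.jar
export PATH=\$JAVA_HOME/bin:\$PATH
EOF
  fi
  # Affects this script's shell only; the caller's session is unchanged.
  # shellcheck disable=SC1090 -- path is chosen at run time
  source "$profile"
}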
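readonly TOMCAT_TGZ=apache-tomcat-9.0.16.tar.gz
readonly TOMCAT_HOME=/usr/local/tomcat

#######################################
# Write the systemd unit for Tomcat.
# The heredoc delimiter is quoted so the unit is written verbatim; nothing in
# it is meant to be expanded by the shell.
# Outputs:   /usr/lib/systemd/system/tomcat.service
#######################################
write_tomcat_unit() {
  cat > /usr/lib/systemd/system/tomcat.service <<'EOF'
[Unit]
Description=Tomcat
After=syslog.target network.target
[Service]
Type=forking
ExecStart=/usr/local/tomcat/bin/startup.sh
ExecStop=/usr/local/tomcat/bin/shutdown.sh
RestartSec=3
PrivateTmp=true
User=tomcat
Group=tomcat
[Install]
WantedBy=multi-user.target
EOF
}

#######################################
# Unpack the Tomcat tarball into TOMCAT_HOME and register it as a systemd
# service running under a dedicated nologin account.
# Globals:   TOMCAT_TGZ (read), TOMCAT_HOME (read)
# Outputs:   a coloured status line on stdout
# Returns:   0 when the service is active after start, 1 otherwise
#######################################
install_tomcat() {
  local green=$'\E[1;32m' red=$'\E[1;31m' reset=$'\E[0m'

  tar zxvf "$TOMCAT_TGZ" &>/dev/null
  cp -r "${TOMCAT_TGZ%.tar.gz}" "$TOMCAT_HOME"
  # Service account without an interactive shell; skipped when it already
  # exists so a re-run does not fail on useradd.
  id tomcat &>/dev/null || useradd -s /sbin/nologin tomcat
  # NOTE(review): this makes the whole tree, bin/ and conf/ included, writable
  # by the service account. Tomcat needs write access to logs/, temp/, work/
  # and webapps/; the rest could stay root-owned for least privilege.
  chown -R tomcat:tomcat "$TOMCAT_HOME/"
  write_tomcat_unit
  systemctl daemon-reload
  systemctl start tomcat
  if systemctl is-active --quiet tomcat; then
    printf '%s tomcat 启动成功 %s\n' "$green" "$reset"
    return 0
  fi
  printf '%s tomcat 启动失败 %s\n' "$red" "$reset"
  return 1
}

#######################################
# Entry point: install the JDK, publish its environment, then install Tomcat
# from the tarball in the current directory and expose its launcher scripts.
# Globals:   TOMCAT_TGZ (read), TOMCAT_HOME (read)
#######################################
main() {
  install_jdk
  bl
  java -version
  if [ -e "$TOMCAT_TGZ" ]; then
    install_tomcat
  else
    echo "无tomcat 安装包"
  fi
  # Guard the glob: when bin/ does not exist the unmatched pattern stays
  # literal and the original created a symlink named '*' in /usr/bin.
  if [ -d "$TOMCAT_HOME/bin" ]; then
    ln -s "$TOMCAT_HOME"/bin/* /usr/bin
  fi
}
main "$@"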
- 修改tomcat 配置文件
[root@localhost data]# vim /usr/local/tomcat/conf/server.xml
# 最后一行
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="tomcat_access_log" suffix=".log"
pattern="{&quot;clientip&quot;:&quot;%h&quot;,&quot;ClientUser&quot;:&quot;%l&quot;,&quot;authenticated&quot;:&quot;%u&quot;,&quot;AccessTime&quot;:&quot;%t&quot;,&quot;method&quot;:&quot;%r&quot;,&quot;status&quot;:&quot;%s&quot;,&quot;SendBytes&quot;:&quot;%b&quot;,&quot;Query?string&quot;:&quot;%q&quot;,&quot;partner&quot;:&quot;%{Referer}i&quot;,&quot;AgentVersion&quot;:&quot;%{User-Agent}i&quot;}"/>
directory="logs" 存放目录可以不改
prefix 改成 tomcat 开头
suffix 改成 log 结尾
3.重新启动tomcat服务,生成新的日志文件
tail -f /usr/local/tomcat/logs/tomcat_access_log.2024-07-17.log
4.编辑tomcat日志的logstash配置文件
[root@localhost ~]# vim /etc/logstash/conf.d/tomcat.conf
input {
file {
path => "/usr/local/tomcat/logs/tomcat_access_log.*.log"
type => "tomcat"
start_position => "beginning"
stat_interval => "3"
codec => "json"
}}
output {
elasticsearch {
hosts => ["192.168.240.11:9200", "192.168.240.12:9200"]
index => "tomcat-log-%{+YYYY.MM.dd}"
}}
5.给予tomcat日志文件可读权限,并执行logstash配置文件
chmod +r /usr/local/tomcat/logs/*
logstash -f /etc/logstash/conf.d/tomcat.conf
三.Filebeat
Filebeat:轻量级的开源日志文件数据搜集器。通常在需要采集数据的客户端安装 Filebeat,并指定目录与日志格式,Filebeat 就能快速收集数据,并发送给 logstash 进行解析,或是直接发给 Elasticsearch 存储,性能上相比运行于 JVM 上的 logstash 优势明显,是对它的替代。常应用于 EFLK 架构当中。
filebeat 结合 logstash 带来好处: 1)通过 Logstash 具有基于磁盘的自适应缓冲系统,该系统将吸收传入的吞吐量,从而减轻 Elasticsearch 持续写入数据的压力 2)从其他数据源(例如数据库,S3对象存储或消息传递队列)中提取 3)将数据发送到多个目的地,例如S3,HDFS(Hadoop分布式文件系统)或写入文件 4)使用条件数据流逻辑组成更复杂的处理管道
●缓存/消息队列(redis、kafka、RabbitMQ等):可以对高并发日志数据进行流量削峰和缓冲,这样的缓冲可以一定程度的保护数据不丢失,还可以对整个架构进行应用解耦。
Filebeat+ELK部署
1.安装Filebeat
#上传软件包 filebeat-6.7.2-linux-x86_64.tar.gz 到/opt目录
tar zxvf filebeat-6.7.2-linux-x86_64.tar.gz
mv filebeat-6.7.2-linux-x86_64/ /usr/local/filebeat
2.修改配置文件
[root@apache opt]# cd /usr/local/filebeat/
[root@apache filebeat]# vim filebeat.yml
enabled: true
27 paths:
28 - /var/log/nginx/access.log
30 tags: ["filebeat"]
31 fields:
32 service_name: nginx
33 log_type: access
34 from: 192.168.240.13
注释以下行
151 #output.elasticsearch:
152 # Array of hosts to connect to.
153 # hosts: ["localhost:9200"]
164 output.logstash:
165 # The Logstash hosts
166 hosts: ["192.168.240.13:5044"]
filebeat.inputs:
- type: log #指定 log 类型,从日志文件中读取消息
enabled: true
paths:
- /var/log/messages #指定监控的日志文件
- /var/log/*.log
tags: ["sys"] #设置索引标签 这两行注意对齐否则启动不了
fields: #可以使用 fields 配置选项设置一些参数字段添加到 output 中
service_name: filebeat
log_type: syslog
from: 192.168.80.13
--------------Elasticsearch output-------------------
(全部注释掉)
----------------Logstash output---------------------
output.logstash:
hosts: ["192.168.240.13:5044"] #指定 logstash 的 IP 和端口
3.启动配置文件
nohup ./filebeat -e -c filebeat.yml > filebeat.out &
#-e:输出到标准输出,禁用syslog/文件输出
#-c:指定配置文件
#nohup:在系统后台不挂断地运行命令,退出终端不会影响程序的运行
4.对接logstash
cd /etc/logstash/conf.d
vim filebeat.conf
input{
beats { port => "5044"}
}
output {
elasticsearch {
hosts => [ "192.168.240.11:9200", "192.168.240.12:9200"]
index => "system-%{+YYYY.MM.dd}"
}
stdout {
codec => rubydebug
}
}
#启动 logstash
logstash -f filebeat.conf -t   # 检查语法
浏览器访问 http://192.168.240.13:5601 登录 Kibana
logstash -f filebeat.conf