Introduction
Logstash is an open source data collection engine with real-time pipelining capabilities.
Put simply, Logstash is a pipeline with real-time data transport: it carries data from the pipeline's input end to its output end, and along the way you can insert filters to suit your own needs. Logstash ships with many powerful filters covering all kinds of use cases.
Logstash is commonly used as the log collector in log management systems, most often as the log collection component of the ELK stack (Elasticsearch + Logstash + Kibana).
Basic Logstash log collection flow:

input -> filter -> output

input: where logs are collected from
filter: how logs are filtered and processed
output: where logs are sent
Version compatibility
URL: https://www.elastic.co/cn/support/matrix#matrix_compatibility
Environment
- Java: 1.8
- Elasticsearch: 6.8.13
- Logstash: 6.8.13
- Operating system: CentOS 7
- IP: 192.168.43.128
Install Java and Elasticsearch 6
URL: click
Install Logstash
URL: https://www.elastic.co/cn/downloads/past-releases#logstash
cd /data/temp
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.8.13.rpm
rpm -ivh logstash-6.8.13.rpm
Find the Logstash installation directories (e.g. with whereis logstash):
Output:
logstash: /etc/logstash /usr/share/logstash
Create the persistent data directory and the log directory:
mkdir -p /usr/local/logstash/plugin-data
mkdir -p /usr/local/logstash/logs
Create the logstash user:
# Create the group (skipped if the RPM already created it)
getent group logstash >/dev/null || groupadd logstash
# Create the user in that group (skipped if it already exists)
id logstash >/dev/null 2>&1 || useradd -g logstash logstash
# If the user already existed, make sure it is in the group
usermod -g logstash logstash
# Grant ownership of the directories created above
chown -R logstash /usr/local/logstash/plugin-data
chown -R logstash /usr/local/logstash/logs
The logstash user's shell is "/sbin/nologin"; change it to "/bin/bash" and save.
cat /etc/passwd
vi /etc/passwd
cp /etc/logstash/logstash.yml /etc/logstash/logstash.yml_bak
vi /etc/logstash/logstash.yml
Changes to make:
# Node name, usually the hostname
node.name: logstash-test
# Persistent directories used by Logstash and its plugins (created above)
path.data: /usr/local/logstash/plugin-data
path.logs: /usr/local/logstash/logs
# Enable automatic reloading of pipeline config files
config.reload.automatic: true
# How often to check the config files for changes
config.reload.interval: 10s
# Host the HTTP API binds to, usually a domain name or IP
http.host: "192.168.43.128"
# API port
http.port: 9033
Save and exit.
Firewall configuration, using firewalld as an example; open ports 5044 and 9033:
systemctl status firewalld.service
firewall-cmd --state
firewall-cmd --zone=public --add-port=5044/tcp --permanent
firewall-cmd --zone=public --add-port=9033/tcp --permanent
systemctl reload firewalld
Install the input-jdbc, input-beats and output-elasticsearch plugins:
/usr/share/logstash/bin/logstash-plugin install logstash-input-jdbc
/usr/share/logstash/bin/logstash-plugin install logstash-input-beats
/usr/share/logstash/bin/logstash-plugin install logstash-output-elasticsearch
Plugin documentation: https://www.elastic.co/guide/en/logstash/6.8/index.html
vi /etc/logstash/conf.d/01-logstash-initial.conf
Collect Tomcat logs; the contents are as follows:
input {
  beats {
    port => 5044
  }
  stdin {}
}

filter {
  # Filter access logs
  if ( [source] =~ "localhost_access_log" ) {
    grok {
      match => { "message" => "%{COMMONAPACHELOG}" }
    }
    # COMMONAPACHELOG stores the request time in "timestamp", e.g. 12/Jan/2021:10:23:45 +0800,
    # so parse that field; the month abbreviation is English, so the locale must be "en"
    date {
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
      locale => "en"
      target => "request_time"
    }
  # Filter Tomcat (catalina) logs
  } else if ( [source] =~ "catalina" ) {
    # Match the line into named fields
    grok {
      match => { "message" => "(?<webapp_name>\[\w+\])\s+(?<request_time>\d{4}\-\d{2}\-\d{2}\s+\w{2}\:\w{2}\:\w{2}\,\w{3})\s+(?<log_level>\w+)\s+(?<class_package>[^.^\s]+(?:\.[^.\s]+)+)\.(?<class_name>[^\s]+)\s+(?<message_content>.+)" }
    }
    # Parse the request time (format 2021-01-12 10:23:46,123; purely numeric, so no locale is needed)
    date {
      match => [ "request_time", "yyyy-MM-dd HH:mm:ss,SSS" ]
      target => "request_time"
    }
  } else {
    drop {}
  }
}

output {
  if ( [source] =~ "localhost_access_log" ) {
    elasticsearch {
      hosts => ["192.168.43.128:9200"]
      index => "access_log"
    }
  } else {
    elasticsearch {
      hosts => ["192.168.43.128:9200"]
      index => "tomcat_log"
    }
  }
  stdout { codec => rubydebug }
}
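To check the two branches of this pipeline before deploying it, here is an added Python self-test (not code from the post): it re-implements the catalina grok pattern above and the source-based routing as plain regexes, runs them over constructed sample lines, and shows which lines land in access_log, in tomcat_log, get the _grokparsefailure tag (e.g. a stack-trace continuation line) or are dropped. The compact ACCESS_RE stand-in for COMMONAPACHELOG and the sample file paths are assumptions.

```python
import re
from datetime import datetime

# The catalina grok pattern from the page, rewritten with Python's (?P<name>...) group syntax.
CATALINA_RE = re.compile(
    r"(?P<webapp_name>\[\w+\])\s+"
    r"(?P<request_time>\d{4}-\d{2}-\d{2}\s+\w{2}:\w{2}:\w{2},\w{3})\s+"
    r"(?P<log_level>\w+)\s+"
    r"(?P<class_package>[^.\s]+(?:\.[^.\s]+)+)\.(?P<class_name>\S+)\s+"
    r"(?P<message_content>.+)")

# Compact stand-in for grok's COMMONAPACHELOG (assumption: only the fields used here;
# like grok, the request time lands in "timestamp", not "request_time").
ACCESS_RE = re.compile(
    r"(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] "
    r'"(?P<verb>\w+) (?P<request>\S+)(?: HTTP/\S+)?" (?P<response>\d+) (?P<bytes>\d+|-)')

def parse_event(source, message):
    """Route one Filebeat event the way the page's filter/output blocks do.
    Returns (index, fields), or None when the else branch would drop {} it."""
    if "localhost_access_log" in source:
        m = ACCESS_RE.match(message)
        fields = m.groupdict() if m else {"tags": ["_grokparsefailure"]}
        if m:  # HTTPDATE carries an English month abbreviation: parse it as such
            fields["request_time"] = datetime.strptime(fields["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
        return "access_log", fields
    if "catalina" in source:
        m = CATALINA_RE.match(message)
        fields = m.groupdict() if m else {"tags": ["_grokparsefailure"]}
        if m:  # same shape as the Logstash pattern yyyy-MM-dd HH:mm:ss,SSS
            fields["request_time"] = datetime.strptime(fields["request_time"], "%Y-%m-%d %H:%M:%S,%f")
        return "tomcat_log", fields
    return None  # any other file: drop {}

# Constructed sample events in Filebeat's (source, message) shape.
SAMPLES = [
    ("/opt/tomcat/logs/localhost_access_log.2021-01-12.txt",
     '10.0.0.7 - - [12/Jan/2021:10:23:45 +0800] "POST /manager/html HTTP/1.1" 403 1024'),
    ("/opt/tomcat/logs/catalina.out",
     "[myapp] 2021-01-12 10:23:46,123 WARN com.example.web.LoginController Login failed for 'admin'"),
    ("/opt/tomcat/logs/catalina.out",  # stack-trace continuation line: grok will not match it
     "\tat com.example.web.LoginController.doPost(LoginController.java:42)"),
    ("/opt/tomcat/logs/manager.2021-01-12.log", "unrelated file, dropped"),
]

if __name__ == "__main__":
    for source, message in SAMPLES:
        print(source.rsplit("/", 1)[-1], "->", parse_event(source, message))
```

The third sample shows why multi-line events (stack traces) need to be joined before they reach Logstash: each continuation line otherwise becomes its own event tagged _grokparsefailure.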
Check the config file for syntax errors:
# --path.settings points at the /etc/logstash directory holding the logstash.yml edited above;
# without it the RPM layout's settings file is not found and defaults are used
/usr/share/logstash/bin/logstash --path.settings /etc/logstash -f /etc/logstash/conf.d/01-logstash-initial.conf -t
Start:
/usr/share/logstash/bin/logstash --path.settings /etc/logstash -f /etc/logstash/conf.d/01-logstash-initial.conf &