
Logstash

Introduction

Logstash is an open source data collection engine with real-time pipelining capabilities.

Put simply, Logstash is a pipe with real-time data transport capabilities: it carries data from the pipe's input end to its output end, and along the way lets you insert filters to suit your needs. Logstash ships with many powerful filters that cover a wide range of use cases.

Logstash is commonly used as the log collector in log management systems, most often as the log collection component of the ELK stack (Elasticsearch + Logstash + Kibana).

The basic Logstash log collection flow:

input -> filter -> output

input: where logs are collected from

filter: how logs are filtered and transformed

output: where logs are sent

Version compatibility

URL: https://www.elastic.co/cn/support/matrix#matrix_compatibility

Environment

  • Java: 1.8
  • Elasticsearch: 6.8.13
  • Logstash: 6.8.13
  • Operating system: CentOS 7
  • IP: 192.168.43.128

Installing Java and Elasticsearch 6

URL: (link)

Installing Logstash

URL: https://www.elastic.co/cn/downloads/past-releases#logstash

cd /data/temp
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.8.13.rpm
rpm -ivh logstash-6.8.13.rpm

Find the Logstash installation directories:

whereis logstash

Output:

logstash: /etc/logstash /usr/share/logstash

Create the data and log directories:

mkdir -p /usr/local/logstash/plugin-data
mkdir -p /usr/local/logstash/logs

Create the logstash user and group and give them ownership of the directories (the RPM already creates a system user and group named logstash, so the first two commands will report that they exist; that is harmless):

# create the user
useradd logstash

# create the group
groupadd logstash

# put the user in the group (the original used useradd again here, which fails for an existing user)
usermod -g logstash logstash

# grant ownership of the data and log directories
chown -R logstash /usr/local/logstash/plugin-data
chown -R logstash /usr/local/logstash/logs

The logstash user's shell is "/sbin/nologin"; change it to "/bin/bash" and save. This is only needed if you intend to run Logstash interactively as that user; for a pure service account the nologin shell is the safer default.

cat /etc/passwd
vi /etc/passwd

Back up and edit the Logstash settings file:

cp /etc/logstash/logstash.yml /etc/logstash/logstash.yml_bak
vi /etc/logstash/logstash.yml

Change the following settings:

# node name, usually the hostname
node.name: logstash-test
# persistent directories used by Logstash and its plugins
path.data: /usr/local/logstash/plugin-data
path.logs: /usr/local/logstash/logs
# enable automatic reloading of pipeline configuration files
config.reload.automatic: true
# how often to check configuration files for changes
config.reload.interval: 10s
# bind address of the HTTP API, usually a domain name or IP
http.host: "192.168.43.128"
# HTTP API port
http.port: 9033

Note that the Logstash 6.8 HTTP API has no authentication of its own. Binding it to the machine's LAN address and opening port 9033 in the firewall exposes node, pipeline and hot-thread details to the whole network, so bind it to 127.0.0.1 or restrict access to it unless remote monitoring is actually required.

Save and exit.

Firewall configuration, using firewalld as an example; open port 5044 (Beats input) and port 9033 (Logstash HTTP API):

systemctl status firewalld.service
firewall-cmd --state
firewall-cmd --zone=public --add-port=5044/tcp --permanent
firewall-cmd --zone=public --add-port=9033/tcp --permanent
systemctl reload firewalld

Install the input-jdbc, input-beats and output-elasticsearch plugins:

/usr/share/logstash/bin/logstash-plugin install logstash-input-jdbc
/usr/share/logstash/bin/logstash-plugin install logstash-input-beats
/usr/share/logstash/bin/logstash-plugin install logstash-output-elasticsearch

Plugin documentation: https://www.elastic.co/guide/en/logstash/6.8/index.html

Create the pipeline configuration file:

vi /etc/logstash/conf.d/01-logstash-initial.conf

To collect Tomcat logs, use the following contents:

input {
  beats {
    port => 5044
  }
  stdin {}
}

filter {
  # Tomcat access log
  if ( [source] =~ "localhost_access_log" ) {
    grok {
      match => {
        message => [ "%{COMMONAPACHELOG}" ]
      }
    }
    # COMMONAPACHELOG stores the request time in the "timestamp" field in Apache's
    # "dd/MMM/yyyy:HH:mm:ss Z" format; the original matched a "request_time" field
    # that this pattern never produces
    date {
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
      target => "request_time"
    }
  } else if ( [source] =~ "catalina" ) {
    # Tomcat catalina log: extract fields from the message
    grok {
      match => {
        message => [ "(?<webapp_name>\[\w+\])\s+(?<request_time>\d{4}\-\d{2}\-\d{2}\s+\w{2}\:\w{2}\:\w{2}\,\w{3})\s+(?<log_level>\w+)\s+(?<class_package>[^.^\s]+(?:\.[^.\s]+)+)\.(?<class_name>[^\s]+)\s+(?<message_content>.+)" ]
      }
    }
    # parse the request time captured above (log4j style, comma-separated milliseconds)
    date {
      match => [ "request_time", "yyyy-MM-dd HH:mm:ss,SSS" ]
      locale => "cn"
      target => "request_time"
    }
  } else {
    # anything that is neither log type is discarded
    drop {}
  }
}

output {
  if ( [source] =~ "localhost_access_log" ) {
    elasticsearch {
      hosts => ["192.168.43.128:9200"]
      index => "access_log"
    }
  } else {
    elasticsearch {
      hosts => ["192.168.43.128:9200"]
      index => "tomcat_log"
    }
  }
  stdout { codec => rubydebug }
}
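As an added illustration (not code from the original post), the following Python script applies the catalina branch's custom grok pattern, converted to Python's named-group syntax with the redundant escapes removed, and the output section's routing rules to constructed sample lines. It shows which fields that branch produces and that a class name with fewer than two package segments does not match at all, which in Logstash would leave the event tagged with `_grokparsefailure` and its `request_time` unparsed.

```python
import re
from datetime import datetime

# The custom grok pattern from the catalina branch above, with (?<name>...) rewritten
# as Python's (?P<name>...). Grok matches are unanchored, so re.search is used below.
CATALINA_RE = re.compile(
    r"(?P<webapp_name>\[\w+\])\s+"
    r"(?P<request_time>\d{4}-\d{2}-\d{2}\s+\w{2}:\w{2}:\w{2},\w{3})\s+"
    r"(?P<log_level>\w+)\s+"
    r"(?P<class_package>[^.^\s]+(?:\.[^.\s]+)+)\.(?P<class_name>[^\s]+)\s+"
    r"(?P<message_content>.+)"
)

def parse_catalina(line):
    """Return the fields the grok + date filters would add, or None when the
    pattern does not match (Logstash tags such events _grokparsefailure)."""
    m = CATALINA_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    # Same format the date filter uses: yyyy-MM-dd HH:mm:ss,SSS (%f accepts 3 digits)
    fields["request_time"] = datetime.strptime(
        fields["request_time"], "%Y-%m-%d %H:%M:%S,%f"
    )
    return fields

def route(source):
    """Mirror the filter/output conditionals on the Beats 'source' field:
    which Elasticsearch index an event goes to, or None if it is dropped."""
    if "localhost_access_log" in source:
        return "access_log"
    if "catalina" in source:
        return "tomcat_log"
    return None

if __name__ == "__main__":
    # Constructed sample lines, not real Tomcat output.
    for line in (
        "[myapp] 2021-03-15 10:22:33,123 INFO org.apache.catalina.core.StandardEngine Starting Servlet engine",
        "[myapp] 2021-03-15 10:22:33,123 WARN Main no package segments here",
    ):
        print(parse_catalina(line))
    for src in ("/var/log/tomcat/localhost_access_log.2021-03-15.txt",
                "/var/log/tomcat/catalina.out", "/var/log/messages"):
        print(src, "->", route(src))
```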

Check the configuration file for syntax errors:

/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/01-logstash-initial.conf -t

Start Logstash:

/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/01-logstash-initial.conf &