簡介
Logstash is an open source data collection engine with real-time pipelining capabilities。
簡單來說logstash就是一根具備實時數據傳輸能力的管道,負責將數據信息從管道的輸入端傳輸到管道的輸出端;與此同時這根管道還可以讓你根據自己的需求在中間加上濾網,Logstash提供里很多功能強大的濾網以滿足你的各種應用場景。
Logstash常用于日志關系系統中做日志采集設備,最常用于ELK(elasticsearch + logstash + kibane)中作為日志收集器使用。
logstash收集日志基本流程:
1
| input –> filter –> output
|
1
2
3
4
5
| input:從哪里收集日志
filter:對日志進行過濾
output:輸出哪里
|
![]()
![]()
版本匹配
網址:https://www.elastic.co/cn/support/matrix#matrix_compatibility
環境情況
- Java:1.8
- Elasticsearch:6.8.13
- Logstash:6.8.13
- 操作系統:centos7
- IP:192.168.43.128
安裝java和Elasticsearch6
網址:點擊
安裝Logstash
網址:https://www.elastic.co/cn/downloads/past-releases#logstash
1
2
3
4
5
| cd /data/temp
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.8.13.rpm
rpm -ivh logstash-6.8.13.rpm
|
查詢logstash的安裝目錄:
顯示:
logstash: /etc/logstash /usr/share/logstash
1
2
3
| mkdir -p /usr/local/logstash/plugin-data
mkdir -p /usr/local/logstash/logs
|
創建用戶logstash:
1
2
3
4
5
6
7
8
9
10
11
12
13
| #創建用戶
useradd logstash
#創建組
groupadd logstash
#將用戶添加到組
useradd logstash -g logstash
#授權
chown -R logstash /usr/local/logstash/plugin-data
chown -R logstash /usr/local/logstash/logs
|
logstash的shell 是 “/sbin/nologin”,需要改成 “/bin/bash”,保存即可。
1
2
3
| cat /etc/passwd
vi /etc/passwd
|
1
2
3
| cp /etc/logstash/logstash.yml /etc/logstash/logstash.yml_bak
vi /etc/logstash/logstash.yml
|
修改內容:
1
2
3
4
5
6
7
8
9
10
11
12
13
| #設置節點名稱,一般寫主機名
node.name: logstash-test
#創建logstash 和插件使用的持久化目錄
path.data: /usr/local/logstash/plugin-data
path.logs: /usr/local/logstash/logs
#開啟配置文件自動加載
config.reload.automatic: true
#定義配置文件重載時間周期
config.reload.interval: 10s
#定義訪問主機名,一般為域名或IP
http.host: "192.168.43.128"
#端口
http.port: 9033
|
保存后退出。
防火墻配置,以 firewalld 為例,開放 5044 端口和 9033 端口:
1
2
3
4
5
6
7
8
9
| systemctl status firewalld.service
firewall-cmd --state
firewall-cmd --zone=public --add-port=5044/tcp --permanent
firewall-cmd --zone=public --add-port=9033/tcp --permanent
systemctl reload firewalld
|
安裝input-jdbc插件、input-beats插件、output-elasticsearch插件:
1
2
3
4
5
| /usr/share/logstash/bin/logstash-plugin install logstash-input-jdbc
/usr/share/logstash/bin/logstash-plugin install logstash-input-beats
/usr/share/logstash/bin/logstash-plugin install install logstash-output-elasticsearch
|
插件網址: https://www.elastic.co/guide/en/logstash/6.8/index.html
1
| vi /etc/logstash/conf.d/01-logstash-initial.conf
|
收集tomcat日志,內容如下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
| input {
beats {
port => 5044
}
stdin{}
}
filter {
#過濾access 日志
if ( [source] =~ "localhost\_access\_log" ) {
grok {
match => {
message => [ "%{COMMONAPACHELOG}" ]
}
}
date {
match => [ "request_time", "ISO8601" ]
locale => "cn"
target => "request_time"
}
#過濾tomcat日志
} else if ( [source] =~ "catalina" ) {
#匹配內容到字段
grok {
match => {
message => [ "(?<webapp_name>\[\w+\])\s+(?<request_time>\d{4}\-\d{2}\-\d{2}\s+\w{2}\:\w{2}\:\w{2}\,\w{3})\s+(?<log_level>\w+)\s+(?<class_package>[^.^\s]+(?:\.[^.\s]+)+)\.(?<class_name>[^\s]+)\s+(?<message_cont
ent>.+)" ] }
}
#解析請求時間
date {
match => [ "request_time", "ISO8601" ]
locale => "cn"
target => "request_time"
}
} else {
drop {}
}
}
output {
if ( [source] =~ "localhost_access_log" ) {
elasticsearch {
hosts => ["192.168.43.128:9200"]
index => "access_log"
}
} else {
elasticsearch {
hosts => ["192.168.43.128:9200"]
index => "tomcat_log"
}
}
stdout { codec => rubydebug }
}
|
檢測配置文件語法是否有問題:
1
| /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/01-logstash-initial.conf -t
|
啟動:
1
| /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/01-logstash-initial.conf &
|
