Introduction
Logstash is an open source data collection engine with real-time pipelining capabilities.
Put simply, Logstash is a pipe with real-time data transport capability: it carries data from the input end of the pipe to the output end, and along the way it lets you insert filters to suit your needs. Logstash ships with many powerful filters that cover a wide range of use cases.
Logstash is commonly used as the log collector in log management systems, most often as the collector in an ELK stack (Elasticsearch + Logstash + Kibana).
The basic flow of Logstash log collection:
```
input -> filter -> output
```
```
input:  where the logs are collected from
filter: how the logs are filtered
output: where the logs are sent
```
Version compatibility
URL: https://www.elastic.co/cn/support/matrix#matrix_compatibility
Environment
- Java: 1.8
- Elasticsearch: 6.8.13
- Logstash: 6.8.13
- OS: CentOS 7
- IP: 192.168.43.128
Install Java and Elasticsearch 6
URL: click
Install Logstash
URL: https://www.elastic.co/cn/downloads/past-releases#logstash
```bash
cd /data/temp
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.8.13.rpm
rpm -ivh logstash-6.8.13.rpm
```
Query the Logstash installation directories; the result is:
```
logstash: /etc/logstash /usr/share/logstash
```
Create the persistent data directory for plugins and the log directory:
```bash
mkdir -p /usr/local/logstash/plugin-data
mkdir -p /usr/local/logstash/logs
```
Create the logstash user:
```bash
# create the group
groupadd logstash
# create the user with logstash as its primary group
useradd -g logstash logstash
# if the user already existed, put it into the group with usermod instead
usermod -g logstash logstash
# give the user ownership of the data and log directories
chown -R logstash /usr/local/logstash/plugin-data
chown -R logstash /usr/local/logstash/logs
```
The login shell of the logstash user is "/sbin/nologin"; change it to "/bin/bash" and save.
```bash
# find the logstash entry, then edit its shell field
cat /etc/passwd
vi /etc/passwd
```
```bash
# back up the default configuration before editing it
cp /etc/logstash/logstash.yml /etc/logstash/logstash.yml_bak
vi /etc/logstash/logstash.yml
```
Change the following settings:
```yaml
# node name, usually the hostname
node.name: logstash-test
# persistent directories used by logstash and its plugins
path.data: /usr/local/logstash/plugin-data
path.logs: /usr/local/logstash/logs
# enable automatic reloading of the pipeline configuration
config.reload.automatic: true
# how often to check the configuration for changes
config.reload.interval: 10s
# host name to bind the HTTP API to, usually a domain name or IP
http.host: "192.168.43.128"
# port of the HTTP API
http.port: 9033
```
Save and exit.
Firewall configuration, using firewalld as an example; open ports 5044 and 9033:
```bash
systemctl status firewalld.service
firewall-cmd --state
# 5044: the Beats input; 9033: the http.port set in logstash.yml
firewall-cmd --zone=public --add-port=5044/tcp --permanent
firewall-cmd --zone=public --add-port=9033/tcp --permanent
systemctl reload firewalld
```
Install the input-jdbc, input-beats and output-elasticsearch plugins:
```bash
/usr/share/logstash/bin/logstash-plugin install logstash-input-jdbc
/usr/share/logstash/bin/logstash-plugin install logstash-input-beats
/usr/share/logstash/bin/logstash-plugin install logstash-output-elasticsearch
```
Plugin documentation: https://www.elastic.co/guide/en/logstash/6.8/index.html
```bash
vi /etc/logstash/conf.d/01-logstash-initial.conf
```
Collect Tomcat logs; the configuration is as follows:
```
input {
  beats {
    port => 5044
  }
  # stdin is convenient for manual testing; it does not suit a process started in the background
  stdin {}
}

filter {
  # filter the access log
  if ( [source] =~ "localhost_access_log" ) {
    grok {
      match => { "message" => [ "%{COMMONAPACHELOG}" ] }
    }
    # COMMONAPACHELOG stores the request time in the "timestamp" field in HTTPDATE form
    # (e.g. 10/Oct/2000:13:55:36 -0700), so that field and pattern are parsed here
    date {
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
      locale => "en"
      target => "request_time"
    }
  # filter the tomcat log
  } else if ( [source] =~ "catalina" ) {
    # map the line content to fields
    grok {
      match => { "message" => [ "(?<webapp_name>\[\w+\])\s+(?<request_time>\d{4}\-\d{2}\-\d{2}\s+\w{2}\:\w{2}\:\w{2}\,\w{3})\s+(?<log_level>\w+)\s+(?<class_package>[^.^\s]+(?:\.[^.\s]+)+)\.(?<class_name>[^\s]+)\s+(?<message_content>.+)" ] }
    }
    # parse the request time; the pattern matches the grok capture above (yyyy-MM-dd HH:mm:ss,SSS)
    date {
      match => [ "request_time", "yyyy-MM-dd HH:mm:ss,SSS" ]
      locale => "en"
      target => "request_time"
    }
  } else {
    drop {}
  }
}

output {
  if ( [source] =~ "localhost_access_log" ) {
    elasticsearch {
      hosts => ["192.168.43.128:9200"]
      index => "access_log"
    }
  } else {
    elasticsearch {
      hosts => ["192.168.43.128:9200"]
      index => "tomcat_log"
    }
  }
  stdout { codec => rubydebug }
}
```
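Before loading the pipeline it is worth checking, offline, what the filter block above extracts from a real line and where it routes the event. The Ruby script below is an added example, not part of the original post: grok named groups use the same `(?<name>...)` syntax as Ruby regexes, so the catalina expression is reused verbatim; the access-log regex is a hand-written approximation of `%{COMMONAPACHELOG}` for Tomcat's default access log pattern; `route_event`, the sample lines and the file paths are constructed for the demonstration.

```ruby
require 'time'

# The catalina grok expression from the pipeline, copied verbatim.
CATALINA = /(?<webapp_name>\[\w+\])\s+(?<request_time>\d{4}\-\d{2}\-\d{2}\s+\w{2}\:\w{2}\:\w{2}\,\w{3})\s+(?<log_level>\w+)\s+(?<class_package>[^.^\s]+(?:\.[^.\s]+)+)\.(?<class_name>[^\s]+)\s+(?<message_content>.+)/

# Approximation of grok's %{COMMONAPACHELOG} for Tomcat's default access log
# pattern ("%h %l %u %t \"%r\" %s %b"); not the stock grok definition.
ACCESS = /\A(?<clientip>\S+) (?<ident>\S+) (?<auth>\S+) \[(?<timestamp>[^\]]+)\] "(?<verb>\S+) (?<request>\S+)(?: HTTP\/(?<httpversion>[\d.]+))?" (?<response>\d+) (?<bytes>\d+|-)/

# Turn a MatchData into the field hash grok would add to the event.
def captures(match)
  match.names.each_with_object({}) { |n, h| h[n] = match[n] }
end

# Mirrors the filter block: choose the grok expression by the Beats "source"
# path, then apply the same timestamp parse as the date filter.
# Returns [index_name, fields], or nil when the event would be dropped.
def route_event(source, message)
  if source =~ /localhost_access_log/
    m = ACCESS.match(message) or return ['access_log', { 'tags' => ['_grokparsefailure'] }]
    f = captures(m)
    f['@timestamp'] = Time.strptime(f['timestamp'], '%d/%b/%Y:%H:%M:%S %z')
    ['access_log', f]
  elsif source =~ /catalina/
    m = CATALINA.match(message) or return ['tomcat_log', { 'tags' => ['_grokparsefailure'] }]
    f = captures(m)
    f['@timestamp'] = Time.strptime(f['request_time'], '%Y-%m-%d %H:%M:%S,%L')
    ['tomcat_log', f]
  else
    nil # drop {}
  end
end

# Constructed sample lines (not real log data).
ACCESS_LINE   = '192.168.43.1 - - [20/Nov/2020:10:11:12 +0800] "POST /login HTTP/1.1" 401 512'
CATALINA_LINE = '[myapp] 2020-11-20 10:11:12,345 WARN com.example.web.LoginController Login failed for user admin'

if __FILE__ == $0
  p route_event('/opt/tomcat/logs/localhost_access_log.2020-11-20.txt', ACCESS_LINE)
  p route_event('/opt/tomcat/logs/catalina.out', CATALINA_LINE)
  p route_event('/var/log/messages', 'unrelated line')
end
```

A line that does not match gets a `_grokparsefailure` tag instead of fields, which is the same signal to watch for in Kibana once the pipeline is live.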
Check the configuration file for syntax errors:
```bash
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/01-logstash-initial.conf -t
```
Start:
```bash
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/01-logstash-initial.conf &
```