ELK: collecting Redis (error, warning) logs with Filebeat

Parsing and displaying the Redis log

[Image 1]

Only the Redis warning and error lines need to be collected.

Filebeat
   include_lines: ["WARNING","ERROR"]
         include_lines is a list of regular expressions that match the lines you want Filebeat to include. Filebeat exports only the lines that match a regular expression in the list; by default every line is exported. The expressions are unanchored and case-sensitive, so "WARNING" matches anywhere in a line but does not match "warning".
   Reference: https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html
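The following added example is not from the original article; it emulates Filebeat's include_lines/exclude_lines semantics in Python over a constructed Redis log excerpt, to make visible what the article's ["WARNING","ERROR"] list actually selects. Redis marks the level of each line with a single character after the timestamp ("." debug, "-" verbose, "*" notice, "#" warning), so a warning-level line whose text does not contain the literal word WARNING (a failed background save, for instance) is not shipped. The second pattern list, keyed on the "#" marker, is a suggestion of mine, not the article's configuration, and the log lines are constructed.

```python
import re
from typing import Iterable, List, Optional

# Constructed Redis log excerpt (pre-4.0 layout: "pid:role day month time.ms marker message");
# not taken from the article. The single character after the timestamp is the level:
# "." debug, "-" verbose, "*" notice, "#" warning.
SAMPLE_REDIS_LOG = [
    "1234:M 10 Apr 12:00:00.001 * Server started, Redis version 3.2.12",
    "1234:M 10 Apr 12:00:00.002 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition.",
    "1234:M 10 Apr 12:00:00.003 # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.",
    "1234:M 10 Apr 12:00:05.100 * DB loaded from disk: 0.001 seconds",
    "1234:M 10 Apr 12:05:00.200 # Can't save in background: fork: Cannot allocate memory",
    "1234:C 10 Apr 12:05:00.300 . 0 clients connected (0 slaves), 1024 bytes in use",
    "1234:M 10 Apr 12:10:00.400 - Accepted 10.0.0.5:51234",
]


def filebeat_line_filter(lines: Iterable[str],
                         include_lines: Optional[List[str]] = None,
                         exclude_lines: Optional[List[str]] = None) -> List[str]:
    """Emulate Filebeat's include_lines / exclude_lines.

    Both options are lists of unanchored, case-sensitive regular expressions
    (Go RE2 syntax in Filebeat, so no lookaround). A line is shipped if it
    matches at least one include_lines pattern (or include_lines is unset)
    and matches no exclude_lines pattern; Filebeat applies include_lines
    before exclude_lines.
    """
    include = [re.compile(p) for p in (include_lines or [])]
    exclude = [re.compile(p) for p in (exclude_lines or [])]
    kept = []
    for line in lines:
        if include and not any(r.search(line) for r in include):
            continue
        if any(r.search(line) for r in exclude):
            continue
        kept.append(line)
    return kept


# The article's filter: only lines containing the literal words WARNING or ERROR.
ARTICLE_INCLUDE_LINES = ["WARNING", "ERROR"]

# Suggested alternative (an assumption, not the article's config): select by the
# Redis warning marker "#" right after the timestamp. The optional year group
# also fits the Redis 4.0+ layout ("10 Apr 2019 12:00:00.000").
WARNING_LEVEL_INCLUDE_LINES = [
    r"^[0-9]+:[MSCX] [0-9]{1,2} [A-Z][a-z]{2} ([0-9]{4} )?[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3} # "
]


def article_filter(lines: Iterable[str] = SAMPLE_REDIS_LOG) -> List[str]:
    """Lines the article's include_lines would ship."""
    return filebeat_line_filter(lines, include_lines=ARTICLE_INCLUDE_LINES)


def warning_level_filter(lines: Iterable[str] = SAMPLE_REDIS_LOG) -> List[str]:
    """Lines a marker-based include_lines would ship."""
    return filebeat_line_filter(lines, include_lines=WARNING_LEVEL_INCLUDE_LINES)


if __name__ == "__main__":
    shipped = set(article_filter())
    for line in warning_level_filter():
        flag = "shipped" if line in shipped else 'MISSED by ["WARNING","ERROR"]'
        print(f"{flag}: {line}")
```

Running it shows that the two WARNING lines are shipped by both lists, while the "Can't save in background" warning is dropped by the article's list and kept by the marker-based one. Whichever list you choose, remember it is evaluated per line, so a warning whose detail continues on a following line loses that continuation unless a multiline setting is also configured.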

Result in Kibana

[Image 2]

Filebeat installation and configuration

[root@elk-node01 var]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.6.0-x86_64.rpm
[root@elk-node01 var]# yum install filebeat-6.6.0-x86_64.rpm
[root@elk-node01 var]# cat /etc/filebeat/filebeat.yml
# Logstash routes events on fields.log_type.
# filebeat.inputs / type are the 6.x names; filebeat.prospectors / input_type
# are still accepted by 6.6 but deprecated.
filebeat.inputs:
- type: log
  paths:
    - /data/wwwlogs/access_nginx.log
  fields:
    log_source: nginx
    log_type: nginx
- type: log
  paths:
    - /var/log/messages
  fields:
    log_source: messages
    log_type: messages
- type: log
  paths:
    - /usr/local/redis/var/redis.log
  # list of regular expressions; only lines matching one of them are shipped
  include_lines: ["WARNING","ERROR"]
  fields:
    log_source: redis
    log_type: redis
output.redis:
  # no password configured: keep this broker on loopback, or add
  # password: here and in the Logstash redis input
  hosts: ["127.0.0.1:6379"]
  key: "defaul_list"   # must match the key in the Logstash redis input
  db: 5
  timeout: 5

Logstash configuration

input {
  redis {
    key => "defaul_list"        # must match output.redis.key in filebeat.yml
    data_type => "list"
    db => "5"
    host => "127.0.0.1"
    port => "6379"
    threads => "5"
    codec => "json"
  }
}
filter {
  if [fields][log_type] == "redis" {
    grok {
      patterns_dir => "/data/elk-services/logstash/patterns.d"
      match => { "message" => "%{REDISLOG}" }
    }
    # Expand the single-character level marker and role letter written by Redis
    mutate {
      gsub => [
        "loglevel", "\.", "debug",
        "loglevel", "\-", "verbose",
        "loglevel", "\*", "notice",
        "loglevel", "\#", "warning",
        "role","X","sentinel",
        "role","C","RDB/AOF writing child",
        "role","S","slave",
        "role","M","master"
      ]
    }
    # The pre-4.0 Redis log carries no year, so Logstash assumes the current year.
    # Redis 4.0+ writes "dd MMM yyyy HH:mm:ss.SSS"; use that pattern and add %{YEAR}
    # to REDISTIMESTAMP if your log has the year.
    date {
      match => [ "timestamp" , "dd MMM HH:mm:ss.SSS" ]
      target => "@timestamp"
      remove_field => [ "timestamp" ]
    }
  }
  if [fields][log_type] == "nginx" {
    grok {
      patterns_dir => [ "/data/elk-services/logstash/patterns.d" ]
      match => { "message" => "%{NGINXACCESS}" }
      overwrite => [ "message" ]
    }
    geoip {
      source => "clent_ip"
      target => "geoip"
      database => "/data/soft/GeoLite2-City_20190409/GeoLite2-City.mmdb"
    }
    useragent {
      source => "User_Agent"
      target => "userAgent"
    }
    urldecode {
      all_fields => true
    }
    mutate {
      gsub => ["User_Agent","[\"]",""]        # strip the " characters from User_Agent
      # convert only acts on fields that NGINXACCESS produces; response,
      # body_bytes_sent, bytes_sent and port are not in that pattern, so those
      # entries are no-ops unless the pattern is extended
      convert => [ "response","integer" ]
      convert => [ "body_bytes_sent","integer" ]
      convert => [ "bytes_sent","integer" ]
      convert => [ "upstream_response_time","float" ]
      convert => [ "upstream_status","integer" ]
      convert => [ "request_time","float" ]
      convert => [ "port","integer" ]
      convert => [ "http_status_code","integer" ]
      convert => [ "time_duration","float" ]
    }
    # NGINXACCESS captures the request time as log_date (not timestamp), and the
    # Joda year pattern is yyyy; YYYY is the week-year and misfires around New Year
    date {
      match => [ "log_date" , "dd/MMM/yyyy:HH:mm:ss Z" ]
      remove_field => [ "log_date" ]
    }
  }
}
output {
  # events whose log_type matches no branch (for example messages) are dropped here
  if [fields][log_type] == "redis" {
    elasticsearch {
      hosts => ["192.168.1.252:9200"]
      index => "252-redis-%{+YYYY.MM.dd}"
      action => "index"
    }
  }
  if [fields][log_type] == "nginx" {
    elasticsearch {
      hosts => ["192.168.1.252:9200"]
      index => "252-nginx-%{+YYYY.MM.dd}"
      action => "index"
    }
  }
}

The nginx and redis grok patterns

[root@elk-node01 var]# cat /data/elk-services/logstash/patterns.d/redis 
# pre-4.0 layout: "10 Apr 12:00:00.000"; Redis 4.0+ also writes the year,
# which needs %{MONTHDAY} %{MONTH} %{YEAR} %{TIME}
REDISTIMESTAMP %{MONTHDAY} %{MONTH} %{TIME}
REDISLOG %{POSINT:pid}\:%{WORD:role} %{REDISTIMESTAMP:timestamp} %{DATA:loglevel} %{GREEDYDATA:msg}
[root@elk-node01 var]# cat /data/elk-services/logstash/patterns.d/nginx
NGUSERNAME [a-zA-Z\.\@\-\+_%]+
NGUSER %{NGUSERNAME}
NGINXACCESS %{IP:clent_ip} (?:-|%{USER:ident}) \[%{HTTPDATE:log_date}\] \"%{WORD:http_verb} (?:%{PATH:baseurl}\?%{NOTSPACE:params}(?: HTTP/%{NUMBER:http_version})?|%{DATA:raw_http_request})\" (%{IPORHOST:url_domain}|%{URIHOST:ur_domain}|-)\[(%{BASE16FLOAT:request_time}|-)\] %{NOTSPACE:request_body} %{QS:referrer_rul} %{GREEDYDATA:User_Agent} \[%{GREEDYDATA:ssl_protocol}\] \[(?:%{GREEDYDATA:ssl_cipher}|-)\]\[%{NUMBER:time_duration}\] \[%{NUMBER:http_status_code}\] \[(%{BASE10NUM:upstream_status}|-)\] \[(%{NUMBER:upstream_response_time}|-)\] \[(%{URIHOST:upstream_addr}|-)\]

nginx configuration reference: https://blog.51cto.com/9025736/2377352
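As an added example that is not part of the original article, the REDISLOG grok pattern and the loglevel/role mapping from the Logstash filter above are reproduced here in Python, so the parse can be checked on a few constructed log lines without a running pipeline. The optional year in the timestamp regex is my extension: Redis 4.0 and later write the year in the log timestamp, which the article's REDISTIMESTAMP and date pattern do not cover. The default_year parameter stands in for the Logstash date filter's behaviour of assuming the current year when the log has none; the sample lines are constructed.

```python
import re
from datetime import datetime
from typing import Dict, Optional

# Python equivalent of the REDISLOG grok pattern (pid, role, timestamp, loglevel, msg)
# written as one regex. The year group is optional so both the pre-4.0 Redis
# timestamp ("10 Apr 12:00:00.000") and the 4.0+ layout ("10 Apr 2019 12:00:00.000")
# parse; the article's REDISTIMESTAMP only covers the former.
REDISLOG_RE = re.compile(
    r"^(?P<pid>[1-9][0-9]*):(?P<role>\w+) "
    r"(?P<timestamp>(?:0?[1-9]|[12][0-9]|3[01]) "
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"(?:\d{4} )?\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<loglevel>\S+) (?P<msg>.*)$"
)

# The same mapping the article applies with mutate/gsub, as lookup tables. A table
# cannot accidentally rewrite characters inside an earlier replacement string,
# which a chain of gsub rules can if a replacement contains a later search character.
LOGLEVELS = {".": "debug", "-": "verbose", "*": "notice", "#": "warning"}
ROLES = {"X": "sentinel", "C": "RDB/AOF writing child", "S": "slave", "M": "master"}


def parse_redis_log_line(line: str, default_year: Optional[int] = None) -> Optional[Dict[str, object]]:
    """Parse one Redis log line into the fields the Logstash filter produces.

    Returns None when the line does not match (Logstash would instead tag the
    event _grokparsefailure). When the line carries no year, default_year is
    used, or the current year if none is given, mirroring the date filter.
    """
    m = REDISLOG_RE.match(line)
    if not m:
        return None
    event: Dict[str, object] = dict(m.groupdict())
    event["pid"] = int(m.group("pid"))
    event["loglevel"] = LOGLEVELS.get(m.group("loglevel"), m.group("loglevel"))
    event["role"] = ROLES.get(m.group("role"), m.group("role"))

    ts = str(event.pop("timestamp"))
    parts = ts.split(" ")
    if len(parts) == 3:  # "dd MMM HH:mm:ss.SSS": no year in the line
        year = default_year if default_year is not None else datetime.now().year
        ts = f"{parts[0]} {parts[1]} {year} {parts[2]}"
    dt = datetime.strptime(ts, "%d %b %Y %H:%M:%S.%f")
    event["@timestamp"] = dt.isoformat(timespec="milliseconds")
    return event


# Constructed sample lines (not from the article): a pre-4.0 line as the article's
# grok pattern expects, a 4.0+ line with a year, and one unparseable line.
SAMPLE_LINES = [
    "1234:M 10 Apr 12:00:00.002 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition.",
    "5678:C 10 Apr 2019 12:05:00.300 * DB saved on disk",
    "not a redis log line",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_redis_log_line(line, default_year=2019))
```

The first sample yields pid 1234, role master, loglevel warning and an @timestamp of 2019-04-10T12:00:00.002 when default_year is 2019; the second, which the article's pattern would reject because of the year, yields role "RDB/AOF writing child" and loglevel notice; the third returns None. If your Redis writes the year, the same two changes shown in the regex (an optional year group and a year-aware date pattern) are what the Logstash grok and date filters need.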

Start the services and check the data

[root@elk-node01 config]# /etc/init.d/filebeat restart 
 Restarting filebeat (via systemctl):                       [  OK  ]
[root@elk-node01 config]# ../bin/logstash -f filebeat-nginx-redis.yml 

[Image 3]
[Image 4]
