ELK
Redis作为Broker,用户中央Logstash和其他Logstash agent的缓冲。
在中央Logstash上,Redis作为数据的输入来源,在其他Logstash agent上,Redis作为数据的输出。
Central
/data/app_platform/logstash/conf/central.conf
input {
redis {
host => "10.4.29.162"
type => "redis-input"
data_type => "list"
key => "logstash"
}
}
output {
stdout {}
elasticsearch {
cluster => "elasticsearch"
}
}
Agent or Shipper
/data/app_platform/logstash/conf/shipper.conf
input {
file {
type => "syslog"
path => ["/var/log/secure","/var/log/messages"]
exclude => ["*.gz","shipper.log"]
sincedb_path => "/dev/null"
}
}
output {
stdout {}
redis {
host => "10.4.29.162"
data_type => "list"
key => "logstash"
}
}
报错信息:
{:timestamp=>"2015-04-08T11:42:22.766000+0800", :message=>"Using milestone 2 input plugin 'file'. This plugin should be stable, but if you see strange behavior, please let us know! For more information on plugin milestones, see http://logstash.net/docs/1.4.2/plugin-milestones", :level=>:warn}
{:timestamp=>"2015-04-08T11:42:22.918000+0800", :message=>"Using milestone 2 output plugin 'redis'. This plugin should be stable, but if you see strange behavior, please let us know! For more information on plugin milestones, see http://logstash.net/docs/1.4.2/plugin-milestones", :level=>:warn}
{:timestamp=>"2015-04-08T11:42:25.793000+0800", :message=>"Registering file input", :path=>["/var/log/secure", "/var/log/messages"], :level=>:info}
{:timestamp=>"2015-04-08T11:42:25.795000+0800", :message=>"No SINCEDB_DIR or HOME environment variable set, I don't know where to keep track of the files I'm watching. Either set HOME or SINCEDB_DIR in your environment, or set sincedb_path in in your Logstash config for the file input with path '[\"/var/log/secure\", \"/var/log/messages\"]'", :level=>:error}
{:timestamp=>"2015-04-08T11:42:25.797000+0800", :message=>"+---------------------------------------------------------+\n| An unexpected error occurred. This is probably a bug. |\n| You can find help with this problem in a few places: |\n| |\n| * chat: #logstash IRC channel on freenode irc. |\n| IRC via the web: http://goo.gl/TI4Ro |\n| * email: [email protected] |\n| * bug system: https://logstash.jira.com/ |\n| |\n+---------------------------------------------------------+\nThe error reported is: \n "}
sincedb_path
Value type is string
There is no default value for this setting.
Where to write the sincedb database (keeps track of the current position of monitored log files). The default will write sincedb files to some path matching “$HOME/.sincedb*”
需要设置sincedb_path参数,跟踪被监控日志的当前位置
由于刚开始数据量比较小,使用LLEN logstash查看Redis数据的时候可能为空。
可以使用Redis的MONITOR命令查看Redis的数据接收情况
/data/app_platform/redis/bin/redis-cli monitor
$ /data/app_platform/redis/bin/redis-cli llen logstash (integer) 39990
查看Elasticsearch是否存有数据
curl 'http://localhost:9200/_search?q=type:syslog&pretty=true'
查看Kibana WEB显示
再看一个Apache日志的例子:
# tail -f /var/log/httpd/access_log 127.0.0.1 - - [09/Apr/2015:16:42:53 +0800] "GET /router.php HTTP/1.1" 404 285 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2" 127.0.0.1 - - [09/Apr/2015:16:42:53 +0800] "GET /router.php HTTP/1.1" 404 285 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2" 127.0.0.1 - - [09/Apr/2015:16:42:53 +0800] "GET /router.php HTTP/1.1" 404 285 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
从日志可以分析出访问Aapche的IP地址,请求方式,请求日期等信息。如果将这些信息直接发送给Logstash处理,所有信息都将显示在 message 字段,如下图所示。
可以对这些日志作进一步处理,便于分析,查找和过滤。
有三种方式:
1)在logstash agent端处理
2)在logstash central端处理
3)使Apache的日志以更友好的格式显示
三种方式各有利弊,在agent端处理格式,agengt需要维护特定的过滤格式,在central端处理,会增加CPU的处理负担。这里采用进一步格式化Apache日志格式。
LogFormat "{ \
\"host\":\"host.example.com\", \
\"path\":\"/var/log/httpd/logstash_access_log\", \
\"tags\":[\"wordpress\",\"www.example.com\"], \
\"message\": \"%h %l %u %t \\\"%r\\\" %>s %b\", \
\"timestamp\": \"%{%Y-%m-%dT%H:%M:%S%z}t\", \
\"useragent\": \"%{User-agent}i\", \
\"clientip\": \"%a\", \
\"duration\": %D, \
\"status\": %>s, \
\"request\": \"%U%q\", \
\"urlpath\": \"%U\", \
\"urlquery\": \"%q\", \
\"method\": \"%m\", \
\"bytes\": %B, \
\"vhost\": \"%v\" \
}" logstash_apache_json
CustomLog /var/log/httpd/logstash_access_log logstash_apache_json
重新启动Apache
修改logstash agent配置文件
file {
type => "apache"
path => "/var/log/httpd/logstash_access_log"
exclude => ["*.gz"]
sincedb_path => "/dev/null"
codec => "json"
}
可以指定条件进行过滤:
例如查找type为apache并且status为404的日志
参考资料:
《The Logstash Book》
http://logstashbook.com/code/
https://blog.pkhamre.com/logging-to-logstash-json-format-in-nginx/