Analyzing Tomcat application logs with ELK

Log format example

  1. Tomcat error log example
[ERROR] [production] [modle] [18.18.18.18] [a7fabc92afb8479590c85f88c7db939] 2017-05-04 14:45:45.916 (BaseAPI.java:236) api error
org.apache.thrift.transport.TTransportException: java.net.SocketTimeoutException: Read timed out
    at org.apache.thrift.transport.THttpClient.flushUsingHttpClient(THttpClient.java:297)
    at com.huofu.api.base.BaseAPI.processRequest(BaseAPI.java:344)
    at sun.reflect.GeneratedMethodAccessor36.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:749)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.net.SocketTimeoutException: Read timed out
    at java.net.SocketInputStream.socketRead0(Native Method)
    at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
    at java.net.SocketInputStream.read(SocketInputStream.java:170)
    at java.net.SocketInputStream.read(SocketInputStream.java:141)
    at org.apache.http.impl.conn.ManagedClientConnectionImpl.receiveResponseHeader(ManagedClientConnectionImpl.java:191)
    at org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:300)
    at org.apache.thrift.transport.THttpClient.flushUsingHttpClient(THttpClient.java:251)

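Configuring Logstash

Logstash configuration file

input {
  # Receive events shipped by Filebeat
  beats {
    port => 5044
  }
}
filter {
  # Parse the log header with the custom pattern loaded from patterns_dir
  grok {
    patterns_dir => ["/etc/logstash/patterns"]
    match => {
      "message" => "%{TOMCAT_SERVICE_LOG}"
    }
  }
  # Use the timestamp from the log line as the event timestamp
  date {
    match => ["timestamp", "yyyy-MM-dd HH:mm:ss.SSS"]
  }
}
output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
  }
}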

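Add the pattern file /etc/logstash/patterns/tomcat under patterns_dir. The server IP and request ID fields may be empty, so each is wrapped in an optional group; a bare | outside a group would split the whole pattern into separate alternatives and leave timestamp and logmessage unextracted.

TOMCAT_SERVICE_LOG \[%{LOGLEVEL:level}\] \[%{WORD:env}\] \[%{NOTSPACE:module}\] \[(?:%{IP:server_ip})?\] \[(?:%{GREEDYDATA:request_id})?\] %{TIMESTAMP_ISO8601:timestamp} %{GREEDYDATA:logmessage}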

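Configuring Filebeat

Merging multi-line Tomcat log entries

filebeat.prospectors:
  - input_type: log
    paths:
      - /data/logs/info.log
    # Lines that do not start with "[" (stack-trace lines) are appended
    # to the preceding line that does.
    multiline:
      pattern: '^\['
      negate: true
      match: after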

Once this is configured, Tomcat logs in a similar format can be analyzed.
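To check the multiline and pattern settings offline before shipping logs, the following added example (not part of the original post) emulates the Filebeat merge and the TOMCAT_SERVICE_LOG header match in Python. The function names, the simplified regex stand-ins for the grok sub-patterns, and the sample lines (including the entry with empty IP and request ID) are assumptions constructed for illustration.

```python
import re

# Regex equivalent of the TOMCAT_SERVICE_LOG grok pattern; the simplified
# sub-patterns for LOGLEVEL, IP and TIMESTAMP_ISO8601 are assumptions.
HEADER = re.compile(
    r"\[(?P<level>[A-Z]+)\] \[(?P<env>\w+)\] \[(?P<module>\S+)\] "
    r"\[(?P<server_ip>(?:\d{1,3}\.){3}\d{1,3})?\] \[(?P<request_id>.*?)\] "
    r"(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<logmessage>.*)",
    re.DOTALL,  # let logmessage span the merged stack-trace lines
)
START = re.compile(r"^\[")  # same as multiline.pattern in the Filebeat config


def merge_multiline(lines):
    """Emulate negate: true / match: after: a line that does NOT match
    START is appended to the event opened by the last matching line."""
    events, current = [], []
    for line in lines:
        if START.search(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def parse(event):
    """Return the extracted fields, or None (grok would tag _grokparsefailure)."""
    m = HEADER.match(event)
    return m.groupdict() if m else None


# Constructed sample input modelled on the log format shown on this page.
SAMPLE = """\
[ERROR] [production] [modle] [18.18.18.18] [a7fabc92afb8479590c85f88c7db939] 2017-05-04 14:45:45.916 (BaseAPI.java:236) api error
org.apache.thrift.transport.TTransportException: java.net.SocketTimeoutException: Read timed out
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.net.SocketTimeoutException: Read timed out
[INFO] [production] [modle] [] [] 2017-05-04 14:45:46.001 (BaseAPI.java:120) request ok
""".splitlines()

if __name__ == "__main__":
    for ev in merge_multiline(SAMPLE):
        print(parse(ev))
```

A stack-trace or message line that itself begins with "[" would start a new event under this multiline rule and then fail the header match, which is worth watching for as grok parse failures in Elasticsearch.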

Quickly setting up ELK with Docker
