1. Java log collection

Multi-line matching is done with the multiline plugin of the codec. This plugin merges several lines into one event, and its what option specifies whether a matched line is merged with the line before it or with the line after it.
https://www.elastic.co/guide/en/logstash/6.0/plugins-codecs-multiline.html

Syntax example:
input {
  stdin {
    codec => multiline {    # use the multiline plugin
      pattern => "pattern, a regexp"   # regular expression matched against each line
      negate => "true" or "false"     # whether to negate the match (true: lines that do NOT match are the continuation lines)
      what => "previous" or "next"   # merge the matched line with the previous line or with the next line
    }
  }
}
Command-line test of input and output:
[root@linux-node1 ~]# /usr/share/logstash/bin/logstash -e 'input { stdin {codec => multiline { pattern => "^\[" negate => "true" what => "previous"} }} output { stdout {codec => rubydebug}}'
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
The stdin plugin is now waiting for input:
111111111
22222222222
333333333
[5555555555
{
      "@version" => "1",
          "host" => "linux-node1",
    "@timestamp" => 2017-12-28T03:06:11.663Z,
       "message" => "111111111\n22222222222\n333333333",   # the lines before the line starting with [ are merged into one event
          "tags" => [
        [0] "multiline"
    ]
}
666666666666666666
77777777777777777
8888888888
[999999999
{
      "@version" => "1",
          "host" => "linux-node1",
    "@timestamp" => 2017-12-28T03:06:37.326Z,
       "message" => "[5555555555\n666666666666666666\n77777777777777777\n8888888888",
          "tags" => [
        [0] "multiline"
    ]
}

2. Example

(1) Look at the ELK cluster log

Every entry in the ELK cluster log starts with "[", and every message follows this pattern; that is the regularity to match on.

[root@linux-node1 ~]# tailf /data/logs/elk-cluster.log 
[2017-12-28T09:36:58,486][INFO ][o.e.c.s.MasterService    ] [elk-node1] zen-disco-node-join[{elk-node2}{CcF5fl9sRqCAGYYpT3scuw}{ncgZ1UsPRq-iz6zWHPl7PQ}{192.168.56.12}{192.168.56.12:9300}], reason: added {{elk-node2}{CcF5fl9sRqCAGYYpT3scuw}{ncgZ1UsPRq-iz6zWHPl7PQ}{192.168.56.12}{192.168.56.12:9300},}
[2017-12-28T09:36:59,297][INFO ][o.e.c.s.ClusterApplierService] [elk-node1] added {{elk-node2}{CcF5fl9sRqCAGYYpT3scuw}{ncgZ1UsPRq-iz6zWHPl7PQ}{192.168.56.12}{192.168.56.12:9300},}, reason: apply cluster state (from master [master {elk-node1}{Ulw9eIPlS06sl8Z6zQ_z4g}{HgJRMEAcQcqFOTn5ehHPdw}{192.168.56.11}{192.168.56.11:9300} committed version [87] source [zen-disco-node-join[{elk-node2}{CcF5fl9sRqCAGYYpT3scuw}{ncgZ1UsPRq-iz6zWHPl7PQ}{192.168.56.12}{192.168.56.12:9300}]]])
[2017-12-28T09:36:59,310][WARN ][o.e.d.z.ElectMasterService] [elk-node1] value for setting "discovery.zen.minimum_master_nodes" is too low. This can result in data loss! Please set it to at least a quorum of master-eligible nodes (current value: [-1], total number of master-eligible nodes used for publishing in this round: [2])
[2017-12-28T09:37:06,580][INFO ][o.e.c.r.a.AllocationService] [elk-node1] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.kibana][0]] ...]).
[2017-12-28T09:52:11,090][INFO ][o.e.c.m.MetaDataCreateIndexService] [elk-node1] [logstash-tomcat5612-accesslog-2017.12.28] creating index, cause [auto(bulk api)], templates [logstash], shards [5]/[1], mappings [_default_]
[2017-12-28T09:52:11,433][INFO ][o.e.c.m.MetaDataMappingService] [elk-node1] [logstash-tomcat5612-accesslog-2017.12.28/YY4yqUQJRHa2mRUwmd2Y8g] create_mapping [tomcat-accesslog]
[2017-12-28T09:52:13,389][INFO ][o.e.c.r.a.AllocationService] [elk-node1] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[logstash-tomcat5612-accesslog-2017.12.28][4]] ...]).

(2) Configure logstash

[root@linux-node1 ~]# vim /etc/logstash/conf.d/java.conf
input {
        file {
                path => "/data/logs/elk-cluster.log"
                type => "elasticsearch-java-log"
                start_position => "beginning"
                stat_interval => "2"
                codec => multiline {
                        pattern => "^\["    # regex: a line that starts with "["
                        negate => "true"    # negated, so lines that do NOT start with "[" are continuation lines
                        what => "previous"  # merge them into the preceding line
                }
        }
}

output {
        if [type] == "elasticsearch-java-log" {
                elasticsearch {
                        hosts => ["192.168.56.11:9200"]
                        index => "elasticsearch-java-log-%{+YYYY.MM.dd}"
                }
        }
}
[root@linux-node1 ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/java.conf -t
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
Configuration OK
[root@linux-node1 ~]# systemctl restart logstash
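As an added example (not code from the original post or from Logstash itself), the merge rule of the multiline codec from section 1 is re-implemented in Python so that the effect of pattern, negate and what on the stdin session above and on the cluster log of step (1) can be checked offline; it also covers what => "next", which the post only mentions. The Java stack-trace lines in ES_LOG_LINES are constructed for the example and are not taken from the real log.

```python
# Added example (not from the original post or from Logstash): a minimal
# re-implementation of the multiline codec's merge rule, Python 3 stdlib only.
import re

def multiline_merge(lines, pattern, negate=False, what="previous"):
    """Group raw lines into events the way the codec does.
    A line that matches `pattern` (or does NOT match, when negate is true) is a
    continuation line; `what` says whether it belongs to the previous or the
    next line. Returns the merged events as newline-joined strings."""
    regex = re.compile(pattern)
    events, buf = [], []
    for line in lines:
        continuation = bool(regex.search(line)) != negate   # XOR with negate
        if what == "previous":
            if not continuation and buf:  # a new event starts: flush the old one
                events.append("\n".join(buf))
                buf = []
            buf.append(line)
        elif what == "next":
            buf.append(line)
            if not continuation:          # this line closes the event
                events.append("\n".join(buf))
                buf = []
        else:
            raise ValueError("what must be 'previous' or 'next'")
    if buf:  # Logstash keeps this last event buffered until the next start line
        events.append("\n".join(buf))  # (or auto_flush_interval), as seen above
    return events

# The stdin session from the post: everything before each "[" line is one event.
STDIN_LINES = ["111111111", "22222222222", "333333333", "[5555555555",
               "666666666666666666", "77777777777777777", "8888888888", "[999999999"]

# Constructed cluster-log excerpt: the WARN line from step (1) followed by a
# made-up Java stack trace, which is exactly what the codec must keep together.
ES_LOG_LINES = [
    '[2017-12-28T09:36:59,310][WARN ][o.e.d.z.ElectMasterService] [elk-node1] '
    'value for setting "discovery.zen.minimum_master_nodes" is too low.',
    "java.lang.IllegalStateException: constructed example exception",
    "\tat org.example.Foo.bar(Foo.java:42)",
    "\tat org.example.Main.main(Main.java:7)",
    "[2017-12-28T09:37:06,580][INFO ][o.e.c.r.a.AllocationService] [elk-node1] "
    "Cluster health status changed from [YELLOW] to [GREEN]",
]

def merge_es_log():
    # Same pattern / negate / what as java.conf above.
    return multiline_merge(ES_LOG_LINES, r"^\[", negate=True, what="previous")
```

Run merge_es_log() to see the WARN line and its stack trace come back as a single event while the following INFO line stays separate.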

(3) View it in the elasticsearch head plugin

[Figure 1: ELK in practice, Java log collection]
Data browsing:
[Figure 2: ELK in practice, Java log collection]

(4) Add it to Kibana

[Figure 3: ELK in practice, Java log collection]
You can see that the messages have been merged at each line starting with "[", as shown in the figure:
[Figure 4: ELK in practice, Java log collection]