ELK收集tomcat状态日志

1、先查看之前的状态日志输出格式：在logs/catalina.out这个文件中

最上面的日志格式我们可能不太习惯使用，所以能输出下面的格式是最好的，当然需要我们自定义日志格式，接下来看看如何修改

2、打开conf/loggind.proterties这个文件，按照如下所示修改

在此文件中添加如下内容

1catalina.org.apache.juli.AsyncFileHandler.formatter = java.util.logging.SimpleFormatter
java.util.logging.SimpleFormatter.format = %1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS.%1$tL [%4$s] [%3$s] %2$s %5$s %6$s%n

同时删除此行内容

java.util.logging.ConsoleHandler.formatter = org.apache.juli.OneLineFormatter

3、保存之后重启tomcat我们就可以在logs目录下的catalina.out日志文件中看到上面的比较友好的格式了。比如第一张图的第二个方框所示。

4、编写配置文件

input{
    redis {
        host =>"172.16.0.54"
        port => 6379
        data_type => "list"
        db => "5"
        password => "123456"
        key => "tomcat_accessstatus_filter_index"
        codec => "json"
        add_field => {
            "[@metadata][mytomcat]" => "tomcat_accessstatus_filter_log"
        }
    }
}
filter{
#    if [fields][log_topic] == "tomcatlogs_catalina" {
#             mutate {
#             add_field => [ "[zabbix_key]", "tomcatlogs_catalina" ]
#             add_field => [ "[zabbix_host]", "%{[host][name]}" ]
#             }
    grok {
             match => { "message" => "%{TIMESTAMP_ISO8601:access_time}s+[(?<loglevel>[sS]*)]s+[%{DATA:exception_info}](?<tomcatcontent>[sS]*)" }
        }
        date {
                match => [ "access_time","MMM  d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601"]

        }
        mutate {
            remove_field => "@version"
            remove_field => "message"
            #remove_field => "[fields][log_topic]"
            #remove_field => "fields"
            remove_field => "access_time"
        }

}

output{
stdout{}
}

接下来输入一些内容，你就能看到效果了

比如，输入如下内容：

2019-03-19 13:08:07.782 [INFO] [org.apache.coyote.ajp.AjpNioProtocol] org.apache.coyote.AbstractProtocol destroy Destroying ProtocolHandler ["ajp-nio-8009"]

看到下面的效果

{
        "@timestamp" => 2019-03-19T05:08:07.782Z,
            "source" => "/usr/local/tomcat/logs/catalina.out",
             "input" => {
        "type" => "log"
    },
              "beat" => {
        "hostname" => "ELK-chaofeng07",
         "version" => "6.5.2",
            "name" => "ELK-chaofeng07"
    },
            "offset" => 27466,
    "exception_info" => "org.apache.coyote.ajp.AjpNioProtocol",
              "host" => {
                   "id" => "95f33c1568b94503946976569d36ad32",
                   "os" => {
              "family" => "redhat",
            "codename" => "Core",
            "platform" => "centos",
             "version" => "7 (Core)"
        },
        "containerized" => true,
                 "name" => "ELK-chaofeng07",
         "architecture" => "x86_64"
    },
          "loglevel" => "INFO",
        "prospector" => {
        "type" => "log"
    },
     "tomcatcontent" => " org.apache.coyote.AbstractProtocol destroy Destroying ProtocolHandler ["ajp-nio-8009"] "
}

这里我只是演示了logstash的输出而已，至于输出到ES集群是比较好配置的。这里不再详述