zoukankan      html  css  js  c++  java
  • 第八章 filebeat收集日志与kibana画图

    一、filebeat收集单日志到本地文件

    1.配置

    #编辑Filebeat配置文件
    [root@web01 ~]# vim /etc/filebeat/filebeat.yml
    filebeat.inputs:
    - type: log
      enabled: true
      paths:
        - /var/log/nginx/access.log
    
    output.file:
      path: "/tmp/"
      filename: "filebeat_nginx.log"
    

    2.启动

    #启动Filebeat(CentOS6)
    [root@web01 ~]# /etc/init.d/filebeat start
    
    #启动Filebeat(CentOS7)
    [root@web01 ~]# systemctl start filebeat
    
    #检测进程
    [root@web01 ~]# ps -ef|grep filebeat
    root      10881      1  0 01:06 pts/1    00:00:00 /usr/share/filebeat/bin/filebeat-god -r / -n -p /var/run/filebeat.pid -- /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat
    root      10882  10881  0 01:06 pts/1    00:00:00 /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat
    

    3.验证文件

    [root@web01 ~]# ll /tmp/
    -rw------- 1 root root   3760 Dec  8 17:47 filebeat_nginx.log
    

    二、filebeat收集单日志到ES

    1.配置

    [root@web01 ~]# vim /etc/filebeat/filebeat.yml 
    filebeat.inputs:
    - type: log
      enabled: true
      paths:
        - /var/log/nginx/access.log
    
    output.elasticsearch:
      hosts: ["http://10.0.0.71:9200"]
    

    2.启动

    [root@web01 ~]# systemctl restart filebeat.service
    

    三、filebeat收集单日志json格式到ES

    1.配置nginx的json格式日志

    [root@web01 ~]# cat /etc/nginx/nginx.conf
    http {
    	... ...
    	log_format json '{ "time_local": "$time_local", '
                              '"remote_addr": "$remote_addr", '
                              '"referer": "$http_referer", '
                              '"request": "$request", '
                              '"status": $status, '
                              '"bytes": $body_bytes_sent, '
                              '"agent": "$http_user_agent", '
                              '"x_forwarded": "$http_x_forwarded_for", '
                              '"up_addr": "$upstream_addr",'
                              '"up_host": "$upstream_http_host",'
                              '"upstream_time": "$upstream_response_time",'
                              '"request_time": "$request_time" }';
    
        access_log  /var/log/nginx/access.log  json;
     ... ...
    

    2.配置收集日志

    [root@web01 ~]# vim /etc/filebeat/filebeat.yml 
    filebeat.inputs:
    - type: log
      enabled: true
      paths:
        - /var/log/nginx/access.log
      json.keys_under_root: true
      json.overwrite_keys: true
    
    output.elasticsearch:
      hosts: ["http://10.0.0.71:9200"]
    

    3.启动

    [root@web01 ~]# systemctl restart nginx
    [root@web01 ~]# systemctl restart filebeat.service 
    

    四、自定义ES索引名称

    1.配置

    [root@web01 ~]# vim /etc/filebeat/filebeat.yml 
    filebeat.inputs:
    - type: log
      enabled: true
      paths:
        - /var/log/nginx/access.log
      json.keys_under_root: true
      json.overwrite_keys: true
    
    output.elasticsearch:
      hosts: ["http://10.0.0.71:9200"]
      index: "nginx_json_log_%yyyy-MM-dd}"
    setup.template.name: "filebeat-*"
    setup.template.pattern: "filebeat-*"
    
    #注意:配置索引模板需要顶头写,模板名称与指定索引名字无关
    

    2.启动

    [root@web01 ~]# systemctl restart filebeat.service 
    

    五、filebeat收集单日志到redis

    1.配置

    [root@web01 ~]# vim /etc/filebeat/filebeat.yml 
    filebeat.inputs:
    - type: log
      enabled: true
      paths:
        - /var/log/nginx/access.log
      json.keys_under_root: true
      json.overwrite_keys: true
    
    output.redis:
      hosts: ["10.0.0.81:6379"]
      key: "nginx_log"
      db: 0
      
    [root@redis01 ~]# vim /etc/redis
    bind  10.0.0.81 172.16.1.81 127.0.0.1
    

    2.启动

    [root@web01 ~]# systemctl restart filebeat.service 
    [root@redis01 ~]# systemctl  restart redis
    

    3.redis查看数据

    127.0.0.1:6379> keys *
    1) "nginx_log"
    127.0.0.1:6379> LLEN nginx_log
    (integer) 33
    

    六、filebeat收集单日志到logstash

    1.配置

    [root@web01 ~]# vim /etc/filebeat/filebeat.yml 
    filebeat.inputs:
    - type: log
      enabled: true
      paths:
        - /var/log/nginx/access.log
      json.keys_under_root: true
      json.overwrite_keys: true
    
    output.logstash:
      hosts: ["10.0.0.81:7890"]
    

    2.启动

    [root@web01 ~]# systemctl restart filebeat.service
    

    3.配置logstash

    [root@redis01 ~]# vim /etc/logstash/conf.d/filebeat_logstash_es.conf
    input {
      beats {
        port => "7890"
      }
    }
    
    output {
      elasticsearch {
        hosts => ["10.0.0.71:9200"]
        index => "filebeat_logstash_%{+YYYY-MM-dd}"
      }
    }
    
    [root@redis01 ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/filebeat_logstash_es.conf &
    

    七、filebeat收集多日志到ES

    1.方法一:

    [root@web01 ~]# vim /etc/filebeat/filebeat.yml 
    
    filebeat.inputs:
    - type: log
      enabled: true
      paths:
        - /var/log/nginx/access.log
        - /var/log/nginx/error.log
      json.keys_under_root: true
      json.overwrite_keys: true
    
    output.elasticsearch:
      hosts: ["http://10.0.0.71:9200"]
      index: "nginx_json_%{+yyyy-MM-dd}"
    setup.template.name: "filebeat-*"
    setup.template.pattern: "filebeat-*"
    

    2.方法二:

    [root@web01 ~]# cat /etc/filebeat/filebeat.yml 
    filebeat.inputs:
    - type: log
      enabled: true
      paths:
        - /var/log/nginx/access.log
      json.keys_under_root: true
      json.overwrite_keys: true
    
    - type: log
      enabled: true
      paths:
        - /var/log/nginx/error.log
    
    output.elasticsearch:
      hosts: ["http://10.0.0.71:9200"]
      index: "nginx_json_%{+yyyy-MM-dd}"
    setup.template.name: "filebeat-*"
    setup.template.pattern: "filebeat-*"
    

    八、filebeat收集多日志到多个ES索引

    1.方法一:

    [root@web01 ~]# cat !$
    cat /etc/filebeat/filebeat.yml
    filebeat.inputs:
    - type: log
      enabled: true
      paths:
        - /var/log/nginx/access.log
      json.keys_under_root: true
      json.overwrite_keys: true
    
    - type: log
      enabled: true
      paths:
        - /var/log/nginx/error.log
    
    output.elasticsearch:
      hosts: ["http://10.0.0.71:9200"]
      indices:
        - index: "nginx_access_%{+yyyy-MM-dd}"
          when.contains:
            source: "/var/log/nginx/access.log"
        - index: "nginx_error_%{+yyyy-MM-dd}"
          when.contains:
            source: "/var/log/nginx/error.log"
    setup.template.name: "filebeat-*"
    setup.template.pattern: "filebeat-*"
    

    2.方法二

    [root@web01 ~]# cat /etc/filebeat/filebeat.yml 
    filebeat.inputs:
    - type: log
      enabled: true
      paths:
        - /var/log/nginx/access.log
      json.keys_under_root: true
      json.overwrite_keys: true
      tags: ["access"]
    
    - type: log
      enabled: true
      paths:
        - /var/log/nginx/error.log
      tags: ["error"]
    
    output.elasticsearch:
      hosts: ["http://10.0.0.71:9200"]
      indices:
        - index: "nginx_access_%{+yyyy-MM-dd}"
          when.contains:
            tags: "access"
        - index: "nginx_error_%{+yyyy-MM-dd}"
          when.contains:
            tags: "error"
    setup.template.name: "filebeat-*"
    setup.template.pattern: "filebeat-*"
    

    九、filebeat收集java的报错日志

    1.配置收集tomcat日志

    [root@web01 ~]# vim /etc/filebeat/filebeat.yml 
    filebeat.inputs:
    - type: log
      enabled: true
      paths:
        - /usr/local/tomcat/logs/tomcat_access_json.*.log
      json.keys_under_root: true
      json.overwrite_keys: true
    
    output.elasticsearch:
      hosts: ["http://10.0.0.71:9200"]
      index: "tomcat_access_%{+yyyy-MM-dd}"
    setup.template.name: "filebeat-*"
    setup.template.pattern: "filebeat-*"
    

    2.配置收集java报错日志

    [root@web01 ~]# cat /etc/filebeat/filebeat.yml 
    filebeat.inputs:
    - type: log
      enabled: true
      paths:
        - /usr/local/tomcat/logs/localhost_access_log.*.txt
      multiline.pattern: '^['
      multiline.negate: true
      multiline.match: after
      json.keys_under_root: true
      json.overwrite_keys: true
      json.message_key: log
    
    output.elasticsearch:
      hosts: ["http://10.0.0.71:9200"]
      index: "tomcat_access_%{+yyyy-MM-dd}"
    setup.template.name: "filebeat-*"
    setup.template.pattern: "filebeat-*"
    

    十、kibana画图统计客户端IP

    1.安装geoip

    [root@web01 ~]# cd /etc/logstash/
    [root@web01 /etc/logstash]# rz
    [root@web01 /etc/logstash]# ll
    -rw-r--r-- 1 root root 33255554 May 26  2020 ingest-geoip-6.6.0.zip
    
    [root@web01 /etc/logstash]# unzip ingest-geoip-6.6.0.zip
    
    [root@web01 /etc/logstash]# ll config/
    total 65816
    -rw-rw-r-- 1 root root  6173457 Jan 24  2019 GeoLite2-ASN.mmdb
    -rw-rw-r-- 1 root root 57784030 Jan 24  2019 GeoLite2-City.mmdb
    -rw-rw-r-- 1 root root  3428908 Jan 24  2019 GeoLite2-Country.mmdb
    

    2.配置

    #进入Logstash配置文件目录
    [root@web01 logstash]# cd /etc/logstash/conf.d/
    
    #编辑Logstash配置文件
    [root@web01 conf.d]# vim nginx_es_ip.conf
    input {
      file {
        path => "/var/log/nginx/access.log"
        codec => "json"
      }
    }
    
    filter {
      geoip {
    	source => "clientip"
    	target => "geoip"
    	database => "/etc/logstash/config/GeoLite2-City.mmdb"
    	add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
    	add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
      }
      mutate {
    	convert => [ "[geoip][coordinates]", "float"]
      }
    }
    
    output {
        elasticsearch {
          hosts => ["10.0.0.71:9200"]
          index => "logstash-%{type}-%{+YYYY.MM.dd}"
        }
    }
    
    #启动Logstash
    [root@elkstack03 ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/redis_es_ip.conf &
    

    3.写入数据

    {"@timestamp":"2021-04-11T20:27:25+08:00","host":"222.28.0.112","clientip":"222.28.0.112","size":0,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.elk.com","url":"/index.html","domain":"www.elk.com","xff":"10.0.0.1","referer":"-","status":"304"}
    
    {"@timestamp":"2021-04-11T20:40:24+08:00","host":" 124.225.0.13","clientip":"124.225.0.13","size":0,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.elk.com","url":"/index.html","domain":"www.elk.com","xff":"10.0.0.1","referer":"-","status":"304"}
    
    {"@timestamp":"2021-04-11T20:45:24+08:00","host":" 124.234.0.12","clientip":"124.234.0.12","size":0,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.elk.com","url":"/index.html","domain":"www.elk.com","xff":"10.0.0.1","referer":"-","status":"304"}
    
    {"@timestamp":"2021-04-11T20:46:24+08:00","host":" 123.164.0.18","clientip":"123.164.0.18","size":0,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.elk.com","url":"/index.html","domain":"www.elk.com","xff":"10.0.0.1","referer":"-","status":"304"}
    
  • 相关阅读:
    蛤玮学计网 -- 简单的判断ip
    修路方案 Kruskal 之 次小生成树
    单词拼接 ----- 深搜
    KMP 算法
    城市平乱 ---- Dijkstra
    最少换乘
    ubuntu-vnc
    sshpass----------------sshfs--sftp(sublime)
    snmp ubuntu/centos--
    erlang ssl
  • 原文地址:https://www.cnblogs.com/jhno1/p/14237676.html
Copyright © 2011-2022 走看看