ELK and nginx were installed from rpm packages:
https://www.elastic.co/guide/en/elasticsearch/reference/current/rpm.html
The other components are installed the same way.
nginx configuration:
    # Mainly adds the JSON log format and the proxy connection to Tomcat.
    # escape=json (added here; nginx 1.11.8+) keeps each line valid JSON when a
    # field such as the user agent or referer contains quotes or backslashes.
    log_format main escape=json '{"@timestamp":"$time_iso8601",'
        '"host":"$server_addr",'
        '"clientip":"$remote_addr",'
        '"size":$body_bytes_sent,'
        '"responsetime":$request_time,'
        '"upstreamtime":"$upstream_response_time",'
        '"upstreamhost":"$upstream_addr",'
        '"http_host":"$host",'
        '"url":"$uri",'
        '"xff":"$http_x_forwarded_for",'
        '"referer":"$http_referer",'
        '"agent":"$http_user_agent",'
        '"status":"$status"}';
    server {
        listen 80;
        server_name localhost;

        #charset koi8-r;

        # Write the JSON-formatted log to the file Logstash reads below;
        # without this line nginx keeps writing the default combined format.
        access_log logs/access.log main;

        location / {
            root html;
            index index.html index.htm;
            proxy_pass http://localhost:8080/;
        }
    }
Next, create a Logstash configuration file named nginxlog2es.conf and put it in the config directory:
    input {
        file {
            type => "nginx_access"
            path => "/usr/local/nginx/logs/access.log"
            codec => "json"
        }
    }

    filter {
        if [type] == "nginx_access" {

            geoip {
                # Must name the field from the nginx log_format ("clientip"); "ip" does not exist in these events.
                source => "clientip"
                target => "geoip"
                #database => "/etc/logstash/GeoLiteCity.dat"   ## optional
                # Longitude first, then latitude: the [lon, lat] order Elasticsearch expects for a geo_point array.
                add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
                add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
            }
            mutate {
                convert => [ "[geoip][coordinates]", "float"]
            }
        }
    }
    output {
        stdout { codec => rubydebug }
        elasticsearch {
            hosts => ["192.168.47.138:9200"]
            index => "logstash-%{type}-%{+YYYY.MM.dd}"
            document_type => "%{type}"
            flush_size => 20000
            idle_flush_time => 10
            sniffing => true
            template_overwrite => true
        }
    }
Start Tomcat: bin/startup.sh
Start nginx: sbin/nginx
Start Elasticsearch: systemctl start elasticsearch.service
Start Kibana: systemctl start kibana.service
Start Logstash: bin/logstash -f config/nginxlog2es.conf
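As an added example (not part of the original post), the script below reads lines in the shape produced by the log_format above, reproduces the [lon, lat] coordinates array that the geoip and mutate filters build, and counts 4xx/5xx responses per client IP. The sample log lines and the FAKE_GEOIP lookup are constructed stand-ins; the last sample line deliberately contains an unescaped quote to show why the json codec rejects such lines when escape=json is missing.

```python
import json
from collections import Counter

# Constructed sample in the shape of the page's log_format (not real traffic).
# The last line shows the failure mode: a quote inside $http_user_agent that
# nginx did not JSON-escape, which Logstash's json codec cannot parse.
SAMPLE_LOG = r'''
{"@timestamp":"2024-05-01T10:00:00+08:00","host":"10.0.0.5","clientip":"203.0.113.7","size":512,"responsetime":0.012,"upstreamtime":"0.010","upstreamhost":"127.0.0.1:8080","http_host":"example.test","url":"/","xff":"-","referer":"-","agent":"curl/8.0","status":"200"}
{"@timestamp":"2024-05-01T10:00:01+08:00","host":"10.0.0.5","clientip":"203.0.113.7","size":0,"responsetime":0.001,"upstreamtime":"-","upstreamhost":"127.0.0.1:8080","http_host":"example.test","url":"/manager/html","xff":"-","referer":"-","agent":"curl/8.0","status":"404"}
{"@timestamp":"2024-05-01T10:00:02+08:00","host":"10.0.0.5","clientip":"198.51.100.9","size":123,"responsetime":0.5,"upstreamtime":"0.49","upstreamhost":"127.0.0.1:8080","http_host":"example.test","url":"/","xff":"-","referer":"-","agent":"bad"agent","status":"502"}
'''

# Constructed stand-in for the geoip database: clientip -> (longitude, latitude).
FAKE_GEOIP = {"203.0.113.7": (139.69, 35.69), "198.51.100.9": (-0.13, 51.51)}


def parse_access_log(text):
    """Parse one JSON document per line; return (records, unparseable_lines)."""
    records, bad = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad.append(line)  # Logstash would tag such an event _jsonparsefailure
    return records, bad


def add_geoip_coordinates(record, lookup=FAKE_GEOIP):
    """Mimic the geoip + mutate filters: coordinates as [lon, lat] floats."""
    coords = lookup.get(record.get("clientip"))
    if coords is None:
        return record  # no match: Logstash tags _geoip_lookup_failure, we skip
    lon, lat = coords
    record["geoip"] = {"longitude": lon, "latitude": lat,
                       "coordinates": [float(lon), float(lat)]}
    return record


def error_counts_by_client(records, threshold=400):
    """Count responses with status >= threshold per client; $status is logged as a string."""
    return Counter(r["clientip"] for r in records if int(r["status"]) >= threshold)


if __name__ == "__main__":
    recs, bad = parse_access_log(SAMPLE_LOG)
    for r in recs:
        add_geoip_coordinates(r)
    print(len(recs), "parsed,", len(bad), "unparseable;", error_counts_by_client(recs))
```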
As for the various charts, play around with them yourself.
For the map, remember to tick both options:
The map looks like this:
I was using a virtual machine, and sometimes the host could not reach the VM's ip:9200 and so on. Advice online says to set network.host for the ELK components to 0.0.0.0, but that did not work in my test, and turning off the firewall did not work either; setting network.host to the CentOS machine's IP made it reachable.