四、logstash收集tomcat日志
在企业中,我们看到tomcat日志遇到异常(exception)一条日志可能是几行或者十几行甚至几十行,
组成的,那么,我们需要将多行日志变成一行日志,来收集
1.tomcat日志收集方式
这里我们有几种方式可以实现:
1.将日志改成Json格式
在企业中,想要将java日志改成json格式,并没有那么容易。
因为将日志改成Json格式,查看起来会很难受,有些开发人员不希望将日志格式改成Json的,
所以,在改日志格式之前需要跟开发人员进行沟通,那么将tomcat日志格式改成Json格式也有两种方式。
1)开发自己更改,通过程序代码,或者log4j
2)运维修改tomcat的server配置文件
2.通过logstash的mutiline模块实现多行匹配
2.安装tomcat
1)安装java环境
2)安装tomcat
1.上传代码包
[root@web01 ~]# rz
[root@web01 ~]# ll
-rw-r--r-- 1 root root 11026056 2020-12-04 18:04 apache-tomcat-9.0.30.tar.gz
2.解压tomcat包
[root@web01 ~]# tar xf apache-tomcat-9.0.30.tar.gz
3.将安装包移动并改名
[root@web01 ~]# mv apache-tomcat-9.0.30 /usr/local/tomcat-9.0.30
4.做软连接
[root@web01 ~]# ln -s /usr/local/tomcat-9.0.30 /usr/local/tomcat
3)配置站点
1.写一个测试页面到站点目录下的index.html文件中
[root@web01 ~]# echo 'TEST elk' > /usr/local/tomcat/webapps/ROOT/index.html
2.启动tomcat
[root@web01 ~]# /usr/local/tomcat/bin/startup.sh
3.检测tomcat端口是否启动
[root@web01 ~]# netstat -lntup|grep 8080
tcp 0 0 :::8080 :::* LISTEN 12569/java
4)访问测试
http://10.0.0.7:8080/
3.配置logstash收集tomcat日志
1)配置
[root@web01 ~]# vim /etc/logstash/conf.d/tomcat_log_es.conf
input {
file {
path => "/usr/local/tomcat/logs/localhost_access_log.*.txt"
start_position => "end"
type => "tomcat_log"
}
}
output {
elasticsearch {
hosts => ["10.0.0.71:9200"]
index => "tomcat_log_%{+YYYY-MM-dd}"
}
}
2)启动
[root@web01 ~]# logstash -f /etc/logstash/conf.d/tomcat_log_es.conf
4.收集tomcat的json格式日志方式一:
1)修改tomcat日志格式
[root@web01 ~]# vim /usr/local/tomcat/conf/server.xml
<!-- 注释掉原来的日志格式配置 -->
160 <!--Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
161 prefix="localhost_access_log" suffix=".txt"
162 pattern="%h %l %u %t "%r" %s %b" /-->
<!-- 添加新的日志格式配置 -->
163 <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
164 prefix="tomcat_access_json" suffix=".log"
165 pattern="{"clientip":"%h","ClientUser":"%l","authenticated":"%u","AccessT ime":"%t","method":"%r","status":"%s","SendBytes":"%b","Query?string" ;:"%q","partner":"%{Referer}i","AgentVersion":"%{User-Agent}i"}"/>
166
167 </Host>
168 </Engine>
169 </Service>
170 </Server>
2)重启Tomcat
[root@web01 ~]# /usr/local/tomcat/bin/shutdown.sh
[root@web01 ~]# /usr/local/tomcat/bin/startup.sh
3)查看新的日志
[root@web01 ~]# tail -f /usr/local/tomcat/logs/tomcat_access_json.2020-12-07.log
{"clientip":"10.0.0.1","ClientUser":"-","authenticated":"-","AccessTime":"[07/Dec/2020:22:51:25 +0800]","method":"GET / HTTP/1.1","status":"200","SendBytes":"9","Query?string":"","partner":"-","AgentVersion":"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"}
4)配置logstash收集新的日志
[root@web01 ~]# vim /etc/logstash/conf.d/tomcat_log_es.conf
input {
file {
path => "/usr/local/tomcat/logs/tomcat_access_json.*.log"
start_position => "end"
type => "tomcat_log"
}
}
output {
elasticsearch {
hosts => ["10.0.0.71:9200"]
index => "tomcat_json_log_%{+YYYY-MM-dd}"
}
}
5)启动服务
[root@web01 ~]# logstash -f /etc/logstash/conf.d/tomcat_log_es.conf
5.方式二:使用multiline插件收集java日志
使用codec的multiline插件实现多行匹配,这是一个可以将多行进行合并的插件,
而且可以使用what指定将匹配到的行与前面的行合并还是和后面的行合并
帮助文档:
https://www.elastic.co/guide/en/logstash/current/plugins-codecs-multiline.html
因为目前tomcat日志中没有exception,所以,我们把Logstash部署在ES上,收集一下ES的java日志。
1)测试多行匹配
[root@web01 ~]# vim /etc/logstash/conf.d/stdin_stdout.conf
input {
stdin {
codec => multiline {
pattern => "^["
negate => "true"
what => "previous"
}
}
}
output {
stdout {}
}
2)启动
[root@web01 ~]# logstash -f /etc/logstash/conf.d/stdin_stdout.conf
3)测试
#测试输入一堆内容,并没有打印,只有当输入一个以 [ 开头的时候才会结束并输出
jhvc
jkhv
jhv
jc
[
{
"message" => "jhvc
jkhv
jhv
jc",
"@timestamp" => 2020-12-07T15:15:49.182Z,
"@version" => "1",
"tags" => [
[0] "multiline"
],
"host" => "web01"
}
4)收集java日志写入ES
[root@web01 ~]# cat /etc/logstash/conf.d/java_es.conf
input {
file {
path => "/usr/local/tomcat/logs/tomcat_access_json.2020-12-07.log"
start_position => "end"
codec => multiline {
pattern => "^["
negate => "true"
what => "previous"
}
}
}
output {
elasticsearch {
hosts => ['10.0.0.71:9200']
index => "tomcat_json_log_%{+YYYY-MM-DD}"
}
}
5)启动
[root@web01 ~]# logstash -f /etc/logstash/conf.d/java_es.conf &
6)测试收集日志
[root@web01 ~]# cat tomcat.log >> /usr/local/tomcat/logs/tomcat_access_json.2020-12-07.log
7)去页面查看