zoukankan      html  css  js  c++  java

  • ELKStack之操作深入(中)

    ELKStack之操作深入(中)

    链接:https://pan.baidu.com/s/1V2aYpB86ZzxL21Hf-AF1rA
    提取码:7izv
    复制这段内容后打开百度网盘手机App,操作更方便哦

    1. 企业级Elasticsearch使用详解

    1.1 基本概念

    Elasticsearch MySQL
    Index Database
    Type Table
    Document Row
    Field Column

    • Node:运行单个ES实例的服务器
    • Cluster:一个或多个节点构成集群
    • Index:索引是多个文档的集合(必须是小写字母)
    • Document:Index里每条记录称为Document,若干文档构建一个Index
    • Type:一个Index可以定义一种或多种类型,将Document逻辑分组
    • Field:ES存储的最小单元
    • Shards:ES将Index分为若干份,每一份就是一个分片。
    • Replicas:Index的一份或多份副本

    1.2 实验环境说明

    主机名 主机IP 用途
    ES1 192.168.200.16 elasticsearch-node1
    ES2 192.168.200.17 elasticsearch-node2
    ES3 192.168.200.18 elasticsearch-node3
    Logstash-Kibana 192.168.200.19 日志可视化服务器 
    #安装环境
[root@ES1 ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core) 
[root@ES1 ~]# uname -r
3.10.0-957.12.1.el7.x86_64
[root@ES1 ~]# systemctl stop firewalld
[root@ES1 ~]# setenforce 0
setenforce: SELinux is disabled

    #更换亚洲时区
[root@ES1 ~]# /bin/cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

#安装时间同步
[root@ES1 ~]# yum -y install ntpdate
[root@ES1 ~]# which ntpdate
/usr/sbin/ntpdate

#进行时间同步
[root@ES1 ~]# ntpdate ntp1.aliyun.com
27 Aug 22:29:56 ntpdate[7009]: adjust time server 120.25.115.20 offset 0.028693 sec

    1.3 企业级Elasticsearch集群部署

    在三台ES上都进行如下操作

    1.3.1 安装jdk

    #yum安装jdk1.8
[root@ES1 ~]# yum -y install java-1.8.0-openjdk

#导入yum方式安装ES的公钥
[root@ES1 ~]# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

    1.3.2 添加ES的yum源文件

    [root@ES1 ~]# vim /etc/yum.repos.d/elastic.repo
[root@ES1 ~]# cat /etc/yum.repos.d/elastic.repo
[elastic-6.x]

name=Elastic repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

    1.3.3 安装并修改elasticsearch的配置文件

    #安装elasticsearch
[root@ES1 ~]# yum -y install elasticsearch

#配置elasticsearch的配置文件
[root@ES1 ~]# cd /etc/elasticsearch/
[root@ES1 elasticsearch]# cp -a elasticsearch.yml elasticsearch.yml_bak

#修改前elasticsearch配置文件
[root@ES1 elasticsearch]# cat -n /etc/elasticsearch/elasticsearch.yml_bak | sed -n '17p;23p;33p;37p;55p;59p;68p;72p'
    17	#cluster.name: my-application
    23	#node.name: node-1
    33	path.data: /var/lib/elasticsearch
    37	path.logs: /var/log/elasticsearch
    55	#network.host: 192.168.0.1
    59	#http.port: 9200
    68	#discovery.zen.ping.unicast.hosts: ["host1", "host2"]
    72	#discovery.zen.minimum_master_nodes: 

#修改后elasticsearch配置文件
[root@ES1 elasticsearch]# cat -n /etc/elasticsearch/elasticsearch.yml | sed -n '17p;23p;33p;37p;55p;59p;68p;72p'
    17	cluster.name: elk-cluster
    23	node.name: node-1
    33	path.data: /var/lib/elasticsearch
    37	path.logs: /var/log/elasticsearch
    55	network.host: 192.168.200.16
    59	http.port: 9200
    68	discovery.zen.ping.unicast.hosts: ["192.168.200.16", "192.168.200.17","192.168.200.18"]
    72	discovery.zen.minimum_master_nodes: 2

    #将ES1配置文件拷贝到ES2和ES3
[root@ES1 elasticsearch]# scp /etc/elasticsearch/elasticsearch.yml 192.168.200.17:/etc/elasticsearch/
root@192.168.200.17's password: 
elasticsearch.yml                                                          100% 2899     2.0MB/s   00:00    
[root@ES1 elasticsearch]# scp /etc/elasticsearch/elasticsearch.yml 192.168.200.18:/etc/elasticsearch/
root@192.168.200.18's password: 
elasticsearch.yml                                                          100% 2899     2.1MB/s   00:00 

#只需要修改ES2和ES3的节点名称和监听端口即可
[root@ES2 elasticsearch]# cat -n /etc/elasticsearch/elasticsearch.yml | sed -n '17p;23p;33p;37p;55p;59p;68p;72p'
    17	cluster.name: elk-cluster
    23	node.name: node-2
    33	path.data: /var/lib/elasticsearch
    37	path.logs: /var/log/elasticsearch
    55	network.host: 192.168.200.17
    59	http.port: 9200
    68	discovery.zen.ping.unicast.hosts: ["192.168.200.16", "192.168.200.17","192.168.200.18"]
    72	discovery.zen.minimum_master_nodes: 2

[root@ES3 elasticsearch]# cat -n /etc/elasticsearch/elasticsearch.yml | sed -n '17p;23p;33p;37p;55p;59p;68p;72p'
    17	cluster.name: elk-cluster
    23	node.name: node-3
    33	path.data: /var/lib/elasticsearch
    37	path.logs: /var/log/elasticsearch
    55	network.host: 192.168.200.18
    59	http.port: 9200
    68	discovery.zen.ping.unicast.hosts: ["192.168.200.16", "192.168.200.17","192.168.200.18"]
    72	discovery.zen.minimum_master_nodes: 2

    1.3.4 启动三台ES上的elasticsearch

    [root@ES1 elasticsearch]# systemctl start elasticsearch
[root@ES2 elasticsearch]# systemctl start elasticsearch
[root@ES3 elasticsearch]# systemctl start elasticsearch

    1.3.5 查看集群节点的健康情况

    [root@ES1 elasticsearch]# curl -X GET "192.168.200.16:9200/_cat/health?v"
epoch      timestamp cluster     status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1567046042 02:34:02  elk-cluster green           3         3      0   0    0    0        0             0                  -                100.0%

    1.4 Elasticsearch数据操作

    RestFul API格式:curl -X<verb> '<protocol>://<host>:<port>/<path>?<query_string>' -d '<body>'

    参数 描述
    verb HTTP方法,比如GET,POST,PUT,HEAD,DELETE
    host ES集群中的任意节点主机名
    port ES HTTP服务端口,默认9200
    path 索引路径
    query_string 可选的查询请求参数。例如?pretty参数将格式化输出JSON数据
    -d 里面放一个GET的JSON格式请求主体
    body 自己写的JSON格式的请求主体 
    #列出数据库所有的索引
[root@ES1 ~]# curl -X GET "192.168.200.16:9200/_cat/indices?v"
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size

#创建一个索引
[root@ES1 ~]# curl -X PUT "192.168.200.16:9200/logs-test-2019.08.29"
{"acknowledged":true,"shards_acknowledged":true,"index":"logs-test-2019.08.29"}

#查看数据库所有索引
[root@ES1 ~]# curl -X GET "192.168.200.16:9200/_cat/indices?v"
health status index                uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   logs-test-2019.08.29 Yua-9GCmROOmCgqotJ_31w   5   1          0            0      2.2kb          1.1kb

    1.5 Head插件图形管理Elasticsearch

    1.5.1 head插件下载

    [root@ES1 ~]# wget https://npm.taobao.org/mirrors/node/latest-v4.x/node-v4.4.7-linux-x64.tar.gz
[root@ES1 ~]# ll -d node-v4.4.7-linux-x64.tar.gz 
-rw-r--r-- 1 root root 12189839 6月  29 2016 node-v4.4.7-linux-x64.tar.gz

[root@ES1 ~]# tar xf node-v4.4.7-linux-x64.tar.gz -C /usr/local/
[root@ES1 ~]# mv /usr/local/node-v4.4.7-linux-x64/ /usr/local/node-v4.4
[root@ES1 ~]# echo -e 'NODE_HOME=/usr/local/node-v4.4
PATH=$NODE_HOME/bin:$PATH
export NODE_HOME PATH' >> /etc/profile
[root@ES1 ~]# tail -3 /etc/profile
NODE_HOME=/usr/local/node-v4.4
PATH=$NODE_HOME/bin:$PATH
export NODE_HOME PATH
[root@ES1 ~]# source /etc/profile

    1.5.2 安装git客户端

    #yum安装git
[root@ES1 ~]# yum -y install git

#切换国内源
[root@ES1 ~]# npm config set registry http://registry.npm.taobao.org   

    #git拉取elasticsearch-head代码
[root@ES1 ~]# git clone git://github.com/mobz/elasticsearch-head.git
正克隆到 'elasticsearch-head'...
remote: Enumerating objects: 73, done.
remote: Counting objects: 100% (73/73), done.
remote: Compressing objects: 100% (53/53), done.
remote: Total 4333 (delta 36), reused 46 (delta 17), pack-reused 4260
接收对象中: 100% (4333/4333), 2.51 MiB | 29.00 KiB/s, done.
处理 delta 中: 100% (2409/2409), done.

[root@ES1 ~]# cd elasticsearch-head/
[root@ES1 elasticsearch-head]# npm install
#以下省略若干。。。

#特别提示:此安装过程报错也没关系,不影响使用

    npm install命令详解(https://blog.csdn.net/csdn_yudong/article/details/83721870)

    #修改源码包配置文件Gruntfile.js(在99行处下边增加一行代码如下)
[root@ES1 elasticsearch-head]# cat -n Gruntfile.js | sed -n '94,101p'
    94			connect: {
    95				server: {
    96					options: {
    97						port: 9100,
    98						base: '.',
    99						keepalive: true,    #添加一个逗号
   100	                    hostname: '*'       #增加本行代码
   101					}

    1.5.3 启动head插件

    [root@ES1 elasticsearch-head]# npm run start

> elasticsearch-head@0.0.0 start /root/elasticsearch-head
> grunt server

Running "connect:server" (connect) task
Waiting forever...
Started connect web server on http://localhost:9100

    1.5.4 浏览器上访问http://192.168.200.16:9100

    image.png-154.8kB

    虽然浏览器上我们打开了,但是我们发现插件无法连接elasticsearch的API,这是因为ES5.0+版本以后,要想连接API必须先要进行授权才行。

    1.5.5 先ES配置文件添加两行代码

    [root@ES1 elasticsearch-head]# echo -e 'http.cors.enabled: true
http.cors.allow-origin: "*"' >> /etc/elasticsearch/elasticsearch.yml
[root@ES1 elasticsearch-head]# tail -2 /etc/elasticsearch/elasticsearch.yml
http.cors.enabled: true
http.cors.allow-origin: "*"

#重启动elasticsearch
[root@ES1 elasticsearch-head]# systemctl restart elasticsearch

    1.5.6 浏览器上再次访问http://192.168.200.16:9100

    image.png-229.9kB

    image.png-251.9kB

    2. 企业级Logstash使用详解

    2.1 Logstash安装与Input常用插件

    2.1.1 Logstash-安装
    #yum安装jdk1.8
[root@Logstash-Kibana ~]# yum -y install java-1.8.0-openjdk

[root@Logstash-Kibana ~]# vim /etc/yum.repos.d/elastic.repo
[root@Logstash-Kibana ~]# cat /etc/yum.repos.d/elastic.repo
[elastic-6.x]

name=Elastic repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

[root@Logstash-Kibana ~]# yum -y install logstash

    2.1.2 Logstash-条件判断

    • 比较操作符:
      (1)相等:==,!=,<,>,<=,>=
      (2)正则:=(正则匹配),!(不匹配正则)
      (3)包含:in(包含),not in(不包含)
    • 布尔操作符:
      (1)and(与)
      (2)or(或)
      (3)nand(非与)
      1)xor(非或)
    • 一元运算符:
      (1)!:取反
      (2)():复合表达式
      (3)!():对复合表达式取反

    2.1.3 Logstash-Input之Stdin,File,Tcp,Beats插件

    #(1)stdin示例
input {
  stdin{    #标准输入(用户交互输入数据)
  }
}
filter {   #条件过滤(抓取字段信息)
}
output {
  stdout {
    codec => rubydebug  #输出调试(调试配置文件语法用)
  }
}

#(2)File示例
input {
  file {
    path => "/var/log/messages" #读取的文件路径
    tags => "123"           #标签
    type => "syslog"        #类型
  }
}
filter {   #条件过滤(抓取字段信息)
}
output {
  stdout {
    codec => rubydebug  #输出调试(调试配置文件语法用)
  }
}

#(3)TCP示例
input {
  tcp {
    port => 12345
    type => "nc"
  }
}
filter {   #条件过滤(抓取字段信息)
}
output {
  stdout {
    codec => rubydebug  #输出调试(调试配置文件语法用)
  }
}

#(4)Beats示例
input {
  beats {           #后便会专门讲,此处不演示
    port => 5044
  }
}
filter {   #条件过滤(抓取字段信息)
}
output {
  stdout {
    codec => rubydebug  #输出调试(调试配置文件语法用)
  }
}

    (1)input ==> stdin{}标准输入插件测试

    #创建logstash配置文件
[root@Logstash-Kibana ~]# vim /etc/logstash/conf.d/test.conf
[root@Logstash-Kibana ~]# cat /etc/logstash/conf.d/test.conf
input {
    stdin{
     }
 }
filter {
 }
output {
  stdout {
     codec => rubydebug
     }
}

    #测试logstash配置文件是否正确
[root@Logstash-Kibana ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf -t
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2019-09-04 14:58:15.396 [main] writabledirectory - Creating directory {:setting=>"path.queue", :path=>"/usr/share/logstash/data/queue"}
[INFO ] 2019-09-04 14:58:15.435 [main] writabledirectory - Creating directory {:setting=>"path.dead_letter_queue", :path=>"/usr/share/logstash/data/dead_letter_queue"}
[WARN ] 2019-09-04 14:58:16.016 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
Configuration OK      #配置文件正确
[INFO ] 2019-09-04 14:58:22.750 [LogStash::Runner] runner - Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash

    #启动Logstash进行测试
[root@Logstash-Kibana ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
#以上省略若干。。。
yangwenbo     #这就是用户输入的数据
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
{
       "message" => "yangwenbo",
      "@version" => "1",
          "host" => "Logstash-Kibana",
    "@timestamp" => 2019-09-04T07:03:18.814Z
}
12345         #这就是用户输入的数据
{
       "message" => "12345",
      "@version" => "1",
          "host" => "Logstash-Kibana",
    "@timestamp" => 2019-09-04T07:03:28.797Z
}

    特别提示:
    让用户直接输入数据的方式就是标准输入stdin{};
    将输入的数据存储到message以后直接输出到屏幕上进行调试就是标准输出stdout{codec => rubydebug}

    (2)input ==> file{}读取文件数据

    #修改Logstash配置文件
[root@Logstash-Kibana ~]# vim /etc/logstash/conf.d/test.conf
[root@Logstash-Kibana ~]# cat /etc/logstash/conf.d/test.conf
input {
  file {
       path => "/var/log/messages"
       tags => "123"
       type => "syslog"
     }
 }
filter {
 }
output {
   stdout {
      codec => rubydebug
     }
 }

    #启动Logstash
[root@Logstash-Kibana ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
#以下省略若干。。。

    #再开一个窗口向日志文件输入一句话
[root@Logstash-Kibana ~]# echo "yunwei" >> /var/log/messages

    #回头再去查看logstash的debug输出
{
          "type" => "syslog",
      "@version" => "1",
          "path" => "/var/log/messages",
          "tags" => [
        [0] "123"
    ],
    "@timestamp" => 2019-09-04T07:26:29.726Z,
          "host" => "Logstash-Kibana",
       "message" => "yunwei"
}

    (3)input ==> tcp{}通过监听tcp端口接收日志

    #修改logstash配置文件
[root@Logstash-Kibana ~]# vim /etc/logstash/conf.d/test.conf
[root@Logstash-Kibana ~]# cat /etc/logstash/conf.d/test.conf
input {
  tcp {
     port => 12345
     type => "nc"
   }
}
filter {
}
output {
   stdout {
     codec => rubydebug
    }
}

    #启动Logstash
[root@Logstash-Kibana ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
#以下省略若干。。。

    #再开一个窗口,查看12345端口监听情况
[root@Logstash-Kibana ~]# netstat -antup | grep 12345
tcp6       0      0 :::12345                :::*                    LISTEN      8538/java   

    #在ES1上安装nc向12345端口传输数据
[root@ES1 ~]# yum -y install nc
[root@ES1 ~]# echo "welcome to yangwenbo" | nc 192.168.200.19 12345

    #回头再去查看logstash的debug输出
{
          "host" => "192.168.200.16",
          "port" => 37944,
    "@timestamp" => 2019-09-04T09:41:11.396Z,
          "type" => "nc",
      "@version" => "1",
       "message" => "welcome to yangwenbo"
}

    2.1.4 更多Input插件的用户请查看官网链接

    https://www.elastic.co/guide/en/logstash/current/plugins-inputs-file.html

    2.2 Logstash-Input(Output)之Codec插件

    #Json/Json_lines示例
input {
  stdin {
    codec => json {     #将json格式的数据转码成UTF-8格式后进行输入
      charset => ["UTF-8"]
    }
  }
}
filter {
}
output {
  stdout {
    codec => rubydebug
  }
}

    codec => json {}将json格式数据进行编码转换

    #修改logstash配置文件
[root@Logstash-Kibana ~]# vim /etc/logstash/conf.d/test.conf
[root@Logstash-Kibana ~]# cat /etc/logstash/conf.d/test.conf
input {
  stdin {
     codec => json {     
        charset => ["UTF-8"]
      }
   }
}
filter {
}
output {
   stdout {
      codec => rubydebug
   }
}

    #启动Logstash
[root@Logstash-Kibana ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
#以下省略若干。。。

    #再开一个窗口进入python交互界面生成json格式数据
[root@Logstash-Kibana ~]# python
Python 2.7.5 (default, Apr  9 2019, 14:30:50) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-36)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import json
>>> data = [{'a':1,'b':2,'c':3,'d':4,'e':5}]
>>> json = json.dumps(data)
>>> print json
[{"a": 1, "c": 3, "b": 2, "e": 5, "d": 4}]    #这就是json格式数据

    #将json格式数据,输入后,查看logstash数据的输出结果
{
             "d" => 4,
             "e" => 5,
          "host" => "Logstash-Kibana",
             "a" => 1,
             "c" => 3,
             "b" => 2,
      "@version" => "1",
    "@timestamp" => 2019-09-04T11:29:12.044Z
}

    2.3 Logstash-Filter之Json,Kv插件

    #Json示例
input {
  stdin {
  }
}
filter {
  json {
    source => "message" #将保存在message中的json数据进行结构化解析
    target => "content" #解析后的结果保存在content里
  }
}
output {
  stdout {
    codec => rubydebug
  }
}

#Kv示例
filter {
  kv {
    field_split => "&?"     #将输入的数据按&字符进行切割解析
  }
}

    (1)filter => json {}将json的编码进行结构化解析过滤

    #修改logstash配置文件
[root@Logstash-Kibana ~]# vim /etc/logstash/conf.d/test.conf
[root@Logstash-Kibana ~]# cat /etc/logstash/conf.d/test.conf
input {
  stdin {
   }
}
filter {
}
output {
   stdout {
     codec => rubydebug
   }
}

    #启动Logstash
[root@Logstash-Kibana ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
#以下省略若干。。。

    #交互式输入json格式数据:{"a": 1, "c": 3, "b": 2, "e": 5, "d": 4}
{
       "message" => "{"a": 1, "c": 3, "b": 2, "e": 5, "d": 4}",    #数据都保存在了message字段里
          "host" => "Logstash-Kibana",
      "@version" => "1",
    "@timestamp" => 2019-09-05T06:15:17.723Z
}

    #再次修改logstash配置文件
[root@Logstash-Kibana ~]# vim /etc/logstash/conf.d/test.conf
[root@Logstash-Kibana ~]# cat /etc/logstash/conf.d/test.conf
input {
   stdin {
   }
}
filter {
   json {
      source => "message"
      target => "content"
    }
}
output {
   stdout {
      codec => rubydebug
   }
}

    #启动Logstash
[root@Logstash-Kibana ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
#以下省略若干。。。

    #交互式输入以下内容进行解析:{"a": 1, "c": 3, "b": 2, "e": 5, "d": 4}
{
    "@timestamp" => 2019-09-05T06:24:59.352Z,
       "content" => {     #json被结构化解析出来了
        "d" => 4,
        "e" => 5,
        "a" => 1,
        "c" => 3,
        "b" => 2
    },
          "host" => "Logstash-Kibana",
      "@version" => "1",
       "message" => "{"a": 1, "c": 3, "b": 2, "e": 5, "d": 4}"
}

    (2)filter => kv {}将输入的数据按照制定符号切割

    #修改logstash配置文件
[root@Logstash-Kibana ~]# vim /etc/logstash/conf.d/test.conf
[root@Logstash-Kibana ~]# cat /etc/logstash/conf.d/test.conf
input {
   stdin {
   }
}
filter {
    kv {
       field_split => "&?"
    }
}
output {
    stdout {
      codec => rubydebug
    }
}

    #启动Logstash
[root@Logstash-Kibana ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
#以下省略若干。。。

    #交互式输入以下数据,然后查看解析结果:name=yangwenbo&yunjisuan=benet&yunwei=666
{
    "@timestamp" => 2019-09-05T06:32:01.093Z,
        "yunwei" => "666",
          "name" => "yangwenbo",
       "message" => "name=yangwenbo&yunjisuan=benet&yunwei=666",
     "yunjisuan" => "benet",
      "@version" => "1",
          "host" => "Logstash-Kibana"
}

    2.4 Logstash-Filter之Grok插件

    2.4.1 grok自定义正则的数据抓取模式

    #日志输入示例:
223.72.85.86 GET /index.html 15824 200

#grok自定义正则的数据抓取示例
input {
  stdin {
  }
}
filter {
  grok {
    match => {
      "message" => '(?<client>[0-9.]+)[ ]+(?<method>[A-Z]+)[ ]+(?<request>[a-zA-Z/.]+)[ ]+(?<bytes>[0-9]+)[ ]+(?<num>[0-9]+)'
    }
  }
}
output {
  stdout {
    codec => rubydebug
  }
}

    操作演示

    #修改logstash配置文件
[root@Logstash-Kibana ~]# vim /etc/logstash/conf.d/test.conf
[root@Logstash-Kibana ~]# cat /etc/logstash/conf.d/test.conf
input {
   stdin {
    }
}
filter {
    grok {
       match => {
           "message" => '(?<client>[0-9.]+)[ ]+(?<method>[A-Z]+)[ ]+(?<request>[a-zA-Z/.]+)[ ]+(?<bytes>[0-9]+)[ ]+(?<num>[0-9]+)'
        }
    } 
}
output {
   stdout {
     codec => rubydebug
    }
}

    #启动Logstash
[root@Logstash-Kibana ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
#以下省略若干。。。

    #输入日志进行数据抓取测试:223.72.85.86 GET /index.html 15824 200
{
      "@version" => "1",
       "request" => "/index.html",
       "message" => "223.72.85.86 GET /index.html 15824 200",
        "method" => "GET",
         "bytes" => "15824",
          "host" => "Logstash-Kibana",
           "num" => "200",
    "@timestamp" => 2019-09-05T06:41:49.878Z,
        "client" => "223.72.85.86"
}

    2.4.2 grok内置正则的数据抓取模式

    为了方便用户抓取数据方便,官方自定义了一些内置正则的默认抓取方式
    Grok默认的内置正则模式,官方网页示例
    https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns

    #logstash默认挂载的常用的内置正则库文件
[root@Logstash-Kibana ~]# rpm -ql logstash | grep grok-patterns
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-patterns-core-4.1.2/patterns/grok-patterns
[root@Logstash-Kibana ~]# cat /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-patterns-core-4.1.2/patterns/grok-patterns
#以下省略无数条。。。

    操作演示

    #日志输入示例:223.72.85.86 GET /index.html 15824 200

    #修改logstash配置文件
[root@Logstash-Kibana ~]# vim /etc/logstash/conf.d/test.conf 
[root@Logstash-Kibana ~]# cat /etc/logstash/conf.d/test.conf 
input {
   stdin {
    }
}
filter {
   grok {
      match => { 
          "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:num}"
        }
    }
}
output {
    stdout {
       codec => rubydebug
    }
}

    #启动Logstash
[root@Logstash-Kibana ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
#以下省略若干。。。

    #输入日志进行数据抓取测试:223.72.85.86 GET /index.html 15824 200
{
        "client" => "223.72.85.86",
    "@timestamp" => 2019-09-05T06:55:31.459Z,
           "num" => "200",
          "host" => "Logstash-Kibana",
       "request" => "/index.html",
       "message" => "223.72.85.86 GET /index.html 15824 200",
      "@version" => "1",
        "method" => "GET",
         "bytes" => "15824"
}

    2.4.3 grok自定义内置正则的数据抓取模式

    #日志输入示例(新增一个数据):223.72.85.86 GET /index.html 15824 200 "welcome to yangwenbo"

    #修改logstash配置文件
[root@Logstash-Kibana ~]# vim /etc/logstash/conf.d/test.conf 
[root@Logstash-Kibana ~]# cat /etc/logstash/conf.d/test.conf 
input {
   stdin {
   }
}
filter {
   grok {
      patterns_dir => "/opt/patterns"     #自定义的内置正则抓取模板路径
      match => {
        "message" => '%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:num} "%{STRING:content}"'
        }
    }
}
output {
    stdout {
      codec => rubydebug
    }
}

    #创建自定义内置正则的挂载模板文件
[root@Logstash-Kibana ~]# vim /opt/patterns
[root@Logstash-Kibana ~]# cat /opt/patterns
STRING .*

    #启动Logstash
[root@Logstash-Kibana ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
#以下省略若干。。。

    #输入日志示例,查看数据抓取结果:223.72.85.86 GET /index.html 15824 200 "welcome to yangwenbo"
{
       "request" => "/index.html",
       "message" => "223.72.85.86 GET /index.html 15824 200 "welcome to yangwenbo"",
    "@timestamp" => 2019-09-05T07:25:23.949Z,
        "method" => "GET",
         "bytes" => "15824",
       "content" => "welcome to yangwenbo",
          "host" => "Logstash-Kibana",
           "num" => "200",
        "client" => "223.72.85.86",
      "@version" => "1"
}

    2.4.4 grok多模式匹配的数据抓取

    有的时候,我们可能需要抓取多种日志格式的数据
    因此,我们需要配置grok的多模式匹配的数据抓取

    #日志输入示例:
223.72.85.86 GET /index.html 15824 200 "welcome to yangwenbo"
223.72.85.86 GET /index.html 15824 200 《Mr.yang-2019-09-05》

    #修改logstash配置文件
[root@Logstash-Kibana ~]# vim /etc/logstash/conf.d/test.conf
[root@Logstash-Kibana ~]# cat /etc/logstash/conf.d/test.conf
input {
   stdin {
   }
}
filter {
   grok {
      patterns_dir => "/opt/patterns"
      match => [
         "message",'%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:num} "%{STRING:content}"',     
         "message",'%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:num} 《%{NAME:name}》'
          ]
     }
}
output {
    stdout {
        codec => rubydebug
    }
}

    #增加一个自定义的内置正则抓取变量
[root@Logstash-Kibana ~]# vim /opt/patterns
[root@Logstash-Kibana ~]# cat /opt/patterns
STRING .*
NAME .*

    #启动Logstash
[root@Logstash-Kibana ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
#以下省略若干。。。

    #输入日志示例,查看数据抓取结果
{
         "bytes" => "15824",
    "@timestamp" => 2019-09-05T07:51:29.505Z,
      "@version" => "1",
       "content" => "welcome to yangwenbo",
           "num" => "200",
       "message" => "223.72.85.86 GET /index.html 15824 200 "welcome to yangwenbo"",
          "host" => "Logstash-Kibana",
        "client" => "223.72.85.86",
       "request" => "/index.html",
        "method" => "GET"
}

-----------------------------------------------------------------------------

{
         "bytes" => "15824",
    "@timestamp" => 2019-09-05T07:51:38.083Z,
      "@version" => "1",
           "num" => "200",
       "message" => "223.72.85.86 GET /index.html 15824 200 《Mr.yang-2019-09-05》",
          "name" => "Mr.yang-2019-09-05",
          "host" => "Logstash-Kibana",
        "client" => "223.72.85.86",
       "request" => "/index.html",
        "method" => "GET"
}

    2.5 Logstash-Filter之geoip插件

    geoip插件可以对IP的来源进行分析,并通过Kibana的地图功能形象的显示出来。

    #日志输入示例
223.72.85.86 GET /index.html 15824 200 "welcome to yangwenbo"
119.147.146.189 GET /index.html 15824 200 《Mr.yang-2019-09-05》

    #修改logstash配置文件
[root@Logstash-Kibana ~]# vim /etc/logstash/conf.d/test.conf
[root@Logstash-Kibana ~]# cat /etc/logstash/conf.d/test.conf
input {
   stdin {
   }
}
filter {
   grok {
     patterns_dir => "/opt/patterns"
     match => [
        "message",'%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:num} "%{STRING:content}"',     
        "message",'%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:num} 《%{NAME:name}》'
         ]
    }
    geoip {
       source => "client"
       database => "/opt/GeoLite2-City.mmdb"
    }
}
output {
    stdout {
       codec => rubydebug
    }
}

    #下载geoip插件包
[root@Logstash-Kibana ~]# wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
[root@Logstash-Kibana ~]# ll -d GeoLite2-City.tar.gz 
-rw-r--r-- 1 root root 30044666 9月   4 19:40 GeoLite2-City.tar.gz

#解压安装geoip插件包
[root@Logstash-Kibana ~]# tar xf GeoLite2-City.tar.gz
[root@Logstash-Kibana ~]# cd GeoLite2-City_20190903/
[root@Logstash-Kibana ~]# cp GeoLite2-City_20190903/GeoLite2-City.mmdb /opt/

    #启动Logstash
[root@Logstash-Kibana ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
#以下省略若干。。。

    #输入日志示例,查看数据抓取结果
223.72.85.86 GET /index.html 15824 200 "welcome to yangwenbo"
{
    "@timestamp" => 2019-09-05T08:29:35.399Z,
       "content" => "welcome to yangwenbo",
         "geoip" => {
           "region_code" => "BJ",
         "country_code3" => "CN",      #IP所在国家
              "timezone" => "Asia/Shanghai",
         "country_code2" => "CN",
                    "ip" => "223.72.85.86",
        "continent_code" => "AS",
              "location" => {
            "lon" => 116.3889,     #IP所在地图经度
            "lat" => 39.9288       #IP所在地图纬度
        },
              "latitude" => 39.9288,
          "country_name" => "China",        
           "region_name" => "Beijing",      
             "city_name" => "Beijing",     #IP所在城市
             "longitude" => 116.3889
    },
       "message" => "223.72.85.86 GET /index.html 15824 200 "welcome to yangwenbo"",
       "request" => "/index.html",
         "bytes" => "15824",
           "num" => "200",
      "@version" => "1",
          "host" => "Logstash-Kibana",
        "client" => "223.72.85.86",
        "method" => "GET"
}

-----------------------------------------------------------------------------
119.147.146.189 GET /index.html 15824 200 《Mr.yang-2019-09-05》
{
    "@timestamp" => 2019-09-05T08:33:42.454Z,
          "name" => "Mr.yang-2019-09-05",
         "geoip" => {
           "region_code" => "GD",
         "country_code3" => "CN",
              "timezone" => "Asia/Shanghai",
         "country_code2" => "CN",
                    "ip" => "119.147.146.189",
        "continent_code" => "AS",
              "location" => {
            "lon" => 113.25,
            "lat" => 23.1167
        },
              "latitude" => 23.1167,
          "country_name" => "China",
           "region_name" => "Guangdong",
             "longitude" => 113.25
    },
       "message" => "119.147.146.189 GET /index.html 15824 200 《Mr.yang-2019-09-05》",
       "request" => "/index.html",
         "bytes" => "15824",
           "num" => "200",
      "@version" => "1",
          "host" => "Logstash-Kibana",
        "client" => "119.147.146.189",
        "method" => "GET"
}

    2.6 Logstash-输出(Output)插件

    #ES示例

output {
  elasticsearch {
    hosts => "localhost:9200"     #将数据写入elasticsearch
    index => "logstash-mr_chen-admin-%{+YYYY.MM.dd}"      #索引为xxx
  }
}

    3. 企业级Kibana使用详解

    主机名 主机IP 用途
    ES1 192.168.200.16 elasticsearch-node1
    ES2 192.168.200.17 elasticsearch-node2
    ES3 192.168.200.18 elasticsearch-node3
    Logstash-Kibana 192.168.200.19 日志可视化服务器

    3.1 ELK Stack配置应用案例

    #利用yum源安装kibana
[root@Logstash-Kibana ~]# yum -y install kibana

    #修改logstash配置文件
[root@Logstash-Kibana ~]# vim /etc/logstash/conf.d/test.conf
[root@Logstash-Kibana ~]# cat /etc/logstash/conf.d/test.conf
input {
   file {
      path => ["/var/log/messages"]
      type => "system"                #对数据添加类型
      tags => ["syslog","test"]       #对数据添加标识
      start_position => "beginning"
   }
file {
      path => ["/var/log/audit/audit.log"]
      type => "system"                #对数据添加类型
      tags => ["auth","test"]         #对数据添加标识
      start_position => "beginning"
   }
}
filter {
   }
output {
    if [type] == "system" {
          if [tags][0] == "syslog" {      #通过判断可以将不同日志写到不同的索引里
                 elasticsearch {
                        hosts => ["http://192.168.200.16:9200","http://192.168.200.17:9200","http://192.168.200.18:9200"]
                        index => "logstash-mr_yang-syslog-%{+YYYY.MM.dd}"
              }
              stdout { codec => rubydebug }
          }
          else if [tags][0] == "auth" {
                 elasticsearch {
                        hosts => ["http://192.168.200.16:9200","http://192.168.200.17:9200","http://192.168.200.18:9200"]
                        index => "logstash-mr_yang-auth-%{+YYYY.MM.dd}"
              }
              stdout { codec => rubydebug }
           }
     }
}

    #修改kibana的配置文件
#修改前
[root@Logstash-Kibana ~]# cat -n /etc/kibana/kibana.yml_bak | sed -n '7p;28p'
     7	#server.host: "localhost"
    28	#elasticsearch.hosts: ["http://localhost:9200"]

#修改后
[root@Logstash-Kibana ~]# cat -n /etc/kibana/kibana.yml | sed -n '7p;28p'
     7	server.host: "0.0.0.0"
    28	elasticsearch.hosts: ["http://192.168.200.16:9200"]     #就写一个ES主节点即可

    #启动kibana进程
[root@Logstash-Kibana ~]# systemctl start kibana

#启动logstash
[root@Logstash-Kibana ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf

    特别提示: 如果elasticsearch里没有任何索引,那么kibana是都取不到的 ,所以启动logstash先elasticsearch里写点数据就好了

    通过浏览器访问kibana http://192.168.200.19:5601
    image.png-679.4kB

    image.png-533.9kB

    依次创建两个索引

    image.png-195kB

    image.png-211.9kB

    创建两个索引后,如下图所示

    image.png-718.4kB

    3.2 Kibana常用查询表达式

    直接演示简单讲解kibana的数据检索功能

    image.png-661.5kB

    image.png-669.3kB
  • 相关阅读:
    淘宝IP地址库采集
    Android MediaCodec硬编兼容性测试方案
    《Tensorflow实战》之6.3VGGnet学习
    tensorflow问题集锦
    <tensorflow实战>之5.3实现进阶的卷积网咯
    CNN_minist
    tensorflow之MLP学习
    tensorflow学习之等价代码
    tensorflow学习之softmax regression
    NPE进一步学习
  • 原文地址:https://www.cnblogs.com/ywb123/p/11475362.html
Copyright © 2011-2022 走看看