Collecting logs with filebeat
1. Initializing the environment
1.1 Environment preparation
System version | Hostname | IP address | Services
---|---|---|---
CentOS 7.5 | node | 192.168.1.1 | es, kibana
CentOS 7.5 | test | 192.168.1.2 | filebeat
1.2 Installing ES
$ wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.6.0.rpm
$ yum -y install elasticsearch-6.6.0.rpm
$ egrep -v '#|^$' /etc/elasticsearch/elasticsearch.yml
node.name: node
path.data: /elk/data
path.logs: /elk/log
network.host: 192.168.1.1
http.port: 9200
$ mkdir -p /elk/{data,log}
$ chown elasticsearch.elasticsearch /elk -R
$ systemctl start elasticsearch
$ ss -lnt | grep 9200
LISTEN 0 128 ::ffff:192.168.1.1:9200 :::*
1.3 Installing Kibana
$ wget https://artifacts.elastic.co/downloads/kibana/kibana-6.6.0-x86_64.rpm
$ yum -y install kibana-6.6.0-x86_64.rpm
$ egrep -v '#|^$' /etc/kibana/kibana.yml
server.port: 5601
server.host: "192.168.1.1"
server.name: "node"
elasticsearch.hosts: ["http://192.168.1.1:9200"]
kibana.index: ".kibana"
$ systemctl start kibana
$ ss -lnt | grep 5601
LISTEN 0 128 192.168.1.1:5601 *:*
2. Collecting nginx logs
Because nginx's default log format is not JSON, the collected lines cannot be narrowed down to the key information right away, so we switch the format to JSON and split it into fields!
$ vim /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1
$ yum -y install nginx httpd-tools
$ vim /etc/nginx/nginx.conf
# add the following to switch the access log format to JSON
log_format json '{ "@time_local": "$time_local", '
                '"remote_addr": "$remote_addr", '
                '"referer": "$http_referer", '
                '"request": "$request", '
                '"status": $status, '
                '"bytes": $body_bytes_sent, '
                '"agent": "$http_user_agent", '
                '"x_forwarded": "$http_x_forwarded_for", '
                '"up_addr": "$upstream_addr",'
                '"up_host": "$upstream_http_host",'
                '"up_resp_time": "$upstream_response_time",'
                '"request_time": "$request_time"'
                ' }';
access_log /var/log/nginx/access.log json;
$ nginx -t
$ nginx
$ wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.6.0-x86_64.rpm
$ yum -y install filebeat-6.6.0-x86_64.rpm
$ rm -rf /etc/filebeat/filebeat.yml
$ vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["access"]
- type: log
  enabled: true
  paths:
    - /var/log/nginx/error.log
  tags: ["error"]
output.elasticsearch:
  hosts: ["192.168.1.1:9200"]
  indices:
    - index: "nginx-access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "access"
    - index: "nginx-error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "error"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true
$ systemctl start filebeat
$ ab -n 1000 -c 100 http://192.168.1.2/
$ ab -n 1000 -c 100 http://192.168.1.2/test
Add the index pattern in Kibana yourself:
The log is now split into several fields, which makes it easy to search for the key information!
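Before pointing filebeat at the JSON access log it is worth checking that every line actually decodes. The script below is an added example, not code from the original post: it reproduces what `json.keys_under_root` does on constructed sample lines, including one that breaks because the `log_format` above does not escape a double quote inside `$http_user_agent`. The same check applies to the tomcat access log in section 3.

```python
import json

# Constructed sample lines in the shape of the page's nginx `log_format json`.
# The third line is deliberately broken: its User-Agent contains a double quote,
# which that log_format writes unescaped (it has no `escape=json` parameter).
SAMPLE_ACCESS_LOG = r'''{ "@time_local": "10/Mar/2019:10:00:01 +0800", "remote_addr": "192.168.1.1", "referer": "-", "request": "GET / HTTP/1.0", "status": 200, "bytes": 612, "agent": "ApacheBench/2.3", "x_forwarded": "-", "up_addr": "-","up_host": "-","up_resp_time": "-","request_time": "0.000" }
{ "@time_local": "10/Mar/2019:10:00:02 +0800", "remote_addr": "192.168.1.1", "referer": "-", "request": "GET /test HTTP/1.0", "status": 404, "bytes": 153, "agent": "ApacheBench/2.3", "x_forwarded": "-", "up_addr": "-","up_host": "-","up_resp_time": "-","request_time": "0.000" }
{ "@time_local": "10/Mar/2019:10:00:03 +0800", "remote_addr": "10.0.0.7", "referer": "-", "request": "GET / HTTP/1.1", "status": 200, "bytes": 612, "agent": "Mozilla/5.0 "x"", "x_forwarded": "-", "up_addr": "-","up_host": "-","up_resp_time": "-","request_time": "0.001" }
'''

# Fields the Kibana searches on this page rely on; adjust to your own log_format.
REQUIRED = ("@time_local", "remote_addr", "request", "status", "bytes", "agent")

def check_access_log(text):
    """Decode every line the way filebeat's json.keys_under_root would and
    return (events, bad). Each entry in bad is (line number, reason): such a
    line is shipped as an undecoded `message`, so it never shows up in a
    field-based query and is what to look for when counts do not add up."""
    events, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError as exc:
            bad.append((lineno, "not JSON: %s" % exc.msg))
            continue
        missing = [k for k in REQUIRED if k not in event]
        if missing:
            bad.append((lineno, "missing fields: %s" % ", ".join(missing)))
        elif not isinstance(event["status"], int):
            bad.append((lineno, "status is not numeric"))
        else:
            events.append(event)
    return events, bad

def status_histogram(events):
    """Count events per HTTP status code: the kind of key information the page
    wants to reach quickly once the log is split into fields."""
    hist = {}
    for event in events:
        hist[event["status"]] = hist.get(event["status"], 0) + 1
    return hist

if __name__ == "__main__":
    good, bad = check_access_log(SAMPLE_ACCESS_LOG)
    print("decoded %d events, %d bad line(s): %s" % (len(good), len(bad), bad))
    print(status_histogram(good))
```

On nginx 1.11.8 or later, writing `log_format json escape=json '...'` makes nginx escape such characters so every line stays valid JSON.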
3. Collecting tomcat logs
Although the tomcat log is JSON by default, it is not split into fields, so the following configuration is needed to split it!
$ yum -y install tomcat tomcat-webapps tomcat-admin-webapps tomcat-docs-webapp tomcat-javadoc
$ vim /etc/tomcat/server.xml
# delete the original line 139 and add the following
# (inside an XML attribute every JSON double quote has to be written as &quot;):
pattern="{&quot;client&quot;:&quot;%h&quot;, &quot;client user&quot;:&quot;%l&quot;, &quot;authenticated&quot;:&quot;%u&quot;, &quot;access time&quot;:&quot;%t&quot;, &quot;method&quot;:&quot;%r&quot;, &quot;status&quot;:&quot;%s&quot;, &quot;send bytes&quot;:&quot;%b&quot;, &quot;Query?string&quot;:&quot;%q&quot;, &quot;partner&quot;:&quot;%{Referer}i&quot;, &quot;Agent version&quot;:&quot;%{User-Agent}i&quot;}"/>
$ systemctl start tomcat
$ vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/tomcat/localhost_access_log.*.txt
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["tomcat"]
output.elasticsearch:
  hosts: ["192.168.1.1:9200"]
  indices:
    - index: "tomcat-access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "tomcat"
setup.template.name: "tomcat"
setup.template.pattern: "tomcat-*"
setup.template.enabled: false
setup.template.overwrite: true
$ systemctl restart filebeat
Access tomcat yourself so that it produces some log lines!
Add the tomcat index pattern yourself!
4. Collecting ES logs
The ES log is a little different: a single error spans several lines, so multiline matching is needed! Install filebeat directly on the node host for this!
$ yum -y install filebeat-6.6.0-x86_64.rpm
$ vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /elk/log/elasticsearch.log
  tags: ["es"]
  multiline.pattern: '^\['
  multiline.negate: true
  multiline.match: after
output.elasticsearch:
  hosts: ["192.168.1.1:9200"]
  indices:
    - index: "es-java-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "es"
setup.template.name: "es"
setup.template.pattern: "es-java-*"
setup.template.enabled: false
setup.template.overwrite: true
$ systemctl start filebeat
Find a way to make ES produce some error logs!
Create the index pattern yourself.
This is the shape of an ES error, which is why the multiline merging technique above is needed!
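The multiline settings above are easier to trust once you can watch them act on a realistic trace. The Python below is an added example, not code from the original post: it reproduces filebeat's `multiline.pattern` / `multiline.negate` / `multiline.match` grouping over a constructed ES 6.x log excerpt, and also handles `match: before`, which the post does not use.

```python
import re

# Constructed sample in the shape of an ES 6.x log: every event begins with a
# "[timestamp]" line; a Java stack trace continues on lines that do not.
SAMPLE_ES_LOG = """\
[2019-03-10T10:00:00,001][INFO ][o.e.n.Node               ] [node] started
[2019-03-10T10:00:05,123][WARN ][r.suppressed             ] [node] path: /nginx-access-*/_search, params: {}
org.elasticsearch.action.search.SearchPhaseExecutionException: all shards failed
\tat org.elasticsearch.action.search.AbstractSearchAsyncAction.onPhaseFailure(AbstractSearchAsyncAction.java:293)
\tat org.elasticsearch.action.search.AbstractSearchAsyncAction.executeNextPhase(AbstractSearchAsyncAction.java:133)
Caused by: org.elasticsearch.index.query.QueryShardException: failed to create query
\t... 12 more
[2019-03-10T10:00:06,000][INFO ][o.e.c.m.MetaDataCreateIndexService] [node] [es-java-6.6.0-2019.03] creating index
"""

def merge_multiline(lines, pattern=r"^\[", negate=True, match="after"):
    """Group raw lines into events with filebeat's multiline semantics.
    A line is a continuation when (matches pattern) XOR negate holds;
    match="after" appends continuations to the event that precedes them,
    match="before" prepends them to the next non-continuation line.
    The defaults are the page's settings: pattern '^\\[', negate true, after."""
    events, buf = [], []
    for line in lines:
        continuation = bool(re.search(pattern, line)) != negate
        if match == "after":
            if continuation and buf:
                buf.append(line)
            else:
                if buf:
                    events.append("\n".join(buf))
                buf = [line]
        else:
            buf.append(line)
            if not continuation:
                events.append("\n".join(buf))
                buf = []
    if buf:
        events.append("\n".join(buf))
    return events

if __name__ == "__main__":
    raw = SAMPLE_ES_LOG.splitlines()
    merged = merge_multiline(raw)
    print("%d raw lines -> %d events" % (len(raw), len(merged)))
    for event in merged:
        # without multiline each of these lines would become its own document
        print("%d line(s): %s" % (event.count("\n") + 1, event.split("\n", 1)[0][:60]))
```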
5. Collecting docker container logs
Docker and docker-compose need to be installed first!
$ yum install -y yum-utils device-mapper-persistent-data lvm2
$ yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
$ yum install -y docker-ce-18.09.0-3.el7 docker-ce-cli-18.09.0-3.el7 containerd.io-1.2.0-3.el7
$ systemctl daemon-reload && systemctl start docker
$ curl -L https://github.com/docker/compose/releases/download/1.25.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
$ chmod +x /usr/local/bin/docker-compose
$ mkdir compose && cd compose
[root@test compose]# vim docker-compose.yaml
version: '3'
services:
  nginx:
    image: nginx
    labels:
      service: nginx
    logging:
      options:
        labels: "service"
    ports:
      - "80:80"
  db:
    image: nginx
    labels:
      service: db
    logging:
      options:
        labels: "service"
    ports:
      - "3306:80"
# one nginx image is used to simulate two different services
[root@test compose]# docker-compose up
$ vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  paths:
    - /var/lib/docker/containers/*/*-json.log
  json.keys_under_root: true
  json.overwrite_keys: true
output.elasticsearch:
  hosts: ["192.168.1.1:9200"]
  indices:
    - index: "docker-nginx-access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        attrs.service: "nginx"
        stream: "stdout"
    - index: "docker-nginx-error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        attrs.service: "nginx"
        stream: "stderr"
    - index: "docker-db-access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        attrs.service: "db"
        stream: "stdout"
    - index: "docker-db-error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        attrs.service: "db"
        stream: "stderr"
setup.template.name: "docker"
setup.template.pattern: "docker-*"
setup.template.enabled: false
setup.template.overwrite: true
$ systemctl restart filebeat
Access the services in the containers so that they produce logs!
Add the index patterns yourself!
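To see why `stream` plus `attrs.service` is enough to route both services into four indices, the added example below (not code from the post) decodes constructed docker json-file lines and applies the post's `indices` rules the way `when.contains` does. `BEAT_VERSION`, `DEFAULT_INDEX` and the sample lines are assumptions made for the example.

```python
import json
from datetime import datetime
BEAT_VERSION = "6.6.0"   # stands in for %{[beat.version]}

# Constructed lines in docker's json-file format. The nginx image writes its
# access log to stdout and its error log to stderr, and the compose file's
# `logging: options: labels: "service"` makes docker add attrs.service.
SAMPLE_CONTAINER_LOG = r'''{"log":"172.18.0.1 - - [10/Mar/2019:02:00:01 +0000] \"GET / HTTP/1.1\" 200 612 \"-\" \"curl/7.29.0\" \"-\"\n","stream":"stdout","attrs":{"service":"nginx"},"time":"2019-03-10T02:00:01.000000000Z"}
{"log":"2019/03/10 02:00:02 [error] 6#6: *1 open() \"/usr/share/nginx/html/missing\" failed (2: No such file or directory), client: 172.18.0.1, request: \"GET /missing HTTP/1.1\"\n","stream":"stderr","attrs":{"service":"nginx"},"time":"2019-03-10T02:00:02.000000000Z"}
{"log":"172.18.0.1 - - [10/Mar/2019:02:00:03 +0000] \"GET / HTTP/1.1\" 200 612 \"-\" \"curl/7.29.0\" \"-\"\n","stream":"stdout","attrs":{"service":"db"},"time":"2019-03-10T02:00:03.000000000Z"}
{"log":"container without a service label\n","stream":"stdout","time":"2019-03-10T02:00:04.000000000Z"}
'''
# The post's output.elasticsearch.indices rules: (index template, when.contains fields).
INDEX_RULES = [
    ("docker-nginx-access-%{[beat.version]}-%{+yyyy.MM}", {"attrs.service": "nginx", "stream": "stdout"}),
    ("docker-nginx-error-%{[beat.version]}-%{+yyyy.MM}",  {"attrs.service": "nginx", "stream": "stderr"}),
    ("docker-db-access-%{[beat.version]}-%{+yyyy.MM}",    {"attrs.service": "db",    "stream": "stdout"}),
    ("docker-db-error-%{[beat.version]}-%{+yyyy.MM}",     {"attrs.service": "db",    "stream": "stderr"}),
]
# Constructed fallback in the post's naming style for events that match no rule.
DEFAULT_INDEX = "filebeat-%{[beat.version]}-%{+yyyy.MM}"

def field(event, dotted):
    """Resolve a dotted name such as attrs.service; None when any part is absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def choose_index(event, rules=INDEX_RULES, version=BEAT_VERSION):
    """First rule whose fields all contain the expected substring wins, mirroring
    when.contains; the month is taken from docker's `time` here (filebeat uses @timestamp)."""
    month = datetime.strptime(event["time"][:19], "%Y-%m-%dT%H:%M:%S").strftime("%Y.%m")
    template = DEFAULT_INDEX
    for candidate, conds in rules:
        if all(isinstance(field(event, k), str) and v in field(event, k) for k, v in conds.items()):
            template = candidate
            break
    return template.replace("%{[beat.version]}", version).replace("%{+yyyy.MM}", month)

def route(text):
    """Decode each json-file line (as json.keys_under_root does) and return [(index, log)]."""
    out = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            out.append((choose_index(event), event["log"].rstrip("\n")))
    return out
```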
6. Monitoring with filebeat's built-in modules
Filebeat ships with many modules; nginx is used as the example here!
$ vim /etc/filebeat/filebeat.yml
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
  reload.period: 10s
output.elasticsearch:
  hosts: ["192.168.1.1:9200"]
  indices:
    - index: "nginx-access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        fileset.name: "access"
    - index: "nginx-error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        fileset.name: "error"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true
$ filebeat modules enable nginx
Enabled nginx
$ vim /etc/filebeat/modules.d/nginx.yml
- module: nginx
  # Access logs
  access:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/var/log/nginx/access.log"]
  # Error logs
  error:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/var/log/nginx/error.log"]
$ yum -y install nginx
$ nginx
The ES server needs the following two ingest plugins installed before the module's pipelines will work!
$ /usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-user-agent
$ /usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-geoip
$ systemctl restart elasticsearch
After the installation is complete:
$ filebeat setup
$ systemctl restart filebeat
$ ab -c 100 -n 100 http://192.168.1.2/
Add the error log index pattern:
7. Kibana x-pack monitoring