# ELK-based Log Collection System

## 1. Environment Setup
- Elasticsearch 7.6.2
- Kibana 7.6.2
- Filebeat 7.6.2
- Nginx
- ab (ApacheBench) for generating test traffic

Mirror for faster downloads inside China: Huawei Cloud mirror (https://repo.huaweicloud.com/elasticsearch/7.6.2/)
- Install nginx from the rpm package
- Install the ab test tool:

```shell
yum -y install httpd-tools
```
- Install Elasticsearch and configure /etc/elasticsearch/elasticsearch.yml:

```shell
[root@shine107 elasticsearch]# grep "^[a-Z]" /etc/elasticsearch/elasticsearch.yml
node.name: node-1
path.data: /data/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.21.107
http.port: 9200
cluster.initial_master_nodes: ["node-1"]
```

The data directory (/data/elasticsearch) must be created manually and be writable by the elasticsearch service user.
- Install Kibana from the rpm package:

```shell
rpm -ivh kibana-7.6.2-x86_64.rpm
```

kibana.yml configuration:

```shell
[root@shine107 ~]# grep "^[a-Z]" /etc/kibana/kibana.yml
server.port: 5601
server.host: "192.168.21.107"
server.name: "db01"
elasticsearch.hosts: ["http://192.168.21.107:9200"]
kibana.index: ".kibana"
```

Check that Kibana is listening on port 5601:

```shell
netstat -lntup | grep 5601
```
With nginx and httpd-tools installed, start nginx:

```shell
systemctl start nginx
```

Use ab to generate 100 requests and watch the nginx access log:

```shell
# simulate 100 requests with 100 concurrent connections
ab -n 100 -c 100 http://192.168.21.107/
# follow the nginx access log
tail -f /var/log/nginx/access.log
```
- Install Filebeat and configure filebeat.yml (comments and blank lines stripped from the listing):

```shell
[root@shine107 ~]# egrep -v "#|^$" /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
output.elasticsearch:
  hosts: ["192.168.21.107:9200"]
```
Check how many lines access.log contains:

```shell
[root@shine107 ~]# wc -l /var/log/nginx/access.log
101 /var/log/nginx/access.log
```
Load the Elasticsearch index into Kibana:

- Go to Index Patterns --> Create index pattern
- Under Configure settings, choose @timestamp as the time field
- Open Discover
- Click add next to the message field to show it as a column
- Use filters to narrow down the results
## 2. Collecting JSON-formatted logs with Filebeat

#### 2.1 nginx log format configuration

nginx log_format configuration (escape=json makes nginx escape quotes and control characters inside variable values, so client-supplied headers cannot break the JSON structure):
```nginx
log_format log_json escape=json '{"@timestamp":"$time_iso8601",'   # request time in ISO 8601 format ($time_local gives the Common Log Format time instead)
    '"server_addr":"$server_addr",'                 # IP address of the server that accepted the request
    '"remote_addr":"$remote_addr",'                 # IP address of the client (the direct peer)
    '"host":"$host",'                               # requested host name
    '"uri":"$uri",'                                 # requested URI (normalized)
    '"body_bytes_sent":$body_bytes_sent,'           # bytes sent to the client excluding headers ($bytes_sent includes headers)
    '"request":"$request",'                         # full request line: method, URI and HTTP version
    '"request_length":$request_length,'             # request length in bytes (request line, headers and body)
    '"request_time":$request_time,'                 # request processing time in seconds
    '"status":"$status",'                           # response status code
    '"http_referer":"$http_referer",'               # page the request was linked from
    '"http_x_forwarded_for":"$http_x_forwarded_for",' # client IP as reported by (reverse) proxies; client-supplied, so trust it only when set by your own proxy, or use $remote_addr
    '"http_user_agent":"$http_user_agent"'          # client browser / user agent string
    '}';
access_log /var/log/nginx/access.log log_json;
```
Once the configuration is in place, clear the old nginx log so that only JSON lines remain:

```shell
# truncate the nginx access log
> /var/log/nginx/access.log
```
Configure the output index name in filebeat.yml:

```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  json.key_under_root: true
  json.overwrite_keys: true
output.elasticsearch:
  hosts: ["192.168.21.107:9200"]
  index: "nginx-%{[agent.version]}-%{+yyyy.MM}"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true
```
After restarting Filebeat, access.log is collected as JSON.
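As an added example (not part of the original post), a small Python check that decodes lines in the log_json format above the way Filebeat's json input does, tallies status codes per client, and flags lines that are not valid JSON, which is exactly what you get when escape=json is missing and a client sends a User-Agent or Referer containing a double quote. The sample lines are constructed; the same check applies to the Tomcat valve output in section 4, which does not escape values.

```python
import json
from collections import Counter

# Constructed sample lines in the log_json format above. The first two were
# written with escape=json (note the \" in the second User-Agent); the third is
# the same kind of request logged WITHOUT escape=json: the client's quotes are
# copied verbatim and the line is no longer valid JSON.
SAMPLE_LINES = [
    '{"@timestamp":"2020-04-01T10:00:00+08:00","server_addr":"192.168.21.107",'
    '"remote_addr":"192.168.21.1","host":"192.168.21.107","uri":"/",'
    '"body_bytes_sent":612,"request":"GET / HTTP/1.0","request_length":82,'
    '"request_time":0.000,"status":"200","http_referer":"",'
    '"http_x_forwarded_for":"","http_user_agent":"ApacheBench/2.3"}',
    '{"@timestamp":"2020-04-01T10:00:01+08:00","server_addr":"192.168.21.107",'
    '"remote_addr":"192.168.21.50","host":"192.168.21.107","uri":"/admin",'
    '"body_bytes_sent":153,"request":"GET /admin HTTP/1.1","request_length":120,'
    '"request_time":0.001,"status":"404","http_referer":"",'
    '"http_x_forwarded_for":"10.0.0.9","http_user_agent":"curl/7.64.1 \\"probe\\""}',
    '{"@timestamp":"2020-04-01T10:00:02+08:00","server_addr":"192.168.21.107",'
    '"remote_addr":"192.168.21.50","host":"192.168.21.107","uri":"/",'
    '"body_bytes_sent":612,"request":"GET / HTTP/1.1","request_length":90,'
    '"request_time":0.000,"status":"200","http_referer":"",'
    '"http_x_forwarded_for":"","http_user_agent":"curl/7.64.1 "probe""}',
]

def decode_line(line):
    """Decode one line the way Filebeat's json input does with json.add_error_key
    enabled: a JSON object becomes the event; anything else is kept as the raw
    message together with an error.message field."""
    try:
        doc = json.loads(line)
    except ValueError as exc:
        return {"message": line, "error": {"message": f"Error decoding JSON: {exc}"}}
    if not isinstance(doc, dict):
        return {"message": line, "error": {"message": "Error decoding JSON: not an object"}}
    return doc

def summarize(lines):
    """Count decodable/undecodable lines and tally (client, status) pairs."""
    events = [decode_line(line) for line in lines]
    good = [e for e in events if "error" not in e]
    bad = [e["message"] for e in events if "error" in e]
    by_client = Counter((e["remote_addr"], e["status"]) for e in good)
    return {"ok": len(good), "undecodable": len(bad),
            "status_by_client": by_client, "bad_lines": bad}

if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    print(result["ok"], "decoded,", result["undecodable"], "undecodable:", result["bad_lines"])
```

Lines reported as undecodable would land in Elasticsearch as an unparsed message field instead of searchable columns, so a non-zero count is the signal to check the log_format.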
## 3. Collecting nginx access and error logs

Filebeat configuration:

```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  json.key_under_root: true
  json.overwrite_keys: true
  tags: ["access"]
- type: log
  enabled: true
  paths:
    - /var/log/nginx/error.log
  tags: ["error"]
setup.kibana:
  host: "192.168.21.107:5601"
output.elasticsearch:
  hosts: ["192.168.21.107:9200"]
  indices:
    - index: "nginx-access-%{[agent.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "access"
    - index: "nginx-error-%{[agent.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "error"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true
```
## 4. Collecting Tomcat logs

Install Tomcat:

```shell
yum install tomcat tomcat-webapps tomcat-admin-webapps tomcat-docs-webapp tomcat-javadoc -y
```

Edit Tomcat's server.xml (the AccessLogValve entry is around line 135) so the access log is written as JSON. The double quotes inside the XML attribute must be written as &quot;, otherwise the attribute is malformed:

```xml
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="localhost_access_log." suffix=".txt"
       pattern="{&quot;client&quot;:&quot;%h&quot;, &quot;client user&quot;:&quot;%l&quot;, &quot;authenticated&quot;:&quot;%u&quot;, &quot;access time&quot;:&quot;%t&quot;, &quot;method&quot;:&quot;%r&quot;, &quot;status&quot;:&quot;%s&quot;, &quot;send bytes&quot;:&quot;%b&quot;, &quot;Query?string&quot;:&quot;%q&quot;, &quot;partner&quot;:&quot;%{Referer}i&quot;, &quot;Agent version&quot;:&quot;%{User-Agent}i&quot;}"/>
```

Unlike nginx with escape=json, AccessLogValve does not escape the values it substitutes, so a Referer or User-Agent containing a double quote produces a line that is not valid JSON.
References