ELK之六-----logstash结合redis收集系统日志和nginx访问日志

一、logstash结合redis收集系统日志

架构图:

环境准备:

A主机:elasticsearch主机     IP地址:192.168.7.100

B主机:logstash主机            IP地址:192.168.7.102

C主机:redis主机                IP地址:192.168.7.103

D主机:logstash主机/nginx主机          IP地址:192.168.7.101

1、安装并配置redis

1、安装并配置redis服务,并启动redis服务

[root@redis ~]# yum install redis -y
[root@redis ~]# vim /etc/redis.conf 
bind 0.0.0.0  # 监听本地的所有地址
requirepass 123456  #为了redis安全,设置一个密码

[root@redis ~]# systemctl restart redis  # 启动redis服务

2、在logstash-D主机安装logstash服务

1、先安装JDK、并创建软链接

[root@logstash-1 ~]# cd /usr/local/src
[root@logstash-1 src]# ls
jdk1.8.0_212  jdk-8u212-linux-x64.tar.gz  sonarqube-6.7.7  sonarqube-6.7.7.zip
[root@logstash-1 src]# tar xvf jdk-8u212-linux-x64.tar.gz 
[root@logstash-1 src]# ln -s /usr/local/src/jdk-8u212-linux-x64.tar.gz  /usr/local/jdk
[root@logstash-1 src]# ln -s /usr/local/jdk/bin/java /usr/bin/

2、配置JDK的环境变量,并使其生效

[root@logstash-1 src]# vim /etc/profile.d/jdk.sh   # 设置JDK环境变量
export HISTTIMEFORMAT="%F %T `whoami`"
export export LANG="en_US.utf-8"
export JAVA_HOME=/usr/local/jdk
export CLASSPATH=.:$JAVA_HOME/jre/lib/rt.jar:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
export PATH=$PATH:$JAVA_HOME/bin

[root@logstash-1 src]# .  /etc/profile.d/jdk.sh # 使JDK环境变量生效

3、安装logstash

[root@logstash-1 src]# yum install logstash-6.8.1.rpm -y

[root@logstash-1 ~]# vim /etc/profile.d/logstash.sh  # 定义logstash环境变量
export PATH=$PATH:/usr/share/logstash/bin/

[root@logstash-1 ~]# . /etc/profile.d/logstash.sh  # 使环境变量生效

4、在/etc/logstash/conf.d目录下创建一个写入到redis日志的文件:redis-es.conf

input {
   file {
      path => "/var/log/messages"  # 收集档期那logstash日志文件
      type => "message-101"  # 日志类型
      start_position => "beginning"
      stat_interval => "2" # 间隔2s
      #codec => "json"
  }
}


output {
   if [type] == "message-101" {
   redis {
     host => "192.168.7.103" # 将日志传到103的redis主机
     port => "6379"  # redis的监听端口号
     password => "123456"  # redisa的登陆密码
     db => "1"  # redis的数据库类型,默认是0
     key => "linux-7-101-key"  #自定义的key
     data_type => "list" # 数据类型改为list
   }
 }
}

5、如果logstash服务是以logstash用户启动,将logstash系统日志的权限改为644,否则logstash系统日志无法访问。

[root@logstash-1 conf.d]# vim /etc/systemd/system/logstash.service
[Unit]
Description=logstash

[Service]
Type=simple
User=root  #以root方式启动logstash服务,生产中最好以logstash服务启动
Group=root
# Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
# Prefixing the path with '-' makes it try to load, but if the file doesn't
# exist, it continues onward.
EnvironmentFile=-/etc/default/logstash
EnvironmentFile=-/etc/sysconfig/logstash
ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/etc/logstash"
Restart=always
WorkingDirectory=/
Nice=19
LimitNOFILE=16384

[Install]
WantedBy=multi-user.target


[root@logstash-1 conf.d]# chmod 644 /var/log/messages  # 将系统日志权限进行修改。

6、启动logstash服务

# systemctl start logstash

3、开始测试logstash服务

1、在logstash服务上对/var/log/messages系统日志进行输入信息

[root@logstash-1 src]# echo 11 >> /var/log/messages

2、在redis服务器上查登陆redis客户端查看此时显示的KEYS值

[root@redis ~]# redis-cli -h 192.168.7.103
192.168.7.103:6379> auth 123456
OK
192.168.7.103:6379> SELECT 1
OK
192.168.7.103:6379[1]> KEYS *
1) "linux-7-101-key"  # 可以看到此时的logstash服务将logstash服务器的系统日志已经传递到redis服务器上

此时在第二台logstash主机上可以将系统日志传到redis主机上。

4、在logstash-B主机上配置

1、在/etc/logstash/conf.d目录下创建一个提取redis缓存日志文件

input {
   redis {
     host => "192.168.7.103"  # redis主机IP地址
     port => "6379"
     password => "123456"
     db => "1"
     key => "linux-7-101-key" # 取出对应的KEY值
     data_type => "list"
  }
}


output {
   if [type] == "message-101" { # 提取与第二台logstash主机的log类型一致
     elasticsearch {
       hosts => ["192.168.7.100:9200"] # elasticsearch主机的IP地址
       index => "message-7-101-%{+YYYY.MM.dd}"
     }
 }
}

2、重启B主机的logstash服务  

# systemctl restart logstash

3、此时在redis服务器上查看数据已经被logstash服务器采集到并传到了elasticsearch服务器上。

192.168.7.103:6379[1]> KEYS *
(empty list or set)  # 此时的redis服务器数据为空

5、在kibana控制台创建索引

1、创建收集到redis数据的索引

2、在discover选项中查看收集到的信息

二、logstash结合redis收集nginx访问日志

1、在D主机安装nginx服务并将log日志配置为json格式 

1、安装nginx服务,最好是源码编译,方便后期升级nginx版本

[root@logstash-1 ~]# cd /usr/local/src
[root@logstash-1 src]# wget http://nginx.org/download/nginx-1.14.2.tar.gz
[root@logstash-1 src]# tar xvf nginx-1.14.2.tar.gz 
[root@logstash-1 nginx-1.14.2]# ./configure  --prefix=/apps/nginx  # 安装nginx,并制定安装目录
[root@logstash-1 nginx-1.14.2]# make -j 2 && make install  # 编译安装nginx

2、修改nginx配置文件,并将log日志改为json格式/apps/nginx/conf/nginx.conf

    log_format access_json '{"@timestamp":"$time_iso8601",'  
        '"host":"$server_addr",'
        '"clientip":"$remote_addr",'
        '"size":$body_bytes_sent,'
        '"responsetime":$request_time,'
        '"upstreamtime":"$upstream_response_time",'
        '"upstreamhost":"$upstream_addr",'
        '"http_host":"$host",'
        '"url":"$uri",'
        '"domain":"$host",'
        '"http_user_agent":"$http_user_agent",'
        '"xff":"$http_x_forwarded_for",'
        '"referer":"$http_referer",'
        '"status":"$status"}';

    access_log  /var/log/nginx/access.log  access_json;  # 定义json格式的日志,并指定存放在/var/log/nginx目录下


[root@logstash-1 nginx-1.14.2]# mkdir  /var/log/nginx  # 创建一个存放log日志的目录

  

3、启动nginx服务,并查看启动的80端口

[root@logstash-1 nginx-1.14.2]# /apps/nginx/sbin/nginx 
[root@logstash-1 nginx-1.14.2]# ss -nlt
State       Recv-Q Send-Q                           Local Address:Port                                          Peer Address:Port              
LISTEN      0      100                                  127.0.0.1:25                                                       *:*                  
LISTEN      0      511                                          *:80                                                       *:*                  
LISTEN      0      128                                          *:22                                                       *:*                  
LISTEN      0      100                                      [::1]:25                                                    [::]:*                  
LISTEN      0      50                          [::ffff:127.0.0.1]:9600                                                  [::]:*                  
LISTEN      0      128                                       [::]:22                                                    [::]:*

2、修改第logstash-D主机的配置文件  

1、在第二台logstash主机的/etc/logstash/conf.d目录下创建配置文件

input {
   file {
      path => "/var/log/messages"
      type => "message-7-101"
      start_position => "beginning"
      stat_interval => "2"
      #codec => "json"
  }
   file {
      path => "/var/log/nginx/access.log"
      type => "nginx-accesslog-7-101"
      start_position => "beginning"
      stat_interval => "2"
      codec => "json"
  }
}


output {
   if [type] == "message-7-101" {
   redis {
     host => "192.168.7.103"
     port => "6379"
     password => "123456"
     db => "1"
     key => "linux-7-101-key"
     data_type => "list"
   }}

   if [type] == "nginx-accesslog-7-101" {
   redis {
     host => "192.168.7.103"
     port => "6379"
     password => "123456"
     db => "1"
     key => "linux-nginxlog-7-101-key"
     data_type => "list"
   }
 }
}

2、重启logstash服务,将第一台的logstash主机服务停掉。

[root@logstash-1 conf.d]# systemctl restart logstash

3、在redis主机上查看logstash主机是否已经将数据传到redis上

192.168.7.103:6379[1]> KEYS *
1) "linux-7-101-key"  # 系统日志
2) "linux-nginxlog-7-101-key"  # nginx日志

3、在logstash-A主机上修改配置文件 

1、在/etc/logstash/conf.d目录下创建一个提取redis数据的配置文件

input {
   redis {
     host => "192.168.7.103"
     port => "6379"
     password => "123456"
     db => "1"
     key => "linux-7-101-key"  # 与第二台的logstash服务器key对应
     data_type => "list"
  }
   redis {
     host => "192.168.7.103"
     port => "6379"
     password => "123456"
     db => "1"
     key => "linux-nginxlog-7-101-key"  # 与第二台logstash服务器对应
     data_type => "list"
  }
}


output {
   if [type] == "message-7-101" {  # 与第二台logstash服务器对应
     elasticsearch {
       hosts => ["192.168.7.100:9200"]
       index => "message-7-101-%{+YYYY.MM.dd}"
     }
 }
   if [type] == "nginx-accesslog-7-101" {  # 与第二台logstash服务器对应
     elasticsearch {
       hosts => ["192.168.7.100:9200"]
       index => "nginx-accesslog-7-101-%{+YYYY.MM.dd}"
     }
 }
}

2、重启logstash服务

# systemctl restart logstash

3、查看reids主机的数据,此时数据已经为空,被此台logstash服务器已经取走

192.168.7.103:6379[1]> KEYS *
(empty list or set)
192.168.7.103:6379[1]> KEYS *
(empty list or set)

4、在kibaba网页上创建索引

1、在kibana网页上创建索引

 2、查看discover选项添加的索引信息

 

 

 

 

 

 

 

  

 

 

 

  

  

  

 

posted @ 2020-03-22 15:09  一叶知秋~~  阅读(550)  评论(0编辑  收藏  举报