ELK之十----logstash结合filebeat将日志存储到redis,再由logstash转存到elasticsearch

实战一:filebeat收集日志到redis再由logstash转存到elasticsearch主机

框架图:

环境准备:

A主机:elasticsearch/kibana   IP地址:192.168.7.100

B主机:logstash                      IP地址:192.168.7.102

C主机:filebeat/nginx             IP地址:192.168.7.103

D主机: redis                          IP地址: 192.168.7.104

1、filebeat收集系统和nginx日志到redis主机

1.1、安装redis服务,并修改配置

1、安装redis服务

# yum install redis  -y

2、修改redis配置文件,修改监听地址和密码

[root@web1 ~]# vim /etc/redis.conf 
bind 0.0.0.0
requirepasswd 123456

3、启动redis服务

# systemctl start redis

1.2、修改filebeat主机配置,将日志存到redis服务器上

1、修改filebeat主机配置文件,将日志存储到redis服务器上

[root@filebate tmp]# vim /etc/filebeat/filebeat.yml 
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/messages
  fields:
    host: "192.168.7.103"
    type: "filebeat-syslog-7-103"
    app: "syslog"
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log 
  fields:
    host: "192.168.7.103"
    type: "filebeat-nginx-accesslog-7-103"
    app: "nginx"

output.redis: 
  hosts: ["192.168.7.104"] # 写入redis服务器主机IP地址
  port: 6379 # redis监听的端口号
  password: "123456" # redis密码
  key: "filebeat-log-7-103"  # 自定义的key
  db: 0  # 选择默认的数据库
  timeout: 5  #超时时长,可以修改再大点

2、查看filebeat的关键信息

[root@filebate tmp]# grep -v "#" /etc/filebeat/filebeat.yml | grep -v "^$" 
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/messages
  fields:
    host: "192.168.7.103"
    type: "filebeat-syslog-7-103"
    app: "syslog"
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log 
  fields:
    host: "192.168.7.103"
    type: "filebeat-nginx-accesslog-7-103"
    app: "nginx"
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
setup.kibana:
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
output.redis: 
  hosts: ["192.168.7.104"]
  port: 6379
  password: "123456"
  key: "filebeat-log-7-103"
  db: 0
  timeout: 5

3、启动filebeat服务

# systemctl restart filebeat

2、在redis主机上测试验证数据

1、登陆redis客户端查看数据,此时可以看到对应的key值已经到达,说明数据可以到达redis服务器。

[root@web1 ~]# redis-cli -h 192.168.7.104
192.168.7.104:6379> auth 123456
OK
192.168.7.104:6379> KEYS *
1) "filebeat-log-7-103"
192.168.7.104:6379> 

3、在logstash收集redis服务器的日志

1、修改logstash配置文件,收集redis日志

[root@logstash conf.d]# vim logstash-to-es.conf 
input {
   redis {
     host => "192.168.7.104"  # redis主机的IP地址
     port => "6379" # 端口
     db => "0"  # 与filebeat对应的数据库
     password => "123456" #密码
     data_type => "list"  # 日志类型
     key => "filebeat-log-7-103" # 与filebeat对应的key值
     codec => "json"
   }
}


output {
  if [fields][app] == "syslog" {  # 与filebeat主机的app类型一致
    elasticsearch {
      hosts => ["192.168.7.100:9200"] # 日志转到elasticsearch主机上
      index => "logstash-syslog-7-103-%{+YYYY.MM.dd}"
    }}

  if [fields][app] == "nginx" { # 与filebeat主机的app类型一致
    elasticsearch {
      hosts => ["192.168.7.100:9200"]
      index => "logstash-nginx-accesslog-7-103-%{+YYYY.MM.dd}"
    }}
}

检查语法是否存在问题,如果不存在问题就启动服务

[root@logstash conf.d]# logstash -f  logstash-to-es.conf  -t
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[WARN ] 2020-03-16 10:05:05.487 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
Configuration OK  # 检查语法正确
[INFO ] 2020-03-16 10:05:16.597 [LogStash::Runner] runner - Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash

2、重启logstash服务器

# systemctl restart logstash

3、查看head插件收集的日志名称,此时就可以看到日志提取到的信息

4、在kibana网页上创建索引

1、在kibana网页上创建Nginx日志索引,同理系统日志也可以这样创建

 2、在discover查看提取到的nginx日志数据

3、查看收集到的系统日志

实战二:logstash结合filebeat收集到redis日志,并转存到elasticsearch主机

框架图:

环境准备:

这里没有太多测试主机,都是以单机形式测试,生产环境可以按上面的部署

A主机:elasticsearch/kibana   IP地址:192.168.7.100

B主机:logstash-A                      IP地址:192.168.7.102

C主机:filebeat/nginx             IP地址:192.168.7.103

D主机: redis                          IP地址: 192.168.7.104

E主机: logstash-B                 IP地址:192.168.7.101

1、安装并配置filebeat主机

1、安装filebeat包,这里需要在官网上下载包

[root@filebeat-1 ~]# yum install filebeat-6.8.1-x86_64.rpm -y

2、修改filebeat配置文件,将日志由filebeat传递到第一个logstash主机上,如果有多个filebeat对多个logstash主机进行转存日志,可以在output.logstash配置段,写入不同的logstash主机的IP地址

[root@filebate ~]# grep -v "#" /etc/filebeat/filebeat.yml  | grep -v "^$"
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/messages
  fields:
    host: "192.168.7.103"
    type: "filebeat-syslog-7-103"
    app: "syslog"
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log 
  fields:
    host: "192.168.7.103" # 指定本机的IP地址
    type: "filebeat-nginx-accesslog-7-103"
    app: "nginx"
output.logstash: 
  hosts: ["192.168.7.101:5044"] # 写到指定的logstash服务器上,如果有多个filebeat主机传递到不同logstash主机时,可以在另一个filebeat主机上写上另一个logstash主机的IP地址
  enabled: true # 是否传递到logstash服务器,默认是开启
  work: 1 # 工作线程
  compression_level: 3  # 压缩等级

3、重启filebeat服务

# systemctl restart filebeat

2、修改logstash-B主机,将日志存储到redis服务器上  

1、在/etc/logstash/conf.d/目录下创建一个存储到redis日志的配置文件,如果有多个filebeat、logstash和redis,可以分别对redis主机进行存储日志,减少logstash压力

[root@logstash-1 conf.d]# cat  filebeat-to-logstash.conf 
input {
  beats {
    host => "192.168.7.101" # logstash主机的IP地址,如果还有其他logstash主机转存到redis主机上,可以在另一台logstash主机上写入对应本机的IP地址,分担logstash主机的压力
    port => 5044  # 端口号
    codec => "json"
  }
}


output {
  if [fields][app] == "syslog" {
  redis {
       host => "192.168.7.104" #  存储到redis服务器地址
       port => "6379"
       db => "0"
       data_type => "list"
       password => "123456"
       key =>  "filebeat-syslog-7-103"  #定义不同日志的key,方便区分
       codec => "json"
  }}

  if [fields][app] == "nginx" {
  redis {
       host => "192.168.7.104"
       port => "6379"
       db => "0"
       data_type => "list"
       password => "123456"
       key =>  "filebeat-nginx-log-7-103" # 定义不同的key,方便分析
       codec => "json"
  }
}
}

2、对logstash主机进行测试

[root@logstash-1 conf.d]# logstash -f filebeat-to-logstash.conf  -t
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[WARN ] 2020-03-16 11:23:31.687 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
Configuration OK  # 测试配置文件正常

重新启动logstash服务

# systemctl  restart logstash

3、此时在redis主机上可以看到两个key值,说明logstash主机已经将日志存到redis主机上

[root@web1 ~]# redis-cli -h 192.168.7.104
192.168.7.104:6379> auth 123456
OK
192.168.7.104:6379> KEYS *
1) "filebeat-nginx-log-7-103"
2) "filebeat-syslog-7-103"

3、在logstash-A主机上配置提取redis的日志并转存到elasticsearch主机上

1、在logstash主机的/etc/logstash/conf.d目录下创建一个提取redis主机的日志

[root@logstash conf.d]# cat  logstash-to-es.conf 
input {
   redis {
     host => "192.168.7.104" # redis主机的IP地址
     port => "6379"
     db => "0"
     password => "123456"
     data_type => "list"
     key => "filebeat-syslog-7-103" # 写入对应的filebeat的key值
     codec => "json"
   }
   redis {
     host => "192.168.7.104" # redis主机的IP地址
     port => "6379"
     db => "0"
     password => "123456"
     data_type => "list"
     key => "filebeat-nginx-log-7-103"  # 针对filebeat写入的key值,
     codec => "json"
   }
}


output {
  if [fields][app] == "syslog" {  # 对应filebeat主机的app类型
    elasticsearch {
      hosts => ["192.168.7.100:9200"] # elasticsearch主机IP地址
      index => "logstash-syslog-7-103-%{+YYYY.MM.dd}"
    }}

  if [fields][app] == "nginx" {  # 对应filebeat主机的app类型
    elasticsearch {
      hosts => ["192.168.7.100:9200"]
      index => "logstash-nginx-accesslog-7-103-%{+YYYY.MM.dd}"
    }}
}

2、测试logstash主机的配置文件

[root@logstash conf.d]# logstash -f logstash-to-es.conf  -t
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[WARN ] 2020-03-16 11:31:30.943 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
Configuration OK

3、重启logstash主机服务

# systemctl restart logstash

4、在head插件查看获取到的系统日志和nginx日志

4、在kibana创建索引,查看收集到的日志信息

1、创建Nginx索引,系统日志索引同理

2、查看创建的索引信息

 

 

 

 

  

 

  

 

  

  

  

 

posted @ 2020-03-23 22:58  一叶知秋~~  阅读(1452)  评论(0编辑  收藏  举报