极客时间运维进阶训练营第六周作业
1、基于 logstash filter 功能将 nginx 默认的访问日志及 error log 转换为 json 格式并写入 elasticsearch
tee /etc/logstash/conf.d/nginxlog-to-es.conf << "EOF"
input {
file {
path => "/apps/nginx/logs/access.log"
type => "nginx-accesslog"
stat_interval => "1"
start_position => "beginning"
}
file {
path => "/apps/nginx/logs/error.log"
type => "nginx-errorlog"
stat_interval => "1"
start_position => "beginning"
}
}
filter {
if [type] == "nginx-accesslog" {
grok {
match => { "message" => ["%{IPORHOST:clientip} - %{DATA:username} \[%{HTTPDATE:request-time}\] \"%{WORD:request-method} %{DATA:request-uri} HTTP/%{NUMBER:http_version}\" %{NUMBER:response_code} %{NUMBER:body_sent_bytes} \"%{DATA:referrer}\" \"%{DATA:useragent}\""] }
remove_field => "message"
add_field => { "project" => "magedu"}
}
mutate {
convert => [ "[response_code]", "integer"]
}
}
if [type] == "nginx-errorlog" {
grok {
match => { "message" => ["(?<timestamp>%{YEAR}[./]%{MONTHNUM}[./]%{MONTHDAY} %{TIME}) \[%{LOGLEVEL:loglevel}\] %{POSINT:pid}#%{NUMBER:threadid}\: \*%{NUMBER:connectionid} %{GREEDYDATA:message}, client: %{IPV4:clientip}, server: %{GREEDYDATA:server}, request: \"(?:%{WORD:request-method} %{NOTSPACE:request-uri}(?: HTTP/%{NUMBER:httpversion}))\", host: %{GREEDYDATA:domainname}"]}
remove_field => "message"
}
}
}
output {
if [type] == "nginx-accesslog" {
elasticsearch {
hosts => ["192.168.56.111:9200"]
index => "magedu-nginx-accesslog-%{+yyyy.MM.dd}"
user => "magedu"
password => "123456"
}}
if [type] == "nginx-errorlog" {
elasticsearch {
hosts => ["192.168.56.111:9200"]
index => "magedu-nginx-errorlog-%{+yyyy.MM.dd}"
user => "magedu"
password => "123456"
}}
}
EOF
systemctl restart logstash
2、基于 logstash 收集 json 格式的 nginx 访问日志
cp /apps/nginx/conf/nginx.conf{,.bak}
tee /apps/nginx/conf/nginx.conf << "EOF"
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
log_format access_json '{"@timestamp":"$time_iso8601",'
'"host":"$server_addr",'
'"clientip":"$remote_addr",'
'"size":$body_bytes_sent,'
'"responsetime":$request_time,'
'"upstreamtime":"$upstream_response_time",'
'"upstreamhost":"$upstream_addr",'
'"http_host":"$host",'
'"uri":"$uri",'
'"domain":"$host",'
'"xff":"$http_x_forwarded_for",'
'"referer":"$http_referer",'
'"tcp_xff":"$proxy_protocol_addr",'
'"http_user_agent":"$http_user_agent",'
'"status":"$status"}';
access_log /apps/nginx/logs/access.log access_json;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name localhost;
location / {
root html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
EOF
nginx -t
tee /etc/logstash/conf.d/nginx-json-log-to-es.conf << "EOF"
input {
file {
path => "/apps/nginx/logs/access.log"
start_position => "end"
type => "nginx-json-accesslog"
stat_interval => "1"
codec => json
}
}
output {
if [type] == "nginx-json-accesslog" {
elasticsearch {
hosts => ["192.168.56.111:9200"]
index => "nginx-accesslog-2.107-%{+YYYY.MM.dd}"
user => "magedu"
password => "123456"
}}
}
EOF
systemctl restart logstash
3、基于 logstash 收集 java 日志并实现多行合并
#收集java日志
tee /etc/logstash/conf.d/eslog2es.conf << "EOF"
input {
file {
path => "/data/eslogs/magedu-es-cluster1.log"
type => "eslog"
stat_interval => "1"
start_position => "beginning"
codec => multiline {
#pattern => "^\["
pattern => "^\[[0-9]{4}\-[0-9]{2}\-[0-9]{2}"
negate => "true"
what => "previous"
}
}
}
output {
if [type] == "eslog" {
elasticsearch {
hosts => ["192.168.56.113:9200"]
index => "magedu-eslog-%{+YYYY.ww}"
user => "magedu"
password => "123456"
}}
}
EOF
systemctl restart logstash.service
4、基于 logstash 收集 syslog 类型日志 (以 haproxy 替代网络设备)
#安装haproxy 模拟syslog 2022年12月3日 13:49:55
apt update && apt install haproxy
cp /etc/haproxy/haproxy.cfg{,.bak}
## 模拟接收syslog日志
tee -a /etc/haproxy/haproxy.cfg << "EOF"
listen kibana-5601
bind 192.168.56.117:5601
mode http
log global
server kibana-server1 192.168.56.111:5601 check inter 3s fall 3 rise 3
EOF
systemctl restart haproxy.service
cp /etc/rsyslog.d/49-haproxy.conf{,.bak}
sed -i 's#/var/log/haproxy.log#@@192.168.56.116:514#g' /etc/rsyslog.d/49-haproxy.conf
systemctl restart rsyslog.service
tee /etc/logstash/conf.d/syslog-haproxy-to-es.conf << "EOF"
input{
syslog {
type => "rsyslog-haproxy"
port => "514" #监听一个本地的端口
}}
output{
if [type] == "rsyslog-haproxy" {
elasticsearch {
hosts => ["192.168.56.111:9200"]
index => "magedu-rsyslog-haproxy-%{+YYYY.ww}"
user => "magedu"
password => "123456"
}}
}
EOF
systemctl restart logstash
5、logstash 收集日志并写入 Redis、再通过其它 logstash 消费至 elasticsearch 并保持 json 格式日志的解析
# 安装redis
apt update
apt-cache madison redis
apt install -y redis
cp /etc/redis/redis.conf{,.bak}
sed -i 's/bind 127.*/bind 0.0.0.0/g' /etc/redis/redis.conf
sed -i '/save.*0/d' /etc/redis/redis.conf
echo "requirepass 123456" >> /etc/redis/redis.conf
echo 'save ""' >> /etc/redis/redis.conf
systemctl restart redis
telnet 127.0.0.1 6379
# auth 123456
# keys *
# info
# lpop magedu-nginx-accesslog
# select 1 # 选择redis数据库
# 日志-to-redis
# redis为缓存的日志收集
tee /etc/logstash/conf.d/nginx-log-to-redis.conf << "EOF"
input {
file {
path => "/apps/nginx/logs/access.log"
type => "magedu-nginx-accesslog"
start_position => "beginning"
stat_interval => "1"
codec => "json" #对json格式日志进行json解析
}
file {
path => "/apps/nginx/logs/error.log"
type => "magedu-nginx-errorlog"
start_position => "beginning"
stat_interval => "1"
}
}
filter {
if [type] == "magedu-nginx-errorlog" {
grok {
match => { "message" => ["(?<timestamp>%{YEAR}[./]%{MONTHNUM}[./]%{MONTHDAY} %{TIME}) \[%{LOGLEVEL:loglevel}\] %{POSINT:pid}#%{NUMBER:threadid}\: \*%{NUMBER:connectionid} %{GREEDYDATA:message}, client: %{IPV4:clientip}, server: %{GREEDYDATA:server}, request: \"(?:%{WORD:request-method} %{NOTSPACE:request-uri}(?: HTTP/%{NUMBER:httpversion}))\", host: %{GREEDYDATA:domainname}"]}
remove_field => "message" #删除源日志
}
}
}
output {
if [type] == "magedu-nginx-accesslog" {
redis {
data_type => "list"
key => "magedu-nginx-accesslog"
host => "192.168.56.115"
port => "6379"
db => "0"
password => "123456"
}
}
if [type] == "magedu-nginx-errorlog" {
redis {
data_type => "list"
key => "magedu-nginx-errorlog"
host => "192.168.56.115"
port => "6379"
db => "0"
password => "123456"
}
}
}
EOF
systemctl restart logstash
# 日志流 redis-to-es
tee /etc/logstash/conf.d/redis-to-es.conf << "EOF"
input {
redis {
data_type => "list"
key => "magedu-nginx-accesslog"
host => "192.168.56.115"
port => "6379"
db => "0"
password => "123456"
}
redis {
data_type => "list"
key => "magedu-nginx-errorlog"
host => "192.168.56.115"
port => "6379"
db => "0"
password => "123456"
}
}
output {
if [type] == "magedu-nginx-accesslog" {
elasticsearch {
hosts => ["192.168.56.111:9200"]
index => "magedu-nginx-redis-accesslog-%{+yyyy.MM.dd}"
user => "magedu"
password => "123456"
}
}
if [type] == "magedu-nginx-errorlog" {
elasticsearch {
hosts => ["192.168.56.111:9200"]
index => "magedu-nginx-redis-errorlog-%{+yyyy.MM.dd}"
user => "magedu"
password => "123456"
}
}
}
EOF
systemctl restart logstash
6、基于 docker-compose 部署单机版本 ELK
install -d /data/es cd /data/es && git clone https://gitee.com/jiege-gitee/elk-docker-compose.git cd /data/es/elk-docker-compose &&\ docker-compose up -d elasticsearch docker exec -it elasticsearch /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive #设置账户密码 magedu123 #如果密码不同需要改密码 # vim kibana/config/kibana.yml # vim logstash/config/logstash.conf # vim logstash/config/logstash.conf docker-compose up -d
