|NO.Z.00010|——————————|Deployment|——|Hadoop&ElasticSearch集中式日志分析系统.v10|——|Elasticsearch.v10|Logstash&Logstash部署.V2|

一、Input插件部署

### --- Input插件部署

~~~     stdin标准输入和stdout标准输出

### --- 使用标准的输入与输出组件

~~~     # 使用标准的输入与输出组件，实现将我们的数据从控制台输入，从控制台输出
[root@hadoop02 ~]# /opt/yanqi/servers/es/Logstash/bin/logstash -e 'input{stdin{}}output{stdout{codec=>rubydebug}}'
 ~~~    # 写入参数：
 hello
 ~~~    # 输出参数： 
{
      "@version" => "1",
    "@timestamp" => 2021-11-25T16:33:17.467Z,
          "host" => "hadoop02",
       "message" => "hello"
}

二、监控日志文件变化

### --- 监控日志文件变化

~~~     Logstash 使用一个名叫 FileWatch 的 Ruby Gem 库来监听文件变化。
~~~     这个库支持 glob 展开文件路径，
~~~     而且会记录一个叫 .sincedb 的数据库文件来跟踪被监听的日志文件的当前读取位置。
~~~     所以，不要担心 Logstash 会漏过你的数据。

### --- 编写脚本

~~~     # 编写脚本
~~~     # 补充：start_position => "beginning"或者是"end"
[root@hadoop02 ~]# vim /opt/yanqi/servers/es/Logstash/config/monitor_file.conf
~~~     # 输入以下信息
input{
  file{
    path => "/opt/yanqi/servers/es/datas/tomcat.log"
    type => "log"
    start_position => "beginning"
  }
}

output{
stdout{
 codec=>rubydebug
 }
}

### --- 检查配置文件是否可用

~~~     # 检查文件可用性
[root@hadoop02 ~]# /opt/yanqi/servers/es/Logstash/bin/logstash \
-f /opt/yanqi/servers/es/Logstash/config/monitor_file.conf -t
~~~     # 成功会出现一下信息：
Configuration OK
Config Validation Result: OK. Exiting Logstash

### --- 启动logstash服务

~~~     # 启动logstash服务
[root@hadoop02 ~]# /opt/yanqi/servers/es/Logstash/bin/logstash \
-f /opt/yanqi/servers/es/Logstash/config/monitor_file.conf
~~~     # 输出参数
{
          "host" => "hadoop02",
      "@version" => "1",
          "type" => "log",
    "@timestamp" => 2021-11-26T06:56:41.552Z,
       "message" => "hello Logstash",
          "path" => "/opt/yanqi/servers/es/datas/tomcat.log"

~~~     # 发送数据：新开窗口发送命令数据

[root@hadoop02 ~]# mkdir -p /opt/yanqi/servers/es/datas
[root@hadoop02 ~]# echo "hello Logstash" >> /opt/yanqi/servers/es/datas/tomcat.log

### --- 其它参数说明

~~~     Path=>表示监控的文件路径 Type=>给类型打标记，用来区分不同的文件类型。 
~~~     Start_postion=>从哪里开始记录文件，默认是从结尾开始标记，
~~~     要是你从头导入一个文件就把改成”beginning”. discover_interval=>多久去监听path下是否有文件，
~~~     默认是15s exclude=>排除什么文件 close_older=>一个已经监听中的文件，
~~~     如果超过这个值的时间内没有更新内容，就关闭监听它的文件句柄。默认是3600秒，即一个小时。 
~~~     sincedb_path=>监控库存放位置(默认的读取文件信息记录在哪个文件中)。
~~~     默认在：/data/plugins/inputs/file。 sincedb_write_interval=> Logstash 
~~~     每隔多久写一次 sincedb 文件，默认是 15 秒。
~~~     stat_interval=>Logstash 每隔多久检查一次被监听文件状态（是否有更新），默认是 1 秒。

三、jdbc插件

### --- jdbc插件：采集mysql数据

~~~     jdbc插件可以采集某张数据库表当中的数据到Logstash当中来

### --- 准备数据

~~~     # 在mysql下创建数据库
mysql> create database elasticsearch;
mysql> use elasticsearch;

~~~     # 创建数据表
mysql> CREATE TABLE `user` (
       `id` bigint(20) NOT NULL,
       `user_name` varchar(25) DEFAULT NULL,
       `gender` varchar(20) DEFAULT NULL,
       `create_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, PRIMARY KEY (`id`)
       ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

~~~     # 加载数据
mysql> INSERT INTO `user` VALUES (1, 'zhangsan', 'male', '2021-11-1 00:00:00');
mysql> INSERT INTO `user` VALUES (2, 'lisi', 'female', '2021-11-1 00:00:00');

~~~     # 查看加载的数据

mysql> select * from user;
+----+-----------+--------+---------------------+
| id | user_name | gender | create_time         |
+----+-----------+--------+---------------------+
|  1 | zhangsan  | male   | 2021-11-01 00:00:00 |
|  2 | lisi      | female | 2021-11-01 00:00:00 |
+----+-----------+--------+---------------------+

### --- 在/opt/yanqi/servers/es/准备mysql驱动包

~~~     # 在/opt/yanqi/servers/es/准备mysql驱动包
[root@hadoop02 ~]# ll /opt/yanqi/servers/es/
-rw-r--r--  1 es root 1006904 Nov 26 15:18 mysql-connector-java-5.1.49.jar

### --- 编写脚本

~~~     # 开发脚本配置文件：一分钟执行一次采集任务
[root@hadoop02 ~]# vim /opt/yanqi/servers/es/Logstash/config/jdbc.conf
 
input {

jdbc {

  jdbc_driver_library => "/opt/yanqi/servers/es/mysql-connector-java-5.1.49.jar"
  jdbc_driver_class => "com.mysql.jdbc.Driver"
  jdbc_connection_string => "jdbc:mysql://hadoop03:3306/elasticsearch"
  jdbc_user => "root"
  jdbc_password => "123456"
  use_column_value => "true"
  clean_run => "false"
  record_last_run =>"true"
  tracking_column => "id"
  schedule => "* * * * *"
  last_run_metadata_path => "/opt/yanqi/servers/es/.Logstash_user_jdbc_last_run"
  statement => "SELECT * from user where id > :sql_last_value;"
 }

}

output{
 stdout{
 codec=>rubydebug
 }

}

### --- 检查配置文件是否可用

~~~     # 检查配置文件是否可用
[root@hadoop02 ~]# /opt/yanqi/servers/es/Logstash/bin/logstash \
-f /opt/yanqi/servers/es/Logstash/config/jdbc.conf -t
~~~     # 输出参数
Configuration OK
Config Validation Result: OK. Exiting Logstash

### --- 启动服务

~~~     # 通过以下命令启动Logstash
[root@hadoop02 ~]# /opt/yanqi/servers/es/Logstash/bin/logstash \
-f /opt/yanqi/servers/es/Logstash/config/jdbc.conf
~~~     # 输出参数
{
    "create_time" => 2021-10-31T16:00:00.000Z,
     "@timestamp" => 2021-11-26T07:30:02.753Z,
             "id" => 1,                                 #  ID为1
      "user_name" => "zhangsan",
         "gender" => "male",
       "@version" => "1"
}
{
    "create_time" => 2021-10-31T16:00:00.000Z,
     "@timestamp" => 2021-11-26T07:30:02.779Z,
             "id" => 2,                                #  ID为2
      "user_name" => "lisi",
         "gender" => "female",
       "@version" => "1"
}

~~~     # 查看记录的历史ID进度

[root@hadoop02 ~]# cat /opt/yanqi/servers/es/.Logstash_user_jdbc_last_run 
--- 2                                               # 当前采集的ID记录为2，因为只采集到了2条数据

### --- 在mysql中再次插入数据

~~~     # 数据库当中添加数据：在我们的数据库当中手动随便插入数据，发现我们的Logstash可以进行收集
mysql> INSERT INTO `user` VALUES (3, 'wangwu', 'male', '2021-11-1 00:00:00');

~~~     # 采集到的数据

[root@hadoop02 ~]# /opt/yanqi/servers/es/Logstash/bin/logstash \
-f /opt/yanqi/servers/es/Logstash/config/jdbc.conf
~~~     # 输出参数
{
    "create_time" => 2021-10-31T16:00:00.000Z,
     "@timestamp" => 2021-11-26T07:36:00.396Z,
             "id" => 3,                               # 采集到的是ID为3的数据，前面1、2没有被采集
      "user_name" => "wangwu",
         "gender" => "male",
       "@version" => "1"
}

~~~     # 查看记录的历史ID进度

[root@hadoop02 ~]# cat /opt/yanqi/servers/es/.Logstash_user_jdbc_last_run 
--- 3                                                # ID更新为3

四、systlog插件

### --- systlog插件

~~~     syslog机制负责记录内核和应用程序产生的日志信息，管理员可以通过查看日志记录，
~~~     来掌握系统状况默认系统已经安装了rsyslog.直接启动即可

### --- 编写脚本

~~~     # 编写systlog采集脚本
[root@hadoop02 ~]# vim /opt/yanqi/servers/es/Logstash/config/syslog.conf
~~~     # 写入脚本参数
input{
    tcp{
       port=> 6789
       type=> syslog
    }
    udp{
        port=> 6789
        type=> syslog
    }
}

filter{
    if [type] == "syslog" {
        grok {
                match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])? :%{GREEDYDATA:syslog_message}" }
                add_field => [ "received_at", "%{@timestamp}" ]
                add_field => [ "received_from", "%{host}" ]
        }
       date {
             match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
           }
    }
}

output{
    stdout{
        codec=> rubydebug
    }
}

### --- 检查配置文件是否可用

~~~     # 检查配置文件的可用性
[root@hadoop02 ~]# /opt/yanqi/servers/es/Logstash/bin/logstash \
-f /opt/yanqi/servers/es/Logstash/config/syslog.conf -t
~~~     # 输出参数
Configuration OK
Config Validation Result: OK. Exiting Logstash

### --- 启动服务

~~~     # 启动服务：执行以下命令启动Logstash服务
[root@hadoop02 ~]# /opt/yanqi/servers/es/Logstash/bin/logstash \
-f /opt/yanqi/servers/es/Logstash/config/syslog.conf

### --- 发送数据

~~~     # 修改系统日志配置文件
[root@hadoop02 ~]# vim /etc/rsyslog.conf 
~~~     # 最后一行添加如下参数：
 *.* @@hadoop02:6789

~~~     # 重启系统日志服务

[root@hadoop02 ~]# systemctl restart rsyslog

### --- 随意执行一个命令即可看到文件被收集了

~~~     # 执行命令查看是否被收集日志
[root@hadoop02 ~]#  systemctl status firewalld.service

~~~     # 启动syslog.conf：解析日志

[root@hadoop02 ~]# /opt/yanqi/servers/es/Logstash/bin/logstash \
-f /opt/yanqi/servers/es/Logstash/config/syslog.conf
~~~     # 解析到的系统日志
{
                "port" => 36086,
    "syslog_timestamp" => "Nov 26 16:43:14",
     "syslog_hostname" => "hadoop02",
         "received_at" => "2021-11-26T08:43:14.062Z",
       "received_from" => "hadoop02",
          "@timestamp" => 2021-11-26T08:43:14.000Z,
                "type" => "syslog",
                "host" => "hadoop02",
      "syslog_program" => "polkitd[546]: Registered Authentication Agent for unix-process:26417:18366899 (system bus name",
      "syslog_message" => "1.7503 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)",
            "@version" => "1",
             "message" => "<85>Nov 26 16:43:14 hadoop02 polkitd[546]: Registered Authentication Agent for unix-process:26417:18366899 (system bus name :1.7503 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)"
} 

### --- 其它参数说明

~~~     # 在Logstash中的grok是正则表达式，用来解析当前数据
Dec 23 12:11:43 louis postfix/smtpd[31499]: connect from unknown[95.75.93.154]
Jun 05 08:00:00 louis named[16000]: client 199.48.164.7#64817: query (cache) 'amsterdamboothuren.com/MX/IN' denied
Jun 05 08:10:00 louis CRON[620]: (www-data) CMD (php /usr/share/cacti/site/poller.php >/dev/null 2>/var/log/cacti/poller-error.log)
Jun 05 08:05:06 louis rsyslogd: [origin software="rsyslogd" swVersion="4.2.0" x-pid="2253" x-info="http://www.rsyslog.com"] rsyslogd was HUPed, type 'lightweight'.

---

 

 

 

 

 

 

 

 

 

---

Walter Savage Landor:strove with none,for none was worth my strife.Nature I loved and, next to Nature, Art:I warm'd both hands before the fire of life.It sinks, and I am ready to depart

                                                                                                                                                   ——W.S.Landor

---