ELK - LogStash Installation
1. Basics
1.1 What LogStash does
Logstash relies on a large collection of plugins to pull data from a data source and then ship it to Elasticsearch.
1.2 Data flow diagram
As the diagram makes clear, a Logstash pipeline contains at least two plugins, input and output, which handle data ingestion and data emission respectively.
Note: Logstash itself needs no conventional installation; it is simply a command-line program, but running it depends on a Java runtime.
2. Environment preparation
2.1 Host
Ubuntu, memory: 2G, CPU: 1 core
logstash 192.168.10.28
2.2 Time synchronization
# Set the time zone
timedatectl set-timezone Asia/Shanghai
# Synchronize the system clock
apt install -y ntpdate cron
systemctl start cron
systemctl enable cron
cat << 'CAT_END' > /var/spool/cron/crontabs/root
#ntp Server update
# discard both stdout and stderr (the redirection order matters: stderr is redirected after stdout)
*/5 * * * * /usr/sbin/ntpdate ntp5.aliyun.com > /dev/null 2>&1
#ntp end
CAT_END
ntpdate ntp5.aliyun.com
2.3 Set the hostname
hostnamectl set-hostname logstash
3. JDK installation
3.1 Prepare the software
# Version used here: openjdk-11.0.0.1_linux-x64_bin.tar.gz
mkdir /data/{softs,server} -p && cd /data/softs
curl -O https://download.java.net/openjdk/jdk11.0.0.1/ri/openjdk-11.0.0.1_linux-x64_bin.tar.gz
# Elasticsearch ships its own JDK at /usr/share/elasticsearch/jdk
3.2 Install the JDK
mkdir /data/{softs,server} -p
cd /data/softs
tar xf openjdk-11.0.0.1_linux-x64_bin.tar.gz -C /data/server/
ln -s /data/server/jdk-11.0.0.1 /usr/local/java
cat << 'CAT_END' >> /etc/profile
export JAVA_HOME=/usr/local/java
export LS_JAVA_HOME=/usr/share/logstash/jdk
export PATH=$JAVA_HOME/bin:$PATH
CAT_END
source /etc/profile
java -version
4. LogStash installation
4.1 Method 1: install from the yum/apt repository
4.1.1 yum install: see the official documentation
4.1.2 apt install: see the official documentation
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo apt-get install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt-get update && sudo apt-get install logstash
4.2 Method 2: offline install from the .deb package
wget https://artifacts.elastic.co/downloads/logstash/logstash-7.17.0-amd64.deb
wget https://artifacts.elastic.co/downloads/logstash/logstash-7.17.0-amd64.deb.sha512
shasum -a 512 -c logstash-7.17.0-amd64.deb.sha512
dpkg -i logstash-7.17.0-amd64.deb
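As an added example (not part of the original tutorial), the same check that `shasum -a 512 -c` performs, written in Python so that an unattended install script can stop before `dpkg -i` when either the digest or the file name recorded in the .sha512 line does not match. The package bytes and checksum files created in `demo()` are constructed stand-ins, not the real Logstash artifact.

```python
# Added example (not from the tutorial): a Python equivalent of
# `shasum -a 512 -c`, so an install script can refuse to run dpkg when the
# digest or the file name recorded in the .sha512 line does not match.
import hashlib
import hmac
import os
import tempfile

def parse_sha512_line(line):
    """Parse one '<hex digest>  <file name>' line as written by shasum/sha512sum."""
    parts = line.strip().split(maxsplit=1)
    if len(parts) != 2 or len(parts[0]) != 128:
        raise ValueError("malformed checksum line: %r" % line)
    digest, name = parts
    return digest.lower(), name.lstrip("*")  # a leading '*' means binary mode

def sha512_of_file(path):
    """Stream the file through SHA-512 in 1 MiB chunks (packages are large)."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_package(deb_path, sha_path):
    """True only if the digest matches and the .sha512 line names this very file."""
    with open(sha_path, encoding="utf-8") as f:
        expected, named = parse_sha512_line(f.readline())
    if named != os.path.basename(deb_path):
        return False
    # constant-time comparison of the two hex digests
    return hmac.compare_digest(expected, sha512_of_file(deb_path))

def demo():
    """Constructed sample: a stand-in .deb with a correct and a tampered checksum file."""
    with tempfile.TemporaryDirectory() as d:
        deb = os.path.join(d, "logstash-7.17.0-amd64.deb")
        with open(deb, "wb") as f:
            f.write(b"stand-in package bytes, constructed for this example\n")
        good, bad = os.path.join(d, "good.sha512"), os.path.join(d, "bad.sha512")
        with open(good, "w", encoding="utf-8") as f:
            f.write(sha512_of_file(deb) + "  logstash-7.17.0-amd64.deb\n")
        with open(bad, "w", encoding="utf-8") as f:
            f.write("0" * 128 + "  logstash-7.17.0-amd64.deb\n")
        return verify_package(deb, good), verify_package(deb, bad)

if __name__ == "__main__":
    print(demo())  # (True, False)
```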
4.3 Configure environment variables
cat << 'CAT_END' >/etc/profile.d/logstash.sh
export PATH=/usr/share/logstash/bin:$PATH
CAT_END
source /etc/profile.d/logstash.sh
4.4 Configuration directory layout
root@logstash:~# dpkg -L logstash | grep -Ei '^/etc|install$'
/usr/share/logstash/bin/system-install     # generates the systemd service file
/usr/share/logstash/lib/systeminstall
/etc
/etc/logstash
/etc/logstash/conf.d
/etc/logstash/log4j2.properties
/etc/logstash/startup.options              # environment variables used at service startup
/etc/logstash/jvm.options                  # JVM settings
/etc/logstash/logstash.yml                 # service configuration file
/etc/logstash/logstash-sample.conf         # pipeline configuration template
/etc/logstash/pipelines.yml                # pipeline definitions
4.5 The logstash command
Command format:
    logstash -e 'startup arguments'
Startup arguments:
    input { stdin {} } output { stdout {} }
Argument breakdown:
    input {}    # where data is received
    output {}   # where the processed data is sent
    stdin {}    # standard input from the terminal
    stdout {}   # standard output to the terminal
4.6 Practice 1: simple input/output test
4.6.1 Run the command
# logstash -e 'input { stdin {} } output { stdout {} }'
hello world stdout          # typed at the keyboard
{
       "message" => "hello world stdout",
    "@timestamp" => 2023-06-05T14:51:40.877Z,
          "host" => "logstash",
      "@version" => "1"
}
4.6.2 Fields in the result
{
      "@version" => "1",                        # version
       "message" => "hello world stdout",       # the text we typed
    "@timestamp" => 2023-06-05T14:08:56.953Z,   # timestamp of this event
          "host" => "logstash"                  # the current host
}
4.7 Practice 2: sending events to ES
4.7.1 Run the command
# logstash -e 'input { stdin {} } output { elasticsearch { hosts => ["192.168.10.25:9200"] index => "message" } }'
[INFO ] 2023-06-05 22:34:22.896 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
The stdin plugin is now waiting for input:
[INFO ] 2023-06-05 22:34:22.990 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
hello logstash to elasticsearch     # typed at the keyboard; nothing is echoed here because the output is configured to go to ES
4.7.2 List the indices
root@logstash:~# curl -XGET 192.168.10.25:9200/_cat/indices
green open .geoip_databases XXPTSqh5R6C2rtMJavz-Pw 1 1 42 0 79.9mb 39.9mb
green open index_test       ZTwMpcwBTY259jKfg_K28g 1 1  0 0   454b   227b
green open index_test1      ZOK7dRzQQEiRRIZxikZMnQ 3 1  0 0  1.3kb   681b
green open message          ejA_96x8QyWUFOcP00SliA 1 1  1 0 10.8kb  5.4kb
green open username         PzODwVIJT1it-rrXYVSnLg 1 1  1 0  8.2kb  4.1kb
4.7.3 Query the actual documents
curl -XGET 192.168.10.25:9200/message?pretty
root@logstash:~# curl -XGET 192.168.10.25:9200/message/_search?pretty
{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "message",
        "_type" : "_doc",
        "_id" : "EnAFjIgBr53uPqiLdUEk",
        "_score" : 1.0,
        "_source" : {
          "message" : "hello logstash to elasticsearch",
          "host" : "logstash",
          "@timestamp" : "2023-06-05T14:45:47.526Z",
          "@version" : "1"
        }
      }
    ]
  }
}
4.8 Practice 3: reading a log file into ES
4.8.1 The file input plugin
Logstash's data collection supports a file input plugin, which reads events directly from a specified log file.
Reference: https://www.elastic.co/guide/en/logstash/7.17/plugins-inputs-file.html
4.8.2 Basic options
path              the file path(s) to read
start_position    where in the file to start reading; options: beginning, end (default)
type              adds an extra field with this value to every event passed on
4.8.3 Example input configuration
file {
    path => "/var/log/syslog"
    start_position => "beginning"
    type => "elasticsearch"
}
4.8.4 Create a log file
# This file does not exist on this Ubuntu system, so create one for testing
echo "log 11111" > /var/log/syslog
echo "log 22222" >> /var/log/syslog
root@logstash:~# cat /var/log/syslog
log 11111
log 22222
4.8.5 Run the logstash command
logstash -e 'input { file { path => "/var/log/syslog" start_position => "beginning" type => "elasticsearch" } } output { elasticsearch { hosts => ["192.168.10.25:9200"] index => "message" } }'
4.8.6 Check the data in ES
5. LogStash service file
5.1 Why generate a service file
Starting Logstash from the command line every time is too cumbersome; it is better to manage it as a service driven by configuration files. Logstash provides a dedicated command for this, system-install: write the pipeline configuration according to the established rules, then run that command to produce the service script.
5.2 Service startup configuration
5.2.1 Configure startup.options
root@logstash:~# vim /etc/logstash/startup.options
...
# Arguments to pass to logstash
LS_OPTS="--path.settings ${LS_SETTINGS_DIR} -f /etc/logstash/conf.d"
...
# Note: -f points to the directory that holds the pipeline configuration files (e.g. logstash.conf)
5.2.2 Edit the pipeline configuration conf.d/logstash.conf
cp /etc/logstash/logstash-sample.conf /etc/logstash/conf.d/logstash.conf
cat <<'CAT_END' > /etc/logstash/conf.d/logstash.conf
input {
  file {
    path => "/var/log/syslog"
    start_position => "beginning"
    type => "elasticsearch"
  }
}
output {
  elasticsearch {
    hosts => ["http://192.168.10.25:9200"]
    index => "logstash-test-%{+YYYY.MM.dd}"
  }
}
CAT_END
5.2.3 Generate the systemd unit file
# Run the following command as root
system-install
# cat /etc/systemd/system/logstash.service
[Unit]
Description=logstash

[Service]
Type=simple
User=logstash
Group=logstash
# Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
# Prefixing the path with '-' makes it try to load, but if the file doesn't
# exist, it continues onward.
EnvironmentFile=-/etc/default/logstash
EnvironmentFile=-/etc/sysconfig/logstash
ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/etc/logstash" "-f" "/etc/logstash/conf.d"
Restart=always
WorkingDirectory=/
Nice=19
LimitNOFILE=16384

# When stopping, how long to wait before giving up and sending SIGKILL?
# Keep in mind that SIGKILL on a process can cause data loss.
TimeoutStopSec=infinity

[Install]
WantedBy=multi-user.target
# Note: the service runs as user and group logstash, so every file we collect from must be readable by that user.
5.2.4 Grant read permission on the log file
chown logstash:logstash /var/log/syslog
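A less blunt alternative to handing the file over to the logstash user is to verify, before starting the service, that this user can already read every `path =>` the pipeline names. The added example below (not from the tutorial) does that from the file's mode bits for any uid and group set; the 0640 sample file, the stand-in uid 65534 and the config string are constructed for the demo.

```python
# Added example (not from the tutorial): check which `path =>` files in a
# pipeline config the service user can open, using the file's mode bits.
import os
import re
import stat
import tempfile

PATH_RE = re.compile(r'path\s*=>\s*"([^"]+)"')

def input_paths(config_text):
    """Collect every path => "..." value from a Logstash pipeline config."""
    return PATH_RE.findall(config_text)

def readable_by(path, uid, gids):
    """Owner/group/other read rule from st_mode (root reads anything; ACLs ignored)."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in set(gids):
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def unreadable_paths(config_text, uid, gids):
    """Configured paths the given user could not read; missing files count as unreadable."""
    return [p for p in input_paths(config_text)
            if not os.path.exists(p) or not readable_by(p, uid, gids)]

def demo():
    """Constructed sample: a 0640 log file we own, checked as owner, stranger and group member."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "syslog")
        open(log, "w").close()
        os.chmod(log, 0o640)  # same mode Ubuntu's rsyslog gives /var/log/syslog (syslog:adm)
        cfg = f'input {{ file {{ path => "{log}" start_position => "beginning" }} }}'
        me, other = os.getuid(), 65534  # 65534 stands in for an unprivileged logstash uid
        return (
            unreadable_paths(cfg, me, [os.getgid()]) == [],
            unreadable_paths(cfg, other, []) == [log],
            unreadable_paths(cfg, other, [os.stat(log).st_gid]) == [],
        )

if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

On Ubuntu, rsyslog creates /var/log/syslog as syslog:adm with mode 0640, so adding the logstash user to the adm group gives it read access without changing the file's owner.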
5.2.5 Start the logstash service
systemctl daemon-reload
systemctl start logstash.service
systemctl status logstash.service
5.2.6 Check the logs
root@logstash:~# ll /var/log/logstash/
total 24
drwxr-xr-x 2 logstash root     4096 Jun  6 12:02 ./
drwxr-xr-x 9 root     root     4096 Jun  6 09:28 ../
-rw-r--r-- 1 logstash logstash 3140 Jun  6 12:09 logstash-deprecation.log
-rw-r--r-- 1 logstash logstash    0 Jun  6 12:02 logstash-json.log
-rw-r--r-- 1 logstash logstash 8217 Jun  6 12:09 logstash-plain.log
-rw-r--r-- 1 logstash logstash    0 Jun  6 12:02 logstash-slowlog-json.log
-rw-r--r-- 1 logstash logstash    0 Jun  6 12:02 logstash-slowlog-plain.log
5.2.7 Check whether ES has received data