写入数据库的目的是持久化保存重要数据,比如状态码、客户端浏览器版本等,用于后期按月做数据统计等.
环境准备
linux-elk1:10.0.0.22,Kibana ES Logstash Nginx
linux-elk2:10.0.0.33,MySQL5.7
1.linux-elk2上配置数据库
安装好数据库后,配置,并授权
mysql -uroot -p'Root123!@#' create database elk character set utf8 collate utf8_bin; grant all privileges on elk.* to elk@'10.0.0.%' identified by 'Elk123!@#'; flush privileges; # 在linux-elk1上验证是否能登录elk2上的mysql mysql -u elk -h 10.0.0.33 -p'Elk123!@#'
2.配置JDBC数据库驱动
/usr/share/logstash/bin/logstash-plugin list | grep jdbc
logstash-input-jdbc # 没有logstash-output-jdbc
# 安装logstash的数据库驱动需要先安装gem源
yum -y install gem
gem -v
gem source list # 目前是一个国外的源,需要将其换成rubychina的
gem sources --add https://gems.ruby-china.org/ --remove https://rubygems.org/
Error fetching https://gems.ruby-china.org/:
bad response Not Found 404 (https://gems.ruby-china.org/specs.4.8.gz)
# 替换不成功,是因为官网换地址了
gem sources --add https://gems.ruby-china.com/ --remove https://rubygems.org/
https://gems.ruby-china.com/ added to sources
https://rubygems.org/ removed from sources
RubyChina官网由org换成com
安装JDBC驱动
报错1:WARNING: SSLSocket#session= is not supported
报错2:INFO: I/O exception (java.net.SocketException) caught when processing request to {s}->https://repo.maven.apache.org:443
解决办法:
vim /usr/share/logstash/Gemfile # source "https://rubygems.org" 将国外的源注释,换成国内的 source "https://gems.ruby-china.com/"
安装顺利的话是这样的
/usr/share/logstash/bin/logstash-plugin install logstash-output-jdbc Validating logstash-output-jdbc Installing logstash-output-jdbc Installation successful /usr/share/logstash/bin/logstash-plugin list | grep jdbc logstash-input-jdbc logstash-output-jdbc # 下载数据库的JDBC驱动-https://dev.mysql.com/downloads/connector/j/, # 上传到服务器,驱动的路径必须严格一致,否则连接数据库会报错. tar xf mysql-connector-java-5.1.47.tar.gz cd mysql-connector-java-5.1.47/ mkdir -p /usr/share/logstash/vendor/jar/jdbc cp mysql-connector-java-5.1.47-bin.jar /usr/share/logstash/vendor/jar/jdbc/ chown -R logstash.logstash /usr/share/logstash/vendor/jar/jdbc/
3.创建数据表
配置Nginx日志格式
log_format access_log_json '{"host":"$http_x_real_ip","client_ip":"$remote_addr","log_time":"$time_iso8601","request":"$request","status":"$status","body_bytes_sent":"$body_bytes_sent","req_time":"$request_time","AgentVersion":"$http_user_agent"}';
access_log /var/log/nginx/access.log access_log_json;
nginx -t
nginx -s reload
创建数据表:在数据库中存储数据的时候,没有必要存储日志的所有内容,只需存储我们需要的重要信息即可.
注意:数据表中需要创建time字段,time的默认值设置为CURRENT_TIMESTAMP.
use elk; create table nginx_log(host varchar(128),client_ip varchar(128),status int(4),req_time float(8,3),AgentVersion varchar(512), time TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin;
4.配置Logstash将日志写入数据库
cat /etc/logstash/conf.d/nginx_log.conf
input{
file{
path => "/var/log/nginx/access.log"
start_position => "beginning"
stat_interval => "2"
codec => "json"
}
}
output{
elasticsearch {
hosts => ["10.0.0.22:9200"]
index => "nginx-log-%{+YYYY.MM.dd}"
}
jdbc{
connection_string => "jdbc:mysql://10.0.0.33/elk?user=elk&password=Elk123!@#&useUnicode=true&characterEncoding=UTF8"
statement => ["insert into nginx_log(host,client_ip,status,req_time,AgentVersion) VALUES(?,?,?,?,?)", "host","client_ip","status","req_time","AgentVersion"]
}
}
systemctl restart logstash.service
访问http://10.0.0.22/nginxweb/,可以在数据库看到数据已经入库
输出到es的nginx日志
logstash安装插件解决报错:https://www.jianshu.com/p/4fe495639a9a
ELK收集日志到mysql数据库:http://blog.51cto.com/tryingstuff/2050360
定期删除es集群10天以上的索引:https://blog.csdn.net/felix_yujing/article/details/78207667
ELK批量删除索引及集群相关操作记录:https://www.cnblogs.com/kevingrace/p/9994178.html