Logstash
1.功能:数据输入,数据筛选,数据输出
2.特性:数据来源中立性,支持众多数据源:如文件log file,指标,网站服务日志,关系型数据库,redis,mq等产生的数据
3.beats:分布式收集日志、指标--->到logstash集中式收集--->到elasticsearch -->kibana展示
4.数据收集Data Collection:
1.inputs
通过input插件收集和反序列化(数据采集) 支持的协议:http,tcp,udp,jdbc...
Codecs用来设置解码器
2.Filters
使用filter插件来结构化,转换和充实你的数据,如
1.将不同来源的时间转成统一的格式,
2.或将ip解析出地理位置坐标,
3.或者将一个订单号id,通过Lookups来查询数据库中的完整信息
3.outputs
使用output插件将数据发送到elasticsearch或者其他目的地 (通过http接口:mongodb或者mq或者hadoop)
Codecs用来进行编码
5.数据传输可靠性
At-least-once交付保障和基于持久化队列的自适应缓冲
将错误时间发送到死信队列中(自己处理不了),用于离线处理离和重放
6.管道
带条件和多管道的直接数据流(apache pipeline,jdbc pipeline,netflow pipeline),可以动态的新增和修改管道而不用重启logstash
使用身份验证和加密来确保传输安全
使用modules来一键交付
可轻松构建自定义插件集成和处理器
7.原理剖析
input{
beats{port => 5403} //配置数据源beats 端口为5403
}
filter{
mutate{lowercase => {"message"}} //将message字段的内容转成小写
}
output{
elasticsearch{}
}
8.事件
logstash主要的数据单元就是事件
他们是问的类型和json文档类型很相似,支持任意层次和类型
如:
{
"@timestamp" => 2019-05-24T01-01-01,
"message" => "bar",
"some_other_field" => {
"has_complex_values" => 123
}
}
一个logstash可以有多个管道。pipelines管道可以伸缩,也就是支持多个inputs,支持多个workers来处理filter/outputs部分
queue 分为:in memory queue在内存中(默认),persistent queue持久化队列
9.demo
下载一个filebeat:https://www.elastic.co/cn/downloads/beats/filebeat
文档:https://www.elastic.co/guide/index.html 选中logstash reference
1.构建第一个消息:
cd logstash-7.1.0
bin/logstash -e 'input { stdin { } } output { stdout {} }'
启动之后输入 helloworld 就会有输出
2.处理apache的log
从github上下载日志文件apache_log:https://github.com/elastic/examples/tree/master/Common%20Data%20Formats/apache_logs
对应的logstash配置文件apache_logstash.conf:https://github.com/elastic/examples/blob/master/Common%20Data%20Formats/apache_logs/logstash/apache_logstash.conf
对应input,filter,output有哪些插件,如filter的grok可以参考官网:https://www.elastic.co/guide/en/logstash/current/filter-plugins.html
启动logstash 可以指定配置文件 ./bin/logstash -f apache.conf
启动filebeat ./filebeat -c filebeat.new.yml 会将数据从文件apache_log中读取,并放到logstash中,最终输出到elasticsearch里
进入kibana ,打开devtools
GET _cat/indices 查看索引信息,其中有一个就是刚刚新建的output中的 index => "apache_elastic_example"
GET apache_elastic_example/_search 查看数据
10.logstash的modules模块
使用定制好的模块如netflow,只要输入数据就行了
可用的模块参考官网:https://www.elastic.co/guide/en/logstash/current/logstash-modules.html
11.Codecs与序列化
input{
file{path => "/some/json.log",codec => json_lines} //从日志文件输入,每行是json数据
}
output{
redis{codec => msgpack} //输出到redis中
}
如:{"foo":"bar"}经过input的codec变为:
{
"foo":"bar",
"@timestamp" => 2019-05-24
}
}
再经过output输出为redis的msgpack
经常使用的codecs
line:每行作为一个消息
multiline:多行作为一个消息,如java中的堆栈信息
json_lines:一行作为一个json信息
json:一个大的json对象,可以将消息进一步解析
12.核心操作
1.支持条件if/else,如
filter{
mutate{lowercase => "account"}
if[type] == "batch"{
split{field => actions target => action} //如果type为batch,就将消息拆分
}
if{"action" =~ /special/}{ //如果是以special开头的就删除
drop{}
}
}
2.geoip filter, 如:
filter{
geoip{ //geoip就是lookup的一个类型
fields => "my_geoip_field"
}
}
3.use agent filter,如:
filter{
useragent{
source => "useagent"
}
}
4.将词典做一个翻译,如将一个数字转为一个字符串,如
filter{
translate{
dictionary => [
"101","sz",
"102","bj",
"103","sh"
]
}
}
5.elasticsearch filter,通过elasticsearch拿数据如:
elasticsearch{
hosts => [es-server]
query => "type:start AND operation%{[opid]}"
fields => {"@timestamp" => "started"}
}
6.jdbc streaming filter,通过jdbc拿数据
filter {
jdbc_streaming {
jdbc_driver_library => "/path/to/mysql-connector-java-5.1.34-bin.jar"
jdbc_driver_class => "com.mysql.jdbc.Driver"
jdbc_connection_string => "jdbc:mysql://localhost:3306/mydatabase"
jdbc_user => "me"
jdbc_password => "secret"
statement => "select * from WORLD.COUNTRY WHERE Code = :code"
parameters => { "code" => "country_code"}
target => "country_details"
}
}
7.jdbc static filter,数据会存在logstash本地,不用从数据库中去拿,节省了时间
这些操作可以参考官网:https://www.elastic.co/guide/en/logstash/current/plugins-filters-elasticsearch.html
--------------------------------------------------------------------------实战----------------------------------------------------------------------------
启动脚本(自动刷新配置文件):nohup /usr/local/soft/elk/install/logstash-7.1.0/bin/logstash -f /usr/local/soft/elk/install/logstash-7.1.0/config/demo/fileLog2.conf --config.reload.automatic >/usr/local/soft/elk/install/logstash.log 2>&1 &
1.读取本地的文件到es中,如/usr/local/soft/elk/install/logstash-7.1.0/config/demo/crm_sql.log ,这种情况只有每次内容变化的时候才会动态添加到elasticsearch中
input{
file{
path => ["/usr/local/soft/elk/install/logstash-7.1.0/config/demo/crm_sql.log"]
# path => ["/usr/local/soft/elk/install/logstash-7.1.0/config/demo/1.log"]
# type => "elasticsearch"
}
}
output{
elasticsearch{
hosts => ["127.0.0.1:9200"]
index => "logtest"
}
stdout{codec => rubydebug}
}
2.如果要读取文件中的历史内容,从第一行开始读取,增加配置:
start_position => "beginning"
sincedb_path => "/dev/null"
如:
input{
file{
path => ["/usr/local/soft/elk/install/logstash-7.1.0/config/demo/crm_sql.log"]
start_position => "beginning"
sincedb_path => "/dev/null"
}
}
output{
elasticsearch{
hosts => ["127.0.0.1:9200"]
index => "logtest"
}
stdout{codec => rubydebug}
}
3.如何将log中的内容打散,变成json串,增加配置:
codec => "json"
如:
input{
file{
path => ["/usr/local/soft/elk/install/logstash-7.1.0/config/demo/crm_sql.log"]
start_position => "beginning"
sincedb_path => "/dev/null"
codec => "json"
}
}
output{
elasticsearch{
hosts => ["127.0.0.1:9200"]
index => "logtest"
}
stdout{codec => rubydebug}
}
4.读取其他服务器的文件到logstash中,再将logstash中的内容输出到es中 (有个坑,logstash目前不支持监听其他的ip地址)
input {
file{
path => ["/usr/local/soft/elk/install/logstash-7.1.0/config/demo/crm_sql.log"]
start_position => beginning
sincedb_path => "/dev/null"
codec => "json"
type => "crm_sql"
}
beats {
port => 5046
ssl => false
codec => json
type => "filebeat"
}
}
output {
if "_grokparsefailure" in [tags] {
}else{
if [type] == "crm_sql"{
elasticsearch {
hosts => ["http://127.0.0.1:9200"]
index => "crm_sql-%{+YYYY.MM.dd}"
}
}
if [type] == "filebeat"{
elasticsearch {
hosts => ["http://127.0.0.1:9200"]
index => "filebeat-%{+YYYY.MM.dd}"
}
}
}
}
output {
stdout{codec => rubydebug}
}
5.读取redis到logstash(首先从filebeat将本地文件放入到redis)
input {
redis {
type => "myredis"
host => "192.168.1.134"
password => 'RedisNodeDev@cnhis.com'
port => "6379"
db => "0"
data_type => "list"
key => "myredis"
}
}
output {
if "_grokparsefailure" in [tags] {
}else{
if [type] == "crm_sql"{
elasticsearch {
hosts => ["http://127.0.0.1:9200"]
index => "crm_sql-%{+YYYY.MM.dd}"
}
}
if [type] == "filebeat"{
elasticsearch {
hosts => ["http://127.0.0.1:9200"]
index => "filebeat-%{+YYYY.MM.dd}"
}
}
if [type] == "myredis"{
elasticsearch {
hosts => ["http://127.0.0.1:9200"]
index => "myredis-%{+YYYY.MM.dd}"
}
}
}
}
5.读取kafka到logstash(首先从filebeat将本地文件放入到kafka)
input {
kafka {
type => "kafka"
enable_auto_commit => true
auto_commit_interval_ms => "1000"
codec => "json"
bootstrap_servers => "47.107.146.57:9092"
topics => ["test"]
}
}
output {
if "_grokparsefailure" in [tags] {
}else{
if [type] == "crm_sql"{
elasticsearch {
hosts => ["http://127.0.0.1:9200"]
index => "crm_sql-%{+YYYY.MM.dd}"
}
}
if [type] == "filebeat"{
elasticsearch {
hosts => ["http://127.0.0.1:9200"]
index => "filebeat-%{+YYYY.MM.dd}"
}
}
if [type] == "myredis"{
elasticsearch {
hosts => ["http://127.0.0.1:9200"]
index => "myredis-%{+YYYY.MM.dd}"
}
}
if [type] == "kafka"{
elasticsearch {
hosts => ["http://127.0.0.1:9200"]
index => "kafka-%{+YYYY.MM.dd}"
}
}
}
}