• logstash 收集nginx日志


    一、logstash使用学习

    不难理解,我们的日志通常都存储在日志文件中,所以,当我们使用INPUT插件收集日志时,需要使用file模块从文件中读取日志内容。接下来讲解的是,将日志内容输出到另一个文件中,如此一来,我们可以将日志文件统一到同一目录,方便查找。

    注意:Logstash与其他服务不同,收集日志的配置文件需要我们根据实际情况自己去写。
    前提:需要Logstash对被收集的日志文件有读取权限,并且对要写入的文件有写入权限。

    1.logstash配置文件
    [root@web01 ~]# vim /etc/logstash/logstash.yml
    path.config: /etc/logstash/conf.d
    
    2.logstash收集单个日志到文件
    1)配置
    [root@web01 ~]# cd /etc/logstash/conf.d/
    [root@web01 /etc/logstash/conf.d]# vim message_file.conf
    # Input: tail a single file, reading it from the top the first time it is collected.
    input {
      file {
        path => [ "/var/log/messages" ]
        start_position => "beginning"
      }
    }

    # Output: append each event to a file whose name carries the event date.
    # NOTE(review): /tmp is world-writable and this name is predictable; for a
    # root-run Logstash (as in this walkthrough) a directory owned by the logstash
    # user is the safer place for the output.
    output {
      file {
        path => "/tmp/messages_%{+YYYY-MM-dd}"
      }
    }
    
    [root@web01 /etc/logstash/conf.d]# vim message_file.conf
    # Input plugin section: collect /var/log/messages with the file input.
    input {
      file {
        # Tag every event so it can be told apart from other inputs downstream.
        type => "message-log"
        # Log file to collect.
        path => [ "/var/log/messages" ]
        # Read the file from the top the first time it is collected.
        start_position => "beginning"
      }
    }

    # Output plugin section: write events to a date-named file.
    # The name pattern here (message_%{+yyyy.MM.dd}.log) differs from the first
    # version of this file (messages_%{+YYYY-MM-dd}), so the tail used in the
    # test step has to follow whichever pattern is actually active.
    # NOTE(review): /tmp is world-writable and the name is predictable; for a
    # root-run Logstash a directory owned by the logstash user is safer.
    output {
      file {
        path => "/tmp/message_%{+yyyy.MM.dd}.log"
      }
    }
    
    2)启动
    #检测语法
    [root@web01 ~]# logstash -f /etc/logstash/conf.d/message_file.conf -t
    
    #启动
    [root@web01 ~]# logstash -f /etc/logstash/conf.d/message_file.conf &
    
    3)测试日志收集
    #实时监控收集到的日志
    [root@web01 ~]# tail -f /tmp/messages_2020-12-04
    
    #手动添加一条日志
    [root@web01 ~]# echo 111 >> /var/log/messages
    
    3.logstash收集单个日志到ES
    1)配置
    [root@web01 ~]# vim /etc/logstash/conf.d/message_es.conf 
    # /var/log/messages -> Elasticsearch, one index per day.
    input {
      file {
        start_position => "beginning"   # first collection only: read from the top
        path => [ "/var/log/messages" ]
      }
    }

    output {
      elasticsearch {
        # NOTE(review): plain HTTP with no credentials — acceptable in a lab; a
        # production cluster needs the output's `ssl`/`user`/`password` options.
        index => "message_%{+YYYY-MM-dd}"
        hosts => [ "10.0.0.71:9200" ]
      }
    }
    
    2)启动
    [root@web01 ~]# logstash -f /etc/logstash/conf.d/message_es.conf &
    [2] 82713
    
    4.logstash启动多实例
    logstash收集日志时使用多实例方式启动,而不是通过systemd托管启动,
    但是启动多实例会报错,怎么处理?
    
    1)配置收集/var/log/secure日志
    [root@web01 ~]# vim /etc/logstash/conf.d/secure_es.conf 
    # /var/log/secure -> Elasticsearch, one index per day.
    # NOTE(review): /var/log/secure holds authentication events; the index built
    # from it deserves the same access restrictions as the file itself, and the
    # endpoint below is reached over plain HTTP without credentials.
    input {
      file {
        start_position => "beginning"   # first collection only: read from the top
        path => [ "/var/log/secure" ]
      }
    }

    output {
      elasticsearch {
        index => "secure_%{+YYYY-MM-dd}"
        hosts => [ "10.0.0.71:9200" ]
      }
    }
    
    2)启动多实例
    logstash只启动一个实例时不需要指定数据目录,如果想要启动多个进程,
    需要为每个进程指定不同的数据目录,即加上 --path.data 参数,然后就可以启动多实例
    
    1.创建数据目录
    [root@web01 ~]# mkdir /data/logstash/messages_es -p
    [root@web01 ~]# mkdir /data/logstash/secure_es -p
    [root@web01 ~]# chown -R logstash.logstash /data/logstash/
    
    2.分别指定数据目录再启动两个进程
    [root@web01 ~]# logstash -f /etc/logstash/conf.d/message_es.conf --path.data=/data/logstash/messages_es &
    [root@web01 ~]# logstash -f /etc/logstash/conf.d/secure_es.conf --path.data=/data/logstash/secure_es &
    
    5.logstash收集多个日志到文件
    1)配置
    [root@web01 ~]# vim /etc/logstash/conf.d/morefile_file.conf
    # Input plugins: two file inputs feeding the same pipeline.
    input {
      # First file: the system log.
      file {
        path => [ "/var/log/messages" ]
        # First collection reads the file from the top.
        start_position => "beginning"
        # Check the file for new data every 3 seconds.
        stat_interval => "3"
      }
      # Second file: /var/log/secure. No start_position is given here, so the
      # input's default applies (compare the block above).
      file {
        path => [ "/var/log/secure" ]
      }
    }

    # Output plugin: events from both inputs are appended to one file.
    output {
      file {
        path => "/tmp/morefile.txt"
      }
    }
    
    2)启动
    [root@web01 ~]# logstash -f /etc/logstash/conf.d/morefile_file.conf &
    
    3)验证
    [root@web01 ~]# tail -f /tmp/morefile.txt
    
    #手动追加日志
    [root@web01 ~]# echo 111 >> /var/log/messages
    [root@web01 ~]# echo 2222 >> /var/log/secure
    
    6.logstash收集多个日志到ES
    1)配置
    [root@web01 ~]# vim /etc/logstash/conf.d/morefile_es.conf 
    # Two files -> one shared daily index.
    input {
      file { path => [ "/var/log/messages" ] }
      file { path => [ "/var/log/secure" ] }
    }

    output {
      elasticsearch {
        # Events from both inputs land in the same index; nothing here records
        # which file an event came from (the next section adds a type for that).
        index => "morefile_%{+YYYY-MM-dd}"
        hosts => [ "10.0.0.71:9200" ]
      }
    }
    
    2)启动
    [root@web01 ~]# logstash -f /etc/logstash/conf.d/morefile_es.conf &
    
    3)验证

    7.收集多个日志到多个索引
    1)方法一:
    #配置
    [root@web01 ~]# cat /etc/logstash/conf.d/morefile_es.conf
    # Method one: tag each input with a type and route on it in the output.
    input {
      file {
        path => [ "/var/log/messages" ]
        type => "messages_log"
      }
      file {
        path => [ "/var/log/secure" ]
        type => "secure_log"
      }
    }

    output {
      # One elasticsearch block per type. The two conditions are mutually
      # exclusive, so an if / else if chain routes exactly as two separate ifs
      # would. The hosts list is repeated per block; method two builds the index
      # name from %{type} instead and needs only one output block.
      if [type] == "messages_log" {
        elasticsearch {
          index => "messages_log_%{+YYYY-MM-dd}"
          hosts => [ "10.0.0.71:9200" ]
        }
      } else if [type] == "secure_log" {
        elasticsearch {
          index => "secure_log_%{+YYYY-MM-dd}"
          hosts => [ "10.0.0.71:9200" ]
        }
      }
    }
    
    #启动
    [root@web01 ~]# logstash -f /etc/logstash/conf.d/morefile_es.conf
    

    2)方法二:
    #配置
    [root@web01 ~]# cat /etc/logstash/conf.d/second_morefile_es.conf
    # Method two: the index name is built from the event's type field, so a
    # single output block serves both inputs.
    input {
      file {
        path => [ "/var/log/messages" ]
        type => "messages_log"
      }
      file {
        path => [ "/var/log/secure" ]
        type => "secure_log"
      }
    }

    output {
      elasticsearch {
        # NOTE(review): plain HTTP with no credentials — acceptable in a lab; a
        # production cluster needs the output's `ssl`/`user`/`password` options.
        index => "%{type}_%{+YYYY-MM-dd}"
        hosts => [ "10.0.0.71:9200" ]
      }
    }
    
    #启动
    [root@web01 ~]# logstash -f /etc/logstash/conf.d/second_morefile_es.conf
    

    二、使用logstash收集nginx日志

    1.修改nginx日志格式为json格式
    [root@web01 ~]# cat /etc/nginx/nginx.conf 
    ... ...
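    http {
        include       /etc/nginx/mime.types;
        default_type  application/octet-stream;

        # Stock combined-style format, kept for reference; access_log below uses json.
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';

        # One JSON object per request so the log can be parsed field by field.
        # escape=json (nginx 1.11.8+) is what makes the output valid JSON:
        # $http_user_agent, $http_referer, $uri and $host are client-controlled, and
        # with the default escaping a quote, backslash, control character or
        # non-ASCII byte in them is written as \xXX, which no JSON parser accepts —
        # a client could thereby make its own requests unparseable and so absent
        # from the index. $body_bytes_sent and $request_time are numbers, hence unquoted.
        log_format  json  escape=json
                          '{"@timestamp":"$time_iso8601",'
                          '"host":"$server_addr",'
                          '"clientip":"$remote_addr",'
                          '"size":$body_bytes_sent,'
                          '"responsetime":$request_time,'
                          '"upstreamtime":"$upstream_response_time",'
                          '"upstreamhost":"$upstream_addr",'
                          '"http_host":"$host",'
                          '"url":"$uri",'
                          '"referer":"$http_referer",'
                          '"agent":"$http_user_agent",'
                          '"status":"$status"}';

        #access_log  /var/log/nginx/access.log  main;
        access_log  /var/log/nginx/access.log  json;
        sendfile        on;
        client_max_body_size 100M;
        keepalive_timeout  65;
        include /etc/nginx/conf.d/*.conf;
    }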
    
    2.重启nginx访问查看日志
    [root@web01 ~]# systemctl restart nginx
    
    [root@web01 ~]# tail -f /var/log/nginx/access.log
    {"@timestamp":"2020-12-04T17:39:22+08:00","host":"10.0.0.7","
    clientip":"10.0.0.1","size":0,"responsetime":0.000,
    "upstreamtime":"-","upstreamhost":"-","http_host":"10.0.0.7",
    "url":"/index.html","referer":"-","agent":"Mozilla/5.0 (Windows NT 10.0; WOW64) 
    AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36","status":"304"}
    
    3.配置logstash收集nginx日志
    [root@web01 ~]# vim /etc/logstash/conf.d/nginx_log_es.conf
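    # nginx access log (JSON lines) -> Elasticsearch, one index per day.
    input {
      file {
        path => "/var/log/nginx/access.log"
        # Only new requests: the first time the file is seen, start at its end.
        start_position => "end"
        type => "access_log"
        # Each line is the JSON object produced by nginx's `log_format json`.
        # Without this codec Logstash stores the whole line as the `message`
        # string and none of the fields (clientip, url, status, ...) is indexed,
        # which defeats the point of switching nginx to a JSON log format.
        codec => "json"
      }
    }

    output {
      elasticsearch {
        # NOTE(review): plain HTTP with no credentials — acceptable in a lab; a
        # production cluster needs the output's `ssl`/`user`/`password` options.
        hosts => ["10.0.0.71:9200"]
        index => "nginx_access_log_%{+YYYY-MM-dd}"
      }
    }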
    
    4.启动并测试
    [root@web01 ~]# logstash -f /etc/logstash/conf.d/nginx_log_es.conf
    
  • 原文地址:https://www.cnblogs.com/xiaolang666/p/14087569.html