Winse Blog

Stopping and starting, hustling and bustling, busy all the while, knowing no fear.

Setting up a Logstash + Elasticsearch + Kibana log collection and query system

Software versions

[root@master opt]# ll
total 20
drwxr-xr-x 7 root root 4096 Aug 21 01:23 elasticsearch-1.7.1
drwxr-xr-x 8 uucp  143 4096 Mar 18  2014 jdk1.8.0_05
drwxrwxr-x 7 1000 1000 4096 Aug 21 01:09 kibana-4.1.1-linux-x64
drwxr-xr-x 5 root root 4096 Aug 21 05:58 logstash-1.5.3
drwxrwxr-x 6 root root 4096 Aug 21 06:44 redis-3.0.3

Install and run commands

# java
vi /etc/profile
source /etc/profile

cd /opt/elasticsearch-1.7.1
bin/elasticsearch -p elasticsearch.pid -d

curl localhost:9200/_cluster/nodes/172.17.0.4

cd /opt/kibana-4.1.1-linux-x64/
bin/kibana
# http://master:5601

cd /opt/redis-3.0.3
yum install gcc
yum install bzip2
make MALLOC=jemalloc

# alternatively, set the daemonize option in the config file
nohup src/redis-server & 

cd /opt/logstash-1.5.3/
bin/logstash -e 'input { stdin { } } output { stdout {} }'

vi index.conf
vi agent.conf

# the agent subcommand is optional
bin/logstash agent -f agent.conf &
bin/logstash agent -f index.conf &

logstash configuration

Since everything runs on a single machine (localhost), redis, elasticsearch and kibana all use their default configuration. Below are the logstash collection and filter configurations:

(Kibana's configuration is config/kibana.yml, Elasticsearch's is config/elasticsearch.yml)

[root@master logstash-1.5.3]# cat agent.conf 
input {
  file {
    path => "/var/log/yum.log"
    start_position => beginning
  }
}

output {
  redis {
    key => "logstash.redis"
    data_type => list
  }
  
  # handy for viewing and debugging
  stdout { }
}

[root@master logstash-1.5.3]# cat index.conf 
input {
  redis {
    data_type => list
    key => "logstash.redis"
  }
}

output {
  elasticsearch {
    host => "localhost"
  }
}

Note that the original file being collected must actually change (the agent only ships new lines)!! Then start the corresponding programs, open http://master:5601 in a browser, configure an index pattern, and the logs can be viewed.

For how to configure input/output/filter (think map/reduce), see the official documentation on filter-plugins.

filter

[hadoop@cu1 logstash-1.5.3]$ bin/logstash -e "
input {
stdin {}
}

filter {
grok { 
match => {\"message\" => \"%{WORD:content}\"}
add_field => { \"foo_%{content}\" => \"helloworld\" }
}
}

output {
stdout { codec => json }
}
"

abc
{"message":"abc","@version":"1","@timestamp":"2015-09-10T08:02:52.024Z","host":"cu1","content":"abc","foo_abc":"helloworld"}

Location of the grok-patterns file:

[hadoop@cu2 logstash-1.5.3]$ less ./vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.1.10/patterns/grok-patterns

2015-09-06 15:23:53,027 INFO org.apache.hadoop.hdfs.server.namenode.FSNamesystem: No KeyProvider found.
%{TIMESTAMP_ISO8601:time} %{LOGLEVEL:loglevel} %{GREEDYDATA:content}

[2015-09-10 08:00:46,539][INFO ][cluster.metadata         ] [Jumbo Carnation] [logstash-2015.09.10] update_mapping [hbase-logs] (dynamic)
\[%{TIMESTAMP_ISO8601:time}\]\[%{LOGLEVEL:loglevel}%{SPACE}\]%{GREEDYDATA:content}

Study notes

Filtering out DEBUG/INFO log lines

[hadoop@cu1 logstash-1.5.3]$ bin/logstash -e "
 input {
 stdin {}
 }
 
 filter {
 grok {
 match => { \"message\" => \"%{TIMESTAMP_ISO8601:time} %{LOGLEVEL:loglevel} %{GREEDYDATA:content}\" }
 }
 
 if [loglevel] == \"INFO\" { drop {} }
 }
 
 output {
 stdout {}
 }
 
 "
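As an added example (not code from the original post), a small pure-Ruby stand-in for the two grok patterns listed above and the `if [loglevel] == "INFO" { drop {} }` conditional, so the field extraction can be checked without starting Logstash. The regexes are hand-written approximations of grok's TIMESTAMP_ISO8601 and LOGLEVEL, and the sample lines are constructed from the formats shown on this page.

```ruby
require 'json'

# Approximations of the grok patterns used on this page (assumption: a subset
# of what the real grok-patterns file defines).
TIMESTAMP_ISO8601 = /\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?/
LOGLEVEL = /(?:TRACE|DEBUG|INFO|WARN|ERROR|FATAL)/
GREEDYDATA = /.*/

# Hadoop-style line: %{TIMESTAMP_ISO8601:time} %{LOGLEVEL:loglevel} %{GREEDYDATA:content}
HADOOP = /\A(?<time>#{TIMESTAMP_ISO8601}) (?<loglevel>#{LOGLEVEL}) (?<content>#{GREEDYDATA})\z/

# Elasticsearch-style line: \[%{TIMESTAMP_ISO8601:time}\]\[%{LOGLEVEL:loglevel}%{SPACE}\]%{GREEDYDATA:content}
ES = /\A\[(?<time>#{TIMESTAMP_ISO8601})\]\[(?<loglevel>#{LOGLEVEL})\s*\](?<content>#{GREEDYDATA})\z/

# Mimics grok { match => { "message" => ... } }: merges captured fields into the
# event, or tags it _grokparsefailure (grok's default) when nothing matches.
def grok(message)
  event = { 'message' => message }
  m = HADOOP.match(message) || ES.match(message)
  return event.merge('tags' => ['_grokparsefailure']) unless m
  event.merge('time' => m[:time], 'loglevel' => m[:loglevel], 'content' => m[:content])
end

# Mimics `if [loglevel] == "INFO" { drop {} }`: nil means the event was dropped.
def filter(message)
  event = grok(message)
  event['loglevel'] == 'INFO' ? nil : event
end

# Constructed sample input: both formats from this page plus one unparseable line.
SAMPLE = [
  '2015-09-06 15:23:53,027 INFO org.apache.hadoop.hdfs.server.namenode.FSNamesystem: No KeyProvider found.',
  '2015-09-06 15:23:54,101 WARN org.apache.hadoop.hdfs.server.namenode.FSNamesystem: Safe mode is ON',
  '[2015-09-10 08:00:46,539][INFO ][cluster.metadata         ] [Jumbo Carnation] update_mapping [hbase-logs] (dynamic)',
  '[2015-09-10 08:00:47,000][ERROR][transport                ] [Jumbo Carnation] connect failed',
  'not a log line at all'
]

# Runs the filter over a batch and returns only the surviving events.
def run(lines)
  lines.map { |l| filter(l) }.compact
end

if __FILE__ == $PROGRAM_NAME
  run(SAMPLE).each { |e| puts JSON.generate(e) }
end
```

Unparseable lines are kept and tagged rather than silently dropped, which is the behaviour a detection pipeline wants: a parse failure should be visible, not lost.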

Preprocessing with a shell pipeline first

# note: the format option and the amqp output belong to the pre-1.2 config syntax;
# Logstash 1.5 uses codecs (codec => json) and the rabbitmq output instead
input {
    stdin {
        type => "nginx"
        format => "json_event"
    }
}
output {
    amqp {
        type => "nginx"
        host => "10.10.10.10"
        key  => "cdn"
        name => "logstash"
        exchange_type => "direct"
    }
}

#!/bin/sh
# rewrite the non-numeric "-" upstreamtime value to 0 before it reaches the JSON parser
tail -F /data/nginx/logs/access.json \
    | sed 's/upstreamtime":-/upstreamtime":0/' \
    | /usr/local/logstash/bin/logstash -f /usr/local/logstash/etc/agent.conf &

References

–END
