分布式实时日志处理平台ELK

系统 1821 0

   

这三样东西分别作用是:日志收集、索引与搜索、可视化展现

 

l  logstash

    这张架构图可以看出logstash只是collect和index的地方,运行时传入一个.conf文件,配置分三部分:input ,filter,output。

l  redis

    redis在这里是作为日志收集与索引之间解耦作用

l  elasticsearch

    核心组件,用来搜索。主要特点:real-time,distributed,Highly Available,document oriented,schema free,RESTful

 

kibana

    可视化日志组件,让数据交互变得更容易

 

部署

需要的组件

 

 

 

Logstash

logstash 10 分钟教程 : http://logstash.net/docs/1.4.2/tutorials/10-minute-walkthrough/

 

下载最新logstash版本并解压

 

 

 

编辑logstash.conf配置文件

 

logstash用户说明文档: http://logstash.net/docs/1.4.2/

log4j server配置实例:log4j.conf

input {

  log4j {

    data_timeout => 5

# mode => "server"

# port => 4560

  }

}

 

filter {

  json {

    source => "message"

    remove_field => ["message","class","file","host","method","path","priority","thread","type","logger_name"]

  }

}

 

output{

    #stdout {     codec => json   }

    redis {

        host => "redis.internal.173"

        port => 6379

        data_type => "list"

        key => "soalog"

    }

}

 

 

 

 

logstash输出elasticsearch配置实例:soalog-es.conf

input {

  redis {

    host => "redis.internal.173"

    port => "6379"

    key => "soalog"

    data_type => "list"

  }

}

 

filter {

  json {

    source => "message"

    remove_field => ["message","type"]

  }

}

 

output {

  elasticsearch {

    #host => "es1.internal.173,es2.internal.173,es3.internal.173"

    cluster => "soaes"

    index => "soa_logs-%{+YYYY.MM.dd}"

  }

}

 

 

这里filter配置source => message,是把message里json串解析出来,作为索引字段,然后配置remove_field 把不需要字段删除 

 

启动

./logstash -f soalog-es.conf --verbose -l ../soalog-es.log &

./logstash -f log4j.conf --verbose -l ../log4j.log &

 

 

 

Elastcisearch

 

下载最新版本elasticsearch并解压

 

bin/elasticsearch -d 后端运行

 

验证

 

elasticsearch集群配置:

编辑 config/elasticsearch.yml 

#指定你的集群名称,默认是elasticsearch,在使用客户端连接集群模式会用到

cluster.name: soaes

#指定数据存储目录,可以多个磁盘 /path/to/data1,/path/to/data2

path.data: /mnt/hadoop/esdata

#指定日志存储目录

path.logs: /mnt/hadoop/eslogs

#集群主节点列表,执行发现新节点

discovery.zen.ping.unicast.hosts: ["hadoop74", "hadoop75"]

 

配置es模板 ,可以指定字段是否索引,以及存储类型

在config目录下创建templates目录

增加模板文件template-soalogs.json

{

  "template-soalogs" : {

    "template" : "soa_logs*",

    "settings" : {

      "index.number_of_shards" : 5,

      "number_of_replicas" : 1,

      "index" : {

        "store" : {

          "compress" : {

            "stored" : true,

            "tv": true

          }

        }

      }

    },

    "mappings" : {

 "logs" : {

 "properties" : {

 "providerNode" : {

 "index" : "not_analyzed",

 "type" : "string"

 },

 "serviceMethod" : {

 "index" : "not_analyzed",

 "type" : "string"

 },

 "appId" : {

 "index" : "not_analyzed",

 "type" : "string"

 },

 "status" : {

 "type" : "long"

 },

 "srcAppId" : {

 "index" : "not_analyzed",

 "type" : "string"

 },

 "remark" : {

 "type" : "string"

 },

 "serviceVersion" : {

 "index" : "not_analyzed",

 "type" : "string"

 },

 "srcServiceVersion" : {

 "index" : "not_analyzed",

 "type" : "string"

 },

 "logSide" : {

 "type" : "long"

 },

 "invokeTime" : {

 "type" : "long"

 },

 "@version" : {

 "type" : "string"

 },

 "@timestamp" : {

 "format" : "dateOptionalTime",

 "type" : "date"

 },

 "srcServiceInterface" : {

 "index" : "not_analyzed",

 "type" : "string"

 },

 "serviceInterface" : {

 "index" : "not_analyzed",

 "type" : "string"

 },

 "retryCount" : {

 "type" : "long"

 },

 "traceId" : {

 "index" : "not_analyzed",

 "type" : "string"

 },

 "processTime" : {

 "type" : "long"

 },

 "consumerNode" : {

 "index" : "not_analyzed",

 "type" : "string"

 },

 "rpcId" : {

 "index" : "not_analyzed",

 "type" : "string"

 },

 "srcServiceMethod" : {

 "index" : "not_analyzed",

 "type" : "string"

 }

 }

 }

 }

  }

}

 

 

kibana

进入elasticsearch目录

bin/plugin -install elasticsearch/kibana 
验证: http://localhost :9200/_plugin/kibana 

kibana需要配置查询索引规则

 

 

这里index是soa_logs,按天分索引格式需要指定为YYYY-MM-DD

 

 

 

logstash时差8小时问题

 

logstash在按每天输出到elasticsearch时,因为时区使用utc,造成每天8:00才创建当天索引,而8:00以前数据则输出到昨天的索引

修改logstash/lib/logstash/event.rb 可以解决这个问题

第226行

.withZone(org.joda.time.DateTimeZone::UTC)

修改为

.withZone(org.joda.time.DateTimeZone.getDefault())

 

 

log4j.properties配置

#remote logging

log4j.additivity.logstash=false

log4j.logger.logstash=INFO,logstash

log4j.appender.logstash = org.apache.log4j.net.SocketAppender

log4j.appender.logstash.RemoteHost = localhost

log4j.appender.logstash.Port = 4560

log4j.appender.logstash.LocationInfo = false

 

 

java日志输出

    private static final org.slf4j.Logger logstash = org.slf4j.LoggerFactory.getLogger("logstash");

     logstash.info(JSONObject.toJSONString(rpcLog));

 

 

KOPF

 elasticsearch集群监控

bin/plugin -install lmenezes/elasticsearch-kopf

http://localhost:9200/_plugin/kopf

 

 

 


logstash接入tomcat日志示例:

 logstash代理端配置tomcat.conf

input {

  file {

    type=> "usap"

    path=> ["/opt/17173/apache-tomcat-7.0.50-8090/logs/catalina.out","/opt/17173/apache-tomcat-7.0.50-8088/logs/catalina.out","/opt/17173/apache-tomcat-7.0.50-8086/logs/catalina.out","/opt/

17173/apache-tomcat-7.0.50-8085/logs/catalina.out","/opt/17173/apache-tomcat-6.0.37-usap-image/logs/catalina.out"]

    codec=> multiline {

     pattern => "(^.+Exception:.+)|(^\s+at .+)|(^\s+... \d+ more)|(^\s*Caused by:.+)"

     what=> "previous"

    }

  }

}

filter {

  grok {

    #match => { "message" => "%{COMBINEDAPACHELOG}" }

    match => [ "message", "%{TOMCATLOG}", "message", "%{CATALINALOG}" ]

    remove_field => ["message"]

  }

}

output {

# stdout{ codec => rubydebug }

  redis {host => "redis.internal.173" data_type => "list" key=> "usap" }

}

 

 

修改logstash/patterns/grok-patterns 

增加tomcat日志过滤正则

#tomcat log

JAVACLASS (?:[a-zA-Z0-9-]+\:)+[A-Za-z0-9$]+

JAVALOGMESSAGE (.*)

THREAD [A-Za-z0-9\-\[\]]+

# MMM dd, yyyy HH:mm:ss eg: Jan 9, 2014 7:13:13 AM

CATALINA_DATESTAMP %{MONTH} %{MONTHDAY}, 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) (?:AM|PM)

# yyyy-MM-dd HH:mm:ss,SSS ZZZ eg: 2014-01-09 17:32:25,527 -0800

TOMCAT_DATESTAMP 20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) %{ISO8601_TIMEZONE}

LOG_TIME %{HOUR}:?%{MINUTE}(?::?%{SECOND})

CATALINALOG %{CATALINA_DATESTAMP:timestamp} %{JAVACLASS:class} %{JAVALOGMESSAGE:logmessage}

# 11:27:51,786 [http-bio-8088-exec-4] DEBUG JsonRpcServer:504 - Invoking method: getHistory

#TOMCATLOG %{LOG_TIME:timestamp} %{THREAD:thread} %{LOGLEVEL:level} %{JAVACLASS:class} - %{JAVALOGMESSAGE:logmessage}

TOMCATLOG %{TOMCAT_DATESTAMP:timestamp} %{LOGLEVEL:level} %{JAVACLASS:class} - %{JAVALOGMESSAGE:logmessage}

 

启动 tomcat 日志代理:

./logstash -f tomcat.conf --verbose -l ../tomcat.log & 

 

tomcat日志存入es 

配置tomcat-es.conf 

input {

redis {

       host => 'redis.internal.173'

       data_type => 'list'

       port => "6379"

       key => 'usap'

       #type => 'redis-input'

       #codec => json

        }

       }

output {

# stdout { codec => rubydebug }

        elasticsearch {

         #host => "es1.internal.173,es2.internal.173,es3.internal.173" 

         cluster => "soaes"

         index => "usap-%{+YYYY.MM.dd}"

        }

}

 

启动tomcat日志存储

./logstash -f tomcat-es.conf --verbose -l ../tomcat-es.log & 

 

 

logstash接入nginx\syslog日志示例

logstash代理端配置nginx.conf 

input {

 file{

  type => "linux-syslog"

  path => [ "/var/log/*.log", "/var/log/messages"]

 }

 file {

  type => "nginx-access"

  path => "/usr/local/nginx/logs/access.log"

 }

 file {

  type => "nginx-error"

  path => "/usr/local/nginx/logs/error.log"

 }

}

output {

# stdout{ codec => rubydebug }

  redis {host => "redis.internal.173" data_type => "list" key=> "nginx" }

}

 

启动nginx日志代理

./logstash -f nginx.conf --verbose -l ../nginx.log & 

 

nginx日志存入es

配置nginx-es.conf

input {

redis {

       host => 'redis.internal.173'

       data_type => 'list'

       port => "6379"

       key => 'nginx'

       #type => 'redis-input'

       #codec => json

        }

       }

filter {

 grok {

  type => "linux-syslog"

  pattern => "%{SYSLOGLINE}"

 }

 grok {

  type => "nginx-access"

  pattern => "%{IPORHOST:source_ip} - %{USERNAME:remote_user} \[%{HTTPDATE:timestamp}\] %{IPORHOST:host} %{QS:request} %{INT:status} %{INT:body_bytes_sent} %{QS:http_refere

r} %{QS:http_user_agent}"

 }

}

output {

# stdout { codec => rubydebug }

        elasticsearch {

         #host => "es1.internal.173,es2.internal.173,es3.internal.173"

         cluster => "soaes"

         index => "nginx-%{+YYYY.MM.dd}"

        }

        }

 

启动nginx日志存储

./logstash -f nginx-es.conf --verbose -l ../nginx-es.log & 

 

 

分布式实时日志处理平台ELK


更多文章、技术交流、商务合作、联系博主

微信扫码或搜索:z360901061

微信扫一扫加我为好友

QQ号联系: 360901061

您的支持是博主写作最大的动力,如果您喜欢我的文章,感觉我的文章对您有帮助,请用微信扫描下面二维码支持博主2元、5元、10元、20元等您想捐的金额吧,狠狠点击下面给点支持吧,站长非常感激您!手机微信长按不能支付解决办法:请将微信支付二维码保存到相册,切换到微信,然后点击微信右上角扫一扫功能,选择支付二维码完成支付。

【本文对您有帮助就好】

您的支持是博主写作最大的动力,如果您喜欢我的文章,感觉我的文章对您有帮助,请用微信扫描上面二维码支持博主2元、5元、10元、自定义金额等您想捐的金额吧,站长会非常 感谢您的哦!!!

发表我的评论
最新评论 总共0条评论