Log analysis tool ELK configuration explained (5)

8.2 Advantages of the architecture shown above
Decoupling: the shippers and Elasticsearch are only loosely coupled
Shippers that cannot reach Elasticsearch directly because of the network can still deliver logs
The architecture is easy to evolve and to extend with new components
The message queue can be RabbitMQ, ZeroMQ, etc., or Redis or Kafka (Kafka does not delete consumed messages, but it is comparatively heavyweight)
9. Introducing Redis into the architecture
9.1 Using Redis to collect Logstash output
Edit the Redis configuration file and start Redis
vim /etc/redis.conf
daemonize yes
bind 192.168.3.17
service redis restart
# ss -tunlp|grep 6379
tcp    LISTEN     0      128         192.168.3.17:6379                  *:*      users:(("redis-server",17337,4))
Write the Logstash configuration file redis-out.conf
# vim redis-out.conf
input {
  stdin {
  }
}
output {
  redis {
    host => "192.168.3.17"
    port => "6379"
    db => "6"
    data_type => "list" # the data type is a list
    key => "demo"
  }
}
Start Logstash with this configuration file and type a few messages on stdin
# /opt/logstash/bin/logstash -f redis-out.conf
Settings: Default pipeline workers: 2
Pipeline main started
chinasoft
chinasoft.com
Connect to Redis with redis-cli and inspect the messages that were written
# redis-cli -h 192.168.3.17
redis 192.168.3.17:6379> info
redis_version:2.4.10
redis_git_sha1:00000000
redis_git_dirty:0
arch_bits:64
multiplexing_api:epoll
gcc_version:4.4.6
process_id:17337
uptime_in_seconds:563
uptime_in_days:0
lru_clock:988645
used_cpu_sys:0.13
used_cpu_user:0.11
used_cpu_sys_children:0.00
used_cpu_user_children:0.00
connected_clients:2
connected_slaves:0
client_longest_output_list:0
client_biggest_input_buf:0
blocked_clients:0
used_memory:735488
used_memory_human:718.25K
used_memory_rss:1454080
used_memory_peak:735416
used_memory_peak_human:718.18K
mem_fragmentation_ratio:1.98
mem_allocator:jemalloc-2.2.5
loading:0
aof_enabled:0
changes_since_last_save:2
bgsave_in_progress:0
last_save_time:1477892296
bgrewriteaof_in_progress:0
total_connections_received:2
total_commands_processed:3
expired_keys:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:0
vm_enabled:0
role:master
db6:keys=1,expires=0
redis 192.168.3.17:6379> select 6 # select db6
OK
redis 192.168.3.17:6379[6]> keys * # list the keys; demo is the key we wrote to
1) "demo"
redis 192.168.3.17:6379[6]> LINDEX demo -2 # view a message
"{\"message\":\"chinasoft\",\"@version\":\"1\",\"@timestamp\":\"2016-10-31T05:44:02.823Z\",\"host\":\"node1.chinasoft.com\"}"
redis 192.168.3.17:6379[6]> LINDEX demo -1 # view a message
"{\"message\":\"chinasoft.com\",\"@version\":\"1\",\"@timestamp\":\"2016-10-31T05:44:15.855Z\",\"host\":\"node1.chinasoft.com\"}"
To prepare for the next step, a Logstash input plugin that reads these messages and sends them to Elasticsearch, write some more data into Redis
# /opt/logstash/bin/logstash -f redis-out.conf
Settings: Default pipeline workers: 2
Pipeline main started
chinasoft
chinasoft.com
a
b
c
d
....
Check the length of the key named demo in Redis
redis 192.168.3.17:6379[6]> llen demo
(integer) 37
9.3 Route the pipeline from all.conf through Redis
Write shipper.conf as the Logstash configuration that ships events into Redis
# cp all.conf shipper.conf
# vim shipper.conf
-------------------------------------
input {
  syslog {
    type => "system-syslog"
    host => "192.168.3.17"
    port => "514"
  }
  file {
    path => "/var/log/nginx/access.log"
    type => "nginx"
    start_position => "beginning"
  }
  file {
    path => "/var/log/elasticsearch/chuck-clueser.log"
    type => "es-error"
    start_position => "beginning"
    codec => multiline {
      pattern => "^\["
      negate => true
      what => "previous"
    }
  }
}
output {
  if [type] == "nginx" {
    redis {
      host => "192.168.3.17"
      port => "6379"
      db => "6"
      data_type => "list"
      key => "nginx"
    }
  }
  if [type] == "es-error" {
    redis {
      host => "192.168.3.17"
      port => "6379"
      db => "6"
      data_type => "list"
      key => "es-error"
    }
  }
  if [type] == "system-syslog" {
    redis {
      host => "192.168.3.17"
      port => "6379"
      db => "6"
      data_type => "list"
      key => "system-syslog"
    }
  }
}
-------------------------------------
# /opt/logstash/bin/logstash -f shipper.conf 
Settings: Default pipeline workers: 2
Pipeline main started


Check the keys in Redis
192.168.56.11:6379[6]> select 6
OK
192.168.56.11:6379[6]> keys *
1) "demo"
2) "nginx"
From another machine, run ab against the nginx on 3.17 to generate load; the Redis list can be watched growing
# ab -c 10 -n 100000
redis 192.168.3.17:6379[6]> llen nginx
(integer) 10002
redis 192.168.3.17:6379[6]> llen nginx
(integer) 11989
redis 192.168.3.17:6379[6]> llen nginx
(integer) 12878
redis 192.168.3.17:6379[6]> llen nginx
(integer) 13757
Write indexer.conf as the configuration that reads from Redis and sends to Elasticsearch (this configuration failed with the error: Redis connection problem {:exception=>#<Redis::CommandError: ERR unknown command 'script'>, :level=>:warn}
and the test did not succeed)
# cat indexer.conf
input {
  redis {
    type => "system-syslog"
    host => "192.168.3.17"
    port => "6379"
    db => "6"
    data_type => "list"
    key => "system-syslog"
  }
  redis {
    type => "nginx"
    host => "192.168.3.17"
    port => "6379"
    db => "6"
    data_type => "list"
    key => "nginx"
  }
  redis {
    type => "es-error"
    host => "192.168.3.17"
    port => "6379"
    db => "6"
    data_type => "list"
    key => "es-error" # must match the key that shipper.conf writes for this type
  }
}
output {
  if [type] == "system-syslog" {
    elasticsearch {
      hosts => ["192.168.3.17:9200"]
      index => "system-syslog-%{+YYYY.MM.dd}"
    }
  }
  if [type] == "nginx" {
    elasticsearch {
      hosts => ["192.168.3.17:9200"]
      index => "nginx-%{+YYYY.MM.dd}"
    }
  }
  if [type] == "es-error" {
    elasticsearch {
      hosts => ["192.168.3.17:9200"]
      index => "es-error-%{+YYYY.MM.dd}"
    }
  }
}
Start Logstash with indexer.conf
# /opt/logstash/bin/logstash -f indexer.conf
Settings: Default filter workers: 1
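The warning "ERR unknown command 'script'" above is what Redis returns when a client issues SCRIPT LOAD to a server that has no Lua scripting. The INFO output earlier in this section shows redis_version:2.4.10, and Redis only gained EVAL/SCRIPT in 2.6.0; the Logstash redis input uses a Lua script for its batched list reads (the batch_count option), so against a 2.4 server it fails exactly this way. The following Python script is an added example, not code from the page: it parses the key:value INFO format shown above (a constructed excerpt is embedded) and reports whether the server can serve the Logstash redis input and whether the db the indexer expects holds any keys. The function names and the wording of the findings are my own.

```python
import re

# Constructed excerpt of `redis-cli info` output, in the same key:value
# format the page shows (only the fields this check needs are kept).
INFO_TEXT = """\
redis_version:2.4.10
redis_git_sha1:00000000
arch_bits:64
process_id:17337
connected_clients:2
role:master
db6:keys=1,expires=0
"""

# Redis added the EVAL / SCRIPT commands in 2.6.0.
MIN_SCRIPTING = (2, 6, 0)


def parse_info(text):
    """Parse INFO output into a dict; blank lines and '# Section' headers are skipped."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        info[key] = value
    return info


def version_tuple(version):
    """'2.4.10' -> (2, 4, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def parse_keyspace(info):
    """Turn 'db6' -> 'keys=1,expires=0' entries into {6: {'keys': 1, 'expires': 0}}."""
    spaces = {}
    for key, value in info.items():
        if re.fullmatch(r"db\d+", key):
            fields = dict(part.split("=", 1) for part in value.split(","))
            spaces[int(key[2:])] = {name: int(num) for name, num in fields.items()}
    return spaces


def check_for_logstash(info, expected_db):
    """Return a list of findings; an empty list means nothing blocks the redis input."""
    findings = []
    version = info["redis_version"]
    if version_tuple(version) < MIN_SCRIPTING:
        findings.append(
            f"redis {version} has no Lua scripting: the logstash redis input's batched "
            f"reads (SCRIPT/EVAL) fail with 'unknown command'; upgrade to >= 2.6 "
            f"or set batch_count => 1 so the plugin falls back to plain BLPOP"
        )
    if expected_db not in parse_keyspace(info):
        findings.append(
            f"db {expected_db} holds no keys: nothing for the indexer to consume "
            f"(check that the shipper is running and writing to this db)"
        )
    return findings


if __name__ == "__main__":
    for finding in check_for_logstash(parse_info(INFO_TEXT), 6):
        print("-", finding)
```

Run it as-is and it prints the scripting finding for the 2.4.10 server; feed it the real `redis-cli info` output and the db number from indexer.conf to check a live host before starting the indexer.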
Because the log volume is small, everything is sent to Elasticsearch almost immediately and the keys disappear, so write more data into the logs
# for n in `seq 10000` ;do echo $n >>/var/log/nginx/access.log;done
# for n in `seq 10000` ;do echo $n >>/var/log/messages;done
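With one Redis key per event type, the output section of shipper.conf and the input section of indexer.conf have to agree: every key the shipper writes must be read by exactly one input whose type matches, otherwise a list grows without bound, or events are re-tagged with the wrong type and land in the wrong index. The following Python script is an added example and not part of the page: it extracts the type-to-key mapping from both files with a small brace-aware parser (only redis{} plugin blocks and `if [type] == "..."` branches are understood, a simplification I assume here) and lists the mismatches. The embedded configs are constructed from the ones above, with a copy-paste slip in the es-error input to show what the check reports.

```python
import re

# Constructed output section, modelled on shipper.conf above.
SHIPPER_CONF = """
output {
  if [type] == "nginx" {
    redis { host => "192.168.3.17" port => "6379" db => "6" data_type => "list" key => "nginx" }
  }
  if [type] == "es-error" {
    redis { host => "192.168.3.17" port => "6379" db => "6" data_type => "list" key => "es-error" }
  }
  if [type] == "system-syslog" {
    redis { host => "192.168.3.17" port => "6379" db => "6" data_type => "list" key => "system-syslog" }
  }
}
"""

# Constructed input section with a deliberate slip: the es-error input reads key "nginx".
INDEXER_CONF = """
input {
  redis { type => "system-syslog" host => "192.168.3.17" port => "6379" db => "6" data_type => "list" key => "system-syslog" }
  redis { type => "nginx" host => "192.168.3.17" port => "6379" db => "6" data_type => "list" key => "nginx" }
  redis { type => "es-error" host => "192.168.3.17" port => "6379" db => "6" data_type => "list" key => "nginx" }
}
"""

# The same input section with the slip corrected.
INDEXER_CONF_FIXED = INDEXER_CONF.replace('data_type => "list" key => "nginx" }\n}', 'data_type => "list" key => "es-error" }\n}')

SETTING = r'(\w+)\s*=>\s*"([^"]*)"'  # one `name => "value"` setting


def _body(text, start):
    """Return the text from `start` (just past an opening brace) to its matching close brace."""
    depth = 1
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError("unbalanced braces")


def _section(conf, name):
    """Body of the top-level `name { ... }` section, or '' if absent."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{", conf)
    return _body(conf, m.end()) if m else ""


def _redis_blocks(text):
    """Yield the settings of each `redis { ... }` plugin block as a dict."""
    for m in re.finditer(r"\bredis\s*\{([^}]*)\}", text):
        yield dict(re.findall(SETTING, m.group(1)))


def shipper_keys(conf):
    """Map event type -> redis key written, from `if [type] == "x" { redis { key => ... } }`."""
    out = _section(conf, "output")
    mapping = {}
    for m in re.finditer(r'if\s*\[type\]\s*==\s*"([^"]+)"\s*\{', out):
        for settings in _redis_blocks(_body(out, m.end())):
            mapping[m.group(1)] = settings.get("key")
    return mapping


def indexer_keys(conf):
    """Map event type -> redis key read, from the redis inputs."""
    return {s.get("type"): s.get("key") for s in _redis_blocks(_section(conf, "input"))}


def check_pipeline(shipper_conf, indexer_conf):
    """Return human-readable findings; an empty list means both sides agree."""
    written = shipper_keys(shipper_conf)  # type -> key
    read = indexer_keys(indexer_conf)     # type -> key
    findings = []
    for typ, key in read.items():
        if typ in written and written[typ] != key:
            findings.append(f"input for type {typ!r} reads key {key!r} but the shipper writes {written[typ]!r}")
    consumed = list(read.values())
    for typ, key in written.items():
        if key not in consumed:
            findings.append(f"key {key!r} (type {typ!r}) is written but never read: the list grows without bound")
    for key in sorted({k for k in consumed if consumed.count(k) > 1}):
        types = ", ".join(sorted(t for t, k in read.items() if k == key))
        findings.append(f"key {key!r} is read by several inputs ({types}): events are split and may get the wrong type")
    return findings


if __name__ == "__main__":
    for finding in check_pipeline(SHIPPER_CONF, INDEXER_CONF):
        print("-", finding)
```

Point it at the real shipper.conf and indexer.conf contents and an empty result means the two files agree on every key; the check only inspects the redis plugin blocks, so other outputs in the same file are ignored.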
10. How to roll out ELK in production
10.1 Log classification
Log type       Source    Logstash input / codec
System logs    rsyslog   logstash syslog plugin
Access logs    nginx     logstash codec json
Error logs     file      logstash file + multiline
Runtime logs   file      logstash codec json
Device logs    syslog    logstash syslog plugin
Debug logs     file      logstash json or multiline
10.2 Log standardization
 1) Fixed, standardized log paths
 2) Use JSON format wherever possible
10.3 Log collection order
Start with system logs -> error logs -> runtime logs -> access logs
The previous sections covered the input and output plugins; here we move on to the filter plugin


Search in Kibana for access records with status code 200 or 302:
status 302 or status 200
Install on the client

Content copyright notice: unless otherwise noted, all articles are original to this site.

When reproducing, cite the source: https://www.heiqu.com/00075c0035f4d4f5cd9f2c3bcb230e58.html