1. Case study: Collecting Tomcat's JSON-format access logs into Elasticsearch with Filebeat
1.1 Install Tomcat and configure JSON-format access logs
```shell
# Install Tomcat from a package or from a binary tarball
root@web02:~# apt install -y tomcat9 tomcat9-admin
root@web02:~# ll /var/lib/tomcat9/
total 20
drwxr-xr-x 5 root root 4096 Jan 3 11:37 ./
drwxr-xr-x 43 root root 4096 Jan 3 11:37 ../
lrwxrwxrwx 1 root root 12 Nov 18 19:07 conf -> /etc/tomcat9/
drwxr-xr-x 2 tomcat tomcat 4096 Nov 18 19:07 lib/
lrwxrwxrwx 1 root root 17 Nov 18 19:07 logs -> ../../log/tomcat9/
drwxr-xr-x 2 root root 4096 Jan 3 11:37 policy/
drwxrwxr-x 3 tomcat tomcat 4096 Jan 3 11:37 webapps/
lrwxrwxrwx 1 root root 19 Nov 18 19:07 work -> ../../cache/tomcat9/
root@web02:~# ll /var/lib/tomcat9/webapps/
total 12
drwxrwxr-x 3 tomcat tomcat 4096 Jan 3 11:37 ./
drwxr-xr-x 5 root root 4096 Jan 3 11:37 ../
drwxr-xr-x 3 root root 4096 Jan 3 11:37 ROOT/
root@web02:~# ls /etc/tomcat9/
Catalina context.xml logging.properties server.xml web.xml
catalina.properties jaspic-providers.xml policy.d tomcat-users.xml
# Switch Tomcat's access log to JSON format. The JSON double quotes sit inside an
# XML attribute value, so they must be written as &quot; or server.xml is not well-formed.
root@web02:~# vim /etc/tomcat9/server.xml
```
```xml
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="localhost_access_log" suffix=".txt"
       pattern="{&quot;clientip&quot;:&quot;%h&quot;,&quot;ClientUser&quot;:&quot;%l&quot;,&quot;authenticated&quot;:&quot;%u&quot;,&quot;AccessTime&quot;:&quot;%t&quot;,&quot;method&quot;:&quot;%r&quot;,&quot;status&quot;:&quot;%s&quot;,&quot;SendBytes&quot;:&quot;%b&quot;,&quot;Query?string&quot;:&quot;%q&quot;,&quot;partner&quot;:&quot;%{Referer}i&quot;,&quot;AgentVersion&quot;:&quot;%{User-Agent}i&quot;}"/>
```
```shell
root@web02:~# systemctl restart tomcat9.service
# Request the Tomcat page a few times; the access log now contains JSON lines like these
root@web02:~# tail -f /var/lib/tomcat9/logs/localhost_access_log.2023-01-03.txt
{"clientip":"192.168.1.1","ClientUser":"-","authenticated":"-","AccessTime":"[03/Jan/2023:11:43:30 +0000]","method":"GET / HTTP/1.1","status":"200","SendBytes":"1895","Query?string":"","partner":"-","AgentVersion":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.42"}
{"clientip":"192.168.1.1","ClientUser":"-","authenticated":"-","AccessTime":"[03/Jan/2023:11:43:30 +0000]","method":"GET /favicon.ico HTTP/1.1","status":"404","SendBytes":"729","Query?string":"","partner":"http://192.168.1.106:8080/","AgentVersion":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.42"}
{"clientip":"192.168.1.1","ClientUser":"-","authenticated":"-","AccessTime":"[03/Jan/2023:11:44:27 +0000]","method":"GET / HTTP/1.1","status":"200","SendBytes":"23","Query?string":"","partner":"-","AgentVersion":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.42"}
```
1.2 Modify the Filebeat configuration file
```shell
root@web02:~# vim /etc/filebeat/filebeat.yml
```
```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/lib/tomcat9/logs/localhost_access_log.*
  json.keys_under_root: true
  json.overwrite_keys: false
  tags: ["tomcat-access"]
- type: log
  enabled: true
  paths:
    - /var/lib/tomcat9/logs/catalina.*
  tags: ["tomcat-error"]
setup.template.settings:
  index.number_of_shards: 1
setup.ilm.enabled: false
setup.template.name: "tomcat"
setup.template.pattern: "tomcat-*"
output.elasticsearch:
  hosts: ["192.168.1.101:9200","192.168.1.102:9200","192.168.1.103:9200"]
  indices:
    - index: "tomcat-access-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "tomcat-access"
    - index: "tomcat-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "tomcat-error"
```
```shell
root@web02:~# systemctl restart filebeat.service
```
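To make visible what `json.keys_under_root`, `json.overwrite_keys: false` and the tag-based `indices` routing do to each access-log line, here is an added Python model of that stage of the pipeline. It is example code written for this page, not Filebeat's own code: the sample lines are constructed after the log output in 1.1, the `agent.version` of 7.17.8 is an assumption, and the `error.type`/`error.message` fields it attaches to an undecodable line mirror Filebeat's `json.add_error_key` option, which the configuration above does not enable. It also shows two things the configuration alone does not: `AccessLogValve` does not escape a `"` inside `%r` or `%{User-Agent}i`, so a request carrying one produces a line that is not valid JSON and loses all its fields, and `overwrite_keys: false` prevents a `tags` key inside the log line from replacing Filebeat's own tags and re-routing the event to another index.

```python
import json
from datetime import datetime, timezone

# Constructed sample lines in the page's AccessLogValve JSON pattern.
# Line 3 carries a double quote inside the User-Agent (written unescaped by the
# valve, so it is not valid JSON); line 4 carries its own "tags" key.
SAMPLE_LINES = [
    '{"clientip":"192.168.1.1","ClientUser":"-","authenticated":"-",'
    '"AccessTime":"[03/Jan/2023:11:43:30 +0000]","method":"GET / HTTP/1.1",'
    '"status":"200","SendBytes":"1895","Query?string":"","partner":"-",'
    '"AgentVersion":"Mozilla/5.0"}',
    '{"clientip":"192.168.1.1","ClientUser":"-","authenticated":"-",'
    '"AccessTime":"[03/Jan/2023:11:43:30 +0000]","method":"GET /favicon.ico HTTP/1.1",'
    '"status":"404","SendBytes":"729","Query?string":"",'
    '"partner":"http://192.168.1.106:8080/","AgentVersion":"Mozilla/5.0"}',
    '{"clientip":"192.168.1.1","ClientUser":"-","authenticated":"-",'
    '"AccessTime":"[03/Jan/2023:11:44:27 +0000]","method":"GET / HTTP/1.1",'
    '"status":"200","SendBytes":"23","Query?string":"","partner":"-",'
    '"AgentVersion":"probe "v1.0" agent"}',
    '{"clientip":"10.0.0.9","tags":["tomcat-error"],"status":"200",'
    '"method":"GET /x HTTP/1.1"}',
]

AGENT_VERSION = "7.17.8"  # assumed agent.version (the value seen later on this page)


def base_event(tags, when):
    """Fields Filebeat itself sets on every event before the JSON line is decoded."""
    return {
        "@timestamp": when.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "agent": {"type": "filebeat", "version": AGENT_VERSION},
        "tags": list(tags),
    }


def decode_json_line(line, event, overwrite_keys=False, add_error_key=True):
    """Emulate json.keys_under_root: merge the decoded object into the event root.

    With overwrite_keys=False an existing field (e.g. @timestamp, tags) wins over a
    same-named key from the log line. On a decode failure the raw line is kept in
    `message`; the error.* fields model json.add_error_key (assumption: not enabled
    in the page's configuration).
    """
    try:
        fields = json.loads(line)
        if not isinstance(fields, dict):
            raise ValueError("JSON line is not an object")
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        event["message"] = line
        if add_error_key:
            event["error"] = {"type": "json", "message": f"Error decoding JSON: {exc}"}
        return event
    for key, value in fields.items():
        if overwrite_keys or key not in event:
            event[key] = value
    return event


def index_for(event, when):
    """Pick the index the way the output.elasticsearch `indices` rules do."""
    day = when.strftime("%Y.%m.%d")        # %{+yyyy.MM.dd}
    version = event["agent"]["version"]    # %{[agent.version]}
    tags = event.get("tags", [])
    if "tomcat-access" in tags:
        return f"tomcat-access-{version}-{day}"
    if "tomcat-error" in tags:
        return f"tomcat-error-{version}-{day}"
    return f"filebeat-{version}-{day}"     # Filebeat's default index when no rule matches


def process_access_log(lines, when=None, overwrite_keys=False):
    """Return [(index_name, event), ...] for a batch of lines from the access-log input."""
    when = when or datetime(2023, 1, 3, 11, 43, 30, tzinfo=timezone.utc)
    results = []
    for line in lines:
        event = decode_json_line(line, base_event(["tomcat-access"], when), overwrite_keys)
        results.append((index_for(event, when), event))
    return results


def malformed(results):
    """Positions of events whose line did not decode: the ones a dashboard would silently miss."""
    return [i for i, (_, event) in enumerate(results) if "error" in event]


if __name__ == "__main__":
    for index, event in process_access_log(SAMPLE_LINES):
        print(index, event.get("status", "?"), event.get("error", {}).get("message", "ok"))
```

An event reported by `malformed()` arrives in Elasticsearch with the raw line in `message` and none of the JSON fields, so a Kibana visualisation filtering on `status` or `clientip` never shows it; counting such events (or enabling `json.add_error_key`) is the cheap way to notice that the log format is being broken.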
1.3 View the indices with the plugin
![Image 1: Collecting logs with Filebeat (part 2) - Li Jiacheng's homepage](http://www.lijiach.com/wp-content/uploads/2023/01/image-66.png)
1.4 View the collected log data in Kibana
![Image 2: Collecting logs with Filebeat (part 2) - Li Jiacheng's homepage](http://www.lijiach.com/wp-content/uploads/2023/01/image-67.png)
![Image 3: Collecting logs with Filebeat (part 2) - Li Jiacheng's homepage](http://www.lijiach.com/wp-content/uploads/2023/01/image-68.png)
![Image 4: Collecting logs with Filebeat (part 2) - Li Jiacheng's homepage](http://www.lijiach.com/wp-content/uploads/2023/01/image-69.png)
![Image 5: Collecting logs with Filebeat (part 2) - Li Jiacheng's homepage](http://www.lijiach.com/wp-content/uploads/2023/01/image-70.png)
2. Case study: Collecting Tomcat's multi-line error logs into Elasticsearch with Filebeat
2.1 Understanding the Tomcat error log
Tomcat is a Java application: a single error produces many lines of log output.
```shell
root@web02:~# tail /var/lib/tomcat9/logs/catalina.out
12-Jul-2021 14:05:58.190 WARNING [main] org.apache.catalina.startup.Catalina.parseServerXml Unable to load server configuration from [/usr/local/apache-tomcat-9.0.64/conf/server.xml]
 org.xml.sax.SAXParseException; systemId: file:/usr/local/apache-tomcat8.5.61/conf/server.xml; lineNumber: 22; columnNumber: 1; Content is not allowed in prolog.
	at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1243)
	at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:644)
	at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1535)
	at org.apache.catalina.startup.Catalina.parseServerXml(Catalina.java:617)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:709)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
12-Jul-2021 14:05:58.191 SEVERE [main] org.apache.catalina.startup.Catalina.start Cannot start server, server instance is not configured
```
All of these lines belong to one event, but Elasticsearch treats each line as a separate log record.
Merging the lines into a single event solves this.
2.2 Install and configure Tomcat
# Switch Tomcat's access log to JSON format, as in section 1.1 above
2.3 Modify the Filebeat configuration file
```shell
root@web02:~# vim /etc/filebeat/filebeat.yml
```
```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/lib/tomcat9/logs/localhost_access_log.*
  json.keys_under_root: true
  json.overwrite_keys: false
  tags: ["tomcat-access"]
- type: log
  enabled: true
  paths:
    - /var/lib/tomcat9/logs/catalina.*
  tags: ["tomcat-error"]
  multiline.type: pattern           # the default; can be omitted
  multiline.pattern: '^[0-3][0-9]-' # a line starting with a two-digit day and '-' begins a new event; '^\d{2}' also works
  multiline.negate: true
  multiline.match: after            # lines that do NOT match are appended to the preceding event
  multiline.maxlines: 10000         # default merges at most 500 lines; allow up to 10,000
setup.template.settings:
  index.number_of_shards: 1
setup.ilm.enabled: false
setup.template.name: "tomcat"
setup.template.pattern: "tomcat-*"
output.elasticsearch:
  hosts: ["192.168.1.101:9200","192.168.1.102:9200","192.168.1.103:9200"]
  indices:
    - index: "tomcat-access-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "tomcat-access"
    - index: "tomcat-error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "tomcat-error"
```
```shell
root@web02:~# systemctl restart filebeat.service
```
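To see exactly how the `multiline.*` settings above turn the catalina.out lines from 2.1 into events, here is an added Python re-implementation of Filebeat's `multiline.type: pattern` logic (`pattern`, `negate`, `match`, `maxlines`). This is example code written for this page, not Filebeat's own code; `SAMPLE_CATALINA` is a constructed excerpt modelled on the page's log. Besides the page's settings it can be run with the alternatives (`match: before`, or a `^\s+at ` pattern with `negate: false`) so the effect of each knob can be compared.

```python
import re

# Constructed excerpt of catalina.out modelled on the page's sample: one WARNING
# event that spans a stack trace, followed by a one-line SEVERE event.
SAMPLE_CATALINA = """\
12-Jul-2021 14:05:58.190 WARNING [main] org.apache.catalina.startup.Catalina.parseServerXml Unable to load server configuration from [/usr/local/apache-tomcat-9.0.64/conf/server.xml]
 org.xml.sax.SAXParseException; systemId: file:/usr/local/apache-tomcat8.5.61/conf/server.xml; lineNumber: 22; columnNumber: 1; Content is not allowed in prolog.
\tat com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1243)
\tat org.apache.tomcat.util.digester.Digester.parse(Digester.java:1535)
\tat org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
12-Jul-2021 14:05:58.191 SEVERE [main] org.apache.catalina.startup.Catalina.start Cannot start server, server instance is not configured
"""


def merge_multiline(lines, pattern=r"^[0-3][0-9]-", negate=True, match="after", max_lines=10000):
    """Group physical lines into events the way Filebeat's multiline.type: pattern does.

    A line is a "continuation" when the regex matches it, inverted if negate is true.
      match=after : a continuation line is appended to the event before it.
      match=before: continuation lines are held back and prepended to the next
                    non-continuation line, which closes the event.
    Only the first max_lines lines of an event are kept; the rest are dropped,
    which is what multiline.maxlines does in Filebeat.
    Returns the events as strings, lines joined with newlines.
    """
    if match not in ("after", "before"):
        raise ValueError("multiline.match must be 'after' or 'before'")
    regex = re.compile(pattern)
    events, current = [], []

    def add(line):
        if len(current) < max_lines:
            current.append(line)

    def flush():
        if current:
            events.append("\n".join(current))
            current.clear()

    for line in lines:
        continuation = bool(regex.search(line)) != negate
        if match == "after":
            if not (continuation and current):
                flush()            # this line starts a new event
            add(line)
        else:
            add(line)
            if not continuation:
                flush()            # this line closes the event the held lines belong to
    flush()
    return events


def page_settings(text=SAMPLE_CATALINA):
    """Run the excerpt through the exact settings used in the filebeat.yml above."""
    return merge_multiline(text.splitlines(), pattern=r"^[0-3][0-9]-", negate=True,
                           match="after", max_lines=10000)


if __name__ == "__main__":
    for i, event in enumerate(page_settings(), 1):
        print(f"--- event {i}: {event.count(chr(10)) + 1} line(s)")
        print(event)
```

Two comparisons worth running: with `match: before` the same pattern attaches the stack trace to the *following* SEVERE line, which is why the page uses `after`; and a pattern that only recognises the `\tat ...` frames (`negate: false`) leaves the `org.xml.sax.SAXParseException` line as an event of its own, which is why anchoring on the timestamp that begins every Tomcat log line is the more robust choice.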
2.4 View the indices with the plugin
![Image 6: Collecting logs with Filebeat (part 2) - Li Jiacheng's homepage](http://www.lijiach.com/wp-content/uploads/2023/01/image-71.png)
2.5 View the collected log data in Kibana
![Image 7: Collecting logs with Filebeat (part 2) - Li Jiacheng's homepage](http://www.lijiach.com/wp-content/uploads/2023/01/image-72.png)
3. Case study: Collecting Nginx logs into Redis with Filebeat
The logs collected by Filebeat are sent to Redis in the format shown below.
3.1 Install Nginx and configure JSON-format access logs
3.2 Install and configure Redis
```shell
root@client:~# apt install -y redis
# Bind on all interfaces so the Filebeat hosts can reach Redis. Once it is reachable
# from other hosts, set requirepass in redis.conf and the matching password in
# output.redis (see the commented line in the Filebeat config below).
root@client:~# sed -i.bak '/^bind.*/c bind 0.0.0.0' /etc/redis/redis.conf
root@client:~# systemctl restart redis
```
3.3 Modify the Filebeat configuration file
```shell
root@web01:~# vim /etc/filebeat/filebeat.yml
```
```yaml
......
output.redis:
  hosts: ["192.168.1.100:6379"]
  key: "filebeat"
  # password: "123456"
  # db: 0
```
```shell
root@web01:~# systemctl restart filebeat.service
```
3.4 Verify the log data in Redis
```shell
127.0.0.1:6379> keys *
1) "filebeat"
127.0.0.1:6379> TYPE filebeat
list
127.0.0.1:6379> llen filebeat
(integer) 9
127.0.0.1:6379> llen filebeat
(integer) 11
127.0.0.1:6379> LINDEX filebeat 11
"{\"@timestamp\":\"2023-01-03T12:21:26.000Z\",\"@metadata\":{\"beat\":\"filebeat\",\"type\":\"_doc\",\"version\":\"7.17.8\"},\"ecs\":{\"version\":\"1.12.0\"},\"responsetime\":0,\"referer\":\"-\",\"log\":{\"offset\":160858,\"file\":{\"path\":\"/var/log/nginx/access_json.log\"}},\"upstreamtime\":\"-\",\"status\":\"200\",\"host\":{\"architecture\":\"x86_64\",\"os\":{\"family\":\"debian\",\"name\":\"Ubuntu\",\"kernel\":\"5.4.0-131-generic\",\"codename\":\"focal\",\"type\":\"linux\",\"platform\":\"ubuntu\",\"version\":\"20.04.5 LTS (Focal Fossa)\"},\"name\":\"web01.test.com\",\"id\":\"9eaba3e85c9a4e16b66cda021bc16221\",\"containerized\":false,\"ip\":[\"192.168.1.105\",\"fe80::20c:29ff:fe6c:ce9f\"],\"mac\":[\"00:0c:29:6c:ce:9f\"],\"hostname\":\"web01.test.com\"},\"clientip\":\"192.168.1.105\",\"http_user_agent\":\"Elastic-Heartbeat/7.17.8 (linux; amd64; 692b4aac606e457bd2f5ef092d2d23c2fa950828; 2022-12-03 00:38:18 +0000 UTC)\",\"input\":{\"type\":\"log\"},\"uri\":\"/index.html\",\"xff\":\"-\",\"tcp_xff\":\"-\",\"http_host\":\"192.168.1.105\",\"size\":12,\"upstreamhost\":\"-\",\"domain\":\"192.168.1.105\",\"tags\":[\"nginx-access\"],\"agent\":{\"hostname\":\"web01.test.com\",\"ephemeral_id\":\"254a3692-8ccd-44d5-af39-d6c20165d71f\",\"id\":\"2fe34205-12d8-4f37-a3f5-39e0d42f73e6\",\"name\":\"web01.test.com\",\"type\":\"filebeat\",\"version\":\"7.17.8\"}}"
127.0.0.1:6379> LINDEX filebeat 10
"{\"@timestamp\":\"2023-01-03T12:21:23.000Z\",\"@metadata\":{\"beat\":\"filebeat\",\"type\":\"_doc\",\"version\":\"7.17.8\"},\"log\":{\"offset\":160423,\"file\":{\"path\":\"/var/log/nginx/access_json.log\"}},\"tags\":[\"nginx-access\"],\"ecs\":{\"version\":\"1.12.0\"},\"uri\":\"/index.html\",\"responsetime\":0,\"upstreamhost\":\"-\",\"clientip\":\"192.168.1.1\",\"agent\":{\"name\":\"web01.test.com\",\"type\":\"filebeat\",\"version\":\"7.17.8\",\"hostname\":\"web01.test.com\",\"ephemeral_id\":\"254a3692-8ccd-44d5-af39-d6c20165d71f\",\"id\":\"2fe34205-12d8-4f37-a3f5-39e0d42f73e6\"},\"domain\":\"192.168.1.105\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.42\",\"upstreamtime\":\"-\",\"size\":0,\"http_host\":\"192.168.1.105\",\"host\":{\"id\":\"9eaba3e85c9a4e16b66cda021bc16221\",\"containerized\":false,\"ip\":[\"192.168.1.105\",\"fe80::20c:29ff:fe6c:ce9f\"],\"mac\":[\"00:0c:29:6c:ce:9f\"],\"name\":\"web01.test.com\",\"hostname\":\"web01.test.com\",\"architecture\":\"x86_64\",\"os\":{\"kernel\":\"5.4.0-131-generic\",\"codename\":\"focal\",\"type\":\"linux\",\"platform\":\"ubuntu\",\"version\":\"20.04.5 LTS (Focal Fossa)\",\"family\":\"debian\",\"name\":\"Ubuntu\"}},\"xff\":\"-\",\"tcp_xff\":\"-\",\"referer\":\"-\",\"status\":\"304\",\"input\":{\"type\":\"log\"}}"
```
4. Case study: Read from standard input and output to Kafka
```shell
root@web01:~# vim /etc/filebeat/filebeat.yml
```
```yaml
output.kafka:
  hosts: ["192.168.1.87:9092", "192.168.1.88:9092", "192.168.1.89:9092"]
  topic: filebeat-log        # Kafka topic to publish to
  partition.round_robin:
    reachable_only: true     # true: publish only to reachable partitions; false: all partitions, and a down node blocks output
  required_acks: 1           # 0: no ack, messages may be lost on error; 1: wait for the leader partition (default); -1: wait for all replicas
  compression: gzip
  max_message_bytes: 1000000 # maximum size of one message in bytes; larger messages are dropped
```
5. Case study: Read from standard input and output to Logstash
```shell
root@web01:~# vim /etc/filebeat/filebeat.yml
```
```yaml
output.logstash:
  hosts: ["192.168.1.108:5044","192.168.1.109:5044"]
  index: filebeat
  loadbalance: true    # default false: send to one randomly chosen reachable Logstash; true: balance across all listed Logstash hosts
  worker: 1            # number of worker threads
  compression_level: 3 # compression level
```