LogStash environment setup
1. Download Logstash
[10:17:18 root@elk2:/usr/local]#wget http://192.168.13.253/Resources/ElasticStack/softwares/logstash-7.17.23-amd64.deb
2. Install Logstash
[10:17:35 root@elk2:/usr/local]#dpkg -i logstash-7.17.23-amd64.deb
3. Create a symbolic link so that the logstash program can be found through the PATH variable
[10:19:11 root@elk2:~]#ln -svf /usr/share/logstash/bin/logstash /usr/local/bin
4. View the help
#Logstash starts a JVM, so it is very slow to start.
[10:20:39 root@elk2:~]#logstash -h
Using JAVA_HOME defined java: /usr/share/elasticsearch/jdk
WARNING: Using JAVA_HOME while Logstash distribution comes with a bundled JDK.
DEPRECATION: The use of JAVA_HOME is now deprecated and will be removed starting from 8.0. Please configure LS_JAVA_HOME instead.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Usage:
bin/logstash [OPTIONS]
Options:
-n, --node.name NAME Specify the name of this logstash instance, if no value is given
it will default to the current hostname.
(default: "elk2")
--enable-local-plugin-development Allow Gemfile to be manipulated directly
to facilitate simpler local plugin
development.
This is an advanced setting, intended
only for use by Logstash developers,
and should not be used in production.
(default: false)
-f, --path.config CONFIG_PATH Load the logstash config from a specific file
or directory. If a directory is given, all
files in that directory will be concatenated
in lexicographical order and then parsed as a
single config file. You can also specify
wildcards (globs) and any matched files will
be loaded in the order described above.
-e, --config.string CONFIG_STRING Use the given string as the configuration
data. Same syntax as the config file. If no
input is specified, then the following is
used as the default input:
"input { stdin { type => stdin } }"
and if no output is specified, then the
following is used as the default output:
"output { stdout { codec => rubydebug } }"
If you wish to use both defaults, please use
the empty string for the '-e' flag.
(default: nil)
--field-reference-parser MODE (DEPRECATED) This option is no longer
configurable.
Use the given MODE when parsing field
references.
The field reference parser is used to expand
field references in your pipeline configs,
and has become more strict to better handle
ambiguous- and illegal-syntax inputs.
The only available MODE is:
- `STRICT`: parse in a strict manner; when
given ambiguous- or illegal-syntax input,
raises a runtime exception that should
be handled by the calling plugin.
(default: "STRICT")
--modules MODULES Load Logstash modules.
Modules can be defined using multiple instances
'--modules module1 --modules module2',
or comma-separated syntax
'--modules=module1,module2'
Cannot be used in conjunction with '-e' or '-f'
Use of '--modules' will override modules declared
in the 'logstash.yml' file.
-M, --modules.variable MODULES_VARIABLE Load variables for module template.
Multiple instances of '-M' or
'--modules.variable' are supported.
Ignored if '--modules' flag is not used.
Should be in the format of
'-M "MODULE_NAME.var.PLUGIN_TYPE.PLUGIN_NAME.VARIABLE_NAME=VALUE"'
as in
'-M "example.var.filter.mutate.fieldname=fieldvalue"'
--setup Load index template into Elasticsearch, and saved searches,
index-pattern, visualizations, and dashboards into Kibana when
running modules.
(default: false)
--cloud.id CLOUD_ID Sets the elasticsearch and kibana host settings for
module connections in Elastic Cloud.
Your Elastic Cloud User interface or the Cloud support
team should provide this.
Add an optional label prefix '<label>:' to help you
identify multiple cloud.ids.
e.g. 'staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRub3RhcmVhbCRpZGVudGlmaWVy'
--cloud.auth CLOUD_AUTH Sets the elasticsearch and kibana username and password
for module connections in Elastic Cloud
e.g. 'username:<password>'
--pipeline.id ID Sets the ID of the pipeline.
(default: "main")
-w, --pipeline.workers COUNT Sets the number of pipeline workers to run.
(default: 2)
--pipeline.ordered ORDERED Preserve events order. Possible values are `auto` (default), `true` and `false`.
This setting
will only work when also using a single worker for the pipeline.
Note that when enabled, it may impact the performance of the filters
and ouput processing.
The `auto` option will automatically enable ordering if the
`pipeline.workers` setting is set to `1`.
Use `true` to enable ordering on the pipeline and prevent logstash
from starting if there are multiple workers.
Use `false` to disable any extra processing necessary for preserving
ordering.
(default: "auto")
--java-execution Use Java execution engine.
(default: true)
--plugin-classloaders (Beta) Load Java plugins in independent classloaders to isolate their dependencies.
(default: false)
-b, --pipeline.batch.size SIZE Size of batches the pipeline is to work in.
(default: 125)
-u, --pipeline.batch.delay DELAY_IN_MS When creating pipeline batches, how long to wait while polling
for the next event.
(default: 50)
--pipeline.unsafe_shutdown Force logstash to exit during shutdown even
if there are still inflight events in memory.
By default, logstash will refuse to quit until all
received events have been pushed to the outputs.
(default: false)
--pipeline.ecs_compatibility STRING Sets the pipeline's default value for `ecs_compatibility`,
a setting that is available to plugins that implement
an ECS Compatibility mode for use with the Elastic Common
Schema.
Possible values are:
- disabled (default)
- v1
- v2
This option allows the early opt-in (or preemptive opt-out)
of ECS Compatibility modes in plugins, which is scheduled to
be on-by-default in a future major release of Logstash.
Values other than `disabled` are currently considered BETA,
and may produce unintended consequences when upgrading Logstash.
(default: "disabled")
--path.data PATH This should point to a writable directory. Logstash
will use this directory whenever it needs to store
data. Plugins will also have access to this path.
(default: "/usr/share/logstash/data")
-p, --path.plugins PATH A path of where to find plugins. This flag
can be given multiple times to include
multiple paths. Plugins are expected to be
in a specific directory hierarchy:
'PATH/logstash/TYPE/NAME.rb' where TYPE is
'inputs' 'filters', 'outputs' or 'codecs'
and NAME is the name of the plugin.
(default: [])
-l, --path.logs PATH Write logstash internal logs to the given
file. Without this flag, logstash will emit
logs to standard output.
(default: "/usr/share/logstash/logs")
--log.level LEVEL Set the log level for logstash. Possible values are:
- fatal
- error
- warn
- info
- debug
- trace
(default: "info")
--config.debug Print the compiled config ruby code out as a debug log (you must also have --log.level=debug enabled).
WARNING: This will include any 'password' options passed to plugin configs as plaintext, and may result
in plaintext passwords appearing in your logs!
(default: false)
-i, --interactive SHELL Drop to shell instead of running as normal.
Valid shells are "irb" and "pry"
-V, --version Emit the version of logstash and its friends,
then exit.
-t, --config.test_and_exit Check configuration for valid syntax and then exit.
(default: false)
-r, --config.reload.automatic Monitor configuration changes and reload
whenever it is changed.
NOTE: use SIGHUP to manually reload the config
(default: false)
--config.reload.interval RELOAD_INTERVAL How frequently to poll the configuration location
for changes, in seconds.
(default: #<Java::OrgLogstashUtil::TimeValue:0x291a8ecd>)
--api.enabled ENABLED Can be used to disable the Web API, which is
enabled by default.
(default: true)
--api.http.host HTTP_HOST Web API binding host (default: "127.0.0.1")
--api.http.port HTTP_PORT Web API http port (default: 9600..9700)
--log.format FORMAT Specify if Logstash should write its own logs in JSON form (one
event per line) or in plain text (using Ruby's Object#inspect)
(default: "plain")
--path.settings SETTINGS_DIR Directory containing logstash.yml file. This can also be
set through the LS_SETTINGS_DIR environment variable.
(default: "/usr/share/logstash/config")
--verbose Set the log level to info.
DEPRECATED: use --log.level=info instead.
--debug Set the log level to debug.
DEPRECATED: use --log.level=debug instead.
--quiet Set the log level to info.
DEPRECATED: use --log.level=info instead.
--http.enabled Can be used to disable the Web API, which is
enabled by default.
DEPRECATED: use `--api.enabled=false`
--http.host HTTP_HOST Web API binding host
DEPRECATED: use `--api.http.host=IP`
--http.port HTTP_PORT Web API http port
DEPRECATED: use `--api.http.port=PORT`
-h, --help print help
LogStash architecture
#Logstash server:
The server on which the Logstash environment is deployed.
#Logstash instance:
A running Logstash process.
#pipeline:
One Logstash instance can have several pipelines; if none is defined there is a single default pipeline called main.
A pipeline is made up of several plugins:
- input:
Required; where the data comes from.
- filter:
Optional; what processing to apply to the data before it flows on to the output plugin.
- output:
Required; where the data goes.
The two ways to start LogStash
`---------------------#Start from the command line---------------------`
[10:21:39 root@elk2:~]#logstash -e "input { stdin { type => stdin } } output { stdout { codec => rubydebug } }"
#Observe
[INFO ] 2024-10-29 10:34:13.751 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
#Test: type 1111111111111111111
{
"host" => "elk2",
"type" => "stdin",
"@timestamp" => 2024-10-29T02:36:28.784Z,
"message" => "1111111111111111111",
"@version" => "1"
}
#Stop the service
terminate with ctrl+c
`---------------------#Start from a configuration file---------------------`
#Reference method 1:
#After we finish modifying the configuration, the service hot-reloads the file
[10:39:24 root@elk2:/etc/logstash/conf.d]#vim 01-stdin-to-stdout.conf
input {
stdin {
type => stdin
}
}
output {
stdout {
codec => rubydebug
}
}
[10:44:11 root@elk2:/etc/logstash/conf.d]#logstash -f 01-stdin-to-stdout.conf
#Observe the output
[INFO ] 2024-10-29 10:44:36.810 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
#Type test input: 222222222222222
{
"@version" => "1",
"host" => "elk2",
"@timestamp" => 2024-10-29T02:45:06.936Z,
"type" => "stdin",
"message" => "222222222222222"
}
#Reference method 2:
[10:45:29 root@elk2:/etc/logstash/conf.d]#vim 01-stdin-to-stdout.conf
input {
stdin {
type => stdin
}
}
output {
stdout {
#codec => rubydebug
codec => json
}
}
#Observe the output
[INFO ] 2024-10-29 10:46:56.507 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
#Type test input: 333333333333333333333
{"host":"elk2","@version":"1","@timestamp":"2024-10-29T02:49:54.283Z","type":"stdin","message":"333333333333333333333"}
Generating logs with a Python script and collecting them with Logstash
[11:10:43 root@elk2:~]#vim generate_log.py
#!/usr/bin/env python3
# -*- coding: UTF-8 -*-
# @author : Jason Yin
import logging
import random
import sys
import time

LOG_FORMAT = "%(levelname)s %(asctime)s [com.edu.%(module)s] - %(message)s "
DATE_FORMAT = "%Y-%m-%d %H:%M:%S"

# The log file path is the first (and only) command-line argument
if len(sys.argv) != 2:
    sys.exit("usage: generate_log.py <log file>")

# Basic configuration of the root logging.Logger instance; append to the given file
logging.basicConfig(level=logging.INFO, format=LOG_FORMAT, datefmt=DATE_FORMAT,
                    filename=sys.argv[1], filemode='a')

actions = ["浏览页面", "评论商品", "加入收藏", "加入购物车", "提交订单", "使用优惠券", "领取优惠券",
           "搜索", "查看订单", "付款", "清空购物车"]

while True:
    time.sleep(random.randint(1, 5))
    user_id = random.randint(1, 10000)
    # keep 2 decimal places on the generated float
    price = round(random.uniform(15000, 30000), 2)
    action = random.choice(actions)
    svip = random.choice([0, 1, 2])
    # one "DAU" record per line, fields separated by "|"
    logging.info("DAU|{0}|{1}|{2}|{3}".format(user_id, action, svip, price))
#Once it is written, start it and leave it running; open another window to run the other commands
[11:14:39 root@elk2:~]#python3 generate_log.py /tmp/apps.log
#Second window
[11:34:46 root@elk2:~]#cat /etc/logstash/conf.d/02-file-to-stdout.conf
input {
file {
# path of the file to collect
path => "/tmp/apps.log"
# where to start reading the file the "first" time it is collected: beginning or end (the default).
start_position => "beginning"
}
}
output {
stdout {
codec => rubydebug
}
}
#Start in the second window
[11:37:04 root@elk2:~]#logstash -rf /etc/logstash/conf.d/02-file-to-stdout.conf
#Third window: watch our /tmp/apps.log
[11:38:32 root@elk2:~]#tail -f /tmp/apps.log
INFO 2024-10-29 11:38:12 [com.generate_log] - DAU|843|加入购物车|2|28042.12
INFO 2024-10-29 11:38:17 [com.generate_log] - DAU|6363|领取优惠券|0|20939.4
INFO 2024-10-29 11:38:19 [com.generate_log] - DAU|6314|清空购物车|2|18861.92
.........................
Basic use of LogStash filter plugins
#Plugin summary
mutate
date
grok
useragent
geoip
Case: analysing a custom app log with the mutate plugin
#Note: do not close the script running in the first window
[12:00:23 root@elk2:~]#python3 generate_log.py /tmp/apps.log
1. Write the configuration file
[12:01:28 root@elk2:~]#vim /etc/logstash/conf.d/03-file-mutate-stdout.conf
input {
file {
path => "/tmp/apps.log"
start_position => "beginning"
}
}
filter {
mutate {
# split the message field on "|"
split => { "message" => "|" }
# add fields
add_field => {
"userId" => "%{[message][1]}"
"action" => "%{[message][2]}"
"svip" => "%{[message][3]}"
"price" => "%{[message][4]}"
"other" => "%{[message][0]}"
}
# remove fields
remove_field => [ "message","@version","host" ]
}
mutate {
# convert the data type of fields
convert => {
"userId" => "integer"
"price" => "float"
}
}
}
output {
stdout {
codec => rubydebug
}
}
2. Start the Logstash instance
[12:04:31 root@elk2:/etc/logstash/conf.d]#logstash -rf 03-file-mutate-stdout.conf
3. Verify in the second window
Look at the output that appears after the instance from step 2 starts
Case: handling date formats with the date plugin
#Note: do not close the script running in the first window
[12:00:23 root@elk2:~]#python3 generate_log.py /tmp/apps.log
1. Write the configuration file
[15:06:53 root@elk2:/etc/logstash/conf.d]#vim 03-file-mutate-stdout.conf
input {
file {
path => "/tmp/apps.log"
start_position => "beginning"
}
}
filter {
mutate {
# split the message field on "|"
split => { "message" => "|" }
# add fields
add_field => {
"userId" => "%{[message][1]}"
"action" => "%{[message][2]}"
"svip" => "%{[message][3]}"
"price" => "%{[message][4]}"
"other" => "%{[message][0]}"
}
}
mutate {
# convert the data type of fields
convert => {
"userId" => "integer"
"price" => "float"
}
}
mutate {
split => { "other" => " " }
add_field => {
"dt" => "%{[other][1]} %{[other][2]}"
}
# remove fields
remove_field => [ "message","@version","host","other" ]
}
date {
# 2024-10-29 14:43:21
# syntax reference:
# https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html#plugins-filters-date-match
match => [ "dt", "yyyy-MM-dd HH:mm:ss" ]
# store the converted value in the given field; if not specified, the "@timestamp" field is overwritten by default
#target => "datetime-li"
# timezone configuration, reference:
# https://joda-time.sourceforge.net/timezones.html
timezone => "Asia/Shanghai"
}
}
output {
stdout {
codec => rubydebug
}
elasticsearch {
# addresses of the ES cluster
hosts => ["10.0.0.91:9200","10.0.0.92:9200","10.0.0.93:9200"]
# name of the index in the ES cluster
index => "linux-logstash-%{+yyyy.MM.dd}"
}
}
2. Start the Logstash instance
[15:13:59 root@elk2:/etc/logstash/conf.d]#sed -i 's#2024#2023#g' /tmp/apps.log
[15:14:02 root@elk2:/etc/logstash/conf.d]#rm -rf /usr/share/logstash/data/
[15:14:14 root@elk2:/etc/logstash/conf.d]#logstash -rf 03-file-mutate-stdout.conf
#I ran this script one more time to generate fresh data
[15:17:05 root@elk2:~]#python3 generate_log.py /tmp/apps.log
3. Query the data in Kibana
First open Index Management --> create an index pattern --> go to Discover --> select the index pattern you created
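The filter chain in 03-file-mutate-stdout.conf (mutate split/add_field/convert, the second split that builds dt, and the date match with timezone Asia/Shanghai) can be hard to reason about from the config alone, in particular which fields end up typed and how the local time becomes the UTC @timestamp. The following is an added Python emulation of that chain over constructed sample lines; it is not code from the original notes. It assumes the DAU line layout written by generate_log.py and treats Asia/Shanghai as a fixed UTC+8 offset (no daylight saving). The tag names _dau_format_failure and _dau_convert_failure are constructed for this example; _dateparsefailure is the tag the real date filter adds.

```python
"""Python emulation of the filter chain in 03-file-mutate-stdout.conf (added example)."""
from datetime import datetime, timedelta, timezone

# Assumption: Asia/Shanghai is UTC+8 all year round, so no tz database is needed.
ASIA_SHANGHAI = timezone(timedelta(hours=8))

# Constructed sample lines in the layout generate_log.py writes to /tmp/apps.log.
SAMPLE_LINES = [
    "INFO 2024-10-29 11:38:12 [com.generate_log] - DAU|843|加入购物车|2|28042.12",
    "INFO 2024-10-29 11:38:17 [com.generate_log] - DAU|6363|领取优惠券|0|20939.4",
    "INFO 2024-10-29 25:99:99 [com.generate_log] - DAU|1|搜索|1|100.0",  # invalid time
    "a line that does not come from generate_log.py",                    # wrong shape
]


def process_dau_line(line):
    """Return the event Logstash would emit for one line of /tmp/apps.log."""
    event = {"message": line.rstrip(), "tags": []}

    # mutate { split => { "message" => "|" } }
    parts = event["message"].split("|")
    if len(parts) != 5:
        # With fewer pieces Logstash leaves "%{[message][N]}" unexpanded and the
        # convert step fails; this constructed tag marks such events instead.
        event["tags"].append("_dau_format_failure")
        return event

    # mutate { add_field => { ... } }: index 0 is the logging prefix ("other")
    event["other"], event["userId"], event["action"], event["svip"], event["price"] = parts

    # mutate { convert => { "userId" => "integer", "price" => "float" } }
    # svip is deliberately left as a string, exactly as the page's config does.
    try:
        event["userId"] = int(event["userId"])
        event["price"] = float(event["price"])
    except ValueError:
        event["tags"].append("_dau_convert_failure")  # constructed tag name

    # mutate { split => { "other" => " " } add_field => { "dt" => "%{[other][1]} %{[other][2]}" } }
    other = event["other"].split(" ")
    event["dt"] = f"{other[1]} {other[2]}"

    # date { match => [ "dt", "yyyy-MM-dd HH:mm:ss" ] timezone => "Asia/Shanghai" }
    # No target is set, so the result overwrites @timestamp, which Logstash keeps in UTC.
    try:
        local = datetime.strptime(event["dt"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=ASIA_SHANGHAI)
        event["@timestamp"] = local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    except ValueError:
        # The real date filter tags the event this way when no pattern matches.
        event["tags"].append("_dateparsefailure")

    # mutate { remove_field => [ "message", "@version", "host", "other" ] }
    for field in ("message", "other"):
        event.pop(field, None)
    return event


def process_file_lines(lines):
    """Run every line through the chain, as the file input would feed them one by one."""
    return [process_dau_line(line) for line in lines]


if __name__ == "__main__":
    for ev in process_file_lines(SAMPLE_LINES):
        print(ev)
```

Two things worth checking against your own output: the first sample line yields @timestamp 2024-10-29T03:38:12.000Z (11:38:12 local minus eight hours), which is the conversion the date filter performs; and a line whose time cannot be parsed keeps its other fields but carries _dateparsefailure in tags, so an aggregation over @timestamp in Kibana silently uses the ingest time for those events unless you filter on that tag.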
Analysing data in Kibana (charts)
Create an aggregate index pattern
Create a UV visualisation in the visualisation library
ELFK - user behaviour statistics
ELFK - platform transaction value
Create a dashboard (Dashboard)
Connecting Logstash to Filebeat
1. Write the Logstash configuration file
[16:17:14 root@elk2:/etc/logstash/conf.d]#vim 04-beats-grok-stdout.conf
input {
beats {
# port to listen on
port => 8888
}
}
filter {
mutate {
remove_field => [ "@version","log","tags","agent","ecs","input" ]
}
}
output {
stdout {
codec => rubydebug
}
}
2. Start Logstash
[16:28:59 root@elk2:/etc/logstash/conf.d]# logstash -rf 04-beats-grok-stdout.conf
...
[INFO ] 2024-10-29 16:29:45.880 [[main]-pipeline-manager] beats - Starting input listener {:address=>"0.0.0.0:8888"}
...
3. Write the filebeat configuration file
[16:29:59 root@elk3:/etc/filebeat]#vim 09-nginx-to-logstash.yaml
filebeat.inputs:
- type: log
paths:
- /var/log/nginx/access.log*
# the output destination is port 8888 on the Logstash node
output.logstash:
hosts: ["10.0.0.92:8888"]
4. Start filebeat to ship the collected data to the Logstash node
[16:30:23 root@elk3:/etc/filebeat]#rm -rf /var/lib/filebeat/
[16:30:45 root@elk3:/etc/filebeat]#filebeat -e -c 09-nginx-to-logstash.yaml
Analysing nginx access logs with grok
#First window
[20:24:48 root@elk2:/etc/logstash/conf.d]#logstash -rf 04-beats-grok-stdout.conf
1. Write the Logstash configuration file (second window)
[20:06:53 root@elk2:/etc/logstash/conf.d]#vim 04-beats-grok-stdout.conf
input {
beats {
# port to listen on
port => 8888
}
}
filter {
mutate {
remove_field => [ "@version","log","tags","agent","ecs","input" ]
}
# extract arbitrary text with regular expressions
grok {
# parse the access log in the message field using the built-in pattern HTTPD_COMMONLOG
match => { "message" => "%{HTTPD_COMMONLOG}"}
}
}
output {
stdout {
codec => rubydebug
}
}
2. Start filebeat
[19:06:16 root@elk3:~]#rm -rf /var/lib/filebeat/
[20:11:03 root@elk3:/etc/filebeat/conf.d]#filebeat -e -c 09-nginx-to-logstash.yaml
3. Resulting test data:
{
"verb" => "GET",
"ident" => "-",
"request" => "/",
"bytes" => "396",
"@timestamp" => 2024-10-29T12:52:45.683Z,
"clientip" => "221.218.209.11",
"timestamp" => "28/Oct/2024:17:11:50 +0800",
"host" => {
"name" => "elk3"
},
"auth" => "-",
"httpversion" => "1.1",
"response" => "200",
"message" => "221.218.209.11 - - [28/Oct/2024:17:11:50 +0800] \"GET / HTTP/1.1\" 200 396 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Safari/605.1.15\""
}
Analysing the latitude/longitude of nginx client IPs with geoip
#First window
[20:36:57 root@elk2:/etc/logstash/conf.d]#logstash -rf 05-beats-geoip-stdout.conf
......
[INFO ] 2024-10-29 20:37:38.375 [[main]<beats] Server - Starting server on port: 8888
.....
1. Write the Logstash configuration file
[20:26:50 root@elk2:/etc/logstash/conf.d]#vim 05-beats-geoip-stdout.conf
input {
beats {
port => 8888
}
}
filter {
mutate {
remove_field => [ "@version","log","tags","agent","ecs","input" ]
}
grok {
match => { "message" => "%{HTTPD_COMMONLOG}"}
}
# derive the user's latitude/longitude, city, country and related information from the given public IP address field.
geoip {
source => "clientip"
}
}
output {
stdout {
codec => rubydebug
}
}
2. Start the filebeat instance
[20:27:37 root@elk3:/etc/filebeat]#rm -rf /var/lib/filebeat/
[20:27:40 root@elk3:/etc/filebeat]#filebeat -e -c 09-nginx-to-logstash.yaml
3. Check the result in the first window
{
"@timestamp" => 2024-10-29T12:59:48.839Z,
"clientip" => "150.88.66.22",
"response" => "200",
"bytes" => "396",
"auth" => "-",
"verb" => "GET",
"timestamp" => "28/Oct/2024:17:12:27 +0800",
"request" => "/iphone",
"host" => {
"name" => "elk3"
},
"geoip" => {
"longitude" => 139.6895,
"country_code2" => "JP",
"continent_code" => "AS",
"location" => {
"lon" => 139.6895,
"lat" => 35.6897
},
"ip" => "150.88.66.22",
"country_code3" => "JP",
"country_name" => "Japan",
"latitude" => 35.6897,
"timezone" => "Asia/Tokyo"
},
"ident" => "-",
"message" => "150.88.66.22 - - [28/Oct/2024:17:12:27 +0800] \"GET /iphone HTTP/1.1\" 200 396 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36\"",
"httpversion" => "1.1"
}
Analysing the user's device type with useragent
1. Write the Logstash configuration file
[20:59:29 root@elk2:/etc/logstash/conf.d]#vim 06-beats-useragent-stdout.conf
input {
beats {
port => 8888
}
}
filter {
mutate {
remove_field => [ "@version","log","tags","agent","ecs","input" ]
}
grok {
match => { "message" => "%{HTTPD_COMMONLOG}"}
}
geoip {
source => "clientip"
}
useragent {
# which field to analyse the user's device type from
source => "message"
# which field to store the result in
target => "linux-useragent"
}
}
output {
stdout {
codec => rubydebug
}
}
[21:03:34 root@elk2:/etc/logstash/conf.d]#logstash -rf 06-beats-useragent-stdout.conf
2. Start the filebeat instance
[21:04:12 root@elk3:/etc/filebeat]#rm -rf /var/lib/filebeat/
[21:04:14 root@elk3:/etc/filebeat]#filebeat -e -c 09-nginx-to-logstash.yaml
3. Test result
{
"linux-useragent" => {
"os_version" => "8.0.0",
"major" => "116",
"os_major" => "8",
"patch" => "0",
"os" => "Android",
"device" => "Samsung SM-G955U",
"os_name" => "Android",
"os_full" => "Android 8.0.0",
"os_patch" => "0",
"minor" => "0",
"version" => "116.0.0.0",
"os_minor" => "0",
"name" => "Chrome Mobile"
},
"@timestamp" => 2024-10-29T13:04:43.443Z,
"response" => "200",
"request" => "/iphone",
"auth" => "-",
"bytes" => "396",
"clientip" => "150.88.66.22",
"ident" => "-",
"host" => {
"name" => "elk3"
},
"verb" => "GET",
"httpversion" => "1.1",
"geoip" => {
"longitude" => 139.6895,
"country_code3" => "JP",
"timezone" => "Asia/Tokyo",
"latitude" => 35.6897,
"continent_code" => "AS",
"country_code2" => "JP",
"country_name" => "Japan",
"ip" => "150.88.66.22",
"location" => {
"lat" => 35.6897,
"lon" => 139.6895
}
},
"timestamp" => "28/Oct/2024:17:12:27 +0800",
"message" => "150.88.66.22 - - [28/Oct/2024:17:12:27 +0800] \"GET /iphone HTTP/1.1\" 200 396 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36\""
}
Analysing the nginx access time with date
1. Write the Logstash configuration file
[21:04:41 root@elk2:/etc/logstash/conf.d]#vim 07-beats-date-stdout.conf
input {
beats {
port => 8888
}
}
filter {
mutate {
remove_field => [ "@version","log","tags","agent","ecs","input" ]
}
grok {
match => { "message" => "%{HTTPD_COMMONLOG}"}
}
geoip {
source => "clientip"
}
useragent {
source => "message"
target => "linux-useragent"
}
date {
# 28/Oct/2024:17:12:27 +0800
match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}
output {
stdout {
codec => rubydebug
}
}
[21:06:25 root@elk2:/etc/logstash/conf.d]#logstash -rf 07-beats-date-stdout.conf
2. Start the filebeat instance
[21:04:12 root@elk3:/etc/filebeat]#rm -rf /var/lib/filebeat/
[21:04:14 root@elk3:/etc/filebeat]#filebeat -e -c 09-nginx-to-logstash.yaml
3. Resulting test data:
{
"response" => "200",
"timestamp" => "28/Oct/2024:17:12:27 +0800",
"httpversion" => "1.1",
"auth" => "-",
"geoip" => {
"continent_code" => "AS",
"longitude" => 139.6895,
"country_code3" => "JP",
"country_code2" => "JP",
"location" => {
"lon" => 139.6895,
"lat" => 35.6897
},
"timezone" => "Asia/Tokyo",
"ip" => "150.88.66.22",
"latitude" => 35.6897,
"country_name" => "Japan"
},
"verb" => "GET",
"bytes" => "396",
"linux-useragent" => {
"os_name" => "Android",
"minor" => "0",
"os_patch" => "0",
"major" => "116",
"os_full" => "Android 8.0.0",
"os_minor" => "0",
"os_major" => "8",
"patch" => "0",
"os" => "Android",
"version" => "116.0.0.0",
"os_version" => "8.0.0",
"device" => "Samsung SM-G955U",
"name" => "Chrome Mobile"
},
"clientip" => "150.88.66.22",
"@timestamp" => 2024-10-28T09:12:27.000Z,
"ident" => "-",
"host" => {
"name" => "elk3"
},
"request" => "/iphone",
"message" => "150.88.66.22 - - [28/Oct/2024:17:12:27 +0800] \"GET /iphone HTTP/1.1\" 200 396 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36\""
}
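The grok section above relies on the built-in HTTPD_COMMONLOG pattern, and this section adds the date match "dd/MMM/yyyy:HH:mm:ss Z" on the timestamp field it extracts. The following is an added Python equivalent of both steps over constructed sample lines, serving the grok section and this date section together; it is not code from the original notes or from Logstash. The regular expression is my own transcription of the common-log layout that HTTPD_COMMONLOG describes, with the field names the page's rubydebug output shows; _grokparsefailure and _dateparsefailure are the tags the real grok and date filters add.

```python
"""Python equivalent of grok %{HTTPD_COMMONLOG} followed by the date match used in
07-beats-date-stdout.conf (added example)."""
import re
from datetime import datetime, timezone

# Own transcription of the common log layout: client ident auth [time] "request" status bytes.
COMMONLOG_RE = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?:(?P<verb>\w+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?'
    r'|(?P<rawrequest>[^"]*))" '
    r'(?P<response>\d+) (?P<bytes>\d+|-)'
)

# Constructed sample lines; the first two mirror the nginx lines quoted on the page.
SAMPLE_ACCESS_LINES = [
    '150.88.66.22 - - [28/Oct/2024:17:12:27 +0800] "GET /iphone HTTP/1.1" 200 396 "-" '
    '"Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36"',
    '221.218.209.11 - - [28/Oct/2024:17:11:50 +0800] "GET / HTTP/1.1" 200 396 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/16.0 Safari/605.1.15"',
    '192.0.2.10 - - [28/Oct/2024:17:13:01 +0800] "-" 400 0 "-" "-"',  # malformed request line
    'not an access log line at all',
]


def parse_access_line(line):
    """Return the event the grok + date filters would produce for one access-log line."""
    event = {"message": line, "tags": []}

    # grok { match => { "message" => "%{HTTPD_COMMONLOG}" } }
    m = COMMONLOG_RE.match(line)
    if m is None:
        event["tags"].append("_grokparsefailure")  # the tag grok itself adds
        return event
    # grok only adds captures that matched, and every value stays a string
    # (the page's output shows "bytes" => "396"), so numeric aggregations need
    # a mutate convert or an explicit index mapping.
    event.update({k: v for k, v in m.groupdict().items() if v is not None})

    # date { match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] }
    # The +0800 offset is part of the string, so no timezone option is needed;
    # @timestamp is stored in UTC, hence 17:12:27 +0800 becomes 09:12:27Z.
    try:
        ts = datetime.strptime(event["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
        event["@timestamp"] = ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    except ValueError:
        event["tags"].append("_dateparsefailure")
    return event


if __name__ == "__main__":
    for ev in (parse_access_line(l) for l in SAMPLE_ACCESS_LINES):
        print(ev)
```

The third sample shows the failure mode a practitioner should expect from malformed request lines: the pattern still matches, but verb, request and httpversion are absent and rawrequest holds the raw string, so any later filter that reads request (for example a useragent or a conditional on verb) must tolerate the field being missing. The fourth sample never matches and is only tagged, which is why searching for _grokparsefailure in Kibana is the quickest way to find log lines your pattern does not cover.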
Writing the data to the ES cluster
1. Write the Logstash configuration file
[21:07:37 root@elk2:/etc/logstash/conf.d]#vim 08-beats-filter-es.conf
input {
beats {
port => 8888
}
}
filter {
mutate {
remove_field => [ "@version","log","tags","agent","ecs","input" ]
}
grok {
match => { "message" => "%{HTTPD_COMMONLOG}"}
}
geoip {
source => "clientip"
}
useragent {
source => "message"
target => "linux-useragent"
}
date {
# 28/Oct/2024:17:12:27 +0800
match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}
output {
stdout {
codec => rubydebug
}
elasticsearch {
hosts => ["10.0.0.91:9200","10.0.0.92:9200","10.0.0.93:9200"]
index => "linux-elfk-nginx-%{+yyyy.MM.dd}"
}
}
[21:10:04 root@elk2:/etc/logstash/conf.d]#logstash -rf 08-beats-filter-es.conf
2. Start the filebeat instance
[21:10:21 root@elk3:/etc/filebeat]#rm -rf /var/lib/filebeat/
[21:10:22 root@elk3:/etc/filebeat]#filebeat -e -c 09-nginx-to-logstash.yaml
3. Query the data in Kibana and verify it
ELFK architecture data mapping: walkthrough of the map failure case
Solution:
{
"number_of_replicas": 0,
"number_of_shards": 6
}
[21:40:37 root@elk3:/etc/filebeat]#rm -rf /var/lib/filebeat/
[21:40:39 root@elk3:/etc/filebeat]#filebeat -e -c 09-nginx-to-logstash.yaml
Delete the index
Recreate the index
Fault fixed
IP statistics
UV statistics
Geolocation
Device type
Today's summary
- Logstash environment setup
- Logstash architecture
  - Logstash instance
  - Logstash pipeline
    - input
    - filter
    - output
- Commonly used Logstash plugins
  - input:
    - stdin
    - beats
    - file
  - filter:
    - mutate
    - date
    - grok
    - geoip
    - useragent
  - output:
    - stdout
    - elasticsearch
- ELK architecture
- ELFK architecture
- Failure case sharing: data mapping