ELK(Logstash部分二)

Logstash部分

Logstash

Input filter output

Kibana

logstash是什么

logstash是一个数据采集、加工处理以及传输的工具

logstash特点：

所有类型的数据集中处理

不同模式和格式数据的正常化

自定义数据源轻松添加插件

lostash安装

Logstash 依赖java环境，需要安装java-1.8.0-openjdk

Logstash没有默认的配置文件，需要手动配置

logstash 安装在 /opt/logstash 目录下

rpm -ivh logstash-2.3.4-1.noarch.rpm

logstash插件：

[root@logstash logstash]# /opt/logstash/bin/logstash-plugin list

codec类插件

– 常用的插件:plain、json、json_lines、rubydebug、

multiline等

– 我们还使用刚刚的例子,不过这次我们输入 json 数据

– 我们设置输入源的 codec 是 json,在输入的时候选择

rubydebug

codec:编码，可用于所有区域段

logstash-codec-

logstash-filter-

logstash-input-

logstash-output-

[root@logstash logstash]# vim logstash.conf

input{

stdin{} //标准输入

}

filter{

}

output{

stdout{} //标准输出

}

man cat

[root@logstash logstash]# cat

adbd //标准输入

adbd //标准输出

123456

[root@logstash logstash]# /opt/logstash/bin/logstash -f logstash.conf

Settings: Default pipeline workers: 2

Pipeline main started

2018-07-30T06:31:31.562Z logstash //时间戳加主机名标准输入

adbc

2018-07-30T06:31:36.121Z logstash adbc //标准输出

https://github.com/logstash-plugins/logstash-input-file

https://www.elastic.co/guide/en/logstash/current/index.html

input{

stdin{ codec => "json" }

}

code编解码：

codec 类插件

– 练习 output 和 input 配置

– 练习在 input 不指定类型 json 输出结果

– 练习在 output 不指定 rubydebug 的输出结果

– 同时指定以后的输出结果

[root@logstash logstash]# cat logstash.conf

input{

stdin{ codec => "json" }

}

filter{

}

output{

stdout{ codec => "rubydebug" }

}

[root@logstash logstash]# vim logstash.conf

[root@logstash logstash]# /opt/logstash/bin/logstash -f logstash.conf

Settings: Default pipeline workers: 2

Pipeline main started

abcd

{

"message" => "abcd",

"tags" => [

[0] "_jsonparsefailure"

"@version" => "1",

"@timestamp" => "2018-07-30T06:52:58.482Z",

"host" => "logstash"

}

{"a":1,"b":2,"c":3}

{

"a" => 1,

"b" => 2,

"c" => 3,

"@version" => "1",

"@timestamp" => "2018-07-30T06:53:23.702Z",

"host" => "logstash"

}

[root@logstash tmp]# cat /etc/logstash/logstash.conf

input{

stdin{ codec => "json" }

file {

path => [ "/tmp/a.log", "/tmp/b.log" ]

}

filter{

}

output{

stdout{ codec => "rubydebug" }

}

[root@logstash logstash]# vim logstash.conf

[root@logstash logstash]# /opt/logstash/bin/logstash -f logstash.conf

Settings: Default pipeline workers: 2

Pipeline main started

{

"message" => "a1",

"@version" => "1",

"@timestamp" => "2018-07-30T07:33:20.167Z",

"path" => "/tmp/a.log",

"host" => "logstash"

}

[root@logstash ~]# cd /tmp

[root@logstash tmp]# echo a1 >> a.log

[root@logstash tmp]# cat /root/.sincedb_ab3977c541d1144f701eedeb3af4956a

613715 0 64769 6

613716 0 64769 3

start_positionedit

Value can be any of: beginning, end

Default value is "end"

sincedb_path 记录读取文件的位置

start_position 配置第一次读取文件从什么地方开始

[root@logstash logstash]# cat logstash.conf

input{

stdin{ codec => "json" }

file {

path => [ "/tmp/a.log", "/tmp/b.log" ]

sincedb_path => "/var/lib/logstash/sincedb.log"

start_position => "beginning"

type => "filelog"

}

filter{

}

output{

stdout{ codec => "rubydebug" }

}

[root@logstash tmp]# cat /var/lib/logstash/sincedb.log

613715 0 64769 6

613716 0 64769 3

练习 input tcp 和 udp 插件

[root@es5 ~]# man bash

[root@es5 ~]# echo "test udp log" >/dev/udp/192.168.6.16/9999

[root@es5 ~]# echo "test tcp log" >/dev/tcp/192.168.6.16/8888

[root@es5 ~]#

[root@logstash logstash]# vim logstash.conf

[root@logstash tmp]# cat /etc/logstash/logstash.conf

input{

stdin{ codec => "json" }

file {

path => [ "/tmp/a.log", "/tmp/b.log" ]

sincedb_path => "/var/lib/logstash/sincedb.log"

start_position => "beginning"

type => "filelog"

}

tcp {

mode => "server"

host => "0.0.0.0"

port => 8888

type => "tcplog"

}

udp {

port => 9999

type => "udplog"

}

filter{

}

output{

stdout{ codec => "rubydebug" }

}

[root@logstash logstash]# /opt/logstash/bin/logstash -f logstash.conf

Settings: Default pipeline workers: 2

Pipeline main started

{

"message" => "test udp log\n",

"@version" => "1",

"@timestamp" => "2018-07-30T08:40:01.774Z",

"type" => "udplog",

"host" => "192.168.6.15"

}

{

"message" => "test tcp log",

"@version" => "1",

"@timestamp" => "2018-07-30T08:40:37.124Z",

"host" => "192.168.6.15",

"port" => 59100,

"type" => "tcplog"

}

cat /var/log/message

vim /etc/rsyslog.conf

[root@kibana ~]# vim /etc/rsyslog.conf

local0.info /var/log/info.log

EXAMPLES

logger System rebooted

logger -p local0.notice -t HOSTIDM -f /dev/idmc

logger -n loghost.example.com System rebooted

[root@kibana ~]# systemctl restart rsyslog

[root@kibana ~]# cd /var/log/

[root@kibana log]# ls

anaconda boot.log-20180730 cron dmesg.old httpd maillog-20180730 qemu-ga secure-20180730 tallylog yum.log

audit btmp cron-20180730 firewalld lastlog messages rhsm spooler tuned

boot.log chrony dmesg grubby_prune_debug maillog messages-20180730 secure spooler-20180730 wtmp

[root@kibana log]# ls info.log

ls: 无法访问info.log: 没有那个文件或目录

[root@kibana log]# man logger

[root@kibana log]# logger -p local0.info -t "testlog" "a b c d"

[root@kibana log]# cat info.log

Jul 30 17:01:57 kibana testlog: a b c d

@@(tcp)

[root@logstash logstash]# vim logstash.conf

[root@logstash tmp]# cat /etc/logstash/logstash.conf

input{

stdin{ codec => "json" }

file {

path => [ "/tmp/a.log", "/tmp/b.log" ]

sincedb_path => "/var/lib/logstash/sincedb.log"

start_position => "beginning"

type => "filelog"

}

tcp {

mode => "server"

host => "0.0.0.0"

port => 8888

type => "tcplog"

}

udp {

port => 9999

type => "udplog"

}

syslog{

host => "0.0.0.0"

port => 514

type => "syslog"

}

filter{

}

output{

stdout{ codec => "rubydebug" }

}

[root@logstash logstash]# /opt/logstash/bin/logstash -f logstash.conf

Settings: Default pipeline workers: 2

Pipeline main started

{

"message" => "helloworld\n",

"@version" => "1",

"@timestamp" => "2018-07-30T09:07:49.000Z",

"type" => "syslog",

"host" => "192.168.6.10",

"priority" => 134,

"timestamp" => "Jul 30 17:07:49",

"logsource" => "kibana",

"program" => "testlog",

"severity" => 6,

"facility" => 16,

"facility_label" => "local0",

"severity_label" => "Informational"

}

[root@kibana log]# man logger

[root@kibana log]# logger -p local0.info -t "testlog" "a b c d"

[root@kibana log]# cat info.log

Jul 30 17:01:57 kibana testlog: a b c d

[root@kibana log]# vim /etc/rsyslog.conf

local7.* /var/log/boot.log

local0.info /var/log/info.log

local0.info @@192.168.6.16:514

[root@kibana log]# systemctl restart rsyslog

[root@kibana log]# logger -p local0.info -t "testlog" "helloworld"

[root@kibana log]# cat info.log

Jul 30 17:01:57 kibana testlog: a b c d

Jul 30 17:04:19 kibana testlog: helloworld

Jul 30 17:07:49 kibana testlog: helloworld

[root@kibana log]#

@(udp)

[root@kibana log]# vim /etc/rsyslog.conf

local7.* /var/log/boot.log

local0.info /var/log/info.log

local0.info @192.168.6.16:514

[root@kibana log]# systemctl restart rsyslog

[root@kibana log]# logger -p local0.info -t "testlog" "helloworld1"

[root@logstash logstash]# /opt/logstash/bin/logstash -f logstash.conf

Settings: Default pipeline workers: 2

Pipeline main started

{

"message" => "helloworld1",

"@version" => "1",

"@timestamp" => "2018-07-30T09:12:05.000Z",

"type" => "syslog",

"host" => "192.168.6.10",

"priority" => 134,

"timestamp" => "Jul 30 17:12:05",

"logsource" => "kibana",

"program" => "testlog",

"severity" => 6,

"facility" => 16,

"facility_label" => "local0",

"severity_label" => "Informational"

}

//端口查询

[root@logstash tmp]# ss -tunlp

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port

udp UNCONN 0 0 127.0.0.1:323 *:* users:(("chronyd",pid=471,fd=1))

udp UNCONN 0 0 ::1:323 :::* users:(("chronyd",pid=471,fd=2))

tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=678,fd=3))

tcp LISTEN 0 100 127.0.0.1:25 *:* users:(("master",pid=774,fd=13))

tcp LISTEN 0 128 :::22 :::* users:(("sshd",pid=678,fd=4))

tcp LISTEN 0 100 ::1:25 :::* users:(("master",pid=774,fd=14))

[root@logstash tmp]# ss -tunlp

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port

udp UNCONN 0 0 127.0.0.1:323 *:* users:(("chronyd",pid=471,fd=1))

udp UNCONN 0 0 :::514 :::* users:(("java",pid=4265,fd=29))

udp UNCONN 0 0 :::9999 :::* users:(("java",pid=4265,fd=36))

udp UNCONN 0 0 ::1:323 :::* users:(("chronyd",pid=471,fd=2))

tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=678,fd=3))

tcp LISTEN 0 100 127.0.0.1:25 *:* users:(("master",pid=774,fd=13))

tcp LISTEN 0 128 :::22 :::* users:(("sshd",pid=678,fd=4))

tcp LISTEN 0 50 :::8888 :::* users:(("java",pid=4265,fd=7))

tcp LISTEN 0 100 ::1:25 :::* users:(("master",pid=774,fd=14))

tcp LISTEN 0 50 :::514 :::* users:(("java",pid=4265,fd=40))

logstash 部分

• grok 正则分组匹配

– 匹配 ip 时间戳和请求方法

"(?<ip>(\d+\.){3}\d+) \S+ \S+

(?<time>.*\])\s+\"(?<method>[A-Z]+)"]

– 使用正则宏

%{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth}

\[%{HTTPDATE:timestamp}\] \"%{WORD:verb}

– 最终版本

%{COMMONAPACHELOG} \"(?<referer>[^\"]+)\"

\"(?<UA>[^\"]+)\

match => ["message", "(?<client_ip>([12]?\d?\d\.){3}[12]?\d?\d).+[(?<time>.+)\] \"(?<method>[A-Z]+) (?<url>\S+) (?<prot>[^\"]+)\" ]

[root@logstash patterns]# vim grok-patterns

[root@logstash patterns]# pwd

/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns

COMBINEDAPACHELOG %{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}

filter{

grok {

match => ["message", "%{COMBINEDAPACHELOG}"]

}

[root@kibana html]# curl http://www.baidu.com/ -o index.html

猜你喜欢