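1. First, look at the current log output format in logs/catalina.out.
The format at the top may be unfamiliar to work with, so it is best to produce the format shown below it. That requires defining a custom log format; the following steps show how to change it.
2. Open conf/logging.properties and modify it as shown below.
Add the following to this file: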
    1catalina.org.apache.juli.AsyncFileHandler.formatter = java.util.logging.SimpleFormatter
    java.util.logging.SimpleFormatter.format = %1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS.%1$tL [%4$s] [%3$s] %2$s %5$s %6$s%n
At the same time, delete this line:
    java.util.logging.ConsoleHandler.formatter = org.apache.juli.OneLineFormatter
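3. After saving, restart Tomcat. The catalina.out file in the logs directory now shows the friendlier format described above, for example as marked by the second box in the first screenshot.
4. Write the Logstash configuration file: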
    input {
      redis {
        host => "172.16.0.54"
        port => 6379
        data_type => "list"
        db => "5"
        password => "123456"
        key => "tomcat_accessstatus_filter_index"
        codec => "json"
        add_field => { "[@metadata][mytomcat]" => "tomcat_accessstatus_filter_log" }
      }
    }

    filter {
      # if [fields][log_topic] == "tomcatlogs_catalina" {
      #   mutate {
      #     add_field => [ "[zabbix_key]", "tomcatlogs_catalina" ]
      #     add_field => [ "[zabbix_host]", "%{[host][name]}" ]
      #   }
      grok {
        match => { "message" => "%{TIMESTAMP_ISO8601:access_time}\s+\[(?<loglevel>[\s\S]*)\]\s+\[%{DATA:exception_info}\](?<tomcatcontent>[\s\S]*)" }
      }
      date {
        match => [ "access_time", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ]
      }
      mutate {
        remove_field => "@version"
        remove_field => "message"
        #remove_field => "[fields][log_topic]"
        #remove_field => "fields"
        remove_field => "access_time"
      }
    }

    output {
      stdout {}
    }
Next, feed in some content and you will see the result.
For example, input the following line:
2019-03-19 13:08:07.782 [INFO] [org.apache.coyote.ajp.AjpNioProtocol] org.apache.coyote.AbstractProtocol destroy Destroying ProtocolHandler ["ajp-nio-8009"]
You will see the following result:
    {
        "@timestamp" => 2019-03-19T05:08:07.782Z,
        "source" => "/usr/local/tomcat/logs/catalina.out",
        "input" => {
            "type" => "log"
        },
        "beat" => {
            "hostname" => "ELK-chaofeng07",
            "version" => "6.5.2",
            "name" => "ELK-chaofeng07"
        },
        "offset" => 27466,
        "exception_info" => "org.apache.coyote.ajp.AjpNioProtocol",
        "host" => {
            "id" => "95f33c1568b94503946976569d36ad32",
            "os" => {
                "family" => "redhat",
                "codename" => "Core",
                "platform" => "centos",
                "version" => "7 (Core)"
            },
            "containerized" => true,
            "name" => "ELK-chaofeng07",
            "architecture" => "x86_64"
        },
        "loglevel" => "INFO",
        "prospector" => {
            "type" => "log"
        },
        "tomcatcontent" => " org.apache.coyote.AbstractProtocol destroy Destroying ProtocolHandler [\"ajp-nio-8009\"] "
    }
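The grok expression in step 4 captures loglevel with a greedy `[\s\S]*`, so a message that itself contains `] [` moves the field boundaries and the level and logger fields end up holding message text. The Python sketch below is an added example, not part of the original post: it mirrors the grok expression using a simplified timestamp regex and compares it with a tightened variant. The names GREEDY, STRICT and parse, the TRICKY_LINE sample and the com.example.Demo logger are constructed for illustration.

```python
import re

# Simplified stand-in for grok's TIMESTAMP_ISO8601 (assumption: only the
# "yyyy-MM-dd HH:mm:ss.SSS" shape emitted by the SimpleFormatter format in step 2).
TS = r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?"

# Same structure as the page's grok expression: greedy [\s\S]* for loglevel,
# lazy .*? standing in for %{DATA}.
GREEDY = re.compile(
    r"(?P<access_time>" + TS + r")\s+\[(?P<loglevel>[\s\S]*)\]\s+"
    r"\[(?P<exception_info>.*?)\](?P<tomcatcontent>[\s\S]*)"
)
# Tightened variant (hypothetical): a bracketed field may not contain "]".
STRICT = re.compile(
    r"(?P<access_time>" + TS + r")\s+\[(?P<loglevel>[^\]]*)\]\s+"
    r"\[(?P<exception_info>[^\]]*)\](?P<tomcatcontent>[\s\S]*)"
)

def parse(pattern, line):
    """Return the named fields as a dict, or None if the line does not match."""
    m = pattern.match(line)
    return m.groupdict() if m else None

# The sample line from the page.
PAGE_LINE = ('2019-03-19 13:08:07.782 [INFO] [org.apache.coyote.ajp.AjpNioProtocol] '
             'org.apache.coyote.AbstractProtocol destroy Destroying ProtocolHandler '
             '["ajp-nio-8009"]')
# Constructed line: the message text itself contains "] [".
TRICKY_LINE = ('2019-03-19 13:08:08.001 [WARNING] [com.example.Demo] '
               'com.example.Demo run value=[a] [b] rejected')

if __name__ == "__main__":
    for line in (PAGE_LINE, TRICKY_LINE):
        for name, pat in (("greedy", GREEDY), ("strict", STRICT)):
            f = parse(pat, line)
            print(name, "|", f["loglevel"], "|", f["exception_info"])
```

In the Logstash configuration the equivalent tightening is to replace `[\s\S]*` inside the first pair of brackets with `[^\]]*`.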
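Here I have only demonstrated Logstash's output to stdout. Sending the output to an ES cluster is fairly easy to configure, so it is not covered in detail here.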