Earlier we looked at how logstash is used in an ELK cluster. Processing logs with logstash works well, but it has one drawback: it is slow. The reason is that logstash depends on the JRuby virtual machine, a Ruby VM written in Java. A Java program running on the JVM is already slow, and logstash additionally runs on a Ruby VM written in Java, which amounts to running one virtual machine inside another, so the result is predictable. If all we need is to collect and ship logs, running logstash on the agent side is disproportionately resource-hungry. To solve this, Elastic developed a family of more lightweight log shippers, beats. filebeat is one of them: it collects the contents of local log files and forwards them somewhere, doing little processing in between, somewhat like rsyslog acting as a pure forwarder. If the logs need processing, we can configure filebeat's output to be logstash and run logstash on a dedicated server that does nothing but log processing.
The filebeat log collection pipeline
Tip: in the flow above, filebeat collects the logs and forwards them to logstash for analysis; logstash tokenises, analyses and processes the logs sent by filebeat and then sends them on to elasticsearch for storage.
Tip: once the number of filebeat agents on the back end grows, the pressure on logstash becomes very high. To address this, we can put redis in between as a temporary buffer; logstash then reads the logs from redis and stores what it reads in elasticsearch. Of course, filebeat can also send log data directly to elasticsearch for storage.
Installing filebeat
Download the filebeat rpm package matching the elasticsearch version
[root@node03 ~]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.8.12-x86_64.rpm
--2020-10-04 14:03:03--  https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.8.12-x86_64.rpm
Resolving artifacts.elastic.co (artifacts.elastic.co)... 151.101.230.222, 2a04:4e42:36::734
Connecting to artifacts.elastic.co (artifacts.elastic.co)|151.101.230.222|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11904164 (11M) [application/octet-stream]
Saving to: ‘filebeat-6.8.12-x86_64.rpm’

100%[================================================================================>] 11,904,164  9.76KB/s   in 16m 35s

2020-10-04 14:19:41 (11.7 KB/s) - ‘filebeat-6.8.12-x86_64.rpm’ saved [11904164/11904164]

[root@node03 ~]# ll
total 184540
-rw-r--r-- 1 root root  11904164 Aug 18 19:35 filebeat-6.8.12-x86_64.rpm
-rw-r--r-- 1 root root 177059640 Aug 18 19:41 logstash-6.8.12.rpm
[root@node03 ~]#
Install the filebeat-6.8.12 rpm package
[root@node03 ~]# yum install ./filebeat-6.8.12-x86_64.rpm -y
Loaded plugins: fastestmirror
Examining ./filebeat-6.8.12-x86_64.rpm: filebeat-6.8.12-1.x86_64
Marking ./filebeat-6.8.12-x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package filebeat.x86_64 0:6.8.12-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================
 Package              Arch               Version                 Repository                                    Size
==========================================================================================================================
Installing:
 filebeat             x86_64             6.8.12-1                /filebeat-6.8.12-x86_64                       38 M

Transaction Summary
==========================================================================================================================
Install  1 Package

Total size: 38 M
Installed size: 38 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : filebeat-6.8.12-1.x86_64                                                                          1/1
  Verifying  : filebeat-6.8.12-1.x86_64                                                                          1/1

Installed:
  filebeat.x86_64 0:6.8.12-1

Complete!
[root@node03 ~]#
Example: configure filebeat to collect httpd logs and output them to logstash
Tip: the configuration above enables the filebeat input that collects the log entries in /var/log/httpd/access_log.
Tip: the configuration above sends the log entries collected by filebeat to node03:5044.
Configure logstash on node03 to take its input from port 5044
Tip: the configuration above enables logstash's beats input plugin, listening on port 5044; logstash then writes the processed log data to standard output.
Start filebeat and logstash
Tip: you can see that when logstash starts it listens on port 5044.
Use another host to simulate an internet user accessing the page served by httpd on node03
[root@node01 ~]# curl -H "X-Forwarded-For:$[$RANDOM%223+1].$[RANDOM%255].$[RANDOM%255].$[RANDOM%255]" http://node03/test$[$RANDOM%20+1].html
page 18
[root@node01 ~]#
On node03, check logstash's standard output: has the httpd access log entry been collected?
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
{
    "host" => {
        "os" => {
            "platform" => "centos",
            "version" => "7 (Core)",
            "family" => "redhat",
            "name" => "CentOS Linux",
            "codename" => "Core"
        },
        "containerized" => false,
        "architecture" => "x86_64",
        "name" => "node03.test.org",
        "id" => "002f3e572e3e4886ac9e98db8584b467"
    },
    "prospector" => {
        "type" => "log"
    },
    "auth" => "-",
    "clientip" => "25.99.168.124",
    "agent" => "\"curl/7.29.0\"",
    "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
    "@timestamp" => 2020-10-04T06:49:34.000Z,
    "@version" => "1",
    "bytes" => "8",
    "offset" => 0,
    "verb" => "GET",
    "referrer" => "\"-\"",
    "source" => "/var/log/httpd/access_log",
    "log" => {
        "file" => {
            "path" => "/var/log/httpd/access_log"
        }
    },
    "clientipInfo" => {
        "continent_code" => "EU",
        "longitude" => -0.1224,
        "country_code2" => "GB",
        "ip" => "25.99.168.124",
        "country_name" => "United Kingdom",
        "country_code3" => "GB",
        "location" => {
            "lat" => 51.4964,
            "lon" => -0.1224
        },
        "timezone" => "Europe/London",
        "latitude" => 51.4964
    },
    "beat" => {
        "hostname" => "node03.test.org",
        "version" => "6.8.12",
        "name" => "node03.test.org"
    },
    "request" => "/test18.html",
    "input" => {
        "type" => "log"
    },
    "ident" => "-",
    "response" => "200",
    "httpversion" => "1.1"
}
Tip: on node03's standard output you can see the httpd access log entry for the request we just made.
Example: configure filebeat to output logs to elasticsearch
Restart filebeat
Verify: access httpd and check whether the httpd access log entry has been stored in elasticsearch
Check whether a new index has been created in elasticsearch
Tip: you can see that a new index has been created on es.
Look at the log content stored on es
Tip: the entries returned above show that the logs stored in es have not been split into fields: filebeat simply treats each httpd log line as the value of the message field and does not split out the IP address or any other information. So to split the log content into separate fields we can use logstash, or alternatively have httpd write its log directly in JSON format and let filebeat pass those entries to es for storage.
Example: configure filebeat to output the collected log entries to redis
Tip: the configuration above makes filebeat write the collected logs to redis. Two things to watch: this configuration file is in yml format, so the indentation must line up; and filebeat does not support multiple outputs, for example configuring output to logstash and output to redis at the same time is not supported, only a single output is.
Restart filebeat
Use another host to simulate access to httpd
Verify: on node04, check whether a key has been created in redis database 3 and whether it holds data
Tip: you can see that redis database 3 now has the specified key, and that key holds the httpd access log entries.
Configure logstash to read data from redis and remove filebeat's redundant fields
[root@node03 ~]# cat /etc/logstash/conf.d/httpd-es.conf
input {
  # pop filebeat events off the redis list that filebeat pushes to (db 3 on node04)
  redis {
    host => ["node04"]
    port => 6379
    password => "admin"
    key => "filebeat-node03-httpd-access_log"
    db => 3
    data_type => "list"
  }
}

filter {
  # split the raw access_log line held in "message" into named fields
  grok {
    match => {"message" => "%{HTTPD_COMBINEDLOG}" }
    remove_field => "message"
  }
  # use the request time from the log line as @timestamp instead of filebeat's read time
  date {
    match => ["timestamp","dd/MMM/YYYY:H:m:s Z"]
    remove_field => "timestamp"
  }
  geoip {
    source => "clientip"
    target => "geoip"
    database => "/etc/logstash/geoip/GeoLite2-City.mmdb"
  }
  # drop the metadata filebeat wraps around every event
  mutate {
    rename => ["geoip", "clientipInfo" ]
    remove_field => ["@metadata","prospector","input","beat","host","id","containerized"]
  }
}

output {
  # elasticsearch {
  #   hosts => ["http://node01:9200","http://node02:9200"]
  #   index => "httpd.log"
  #   codec => "rubydebug"
  # }
  stdout {
    codec => "rubydebug"
  }
}
[root@node03 ~]#
Test the syntax
Start logstash
Check whether the log entries written to standard output still contain the extra fields generated by filebeat
Tip: the data read from redis and then processed by logstash no longer carries the extra fields generated by filebeat; we can now store these log entries directly in es.
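The logstash chain the page builds (grok on HTTPD_COMBINEDLOG, date, and the mutate that strips filebeat's metadata) reproduced as an added stand-alone Python example, not code from the page or from Elastic; the filebeat event is a constructed sample in the shape filebeat 6.8 pushes onto the redis list, and the geoip step is left out because it needs the GeoLite2 database file.

```python
import json
import re
from datetime import datetime, timezone

# Regex equivalent of the grok HTTPD_COMBINEDLOG pattern used on the page
# (grok's %{DATA:rawrequest} fallback for malformed request lines is omitted).
COMBINED = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) (?P<referrer>"[^"]*") (?P<agent>"[^"]*")$'
)

# Fields the page's mutate filter strips; grok and date drop "message"/"timestamp".
REDUNDANT = ["@metadata", "prospector", "input", "beat", "host", "id", "containerized"]

# Constructed event in the shape filebeat 6.8 pushes onto the redis list: the raw
# access_log line sits unsplit in "message", wrapped in filebeat metadata.
FILEBEAT_EVENT = {
    "@timestamp": "2020-10-04T06:49:40.000Z",  # filebeat's read time, not the request time
    "@metadata": {"beat": "filebeat", "type": "doc", "version": "6.8.12"},
    "message": '25.99.168.124 - - [04/Oct/2020:14:49:34 +0800] '
               '"GET /test18.html HTTP/1.1" 200 8 "-" "curl/7.29.0"',
    "source": "/var/log/httpd/access_log",
    "offset": 0,
    "prospector": {"type": "log"},
    "input": {"type": "log"},
    "beat": {"name": "node03.test.org", "hostname": "node03.test.org", "version": "6.8.12"},
    "host": {"name": "node03.test.org", "architecture": "x86_64", "containerized": False},
}

def process_event(event):
    """Apply the page's logstash chain (grok -> date -> mutate) to one filebeat event.
    The geoip step is left out because it needs the GeoLite2 database file."""
    out = dict(event)
    m = COMBINED.match(out.get("message", ""))
    if m is None:
        # logstash tags unparsable lines and keeps "message" intact
        out["tags"] = list(out.get("tags", [])) + ["_grokparsefailure"]
    else:
        out.update({k: v for k, v in m.groupdict().items() if v is not None})
        del out["message"]
        # date filter: "dd/MMM/yyyy:HH:mm:ss Z" -> @timestamp, normalised to UTC
        ts = datetime.strptime(out.pop("timestamp"), "%d/%b/%Y:%H:%M:%S %z")
        out["@timestamp"] = ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    for field in REDUNDANT:
        out.pop(field, None)
    return out

if __name__ == "__main__":
    print(json.dumps(process_event(FILEBEAT_EVENT), indent=2, sort_keys=True))
```

clientip is whatever httpd wrote in the first column; in the page's test that is the client-supplied X-Forwarded-For value, so the geoip lookup and anything alerting on it downstream must treat it as unauthenticated input.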