1) Install Elasticsearch
See the previous blog posts: Elasticsearch installation and elasticsearch-head installation.
2) Install and configure Logstash
1. Install Logstash
Download page: https://www.elastic.co/downloads/logstash
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.5.4.tar.gz
tar -zxvf logstash-6.5.4.tar.gz
2. To make statistics easier, a custom template, springlog.json, is used here
{
  "order": 1,
  "index_patterns": ["springboot-logback-*"],
  "settings": {
    "number_of_shards": 5,
    "number_of_replicas": 1
  },
  "mappings": {
    "properties": {
      "@timestamp": {
        "type": "date",
        "format": "yyyy-MM-dd HH:mm:ss||yyyy-MM-dd||epoch_millis"
      },
      "thread": { "type": "text" },
      "level": { "type": "text" },
      "class": { "type": "text" },
      "message": { "type": "text" }
    }
  }
}
3. Configure logstash.conf; you can create this file in the config directory
input {
  beats {
    port => 10515
    ssl => false
  }
}
filter {
  if [fields][logtype] == "springboot-logback" {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:time} %{GREEDYDATA:thread} %{LOGLEVEL:level} (?<class>\bcom.idelan\S*) - %{GREEDYDATA:message}" }
    }
    mutate {
      remove_field => ["host","tags","beat","@version","prospector","input"]
    }
  }
}
output {
  if [fields][logtype] == "springboot-logback" {
    elasticsearch {
      hosts => ["192.168.30.242:9200"]
      index => "logstash-%{+YYYY.MM.dd}"
      template => "/home/tools/logstash-6.5.4/template/springlog.json" # this file contains the custom template JSON shown above
      template_name => "springboot-logback"
      template_overwrite => true
    }
    # Print events to the console for debugging. It sits inside the if so that it also
    # checks whether [fields][logtype] was received. Remove this line in production.
    stdout { codec => rubydebug }
  }
}
4. Start Logstash: change into the Logstash bin directory
./logstash -f ../config/logstash.conf
Start in the background
./logstash -f ../config/logstash.conf &
5. Configure the grok filter rules
Debugging tool: http://grokdebug.herokuapp.com/
Grok patterns: https://github.com/logstash-plugins/logstash-patterns-core/tree/master/patterns
6. Log format notes: Spring Boot logging configuration
Log format
2019-01-04 16:08:36.487 [http-nio-8200-exec-10] INFO com.idelan.test.controller.TestController - hello info
Grok configuration
%{TIMESTAMP_ISO8601:time} %{GREEDYDATA:thread} %{LOGLEVEL:level} %{JAVACLASS:class} - %{GREEDYDATA:message}
Because I only want to see the logs that belong to my own packages, here I filter for logs under the com.idelan package
%{TIMESTAMP_ISO8601:time} %{GREEDYDATA:thread} %{LOGLEVEL:level} (?<class>\bcom.idelan\S*) - %{GREEDYDATA:message}
Custom grok expression
Syntax: (?<field_name>the pattern here)
3) Install and configure Filebeat
1. Download Filebeat
Download page: https://www.elastic.co/downloads/beats/filebeat
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.5.4-linux-x86_64.tar.gz
tar -zxvf filebeat-6.5.4-linux-x86_64.tar.gz
2. Configure filebeat.yml; if it does not exist, you can create it manually
filebeat.prospectors:
- input_type: log
  paths:
    - /usr/local/logs/springboot-demo/*.log
  include_lines: [".*INFO.*",".*ERROR.*"]
  exclude_lines: [".*DEBUG.*",".*WARN.*"]
  exclude_files: [".*debug.*",".*warn.*"]
  multiline:
    pattern: '^\s*(\d{4}|\d{2})\-(\d{2}|[a-zA-Z]{3})\-(\d{2}|\d{4})' # pattern to match (strings beginning with a timestamp such as 2017-11-15 08:04:23:889)
    #pattern: '^\s*("{)' # pattern to match (strings beginning with "{)
    negate: true # whether to negate the pattern match
    match: after # append to the end of the previous line
    max_lines: 1000 # maximum number of lines
    timeout: 30s # if no new log event arrives within this time, stop waiting for further lines
  fields:
    logtype: springboot-logback
output.logstash:
  hosts: ["192.168.30.242:10515"]
3. Start Filebeat
Debug command: ./filebeat -e -c filebeat.yml -d "publish"
Start in the background: ./filebeat -e -c filebeat.yml &
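The following added example (not from the original post) replays the filebeat.yml multiline and include/exclude settings and the com.idelan grok expression over constructed log lines, using Ruby because its regex engine shares grok's (?<name>...) syntax. The sample lines, the function names and the simplified stand-ins for TIMESTAMP_ISO8601 and LOGLEVEL are assumptions.

```ruby
# Constructed sample lines in the page's logback format (not real output).
SAMPLE = <<~LOG
  2019-01-04 16:08:36.487 [http-nio-8200-exec-10] INFO com.idelan.test.controller.TestController - hello info
  2019-01-04 16:08:36.490 [http-nio-8200-exec-10] DEBUG com.idelan.test.controller.TestController - hello debug
  2019-01-04 16:08:37.001 [http-nio-8200-exec-11] ERROR com.idelan.test.controller.TestController - request failed
  java.lang.IllegalStateException: boom
      at com.idelan.test.controller.TestController.hello(TestController.java:21)
  2019-01-04 16:08:38.120 [main] INFO org.springframework.boot.StartupInfoLogger - Started app
  2019-01-04 16:08:39.300 [http-nio-8200-exec-12] INFO com.idelan.test.controller.TestController - WARN threshold changed
LOG

# Values copied from the page's filebeat.yml.
MULTILINE_START = /^\s*(\d{4}|\d{2})\-(\d{2}|[a-zA-Z]{3})\-(\d{2}|\d{4})/
INCLUDE_LINES = [/.*INFO.*/, /.*ERROR.*/]
EXCLUDE_LINES = [/.*DEBUG.*/, /.*WARN.*/]

# The page's grok expression with simplified stand-ins (assumptions) for
# TIMESTAMP_ISO8601 and LOGLEVEL; GREEDYDATA is ".*", which stops at a newline.
GROK = /(?<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?<thread>.*) (?<level>TRACE|DEBUG|INFO|WARN|ERROR|FATAL) (?<class>\bcom.idelan\S*) - (?<message>.*)/

# Filebeat stage: join lines that do not start with a date onto the previous
# event (negate: true, match: after), then apply include_lines, then exclude_lines.
def filebeat_events(text)
  events = []
  text.each_line(chomp: true) do |line|
    if events.empty? || line =~ MULTILINE_START
      events << line
    else
      events[-1] = "#{events[-1]}\n#{line}"
    end
  end
  events.select { |e| INCLUDE_LINES.any? { |re| e =~ re } }
        .reject { |e| EXCLUDE_LINES.any? { |re| e =~ re } }
end

# Logstash stage: captured fields, or nil where grok would tag the event
# _grokparsefailure (the event itself is still passed on, not dropped).
def grok_fields(event)
  match = GROK.match(event)
  match && match.named_captures
end

filebeat_events(SAMPLE).each do |event|
  fields = grok_fields(event)
  puts fields ? "parsed   #{fields['level']} #{fields['class']}: #{fields['message']}" : "no match #{event.lines.first.chomp}"
end
```

The INFO line whose text mentions WARN never leaves Filebeat, because exclude_lines is tested against the whole event rather than only the level field. The org.springframework event fails the grok match but is still forwarded to the output, and the page's mutate removes the tags field that would carry _grokparsefailure.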
4) Results