filebeat_elk多機環境入門探測(三)

接着上一篇繼續http://www.javashuo.com/article/p-apebebsv-ey.html(filebeat_elk多機環境入門探測(二))

使用redis作爲消息中間件,在filebeat上收集到日誌後先放到redis中,logstash的input段中指定redis的位置,這樣做的目的就是爲了在filebeat收集日誌過多時使消息不丟失。

redis版本爲redis-2.8.20.tar.gz

在test2上安裝redis

自動化安裝腳本:
源碼編譯安裝,提前準備好jdk,redis
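#!/usr/bin/env bash
# auto_redis_install.sh — build redis-2.8.20 from the tarball under /usr/local/src,
# install it under /usr/local/redis and register it as a chkconfig service.
# Must run as root on a yum-based host. NOTICE: jdk need versions (the jdk rpm under
# /usr/local/src has to match what the rest of the stack expects).
set -euo pipefail

# Print a message on stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# environment prepare. NOTICE: jdk need versions
# rpm -q exits non-zero when the package is absent; only then install it.
rpm -q gcc > /dev/null || yum install -y gcc > /dev/null || die "gcc install failed"
rpm -q gcc-c++ > /dev/null || yum install -y gcc-c++ > /dev/null || die "gcc-c++ install failed"
# The original script pointed at /usr/local/sr/jdk*; the sources used everywhere
# else in this setup live under /usr/local/src (same directory as the redis tarball).
rpm -q jdk > /dev/null || yum install -y /usr/local/src/jdk* > /dev/null || die "jdk install failed"
# Quoted delimiter: the file must contain the literal ${JAVA_HOME}/${PATH}, expanded at login.
cat > /etc/profile.d/java.sh << 'EOF'
export JAVA_HOME=/usr/java/latest
export PATH=${JAVA_HOME}/bin:${PATH}
EOF
source /etc/profile.d/java.sh

# redis source build install
tar xf /usr/local/src/redis-2.8.20.tar.gz -C /usr/local/ || die "untar of redis tarball failed"
cd /usr/local/redis-2.8.20/ || die "cannot cd to /usr/local/redis-2.8.20/"
make > /dev/null || die "redis build failed"

# configuration redis
redis_home=/usr/local/redis
redis_conf=${redis_home}/etc/redis.conf
mkdir -p "${redis_home}"/{bin,etc,var}
cp -af src/{redis-benchmark,redis-check-aof,redis-check-dump,redis-cli,redis-sentinel,redis-server} "${redis_home}/bin/"
cp -a redis.conf "${redis_home}/etc/"
printf '%s\n' 'export PATH=/usr/local/redis/bin:$PATH' > /etc/profile.d/redis2.8.sh
source /etc/profile.d/redis2.8.sh
# Anchor every directive at line start so comment text that merely mentions the
# keyword is left untouched (the original `dir` rule already did this).
sed -i 's@^pidfile.*@pidfile /var/run/redis.pid@' "$redis_conf"
sed -i "s@^logfile.*@logfile ${redis_home}/var/redis.log@" "$redis_conf"
sed -i "s@^dir.*@dir ${redis_home}/var@" "$redis_conf"
sed -i 's@^daemonize no@daemonize yes@' "$redis_conf"
# Cap memory so a filebeat burst cannot exhaust the host; add the line only once
# (re-runs must not append a second maxmemory).
if ! grep -q '^maxmemory' "$redis_conf"; then
  sed -i 's@maxmemory <bytes>@maxmemory <bytes>\nmaxmemory 360000000@' "$redis_conf"
fi
# NOTE(review): nothing here sets `bind` or `requirepass`, so this instance accepts
# unauthenticated reads/writes from any host that can reach port 6379. Restrict
# `bind` to the interface filebeat/logstash use and firewall the port before
# relying on it as the log queue.

# add chkconfig and start redis
# The init script is fetched over plain HTTP from a third-party site and then runs
# as root on every boot: review it and pin it by checksum before installing.
#   sha256sum -c <<< "<EXPECTED_SHA256>  /etc/init.d/redis-server"   # fill in once reviewed
wget http://www.dwhd.org/script/Redis-server-init-CentOS -O /etc/init.d/redis-server || die "init script download failed"
# wget -O leaves an empty file behind on failure; never register an empty script.
[ -s /etc/init.d/redis-server ] || die "downloaded init script is empty"
chmod +x /etc/init.d/redis-server
chkconfig --add redis-server
chkconfig redis-server on
service redis-server start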
[root@test2 ~]# bash auto_redis_install.sh

 

修改logstash配置
[root@iptables2 ~]# cat ver6.conf
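input {
#    beats {
#        port => 5044
#        type => "syslog"
#    }
    redis {
        host => "192.168.40.103"
        data_type => "list"
        # `type` here is only applied to events that carry no type yet; the beats
        # events already arrive with their document_type (loginmsg, messages,
        # nginxacclog), as the rubydebug output confirms.
        type => "redis-input"
        key => "filebeat"
    }
}

filter {
    # No event ever has type "filebeat" (that is the redis key, not a document_type),
    # so the original condition never matched and nothing was grokked. Match the two
    # syslog-format prospectors instead; the nginx log is JSON and must not go
    # through SYSLOGLINE.
    if [type] in ["messages", "loginmsg"] {
        grok {
            match => [ "message", "%{SYSLOGLINE}" ]
            overwrite => [ "message" ]
        }
    }
    # `timestamp` only exists once grok above has run; the date filter is a no-op otherwise.
    date {
        match => [ "timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss" ]
    }
}

output {
    stdout {
        codec => rubydebug
    }
#    elasticsearch {
#        hosts => "192.168.40.105:9200"
#    }
}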

修改filebeat配置
[root@test2 ~]# cat /etc/filebeat/filebeat.yml
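##################################################### filebeat #######################################################
filebeat:
  prospectors:
    -
      paths:
        - /var/log/messages
      input_type: log
      document_type: messages

    -
      paths:
        - /var/log/secure
      # `syslog` is not a filebeat 1.x input_type (the documented values are `log` and
      # `stdin`); the logstash output shows input_type "log" for this source, i.e. the
      # value was silently replaced. Say what is actually used.
      input_type: log
      document_type: loginmsg

    -
      paths:
        - /var/log/nginx_access.log
      input_type: log
      document_type: nginxacclog

      # Only lines that start with whitespace continue the previous event. With
      # negate: true every line that does NOT start with whitespace — i.e. every JSON
      # access-log line — was treated as a continuation, which glued consecutive
      # requests into one event (visible as "}\n{" inside a single message).
      multiline:
          pattern: '^[[:space:]]'
          negate: false
          match: after

  registry_file: /var/lib/filebeat/registry

##################################################### output #######################################################
#output:
#  logstash:
#    hosts: ["192.168.40.83:5044"]
output:
  redis:
    host: "192.168.40.103"
    port: 6379
    save_topology: true
    index: "filebeat"
    db: 0
    db_topology: 1
    timeout: 5
    reconnect_interval: 1
    # NOTE(review): no credentials are configured, so the redis queue is written to
    # unauthenticated; if the redis instance gets a requirepass, the matching password
    # option has to be set here too.

##################################################### Logging #######################################################
logging:
  files:
    rotateeverybytes: 10485760 # = 10MB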
重啓filebeat

啓動logstash
[root@iptables2 ~]# ./logstash-2.3.2/bin/logstash -f ver6.conf
Settings: Default pipeline workers: 2
Pipeline main started
{
    "@timestamp" => "2017-04-18T02:11:42.285Z",
          "beat" => {
        "hostname" => "test2",
            "name" => "test2"
    },
         "count" => 1,
        "fields" => nil,
    "input_type" => "log",
       "message" => "Apr 18 10:11:34 localhost sshd[10402]: Received disconnect from 192.168.40.26: 0: ",
        "offset" => 2839,
        "source" => "/var/log/secure",
          "type" => "loginmsg",
      "@version" => "1"
}
{
    "@timestamp" => "2017-04-18T02:11:42.285Z",
          "beat" => {
        "hostname" => "test2",
            "name" => "test2"
    },
         "count" => 1,
        "fields" => nil,
    "input_type" => "log",
       "message" => "Apr 18 10:11:34 localhost sshd[10402]: pam_unix(sshd:session): session closed for user root",
        "offset" => 2922,
        "source" => "/var/log/secure",
          "type" => "loginmsg",
      "@version" => "1"
}
操作test2會話,產生日誌,標準輸出中有了


修改logstash配置,把輸出放到Elasticsearch中和標準輸出中
[root@iptables2 ~]# cat ver6.conf
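input {
#    beats {
#        port => 5044
#        type => "syslog"
#    }
    redis {
        host => "192.168.40.103"
        data_type => "list"
        # `type` here is only applied to events that carry no type yet; the beats
        # events already arrive with their document_type (loginmsg, messages,
        # nginxacclog), as the rubydebug output confirms.
        type => "redis-input"
        key => "filebeat"
    }
}

filter {
    # No event ever has type "filebeat" (that is the redis key, not a document_type),
    # so the original condition never matched and nothing was grokked. Match the two
    # syslog-format prospectors instead; the nginx log is JSON and must not go
    # through SYSLOGLINE.
    if [type] in ["messages", "loginmsg"] {
        grok {
            match => [ "message", "%{SYSLOGLINE}" ]
            overwrite => [ "message" ]
        }
    }
    # `timestamp` only exists once grok above has run; the date filter is a no-op otherwise.
    date {
        match => [ "timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss" ]
    }
}

output {
    stdout {
        codec => rubydebug
    }
    # Plain http with no credentials; acceptable only on an isolated segment,
    # otherwise put TLS and authentication in front of elasticsearch.
    elasticsearch {
        hosts => "192.168.40.105:9200"
    }
}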
啓動logstash,操作產生會話日誌
[root@iptables2 ~]# ./logstash-2.3.2/bin/logstash -f ver6.conf
Settings: Default pipeline workers: 2
Pipeline main started
{
    "@timestamp" => "2017-04-18T02:17:42.417Z",
          "beat" => {
        "hostname" => "test2",
            "name" => "test2"
    },
         "count" => 1,
        "fields" => nil,
    "input_type" => "log",
       "message" => "Apr 18 10:17:33 localhost sshd[10456]: Received disconnect from 192.168.40.26: 0: ",
        "offset" => 3218,
        "source" => "/var/log/secure",
          "type" => "loginmsg",
      "@version" => "1"
}
{
    "@timestamp" => "2017-04-18T02:17:42.417Z",
          "beat" => {
        "hostname" => "test2",
            "name" => "test2"
    },
         "count" => 1,
        "fields" => nil,
    "input_type" => "log",
       "message" => "Apr 18 10:17:33 localhost sshd[10456]: pam_unix(sshd:session): session closed for user root",
        "offset" => 3301,
        "source" => "/var/log/secure",
          "type" => "loginmsg",
      "@version" => "1"
}

訪問http://192.168.40.105:9200/_search?pretty
有數據

 

安裝kibana,在test5中安裝kibana

 

安裝kibana
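# Unpack kibana under /usr/local, point the `kibana` symlink at it and keep a
# timestamped copy of the stock config before editing it.
tar xf /usr/local/src/kibana-4.5.3-linux-x64.tar.gz -C /usr/local || exit 1
cd /usr/local/ || exit 1
# -sfn keeps this step idempotent when the script is re-run.
ln -sfn kibana-4.5.3-linux-x64 kibana
# The backup goes next to the original: the symlink is `kibana`, not `kibaba`.
cp kibana/config/kibana.yml "kibana/config/kibana.yml.bak_$(date +%F_%H:%M)"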
配置kibana.yml
server.port: 5601
# Listens on every interface; Kibana 4.x has no built-in authentication (that came
# with the separate Shield plugin), so reach it only through a firewall or an
# authenticating reverse proxy, or bind to the internal address instead.
server.host: "0.0.0.0"
# Plain http to elasticsearch; no credentials are configured here.
elasticsearch.url: "http://192.168.40.105:9200"
其它內容不動
啓動kibana
# Start kibana in the foreground from /usr/local (no init script is installed here).
./kibana/bin/kibana
訪問
http://192.168.40.105:5601/即可

訪問http://192.168.40.103/ 此時nginx產生了日誌 {     "@timestamp" => "2017-04-18T06:49:25.700Z",           "beat" => {         "hostname" => "test2",             "name" => "test2"     },          "count" => 1,         "fields" => nil,     "input_type" => "log",        "message" => "{\"@timestamp\":\"2017-04-18T14:49:24+08:00\",\"slbip\":\"192.168.40.26\",\"clientip\":\"-\",\"serverip\":\"192.168.40.103\",\"size\":\"2340\",\"responsetime\":\"0.751\",\"domain\":\"192.168.40.103\",\"method\":\"GET\",\"requesturi\":\"/\",\"url\":\"/\",\"appversion\":\"-\",\"referer\":\"-\",\"agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36\",\"status\":\"200\",\"devicecode\":\"-\"}",         "offset" => 471022,         "source" => "/var/log/nginx_access.log",           "type" => "nginxacclog",       "@version" => "1" } {     "@timestamp" => "2017-04-18T06:49:40.712Z",           "beat" => {         "hostname" => "test2",             "name" => "test2"     },          "count" => 1,         "fields" => nil,     "input_type" => "log",        "message" => "{\"@timestamp\":\"2017-04-18T14:49:40+08:00\",\"slbip\":\"192.168.40.26\",\"clientip\":\"-\",\"serverip\":\"192.168.40.103\",\"size\":\"5\",\"responsetime\":\"0.061\",\"domain\":\"192.168.40.103\",\"method\":\"GET\",\"requesturi\":\"/session\",\"url\":\"/session\",\"appversion\":\"-\",\"referer\":\"-\",\"agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36\",\"status\":\"302\",\"devicecode\":\"-\"}\n{\"@timestamp\":\"2017-04-18T14:49:43+08:00\",\"slbip\":\"192.168.40.26\",\"clientip\":\"-\",\"serverip\":\"192.168.40.103\",\"size\":\"8862\",\"responsetime\":\"2.946\",\"domain\":\"192.168.40.103\",\"method\":\"GET\",\"requesturi\":\"/session/\",\"url\":\"/session/\",\"appversion\":\"-\",\"referer\":\"-\",\"agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 
Safari/537.36\",\"status\":\"500\",\"devicecode\":\"-\"}",         "offset" => 471419,         "source" => "/var/log/nginx_access.log",           "type" => "nginxacclog",       "@version" => "1" }
