ElK分析tomcat的Catalina.out日志

34212131

场景：生产环境可集中式分析特定日志，便于管理，以及快速解决程序问题等。
常见：nginx、apache的访问日志，错误日志 catalina.out日志等。可以把错误日志提取出并解决。
安装方式：
1）编译安装 常用组合 ELK+Reids+插件
1.1）优点：方便管理
1.2）缺点：需要手动安装配置，相对yum繁琐
2）yum安装  
2.1）优点：安装配置方便
2.2）缺点：相对编译不太好管理（依赖关系等因素）

---

My eg：

注意事项：elk安装比较简单，但是要注意最低配置。这里我个人用的是编译安装，并且自己写的脚本。yum安装脚本可直接用。

1 2 3 4 5 6 7 8 9 10 11

[iyunv@elk config]# /etc/init.d/node-elasticsearch status node(elasticsearch) is running... [iyunv@elk config]# /etc/init.d/elasticsearch status elasticsearch  is already running... [iyunv@elk config]# java -version java version "1.8.0_112" Java(TM) SE Runtime Environment (build 1.8.0_112-b15) Java HotSpot(TM) 64-Bit Server VM (build 25.112-b15, mixed mode) [iyunv@elk config]# /etc/init.d/kibana status kibana is running... [iyunv@elk config]#

注意地方：

elasticsearch.yml：

1 2 3 4 5 6 7 8 9 10 11

[iyunv@elk config]# cat elasticsearch.yml|grep -v"$^"|grep -v "#" cluster.name: elk node.name: node1 network.host: 0.0.0.0 http.port: 9200 http.cors.enabled: true http.cors.allow-origin: "*" [iyunv@elk config]# #elasticsearch配置允许跨域访问，这样head插件可以访问es。 #http.cors.enabled: true #http.cors.allow-origin: "*"

kibana.yml ：

1 2 3 4

[iyunv@elk config]# cat kibana.yml |grep elasticsearch.url #elasticsearch.url: “http://localhost:9200” elasticsearch.url: “http://192.168.1.225:9200” #url访问

logstash获取日志样板：（重点）

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

[iyunv@elk config]# [iyunv@elk config]# cat catalinalog.conf input {   file {     path => "/usr/local/tomcat-7.x/logs/catalina.out"  #tomcat的Catalina.out日志路径     start_position => "beginning"   } } filter {   if [path] =~ "access" {     mutate { replace => { "type" => "tomcat catalina.out" } }     grok {       match => { "message" => "%{COMBINEDAPACHELOG}" }     }   }   date {     match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]   } } output {   elasticsearch {     hosts => ["192.168.1.225:9200"]   #elasticsearch地址   }   stdout { codec => rubydebug } } [iyunv@elk config]#

启动：logstash -f catalinalog.conf （测试）

kibana访问：

摘取tomcat最后启动成功状态日志：

1 2 3

January 11th 2017, 15:39:52.990path:/usr/local/tomcat-7.x/logs/catalina.out @timestamp:January 11th 2017, 15:39:52.990 @version:1 host:0.0.0.0 message:信息: Destroying ProtocolHandler ["ajp-bio-8009"] tags: _id:AVmMeAegJ7ojQvedm4_L _type:logs _index:logstash-2017.01.11 _score: - January 11th 2017, 15:39:52.989path:/usr/local/tomcat-7.x/logs/catalina.out @timestamp:January 11th 2017, 15:39:52.989 @version:1 host:0.0.0.0 message:信息: Stopping ProtocolHandler ["ajp-bio-8009"] tags: _id:AVmMeAegJ7ojQvedm4_H _type:logs _index:logstash-2017.01.11 _score: - January 11th 2017, 15:39:52.989path:/usr/local/tomcat-7.x/logs/catalina.out @timestamp:January 11th 2017, 15:39:52.989 @version:1 host:0.0.0.0 message:信息: Stopping ProtocolHandler ["http-bio-80"] tags: _id:AVmMeAegJ7ojQvedm4_F _type:logs _index:logstash-2017.01.11 _score: -