Analyzing nginx and tomcat logs with ELK
I. Introduction
Elasticsearch + Logstash + Kibana (ELK) is an open-source log management stack.
Elasticsearch is an open-source distributed search engine. Its features include: distributed operation, zero configuration, automatic node discovery, automatic index sharding, index replicas, a RESTful interface, multiple data sources, and automatic search load balancing.
Logstash is a fully open-source tool that collects and parses your logs and stores them for later use.
Kibana is an open-source, free tool that provides a friendly web interface for the log data that Logstash and Elasticsearch hold; it helps you aggregate, analyze and search important log data.
ELK website: https://www.elastic.co/
ELK documentation: https://www.elastic.co/guide/index.html
ELK Chinese manual: http://kibana.logstash.es/content/elasticsearch/monitor/logging.html
II. Test environment for this exercise
OS: centos6.5_x86_64
Software: elasticsearch-6.1.2, kibana-6.1.2-linux-x86_64, logstash-6.1.2, redis-3.2.6, jdk1.8
1. Server (all of the software is installed here)
IP: 10.10.123.201
Public IP: 123.206.57.23
hostname: VM_123_201_centos
2. Client (only jdk and logstash are installed)
IP: 10.10.30.86
hostname: VM_30_86_centos
III. Server installation and configuration
1. Install redis
#!/bin/bash
yum -y install make gcc gcc-c++ zlib-devel openssl openssl-devel pcre-devel patch perl tcl
cd /var/ftp/
tar xf redis-3.2.6.tar.gz
mv redis-3.2.6 /usr/local/redis
cd /usr/local/redis
make && make test && make install
if [ ! -d "/usr/local/bin" ]; then
  mkdir -p /usr/local/bin
fi
ln -s /usr/local/redis/redis.conf /etc/redis.conf
sed -i '/^daemonize no/cdaemonize yes' /etc/redis.conf   # run redis as a daemon
redis-server /etc/redis.conf   # start the redis service
echo "vm.overcommit_memory = 1" >> /etc/sysctl.conf
sysctl -p
cat > /etc/init.d/redis
Because the client pushes log events to this redis over the public IP 123.206.57.23 on port 6379, set requirepass in /etc/redis.conf and restrict port 6379 to the client's address in the firewall; the logstash redis input and output plugins both accept a matching password option.

input {
  redis {
    type => "tomcat-10.10.30.86"
    host => "123.206.57.23"
    key => "tomcat"
    data_type => 'list'
    port => "6379"
    db => "6"
  }
  redis {
    type => "nginx-10.10.30.86"
    host => "123.206.57.23"
    key => "nginx"
    data_type => 'list'
    port => "6379"
    db => "6"
  }
}
filter {
  if [type] == "nginx-10.10.30.86" {
    geoip {
      source => "clientip"
      target => "geoip"
      database => "/usr/deploy/elk/GeoLite2-City.mmdb"
      # build a [longitude, latitude] array that the Kibana map can plot
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
  }
}
output {
  if [type] == "tomcat-10.10.30.86" {
    elasticsearch {
      hosts => ["123.206.57.23:9200"]
      index => "logstash-tomcat-10.10.30.86-%{+YYYY.MM.dd}"
    }
  }
  if [type] == "nginx-10.10.30.86" {
    elasticsearch {
      hosts => ["123.206.57.23:9200"]
      index => "logstash-nginx-10.10.30.86-%{+YYYY.MM.dd}"
    }
  }
}
# cd /usr/deploy/elk/
# wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz   # GeoIP database for the map
# gzip -d GeoLite2-City.mmdb.gz
# logstash-plugin install logstash-filter-geoip
# /data/elk/logstash-6.1.2/bin/logstash -f /data/elk/logstash-6.1.2/config/input.conf   # start the logstash service
4. Install kibana
# cd /data/elk/
# tar zxvf kibana-6.1.2-linux-x86_64.tar.gz
# vim /usr/deploy/elk/kibana-6.1.2-linux-x86_64/config/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: http://10.10.123.201:9200
kibana.index: ".kibana"
tilemap.url: http://webrd02.is.autonavi.com/appmaptile?lang=zh_cn&size=1&scale=1&style=7&x={x}&y={y}&z={z}   # map tile URL
# /data/elk/kibana-6.1.2-linux-x86_64/bin/kibana &   # run the kibana service in the background
IV. Client installation and configuration
# cd /data/elk/
# tar zxf jdk-8u162-linux-x64.tar.gz
# mv jdk-8u162-linux-x64 /opt/jdk1.8
# vim /etc/profile
export JAVA_HOME=/opt/jdk1.8
export PATH=$JAVA_HOME/bin:$PATH
# source /etc/profile
# tar zxvf logstash-6.1.2.tar.gz
# vim /data/elk/logstash-6.1.2/config/output.conf
input {
  file {
    path => "/usr/deploy/server/tomcat/tomcat1/logs/catalina*"
    type => "tomcat-10.10.30.86"
    start_position => "beginning"
    # a line that does not start with "[" is a continuation (e.g. a stack trace) of the previous event
    codec => multiline {
      pattern => "^\["
      negate => true
      what => "previous"
    }
  }
  file {
    path => "/usr/deploy/server/openresty/nginx/logs/access_json.log"
    codec => json
    type => "nginx-10.10.30.86"
    start_position => "beginning"
  }
}
output {
  if [type] == "tomcat-10.10.30.86" {
    redis {
      host => "123.206.57.23"
      key => "tomcat"
      data_type => 'list'
      port => "6379"
      db => "6"
    }
  }
  if [type] == "nginx-10.10.30.86" {
    redis {
      host => "123.206.57.23"
      key => "nginx"
      data_type => 'list'
      port => "6379"
      db => "6"
    }
  }
}
The client's nginx access log is written in JSON format, which makes the map distribution visualization easy. Note that nginx 1.11.8 and later accept log_format json escape=json '...', which escapes a double quote or control character in a request header (user agent, referer, X-Forwarded-For) so the line stays valid JSON; without it a request carrying such a header produces a line that the json codec rejects.
log_format json '{"@timestamp":"$time_iso8601",'
                '"host":"$server_addr",'
                '"clientip":"$remote_addr",'
                '"size":$body_bytes_sent,'
                '"responsetime":$request_time,'
                '"upstreamtime":"$upstream_response_time",'
                '"upstreamhost":"$upstream_addr",'
                '"http_host":"$host",'
                '"url":"$uri",'
                '"domain":"$host",'
                '"xff":"$http_x_forwarded_for",'
                '"referer":"$http_referer",'
                '"agent":"$http_user_agent",'
                '"status":"$status"}';
access_log /usr/deploy/server/openresty/nginx/logs/access_json.log json;
# /data/elk/logstash-6.1.2/bin/logstash -f /data/elk/logstash-6.1.2/config/input.conf   # start the logstash service
Open in the browser:
http://123.206.57.23:5601
Kibana is bound to 0.0.0.0 and, like Elasticsearch on port 9200, carries no authentication in this setup, so restrict both ports to trusted addresses in the firewall.
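As an added example (not code from the original post), a small Python 3.7+ script that reads lines in the log_format json layout above, separates the malformed lines that an unescaped quote produces (the Logstash json codec would keep those raw and tag them _jsonparsefailure), and computes the top-client-IP and per-hour counts that the Kibana charts in section V display. The sample log lines are constructed for this example.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample lines in the log_format json layout above (not real
# traffic). The third line has an unescaped double quote in the user agent,
# which is what nginx emits for such a header without escape=json.
SAMPLE_LOG = """\
{"@timestamp":"2018-02-01T10:15:01+08:00","host":"10.10.30.86","clientip":"203.0.113.5","size":512,"responsetime":0.012,"upstreamtime":"0.010","upstreamhost":"127.0.0.1:8080","http_host":"www.example.com","url":"/index.html","domain":"www.example.com","xff":"-","referer":"-","agent":"Mozilla/5.0","status":"200"}
{"@timestamp":"2018-02-01T10:15:02+08:00","host":"10.10.30.86","clientip":"198.51.100.7","size":0,"responsetime":0.001,"upstreamtime":"-","upstreamhost":"-","http_host":"www.example.com","url":"/login","domain":"www.example.com","xff":"-","referer":"-","agent":"curl/7.29.0","status":"404"}
{"@timestamp":"2018-02-01T11:05:03+08:00","host":"10.10.30.86","clientip":"203.0.113.5","size":128,"responsetime":0.003,"upstreamtime":"-","upstreamhost":"-","http_host":"www.example.com","url":"/","domain":"www.example.com","xff":"-","referer":"-","agent":"Mozilla/5.0 (X11) "scan"","status":"200"}
{"@timestamp":"2018-02-01T11:30:04+08:00","host":"10.10.30.86","clientip":"203.0.113.5","size":64,"responsetime":0.002,"upstreamtime":"-","upstreamhost":"-","http_host":"www.example.com","url":"/","domain":"www.example.com","xff":"-","referer":"-","agent":"Mozilla/5.0","status":"200"}
"""

def parse_access_log(text):
    """Return (records, rejected). Invalid-JSON lines go to rejected; the
    Logstash json codec would keep them raw and tag them _jsonparsefailure."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            rejected.append(line)
    return records, rejected

def top_client_ips(records, n=10):
    """Section V item 1: top-N client IPs. Counts clientip ($remote_addr, the
    TCP peer), not xff, which any client can set to an arbitrary value."""
    return Counter(r["clientip"] for r in records).most_common(n)

def requests_per_hour(records):
    """Section V item 3: request count per hour, bucketed from @timestamp."""
    hours = Counter()
    for r in records:
        ts = datetime.fromisoformat(r["@timestamp"])  # $time_iso8601 with offset
        hours[ts.strftime("%Y-%m-%d %H:00")] += 1
    return dict(hours)

if __name__ == "__main__":
    recs, bad = parse_access_log(SAMPLE_LOG)
    print("rejected:", len(bad), "top IPs:", top_client_ips(recs))
    print("per hour:", requests_per_hour(recs))
```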
V. Common analysis settings in the browser
1. Bar chart of the top 10 client IP addresses
2. Distribution of the client IPs on the map
3. Pie chart of the number of requests in each time period
4. IP statistics that can be downloaded to the local machine
After defining each visualization, save it; then add the saved visualizations to a Dashboard panel, and the set of charts we need is displayed.
The Dashboard looks like the following figure: