ELK usage notes

filebeat

Output
filebeat.inputs:
- type: log
  tail_files: true
  backoff: "1s"
  paths:
    - /var/log/nginx/*.log

# Output to a file; usually used to debug the output format
output.file:
  path: "/tmp/filebeat"
  filename: filebeat

# Output to Logstash
output:
  logstash:
    hosts: ["192.168.238.90:5044"]

# Output to Elasticsearch
output:
  elasticsearch:
    hosts: ["192.168.238.90:9200", "192.168.238.92:9200"]
    username: elastic
    password: sjgpwd
    index: "sjgfb-secure-%{+YYYY.MM.dd}"

Filebeat allows only one output to be enabled at a time, so the three output blocks above are alternatives to choose from, not one combined configuration. Rather than writing the Elasticsearch password into the file, store it with "filebeat keystore add ES_PWD" and reference it as password: "${ES_PWD}".

Merging multi-line logs

Log template
cat <<EOF >>/var/log/tomcat
07-Aug-2020 20:15:41.950 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log SessionListener: contextInitialized()
07-Aug-2020 20:15:45.954 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log ContextListener: attributeAdded('StockTicker', 'async.Stockticker@5b24dcf6')
07-Aug-2020 20:15:47.959 SEVERE [http-nio-8080-exec-1] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [jsp] in context with path [/sjg] threw exception [java.lang.ArithmeticException: / by zero] with root cause
	at org.apache.jsp.sjg_jsp._jspService(sjg_jsp.java:110)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:71)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
EOF

Collect the multi-line log with Filebeat and check that the events come out correctly

filebeat.inputs:
- type: log
  tail_files: true
  backoff: "1s"
  paths:
    - /var/log/tomcat
  multiline:
    pattern: '^\d+-[a-zA-Z]+-\d+ \d+:\d+:\d+\.\d+'
    negate: true
    match: after

processors:
  # drop fields that only add noise
  - drop_fields:
      fields: ["agent","ecs","log","input"]

output.file:
  path: "/tmp/filebeat"
  filename: filebeat

| pattern | example line start it matches |
| --- | --- |
| ^\d+-[a-zA-Z]+-\d+ \d+:\d+:\d+\.\d+ | 07-Aug-2020 20:15:41.950 |

The pattern matches lines that begin with a timestamp such as 07-Aug-2020 20:15:41.950; with negate: true and match: after, every line that does not match (the stack trace lines) is appended to the preceding matching line, so the exception and its trace become one event. The dot before the milliseconds is escaped so that it matches only a literal dot.
  • Example 2: ZooKeeper log

    2021-01-08 15:48:50,834 [myid:0] - INFO  [NIOWorkerThread-5:NIOServerCnxn@507] - Processing srvr command from /127.0.0.1:37336
    2021-01-08 15:52:10,926 [myid:0] - WARN [NIOWorkerThread-7:NIOServerCnxn@364] - Unexpected exception
    EndOfStreamException: Unable to read additional data from client, it probably closed the socket: address = /127.0.0.1:37344, session = 0x0
    at org.apache.zookeeper.server.NIOServerCnxn.handleFailedRead(NIOServerCnxn.java:163)
    at org.apache.zookeeper.server.NIOServerCnxn.doIO(NIOServerCnxn.java:326)
    at org.apache.zookeeper.server.NIOServerCnxnFactory$IOWorkRequest.doWork(NIOServerCnxnFactory.java:522)
    at org.apache.zookeeper.server.WorkerService$ScheduledWorkRequest.run(WorkerService.java:154)

    | grok pattern | note |
    | --- | --- |
    | %{TIMESTAMP_ISO8601:timestamp} \[myid:\d\] - %{LOGLEVEL:loglevel} (?(\s+.)+) | (\s+.)+ matches everything after WARN |

    The square brackets around myid must be escaped, otherwise [myid:\d] is read as a character class instead of the literal text.

  • Regex basics

    | token | meaning |
    | --- | --- |
    | \S | matches one non-whitespace character |
    | \d | matches one digit |
    | + | the preceding item appears at least once |
    | ? | the preceding item appears at most once |
    | * | the preceding item appears any number of times (including zero) |
    | {n} | the preceding item appears exactly n times |

Grok, the extraction tool

  • If a log cannot be emitted as JSON, you need regex matching to extract the fields you want.

Kibana ships with a grok debugger and a set of built-in patterns.

(?<timestamp>\d+-\d+-\d+ \d+:\d+:\d+)   custom regex with a named capture group
%{WORD:host}                             Grok built-in pattern

| target | grok | regex |
| --- | --- | --- |
| 2021-01-08 07:16:24,407 | %{TIMESTAMP_ISO8601:time} | |

The built-in patterns are defined in /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-patterns-core-4.1.2/patterns/grok-patterns

The two kinds of pattern can be mixed in one expression as needed.

logstash

Filter: grok
filter {
  # extract fields from the log line with grok
  grok {
    # the field the pattern is applied to
    match => {
      "message" => '(?<timestamp>\d+-\d+-\d+ \d+:\d+:\d+) %{WORD:host} sshd\[%{NUMBER}\]: %{WORD:loginstatus} password for %{USER:user} from %{IP:remote_ip}'
    }
    # drop the raw field once the structured fields exist
    remove_field => ["message"]
  }
}
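Both the multiline merge from the Filebeat section and the sshd grok extraction above, as an added Python example that is not code from the original notes: it reproduces Filebeat's negate/after merge over a constructed Tomcat snippet, then applies a Python equivalent of the sshd grok pattern to constructed auth log lines and counts failed logins per source IP. The sample lines, the IPv4-only narrowing of %{IP}, and the helper names are assumptions of this example.

```python
import re
from collections import Counter
# Constructed sample in the shape of the page's Tomcat log template (not real data).
TOMCAT_LINES = [
    "07-Aug-2020 20:15:41.950 INFO [localhost-startStop-1] SessionListener: contextInitialized()",
    "07-Aug-2020 20:15:47.959 SEVERE [http-nio-8080-exec-1] Servlet.service() threw exception",
    "\tat org.apache.jsp.sjg_jsp._jspService(sjg_jsp.java:110)",
    "\tat org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:71)",
]
# Same start-of-event pattern as the Filebeat multiline config (dot escaped).
TOMCAT_START = re.compile(r'^\d+-[a-zA-Z]+-\d+ \d+:\d+:\d+\.\d+')

def merge_multiline(lines, pattern=TOMCAT_START):
    """Filebeat 'negate: true, match: after' semantics: a line that does NOT
    match the start pattern is appended to the previous event."""
    events = []
    for line in lines:
        if pattern.search(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events

# Python form of the sshd grok pattern from the Logstash filter above
# (%{WORD} -> \w+, %{USER} -> [a-zA-Z0-9._-]+, %{IP} narrowed to IPv4 here).
SSHD = re.compile(
    r'(?P<timestamp>\d+-\d+-\d+ \d+:\d+:\d+) (?P<host>\w+) sshd\[\d+\]: '
    r'(?P<loginstatus>\w+) password for (?P<user>[a-zA-Z0-9._-]+) '
    r'from (?P<remote_ip>\d+\.\d+\.\d+\.\d+)')
SECURE_LINES = [  # constructed auth log lines, not real data
    "2021-01-08 07:16:24 web1 sshd[2345]: Failed password for root from 10.0.0.5 port 51234 ssh2",
    "2021-01-08 07:16:30 web1 sshd[2345]: Failed password for root from 10.0.0.5 port 51236 ssh2",
    "2021-01-08 07:16:41 web1 sshd[2350]: Failed password for invalid user bob from 10.0.0.7 port 51240 ssh2",
    "2021-01-08 07:17:02 web1 sshd[2401]: Accepted password for alice from 10.0.0.9 port 51300 ssh2",
]

def parse_sshd(line):
    """Return the grok fields, or None when the pattern does not apply; the
    'invalid user' line fails because 'for %{USER} from' allows one word only."""
    m = SSHD.search(line)
    return m.groupdict() if m else None

def failed_by_ip(lines):
    """Count 'Failed' logins per source IP, the view an analyst wants in Kibana."""
    counts = Counter()
    for fields in map(parse_sshd, lines):
        if fields and fields["loginstatus"] == "Failed":
            counts[fields["remote_ip"]] += 1
    return dict(counts)
```

Note that the "invalid user" line is silently dropped by this pattern; in production a second grok pattern (or a tag on _grokparsefailure) is needed so those attempts are not lost.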

Filter: mutate
filter {
  mutate {
    # field cleanup: strip double quotes
    gsub => [ "http_user_agent",'"',"" ]
    gsub => [ "url",'"',"" ]
    # convert strings to integers
    convert => { "status" => "integer" }
    convert => { "body_bytes_sent" => "integer" }
    # drop a field
    remove_field => ["time_local"]
  }
}
