当前位置 博文首页 > 江晓龙的博客:配置logstash从redis读取filebeat收集的日志(上
常规的日志收集方式都是由filebeat收集完直接输出给es集群,如果当后端应用访问量大,产生的日志也特别巨大,这时再由filebeat收集日志直接传输给es,会给es带来特别大的压力,如果es这时挂掉,filebeat依然在收集日志,这时filebeat找不到es集群,则会把收集来的日志丢弃
针对日志量大的问题可以在es集群前面增加redis和logstash,filebeat收集完日志交给redis,由logstash从redis中读取收集来的日志数据传输给es集群,最终在kibana上进行展示
logstash只需要部署一台即可,只是用于将redis收集来的日志传输给es集群
由于redis属于缓存数据库,当logstash把数据从redis上取完后,会自动把key删掉
logstash并不是读完redis中所有的数据后直接传输给es,而是读完一条redis的数据后,就往es上存储一条,这样就不会减轻es集群的压力
环境准备
| IP地址 | 服务 |
|---|---|
| 192.168.81.210 | es+kibana+logstash |
| 192.168.81.220 | es+redis |
| 192.168.81.230 | filebeat+nginx |
1.安装redis(epel源中有redis的rpm包)
[root@node-2 ~]# yum -y install redis
2.启动redis
[root@node-2 ~]# systemctl start redis
[root@node-2 ~]# systemctl enable redis
3.查看端口号
[root@node-2 ~]# netstat -lnpt | grep redis
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 94345/redis-server
4.登陆redis
[root@node-2 ~]# redis-cli
127.0.0.1:6379>
5.配置redis允许任何主机访问
[root@node-2 /etc/filebeat]# vim /etc/redis.conf
bind 0.0.0.0
[root@node-2 /etc/filebeat]# systemctl restart redis
1.设置一个key
127.0.0.1:6379>set key
OK
2.查看一个key
127.0.0.1:6379> keys *
1) "key"
3.查看key类型
127.0.0.1:6379> type test
none
4.查看数据
127.0.0.1:6379> LRANGE test 0 -1
(empty list or set)
inputs还是一致的,只是outpot换成了redis
配置语法:
output.redis:
hosts: [“192.168.81.220:6379”] #redis地址
key: “nginx-www” #存储的库名
db: 0
timeout: 5
收集前要确保nginx应用的日志输出为json格式,在使用ab命令生成日志
1.配置filebeat
[root@nginx ~]# !vim /etc/filebeat/filebeat.yml
#定义收集什么日志
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/nginx/www_access.log
json.keys_under_root: true
json.overwrite_keys: true
#定义modules模块路径
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
#指定kibana地址
setup.kibana:
host: "192.168.81.210:5601"
#定义redis集群地址以及定义索引名
output.redis:
hosts: ["192.168.81.220:6379"] #redis地址
key: "nginx-www" #存储的库名
db: 0
timeout: 5
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true
2.重启filebeat
[root@nginx ~]# systemctl restart filebeat
由于我们nginx的日志是中文的,因此在使用redis-cli时要增加raw参数,否则看到的都是乱码
[root@node-2 ~]# redis-cli --raw
127.0.0.1:6379> KEYS *
1) "key"
2) "nginx-www"
127.0.0.1:6379> TYPE nginx-www
list
127.0.0.1:6379> LRANGE nginx-www 0 -1
已经有nginx-www key了,并且数据也都是刚刚filebeat传输过来的nginx 日志
解析正常
1.下载logstash
https://repo.huaweicloud.com/logstash/6.6.0/logstash-6.6.0.rpm
2.安装logstash
[root@elasticsearch ~/soft]# rpm -ivh logstash-6.6.0.rpm
警告:logstash-6.6.0.rpm: 头V4 RSA/SHA512 Signature, 密钥 ID d88e42b4: NOKEY
准备中... ################################# [100%]
正在升级/安装...
1:logstash-1:6.6.0-1 ################################# [100%]
Using provided startup.options file: /etc/logstash/startup.options
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
Successfully created system startup script for Logstash
配置文件含义
input { //从哪里读取数据
redis { //数据源是从redis读取
host => “192.168.81.220” //redis地址
port => “6379” //redis端口
db => “0”
key => “nginx-www” //从哪个key读取数据
data_type => “list” //key的类型
}
}output { //存储到哪
stdout{}
elasticsearch { //存储到es
hosts => “http://192.168.81.210:9200” //es地址
manage_template => false
index => “nginx-www-access-%{+yyyy.MM.dd}” //索引名
}
}
1.配置logstash
[root@elasticsearch ~]# vim /etc/logstash/conf.d/redis.conf
input {
redis {
host => "192.168.81.220"
port => "6379"
db => "0"
key => "nginx-www"
data_type => "list"
}
}
output {
stdout{}
elasticsearch {
hosts => "http://192.168.81.210:9200"
manage_template => false
index => "nginx-www-access-%{+yyyy.MM.dd}"
}
}
2.启动logstash
[root@elasticsearch ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/redis.conf
启动成功会输出很多读取来的日志内容,最好用nohup来启动,启动过程特别耗时间
nohup /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/redis.conf &
每次收集过来的日志都会输出在大屏上个,用了nohup后会输出到nohup.out文件,还是比较方便的
收集过来23条
点击Discovery—选择索引
字段也都是可以过滤匹配的
4之前都是一台机器上的所有日志都存储到redis的一个key中,显然有点不合理,因此需要针对每一个收集的日志文件让其存储到不同的key中。
配置和存储到es集群差不多,不同日志存储到redis不同key,其实思路和存储到es是一样的,做一个tag标签,当tag值为xxx就创建xxx的key
keys:
- key: "www" //当tags为www就创建www的key
when.contains:
tags: "www"
- key: "bbs"
when.contains:
tags: "bbs"
[root@nginx ~]# vim /etc/filebeat/filebeat.yml
#定义收集什么日志
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/nginx/www_access.log
json.keys_under_root: true
json.overwrite_keys: true
tags: ["nginx-www"]
- type: log
enabled: true
paths:
- /var/log/nginx/bbs_access.log
json.keys_under_root: true
json.overwrite_keys: true
tags: ["nginx-bbs"]
#定义modules模块路径
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
#指定kibana地址
setup.kibana:
host: "192.168.81.210:5601"
#定义redis集群地址以及定义索引名
output.redis:
hosts: ["192.168.81.220:6379"]
#key: "nginx-www"
keys:
- key: "nginx-www"
when.contains:
tags: "nginx-www"
- key: "nginx-bbs"
when.contains:
tags: "nginx-bbs"
db: 0
timeout: 5
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true
[root@nginx ~]# systemctl restart filebeat
1.产生日志
[root@elasticsearch ~]# ab -c 100 -n 2000 http://www.jiangxl.com/
[root@elasticsearch ~]# ab -c 100 -n 2000 http://bbs.jiangxl.com/
2.查看redis上生成的key
127.0.0.1:6379> keys *
1) "nginx-bbs"
2) "filebeat"
3) "nginx-www"
127.0.0.1:6379> LLEN nginx-bbs #查key里面有多少条数据
2000
127.0.0.1:6379> LLEN nginx-www
2000
语法格式:
if “nginx-www” in [tags] { //当标签为nginx-www时,就创建nginx-www-access索引库,如果要写多组自定义索引就填写几个if即可
stdout{}
elasticsearch {
hosts => “http://192.168.81.210:9200”
manage_template => false
index => “nginx-www-access-%{+yyyy.MM.dd}”
}
}
input {
redis {
host => "192.168.81.220"
port => "6379"
db => "0"
key => "nginx-www"
data_type => "list"
}
redis {
host => "192.168.81.220"
port => "6379"
db => "0"
key => "nginx-bbs"
data_type => "list"
}
}
output {
if "nginx-www" in [tags] {
stdout{}
elasticsearch {
hosts => "http://192.168.81.210:9200"
manage_template => false
index => "nginx-www-access-%{+yyyy.MM.dd}"
}
}
if "nginx-bbs" in [tags] {
stdout{}
elasticsearch {
hosts => "http://192.168.81.210:9200"
manage_template => false
index => "nginx-bbs-access-%{+yyyy.MM.dd}"
}
}
}
[root@elasticsearch ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/redis.conf
logstash并不是全部收集完在传输给es集群,而是收集过来一条就传输给es一条,这样一样就减轻了es的压力
127.0.0.1:6379> LLEN nginx-www
0
127.0.0.1:6379> LLEN nginx-bbs
0
nginx-www-access索引
nginx-bbs-access索引
nginx-www-access索引
nginx-bbs-access索引
启动提示如下,一直不动
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
[root@elasticsearch ~]# vim /etc/logstash/jvm.options
-Xms256m
-Xmx256m
-XX:-AssumeMP
配置完重启即可
