bco posted on 2018-12-1 10:32:48

Collecting Tomcat exception logs with logstash

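The result I want is one entry per date stamp, shown as a single entry in the Kibana UI as well. A multi-line exception should also be a single entry.

It is actually simple: just add a negated match.
How logstash works

One client, one server; that is the model.
There is nothing magical about it. The most troublesome part is the regex matching, which is hard to get right. I hear storm is easier to use.
1. Client configuration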
cat /etc/logstash/conf.d/shipper.conf
input {
    file {
      path => ["/opt/src/logs/*/*/*/*"]
      type => "service"
      start_position => "beginning"
    }
}
filter {
if [type] == "service" {
      multiline {
          patterns_dir => "/etc/logstash/conf.d"
          pattern => "(^%{MYTIMESTAMP})"
          negate => true
          what => "previous"
      }
      }
grok {
      patterns_dir => "/etc/logstash/conf.d"
      match => [ "message", "%{MYLOG}" ]
      # "随便写" is a placeholder meaning "any value you like"
      add_field => [ "log_ip", "随便写" ]
}
}
output {
      stdout {}
      redis {
      # "你的服务端ip" is a placeholder for your server's IP
      host => "你的服务端ip"
      port => 6379
      password => "xx"
      data_type => "list"
      key => "key_count"
    }
}
patterns_dir => "/etc/logstash/conf.d" is the directory that holds the regular expressions (grok patterns).
Create a new file: cat /etc/logstash/conf.d/j2ee
JAVACLASS (?:*\.)**
HTTPPORT(*\-)*()
JAVALOGMESSAGE (.*)
MYTIMESTAMP 20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}
MYLOG %{MYTIMESTAMP:mytimestamp}\s\[%{HTTPPORT:port}\]\s%{LOGLEVEL:level}\s%{JAVACLASS:class}\s-%{JAVALOGMESSAGE:logmessage}
My log format looks like this:
2016-10-20 15:52:01.174 INFO c.e.w.c.... -resp:
If your log format is different, the j2ee file has to be modified accordingly.
You can test patterns on this site: http://grokdebug.herokuapp.com/
For example:
http://s2.运维网.com/wyfs02/M00/89/22/wKiom1gIjtTw1-TzAABvblyuSNE276.png-wh_500x0-wm_3-wmp_4-s_2078496716.png
Startup script logstash.sh
#!/bin/bash
. /etc/init.d/functions
function start(){
    cd /home/
    # Redirect output first, then put the process in the background
    /opt/logstash/bin/logstash -f /etc/logstash/conf.d/shipper.conf >>/dev/null 2>&1 &
}
function stop(){
    # Exclude this script (logstash.sh) so it does not kill itself
    sudo kill -9 `ps -ef|grep logstash|grep -v grep|grep -v logstash.sh|awk '{print $2}'`
    #for i in `ps -ef|grep logstash|grep -v grep|awk '{print $2}'`
    #do;sudo kill -9 $i;done
}
case $1 in
start)
    start
    ;;
stop)
    stop
    ;;
*)
    printf "Usage: sh logstash.sh start|stop\n"
    ;;
esac
sh logstash.sh stop/start

2. Server configuration
cat /etc/logstash/conf.d/indexer.conf
input {
    redis {
      # "你的服务端ip" is a placeholder for your server's IP
      host => "你的服务端ip"
      port => 6379
      password => "xx"
      type => "redis-input"
      data_type => "list"
      key => "key_count"
    }
}
output {
    stdout {}
    elasticsearch {
      cluster => "elasticsearch"
      codec => "json"
      protocol => "http"
      }
}
3. Kibana result
http://s4.运维网.com/wyfs02/M00/89/46/wKioL1gOuiaRdfbuAADZlql089g587.png-wh_500x0-wm_3-wmp_4-s_604642537.png


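I will not include a screenshot of the multi-line-to-single-line result.
Note: sometimes logstash has started but no logs are being delivered. The usual causes:

- The input file match (path or type) or its regex is wrong
- The filter regex is wrong
In short, the configuration is wrong.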
demo
client
cat demo.conf
input {
    file {
      path => ["/home/python/demo/*/*/*/*"]
      type => "demo"
      start_position => "beginning"
    }
}
filter {
if [type] == "demo" {
      multiline {
          patterns_dir => "/etc/logstash/conf.d/patterns"
          pattern => "(^%{MYTIMESTAMP})"
          negate => true
          what => "previous"
      }
      }
grok {
      patterns_dir => "/etc/logstash/conf.d/patterns"
      match => [ "message", "%{MYLOG}" ]
      add_field => [ "log_ip", "172.29.xx.xx" ]
}
}
output {
      stdout {}
      redis {
      host => "172.29.xx.xx"
      port => 6379
      password => "xxxxxx"
      data_type => "list"
      key => "key_count"
    }
}

cd /etc/logstash/conf.d/patterns
cat j2ee
JAVACLASS (?:*\.)**
HTTPPORT(*\-)*()
JAVALOGMESSAGE (.*)
MYTIMESTAMP 20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}
MYLOG %{MYTIMESTAMP:mytimestamp}\s\[%{HTTPPORT:port}\]\s%{LOGLEVEL:level}\s%{JAVACLASS:class}\s-%{JAVALOGMESSAGE:logmessage}
logstash -f /etc/logstash/conf.d/logstash-indexer.conf
or
service logstash start
server
nohup /usr/share/elasticsearch/bin/elasticsearch &
nohup /usr/bin/kibana &
logstash -f /etc/logstash/conf.d/logstash-indexer.conf
or
service logstash start
There is also the es + grafana + logstash combination:
http://play.grafana.org/dashboard/db/elasticsearch-metrics doc
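
The negated multiline match used in the configs above (a line that does not start with a timestamp is appended to the previous event), as an added Python sketch that is not part of the original post. The timestamp regex is an assumed equivalent of the demo MYTIMESTAMP pattern, and the log lines, thread names and class names are constructed.

```python
import re

# Assumed Python equivalent of the demo MYTIMESTAMP pattern (date, space, time).
TIMESTAMP = re.compile(r"^20\d{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?")


def merge_multiline(lines):
    """Mimic multiline { pattern => "^TIMESTAMP" negate => true what => "previous" }."""
    events = []
    for line in lines:
        line = line.rstrip("\n")
        if TIMESTAMP.match(line) or not events:
            # A timestamped line starts a new event. In this sketch an orphan
            # continuation line with nothing before it also becomes its own event.
            events.append(line)
        else:
            # negate => true: no timestamp at line start, so join to the previous event.
            events[-1] += "\n" + line
    return events


def unmatched(events):
    """Events that do not begin with a timestamp; a MYLOG-style grok would not parse them."""
    return [e for e in events if not TIMESTAMP.match(e)]


# Constructed sample: an orphan stack frame, two normal lines and one stack trace.
# The "Caused by" line carries a date mid-line, which must not start a new event.
SAMPLE = [
    "at com.example.Orphan.run(Orphan.java:1)",
    "2016-10-20 15:52:01.174 [http-8080-1] INFO c.e.w.c.DemoController - resp: ok",
    "2016-10-20 15:52:02.310 [http-8080-2] ERROR c.e.w.c.DemoController - request failed",
    "java.lang.NullPointerException: null",
    "\tat com.example.web.DemoController.handle(DemoController.java:42)",
    "Caused by: java.lang.IllegalStateException: 2016-10-20 bad state",
    "2016-10-20 15:52:03.000 [http-8080-1] INFO c.e.w.c.DemoController - resp: ok",
]

if __name__ == "__main__":
    for number, event in enumerate(merge_multiline(SAMPLE), 1):
        print(f"--- event {number} ---\n{event}")
    print("would fail grok:", unmatched(merge_multiline(SAMPLE)))
```

Running your own log lines through it before starting logstash shows whether the timestamp anchor, rather than the shipper, is why events are split or missing.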


