前言
在平时工作中,我们需要对相关日志进行分析,随着平台的允许,日志会越来越大,不便于分析,此时我们需要将日志写入es,在这个过程中logstash起到中间转发的作用,类似于ETL工具。
1、搭建EL环境(此处没有使用Kibana)
(1)、安装es(5.6.16)
下载地址:https://elasticsearch.cn/download/
安装步骤:https://www.cnblogs.com/cq-yangzhou/p/9310431.html
(2)、安装logstash
下载地址:https://elasticsearch.cn/download/
安装步骤:解压即可。
(3)、安装IK分词器
下载地址:https://github.com/medcl/elasticsearch-analysis-ik/releases
安装步骤:解压,将里面的内容拷贝到es的plugins/ik(ik目录自己创建)目录下面,重启es即可
2、搭建springboot+logstash环境
(1)、引入logstash的mven依赖
<dependency>
<groupId>net.logstash.logback</groupId>
<artifactId>logstash-logback-encoder</artifactId>
<version>5.1</version>
</dependency>
(2)、编写logback-spring.xml放在resources目录下面
<?xml version="1.0" encoding="UTF-8" ?>
<configuration>
<!--日志写入logstash-->
<appender name="logstash" class="net.logstash.logback.appender.LogstashTcpSocketAppender">
<destination>127.0.0.1:4567</destination>
<encoder charset="UTF-8" class="net.logstash.logback.encoder.LogstashEncoder" />
</appender>
<!--监控指定的日志类-->
<logger name="com.example.demo.logutil.LogStashUtil" level="INFO">
<appender-ref ref="logstash"/>
</logger>
</configuration>
(3)、编写日志类LogStashUtil
@Slf4j public class LogStashUtil { public static void sendMessage(String username, String type, String content, Date createTime,String parameters){ JSONObject jsonObject = new JSONObject(); jsonObject.putOpt("username",username); jsonObject.putOpt("type",type); jsonObject.putOpt("content",content); jsonObject.putOpt("parameters",parameters); jsonObject.putOpt("createTime", createTime); log.info(jsonObject.toString()); } }
(4)、编写logstash对应的日志收集配置文件
input { tcp { mode => "server" host => "0.0.0.0" port => 4567 codec => json{ charset=>"UTF-8" } } } filter { json { source => "message" #移除的字段,不会存入es remove_field => ["message","port","thread_name","logger_name","@version","level_value","tags"] } date { match => [ "createTime", "UNIX_MS" ] target => "@timestamp" } ruby { code => "event.set('timestamp', event.get('@timestamp').time.localtime + 8*60*60)" } ruby { code => "event.set('@timestamp',event.get('timestamp'))" } mutate { remove_field => ["timestamp"] } date { match => [ "createTime", "UNIX_MS" ] target => "createTime" } ruby { code => "event.set('createTime', event.get('createTime').time.localtime + 8*60*60)" #时间加8个小时 } } output { elasticsearch { hosts => "localhost:9200" index => "springboot-logstash-%{+YYYY.MM}" document_type => access
#关闭模板管理,使用es通过API创建的模板
manage_template => false
#es中模板的名称
template_name => "message"
} }
补充:模板编写
{ "template": "springboot-logstash_*", "settings": { "index.number_of_shards": 5, "number_of_replicas": 0 }, #指定ik分词 "analysis":{ "analyzer":{ "ik":{ "tokenizer":"ik_max_word" } } }, "mappings": { "_default_": { "_all": { "enabled": true, "omit_norms": true }, ##指定字段type需要进行ik分词 ik_max_word 最大粒度分词,ik_smart粗粒度分词 "dynamic_templates": [{ "message_field": { "match": "type", "match_mapping_type": "string", "mapping": { "type": "string", "index": "analyzed", "analyzer":"ik_max_word" } } }, { "string_fields": { "match": "*", "match_mapping_type": "string", "mapping": { "type": "string", "index": "not_analyzed", "doc_values": true } } }], "properties": { "@timestamp": { "type": "date" }, "@version": { "type": "string", "index": "not_analyzed" } /*, "geoip": { "dynamic": true, "properties": { "ip": { "type": "ip" }, "location": { "type": "geo_point" }, "latitude": { "type": "float" }, "longitude": { "type": "float" } } }*/ } } } }
模板创建好之后,调用es的创建模板接口,传入参数进行创建
#创建模板(覆盖模板) PUT _template/template_name #查看模板 GET _template/template_name #删除模板 DELETE _template/template_name
栗子:
(5)、启动es和logstash
1、启动es 进入es的bin目录 elasticsearch -d p pid
(-p:在文件中记录进程id)
2、启动logstash logstash -f message.conf(指定对应的日志配置文件路径) -d(后台运行)
(6)、单元测试,调用日志收集类LogStashUtil
@Test public void contextLoads() { LogStashUtil.sendMessage( "admin","添加年度管理计划","测试",new Date(),"测试"); }
(7)、查看es中的结果
