一、安裝elasticsearch
可以查看前篇博客 elasticsearch安裝、elasticsearch-head 安裝
二、安裝 配置 logstash
1.安裝logstash
下載地址:https://www.elastic.co/downloads/logstash
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.5.4.tar.gz
tar -zxvf logstash-6.5.4.tar.gz
2.為了方便統計,此處使用了自定義模板 springlog.json
{ "springboot-logback": { "order": 1, "index_patterns": [ "sspringboot-logback-*" ] }, "settings": { "number_of_shards": 5, "number_of_replics": 1 }, "mappings": { "properties": { "@timestamp": { "type": "date", "format": "yyyy-MM-dd HH:mm:ss||yyyy-MM-dd||epoch_millis" }, "thread": { "type": "text" }, "level": { "type": "text" }, "class": { "type": "text" }, "messge": { "type": "text" } } } }
3.配置logstash.conf 可以在config目錄中創建此文件
input { beats { port => 10515 ssl => false } } filter { if [fields][logtype] == "springboot-logback" { grok { match => { "message" => "%{TIMESTAMP_ISO8601:time} %{GREEDYDATA:thread} %{LOGLEVEL:level} (?<class>\bcom.idelan\S*) - %{GREEDYDATA:message}" } } mutate { remove_field => ["host","tags","beat","@version","prospector","input"] } } } output { if [fields][logtype] == "springboot-logback"{ elasticsearch { hosts => ["192.168.30.242:9200"] index => "logstash-%{+YYYY.MM.dd}" template => "/home/tools/logstash-6.5.4/template/springlog.json" #此文件中的內容即上面自定義的模板json template_name => "springboot-logback" template_overwrite => true } stdout { codec => rubydebug } #將日志打印到控制台調試,放在if中順便檢測 是否獲取到了[fields][logtype] 正式環境刪除此行配置
} }
4.啟動 logstash 進入logstash bin目錄
./logstash -f ../config/logstash.conf
后台啟動
./logstash -f ../config/logstash.conf &
5.grok 過濾規則配置
調試工具:http://grokdebug.herokuapp.com/
grok正則:https://github.com/logstash-plugins/logstash-patterns-core/tree/master/patterns
6.日志說明 springboot日志配置
日志格式
2019-01-04 16:08:36.487 [http-nio-8200-exec-10] INFO com.idelan.test.controller.TestController - hello info
grok配置
%{TIMESTAMP_ISO8601:time} %{GREEDYDATA:thread} %{LOGLEVEL:level} %{JAVACLASS:class} - %{GREEDYDATA:message}
由於我只想看屬於我自己包中的日志,所以此處我過濾了com.idelan包下的日志
%{TIMESTAMP_ISO8601:time} %{GREEDYDATA:thread} %{LOGLEVEL:level} (?<class>\bcom.idelan\S*) - %{GREEDYDATA:message}
自定義grok表達式
語法:(?<field_name>the pattern here)
三、安裝配置filebeat
1.下載filebeat
地址:https://www.elastic.co/downloads/beats/filebeat
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.5.4-linux-x86_64.tar.gz
tar -zxvf filebeat-6.5.4-linux-x86_64.tar.gz
2.配置filebeat.yml 如果沒有可以手動創建
filebeat.prospectors: - input_type: log paths: - /usr/local/logs/springboot-demo/*.log include_lines: [".*INFO.*",".*ERROR.*"] exclude_lines: [".*DEBUG.*",".*WARN.*"] exclude_files: [".*debug.*",".*warn.*"] multiline: pattern: '^\s*(\d{4}|\d{2})\-(\d{2}|[a-zA-Z]{3})\-(\d{2}|\d{4})' # 指定匹配的表達式(匹配以 2017-11-15 08:04:23:889 時間格式開頭的字符串) #pattern: '^\s*("{)' # 指定匹配的表達式(匹配以 "{ 開頭的字符串) negate: true # 是否匹配到 match: after # 合並到上一行的末尾 max_lines: 1000 # 最大的行數 timeout: 30s # 如果在規定的時候沒有新的日志事件就不等待后面的日志 fields: logtype: springboot-logback output.logstash: hosts: ["192.168.30.242:10515"]
3.啟動filebeat
調試命令:./filebeat -e -c filebeat.yml -d "publish"
后台啟動:./filebeat -e -c filebeat.yml &
四、成果展示
