In the previous part we looked at how Logstash is used in an ELK cluster. Logstash does a good job of processing logs, but it has one drawback: it is heavy. Logstash runs on JRuby, a Ruby implementation written in Java, so every Logstash process carries a full JVM with a default 1 GB heap and takes a long time to start. If all an agent node has to do is collect logs and ship them somewhere, running Logstash on every agent wastes resources. To solve this, Elastic developed a family of lightweight shippers called Beats. Filebeat is one of them: it reads new lines from local log files and forwards them to an output, doing very little processing in between, much like rsyslog in a forward-only role. When the logs need parsing, Filebeat's output is pointed at a Logstash instance running on a dedicated server that does nothing but processing.
Filebeat log collection flow

Tip: the diagram above shows Filebeat collecting logs and forwarding them to Logstash; Logstash tokenises, parses and processes what Filebeat sent, then writes the result to Elasticsearch for storage.

Tip: once the number of Filebeat agents grows, the load on Logstash becomes very high. To absorb it, Redis can be inserted in the middle as a temporary buffer: Filebeat writes to Redis, Logstash reads from Redis and stores the processed events in Elasticsearch. A Redis list only buffers what fits in its memory and is lost if Redis restarts without persistence, so maxmemory has to be sized for the expected backlog. Filebeat can also send log data straight to Elasticsearch without any Logstash in between.
Installing Filebeat
Download the Filebeat RPM for the same version as Elasticsearch (Elastic's guidance is to run the whole stack at one version; a shipper must not be newer than the cluster it writes to). Before installing, verify the package: Elastic publishes a .sha512 file next to each artifact and signs the RPM with the key at https://artifacts.elastic.co/GPG-KEY-elasticsearch, so check the hash and import the key so that rpm can verify the signature.
[root@node03 ~]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.8.12-x86_64.rpm
--2020-10-04 14:03:03--  https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.8.12-x86_64.rpm
Resolving artifacts.elastic.co (artifacts.elastic.co)... 151.101.230.222, 2a04:4e42:36::734
Connecting to artifacts.elastic.co (artifacts.elastic.co)|151.101.230.222|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11904164 (11M) [application/octet-stream]
Saving to: ‘filebeat-6.8.12-x86_64.rpm’

100%[================================================================================>] 11,904,164  9.76KB/s   in 16m 35s

2020-10-04 14:19:41 (11.7 KB/s) - ‘filebeat-6.8.12-x86_64.rpm’ saved [11904164/11904164]

[root@node03 ~]# ll
total 184540
-rw-r--r-- 1 root root  11904164 Aug 18 19:35 filebeat-6.8.12-x86_64.rpm
-rw-r--r-- 1 root root 177059640 Aug 18 19:41 logstash-6.8.12.rpm
[root@node03 ~]#
Install the filebeat-6.8.12 RPM
[root@node03 ~]# yum install ./filebeat-6.8.12-x86_64.rpm -y
Loaded plugins: fastestmirror
Examining ./filebeat-6.8.12-x86_64.rpm: filebeat-6.8.12-1.x86_64
Marking ./filebeat-6.8.12-x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package filebeat.x86_64 0:6.8.12-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================
 Package                Arch                 Version                    Repository                                   Size
==========================================================================================================================
Installing:
 filebeat               x86_64               6.8.12-1                   /filebeat-6.8.12-x86_64                      38 M

Transaction Summary
==========================================================================================================================
Install  1 Package

Total size: 38 M
Installed size: 38 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : filebeat-6.8.12-1.x86_64                                                                               1/1
  Verifying  : filebeat-6.8.12-1.x86_64                                                                               1/1

Installed:
  filebeat.x86_64 0:6.8.12-1

Complete!
[root@node03 ~]#
Example: configure Filebeat to collect httpd's log and send it to Logstash

Tip: the configuration above enables a Filebeat log input that reads /var/log/httpd/access_log.

Tip: the configuration above sends the logs Filebeat collects to node03:5044.
Configure the Logstash instance on node03 to take its input from port 5044

Tip: the configuration above enables Logstash's beats input plugin, listening on port 5044, and writes the processed events to standard output.
Start Filebeat and Logstash

Tip: when Logstash starts it can be seen listening on port 5044.
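The Filebeat side of this example written out in full, as an added configuration of mine rather than the page's own screenshot. It assumes the hostname node03, port 5044 and certificate paths under /etc/filebeat/pki. The matching Logstash side is the beats input described above, `input { beats { port => 5044 } }`; to make it require a client certificate, set `ssl => true`, `ssl_certificate`, `ssl_key`, `ssl_certificate_authorities` and `ssl_verify_mode => "force_peer"` on that input.

```yaml
# Added example (not the page's configuration): /etc/filebeat/filebeat.yml on node03,
# shipping httpd's access log to the Logstash beats input on node03:5044.
# Hostname, port and PKI paths are assumptions for this lab.
filebeat.inputs:
  - type: log                  # 6.x syntax; "filebeat.prospectors" is the deprecated older name
    enabled: true
    paths:
      - /var/log/httpd/access_log
    tags: ["httpd", "access"]  # lets a Logstash filter branch on where the line came from

# Exactly one output block may be enabled in filebeat.yml.
output.logstash:
  hosts: ["node03:5044"]
  # Without TLS, anyone who can reach tcp/5044 can inject arbitrary events into the
  # pipeline and, through grok and geoip, into Elasticsearch. Assumed paths: the CA that
  # signed the Logstash server certificate and a client certificate that the beats input
  # verifies with ssl_verify_mode => "force_peer".
  #ssl.certificate_authorities: ["/etc/filebeat/pki/ca.crt"]
  #ssl.certificate: "/etc/filebeat/pki/node03.crt"
  #ssl.key: "/etc/filebeat/pki/node03.key"
```

Check the file with `filebeat test config -c /etc/filebeat/filebeat.yml` and the connection to Logstash with `filebeat test output` before restarting the service; both subcommands exist in 6.x.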
Use another host to simulate an internet user requesting a page from httpd on node03
[root@node01 ~]# curl -H "X-Forwarded-For:$[$RANDOM%223+1].$[RANDOM%255].$[RANDOM%255].$[RANDOM%255]" http://node03/test$[$RANDOM%20+1].html
page 18
[root@node01 ~]#
On the standard output of Logstash on node03, check whether the httpd access log entry was collected:
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
{
    "host" => {
        "os" => {
            "platform" => "centos",
            "version" => "7 (Core)",
            "family" => "redhat",
            "name" => "CentOS Linux",
            "codename" => "Core"
        },
        "containerized" => false,
        "architecture" => "x86_64",
        "name" => "node03.test.org",
        "id" => "002f3e572e3e4886ac9e98db8584b467"
    },
    "prospector" => {
        "type" => "log"
    },
    "auth" => "-",
    "clientip" => "25.99.168.124",
    "agent" => "\"curl/7.29.0\"",
    "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
    "@timestamp" => 2020-10-04T06:49:34.000Z,
    "@version" => "1",
    "bytes" => "8",
    "offset" => 0,
    "verb" => "GET",
    "referrer" => "\"-\"",
    "source" => "/var/log/httpd/access_log",
    "log" => {
        "file" => {
            "path" => "/var/log/httpd/access_log"
        }
    },
    "clientipInfo" => {
        "continent_code" => "EU",
        "longitude" => -0.1224,
        "country_code2" => "GB",
        "ip" => "25.99.168.124",
        "country_name" => "United Kingdom",
        "country_code3" => "GB",
        "location" => {
            "lat" => 51.4964,
            "lon" => -0.1224
        },
        "timezone" => "Europe/London",
        "latitude" => 51.4964
    },
    "beat" => {
        "hostname" => "node03.test.org",
        "version" => "6.8.12",
        "name" => "node03.test.org"
    },
    "request" => "/test18.html",
    "input" => {
        "type" => "log"
    },
    "ident" => "-",
    "response" => "200",
    "httpversion" => "1.1"
}
Tip: the access log entry for the request we just made appears on node03's standard output. Note that clientip holds the random address curl put in X-Forwarded-For, not node01's address, so httpd is logging that header as the client address. Any client can set X-Forwarded-For, which makes the logged address and the geoip lookup built on it attacker-controlled unless httpd only honours the header from a known proxy (mod_remoteip with RemoteIPHeader and RemoteIPTrustedProxy).
Example: configure Filebeat to send logs to Elasticsearch

Restart Filebeat

Verify: request a page from httpd and check whether Elasticsearch has stored the httpd access log entry

Check in Elasticsearch whether a new index has been created

Tip: a new index has appeared on ES.
Look at the log content stored on ES

Tip: the document returned above shows that the log stored in ES was not split into fields. Filebeat placed the whole httpd line into the message field and did not break out the client address or anything else. To split the line into separate fields, either route the events through Logstash (grok, as in the previous example), or have httpd write its access log as JSON so that Filebeat can decode the fields itself before sending them to ES.
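The direct-to-Elasticsearch configuration of this example together with the JSON option just mentioned, as an added configuration of mine rather than anything from the page. It assumes the hostnames node01 and node02, the index name httpd-access-*, a filebeat_writer user whose password lives in the Filebeat keystore, and the httpd LogFormat shown in the comments. The edge case to watch is httpd's own escaping: it escapes quotes and control characters in attacker-controlled values such as User-Agent with backslash sequences (`\"` and `\xhh`), and `\xhh` is not valid JSON, so json.add_error_key is set so that such lines show up with an error field instead of being shipped half-parsed.

```yaml
# Added example (not the page's configuration): filebeat.yml on node03 sending
# httpd's access log straight to Elasticsearch, with httpd writing one JSON object per line.
# Assumed httpd directives (CentOS 7 httpd 2.4) that produce that format:
#   LogFormat "{\"timestamp\":\"%{%d/%b/%Y:%H:%M:%S %z}t\",\"clientip\":\"%a\",\"verb\":\"%m\",\"request\":\"%U%q\",\"httpversion\":\"%H\",\"response\":%>s,\"bytes\":%B,\"referrer\":\"%{Referer}i\",\"agent\":\"%{User-Agent}i\"}" json
#   CustomLog "logs/access_log" json
# %B rather than %b keeps bytes numeric; %b logs "-" for zero, which is not valid JSON there.
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/httpd/access_log
    json.keys_under_root: true   # decoded keys become top-level fields instead of sitting under "json"
    json.add_error_key: true     # a line that fails to parse keeps "message" and gets error.message /
                                 # error.type; httpd's \xhh escapes in headers are the usual trigger

# Exactly one output block may be enabled.
output.elasticsearch:
  hosts: ["node01:9200", "node02:9200"]
  index: "httpd-access-%{[beat.version]}-%{+yyyy.MM.dd}"
  # 6.8 includes TLS and role-based access control in the free Basic license. Assumed:
  # a CA at this path and a user whose role can only write httpd-access-* indices,
  # with the password stored via "filebeat keystore add FILEBEAT_ES_PW".
  #protocol: "https"
  #ssl.certificate_authorities: ["/etc/filebeat/pki/ca.crt"]
  #username: "filebeat_writer"
  #password: "${FILEBEAT_ES_PW}"

# Required in 6.x whenever output.elasticsearch.index is customised.
setup.template.name: "httpd-access"
setup.template.pattern: "httpd-access-*"
```

Filebeat still stamps @timestamp with the time it read the line; the request time stays in the timestamp string until something (a Logstash date filter or an Elasticsearch ingest pipeline) parses it.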
Example: configure Filebeat to send the collected logs to Redis

Tip: the configuration above sends the logs Filebeat collects to Redis. Two things to note: the file is YAML, so the indentation has to be consistent (spaces, never tabs); and Filebeat does not support multiple outputs. Configuring output.logstash and output.redis at the same time is rejected when the configuration is loaded; exactly one output may be enabled.
Restart Filebeat

Use another host to simulate requests to httpd

Verify: on node04, check whether a key has been created in Redis database 3 and whether it holds data

Tip: the specified key now exists in Redis database 3, and it holds the httpd access log entries.
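The Filebeat side of this Redis example, as an added configuration of mine rather than the page's screenshot. It assumes node04:6379, database 3, the lab password admin and the key name that the Logstash input below reads. Redis here is reached in plaintext with a guessable password, and before the ACLs of Redis 6 there is no per-key authorisation, so any client that knows the password can read, replace or delete the buffered logs; bind Redis to the internal interface and firewall it to the Filebeat and Logstash hosts.

```yaml
# Added example (not the page's configuration): filebeat.yml on node03 pushing httpd's
# access log onto a Redis list on node04, db 3. Host, password and key are lab assumptions.
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/httpd/access_log

# Only one output may be active. Uncommenting output.logstash while output.redis is
# enabled makes Filebeat refuse the configuration at load time; "filebeat test config" shows it.
#output.logstash:
#  hosts: ["node03:5044"]

output.redis:
  hosts: ["node04:6379"]
  password: "admin"                 # lab value; in production reference the keystore, e.g. "${REDIS_PW}"
  db: 3
  key: "filebeat-node03-httpd-access_log"
  datatype: "list"                  # RPUSH onto a list; Logstash's redis input pops from the head
  timeout: 5                        # seconds before a stalled Redis connection is retried
```

Every event is stored as one JSON document in the list, wrapped in the same beat, host, prospector and input metadata seen in the Logstash stdout earlier, which is why the Logstash configuration that follows removes those fields.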
Configure Logstash to read from Redis and drop the redundant fields Filebeat adds
[root@node03 ~]# cat /etc/logstash/conf.d/httpd-es.conf
input {
  redis {
    host => "node04"
    port => 6379
    password => "admin"
    key => "filebeat-node03-httpd-access_log"
    db => 3
    data_type => "list"       # filebeat's output.redis pushes onto a list
  }
}
filter {
  grok {
    match => { "message" => "%{HTTPD_COMBINEDLOG}" }
    # remove_field only runs when the pattern matched; lines that do not parse
    # keep "message" and are tagged _grokparsefailure
    remove_field => "message"
  }
  date {
    # HTTPD_COMBINEDLOG gives e.g. 04/Oct/2020:14:49:34 +0800. Use yyyy and HH:mm:ss;
    # YYYY is the Joda week-year and yields wrong dates around the turn of the year
    match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
    remove_field => "timestamp"
  }
  geoip {
    source => "clientip"
    target => "geoip"
    database => "/etc/logstash/geoip/GeoLite2-City.mmdb"
  }
  mutate {
    rename => { "geoip" => "clientipInfo" }
    # metadata filebeat wraps around each line; "id" and "containerized" sit under
    # "host", so removing "host" covers them, and "@metadata" is never emitted anyway
    remove_field => ["@metadata", "prospector", "input", "beat", "host"]
  }
}
output {
  # elasticsearch {
  #   hosts => ["http://node01:9200","http://node02:9200"]
  #   index => "httpd.log"
  # }
  stdout { codec => "rubydebug" }
}
[root@node03 ~]#
Check the syntax

Start Logstash

Check whether the events printed to standard output still carry the extra fields Filebeat generates

Tip: after the data read from Redis has passed through Logstash, the extra fields Filebeat added are gone; from here on these events can be written straight to ES for storage.
