Preface:
Both logstash and filebeat can collect logs. filebeat is lighter and uses fewer resources, but logstash has a filter stage that can parse and analyse log lines. The usual layout is: filebeat collects the logs and sends them to a message queue (redis or kafka); logstash then pulls from the queue, parses the lines with its filters, and stores the result in elasticsearch.
1. Pull the logstash image
sudo docker pull logstash:7.6.0
2. Build the logstash container with Docker
Create a logstash container:
sudo docker run -it -d -p 5044:5044 -p 5045:5045 --name logstash1 --net mynetwork logstash:7.6.0
Copy the container's configuration files out to the host so they can be edited:
sudo docker cp logstash1:/usr/share/logstash/config/ /home/xujk/Work/Docker/elasticsearch/logstash
sudo docker cp logstash1:/usr/share/logstash/pipeline/ /home/xujk/Work/Docker/elasticsearch/logstash
sudo docker cp logstash1:/usr/share/logstash/logstash-core/lib/jars/ /web/logstash/
Create the logstash container again, this time mounting the configuration directories so they are easy to edit:
sudo docker run -d -p 5044:5044 -p 5045:5045 \
  --privileged=true \
  -v /home/xujk/Work/Docker/elasticsearch/logstash/config/:/usr/share/logstash/config/ \
  -v /home/xujk/Work/Docker/elasticsearch/logstash/pipeline/:/usr/share/logstash/pipeline/ \
  --name=logstash1 logstash:7.6.0
Edit the configuration file /config/logstash.yml:
http.host: "0.0.0.0"
#xpack.monitoring.elasticsearch.hosts: [ "http://elasticsearch:9200" ]
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: xujingkun
xpack.monitoring.elasticsearch.hosts: [ "http://192.168.231.132:9200" ]

Edit the pipeline file /pipeline/logstash.conf:
input {
  beats {
    port => 5044
  }
}
filter {
  dissect {
    mapping => { "message" => "[%{Time}] %{LogLevel} %{message}" }
  }
}
output {
  elasticsearch {
    hosts => "192.168.231.132:9200"
    index => "xujktest_log"
    timeout => 300
    user => "elastic"
    password => "xujingkun"
  }
  stdout {
    codec => rubydebug
  }
}

With logstash configured, change the filebeat configuration from the previous article so that it outputs to logstash; see the previous article for details.
Logstash uses the dissect filter plugin:
dissect has clear limits: it is only suitable when every line has a similar layout and the delimiters are explicit and simple.
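To see that limit concretely, here is an added example (not from the original post or from Logstash itself): a minimal Ruby re-implementation of dissect matching, applied to the mapping from the logstash.conf above and to constructed sample lines. A line that does not carry every delimiter, such as a stack-trace continuation line, gets Logstash's default _dissectfailure tag instead of parsed fields.

```ruby
# Added example, not from the original post: a minimal re-implementation of
# Logstash dissect matching, to check the logstash.conf mapping offline.
LOG_PATTERN = "[%{Time}] %{LogLevel} %{message}"

# Split a dissect mapping into [literal_delimiter, field_name] pairs
# (a trailing literal with no field gives a pair whose field is nil).
def compile_dissect(pattern)
  pattern.split(/%\{([^}]*)\}/).each_slice(2).to_a
end

# Apply the mapping to one line. Returns a field hash, or nil when a delimiter
# is missing: dissect matches whole lines only, there is no partial match.
def dissect(line, pattern)
  tokens = compile_dissect(pattern)
  fields, pos = {}, 0
  tokens.each_with_index do |(literal, field), i|
    return nil unless line[pos, literal.length] == literal  # delimiter in place?
    pos += literal.length
    next if field.nil?
    nxt = tokens[i + 1]
    stop = nxt ? line.index(nxt[0], pos) : line.length  # last field eats the rest
    return nil if stop.nil?
    fields[field] = line[pos...stop]
    pos = stop
  end
  pos == line.length ? fields : nil
end

# Mirror the filter stage: merge the parsed fields into the event, or add
# Logstash's default _dissectfailure tag so unparsed lines stay visible in ES.
def filter_events(lines, pattern = LOG_PATTERN)
  lines.map do |line|
    event = { "message" => line, "tags" => [] }
    parsed = dissect(line, pattern)
    parsed ? event.merge(parsed) : event.merge("tags" => ["_dissectfailure"])
  end
end

# Constructed sample lines (not real logs): two that fit the mapping and a
# stack-trace continuation line that does not.
SAMPLE_LINES = [
  "[2020-03-01 10:00:00] INFO user login ok",
  "[2020-03-01 10:00:05] ERROR db connection refused",
  "    at com.example.Foo.run(Foo.java:12)",
]

filter_events(SAMPLE_LINES).each { |e| puts e.inspect } if $PROGRAM_NAME == __FILE__
```

Searching the index for the _dissectfailure tag is a quick way to find lines the mapping silently failed to parse; such lines otherwise land in xujktest_log with only the raw message field.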
FAQ and problems encountered:
When logstash syncs the log data, only one record arrives.

This concludes the ELK log collection walkthrough.