Environment preparation
Architecture diagram
Node information
- es:80.107
- logstash1:80.108
- redis:80.106
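- nginx+logstash2:80.105
On 80.105, logstash collects the nginx log data and ships it to redis; the logstash2 node then reads the data from redis and stores it on the es node, and the result is finally viewed in the kibana interface.
Collecting system logs via redis
Install redis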
[root@redis ~]# yum install -y redis
Modify the redis configuration
[root@redis ~]# vim /etc/redis.conf
bind 0.0.0.0
requirepass 123456
[root@redis ~]# systemctl start redis
logstash2 ships system logs to redis
Install the JDK and logstash
[root@logstash2 ~]# yum install -y java-1.8.0-openjdk-devel
[root@logstash2 ~]# source /etc/profile.d/java.sh
[root@logstash2 ~]# echo $JAVA_HOME
/usr/lib/jvm/java-1.8.0-openjdk
[root@logstash2 ~]# rpm -ivh logstash-6.8.1.rpm
warning: logstash-6.8.1.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:logstash-1:6.8.1-1 ################################# [100%]
Using provided startup.options file: /etc/logstash/startup.options
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/pleaserun-0.0.30/lib/pleaserun/platform/base.rb:112: warning: constant ::Fixnum is deprecated
Successfully created system startup script for Logstash
[root@logstash2 ~]# vim /etc/profile.d/logstash.sh
[root@logstash2 ~]# source !$
source /etc/profile.d/logstash.sh
Test connectivity from logstash to redis
First, test shipping the local system log to redis
[root@logstash2 ~]# cd /etc/logstash/conf.d/
[root@logstash2 conf.d]# vim redis-es.conf
[root@logstash2 conf.d]# cat !$
cat redis-es.conf
input {
  file {
    path => "/var/log/messages"
    type => "mes-105"
    start_position => "beginning"
    stat_interval => "2"
  }
}
output {
  if [type] == "mes-105" {
    redis {
      host => "192.168.80.106"
      port => "6379"
      password => "123456"
      db => "1"
      key => "mes-105-key"
      data_type => "list"
    }
  }
  # Specifies the redis host, port and password, selects database number 1, and sets the storage key with data type list
}
[root@logstash2 conf.d]# chmod a+r /var/log/messages
[root@logstash2 conf.d]# logstash -f redis-es.conf -t
[root@logstash2 conf.d]# systemctl start logstash
Check on redis: redis has received the data from logstash normally
[root@redis ~]# redis-cli
127.0.0.1:6379> select 1
(error) NOAUTH Authentication required.
127.0.0.1:6379> auth 123456
OK
127.0.0.1:6379> select 1
OK
127.0.0.1:6379[1]> KEYS *
1) "mes-105-key"
127.0.0.1:6379[1]>
logstash1 pulls the data from redis
[root@logstash1 conf.d]# vim read-redis.conf
input {
  redis {
    host => "192.168.80.106"
    port => "6379"
    password => "123456"
    db => "1"
    key => "mes-105-key"
    data_type => "list"
  }
}
output {
  if [type] == "mes-105" {
    elasticsearch {
      hosts => ["192.168.80.107:9200"]
      index => "mes-105-%{+YYYY.MM.dd}"
    }
  }
}
[root@logstash1 conf.d]# logstash -f read-redis.conf -t
[root@logstash1 conf.d]# logstash -f read-redis.conf
After logstash1 starts successfully, check on redis: the data has been consumed by logstash1
127.0.0.1:6379[1]> KEYS *
1) "mes-105-key"
127.0.0.1:6379[1]> KEYS *
1) "mes-105-key"
127.0.0.1:6379[1]> KEYS *
(empty list or set)
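In the kibana interface, find the corresponding index and create the index pattern
View it in the discover interface
Collecting nginx logs via redis
The previous experiment confirmed that the whole data path is connected, so all that remains is to install nginx on the logstash2 host and follow the same approach: ship the log to redis, have logstash1 read it, and store it in es.
Install nginx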
[root@logstash2 ~]# yum install -y nginx
[root@logstash2 ~]# vim /etc/nginx/nginx.conf
log_format access_json '{"@timestamp":"$time_iso8601",'
                       '"host":"$server_addr",'
                       '"clientip":"$remote_addr",'
                       '"size":$body_bytes_sent,'
                       '"responsetime":$request_time,'
                       '"upstreamtime":"$upstream_response_time",'
                       '"upstreamhost":"$upstream_addr",'
                       '"http_host":"$host",'
                       '"url":"$uri",'
                       '"domain":"$host",'
                       '"http_user_agent":"$http_user_agent",'
                       '"xff":"$http_x_forwarded_for",'
                       '"referer":"$http_referer",'
                       '"status":"$status"}';
access_log /var/log/nginx/access.log access_json;
[root@logstash2 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@logstash2 ~]# nginx
Change the nginx log to JSON format
[root@logstash2 ~]# chmod a+r /var/log/nginx/access.log
Add read permission
Configure logstash2
[root@logstash2 conf.d]# cat nginx-redis-es.conf
input {
  file {
    path => "/var/log/nginx/access.log"
    type => "nginx-105"
    start_position => "beginning"
    stat_interval => "2"
    codec => "json"
  }
}
output {
  if [type] == "nginx-105" {
    redis {
      host => "192.168.80.105"
      port => "6379"
      password => "123456"
      db => "1"
      key => "nginx-105-key"
      data_type => "list"
    }
  }
}
[root@logstash2 conf.d]# logstash -f nginx-redis-es.conf -t
[root@logstash2 conf.d]# systemctl restart logstash
Check the data in redis
Redis holds the key for the system log, but there is no corresponding key for nginx; the cause has not been identified yet
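Added example (not part of the original post): in nginx-redis-es.conf above, the redis output uses host 192.168.80.105, while the node list puts redis on 80.106 and the working redis-es.conf uses 192.168.80.106. The script below extracts the target of every redis block in a pipeline file and flags any that differ from the expected node; the function names and the trimmed config samples are assumptions made for this example.

```shell
# Added example: list the host/key of each redis {} block in a Logstash pipeline.

# Print "section host key" for each redis block read from stdin.
redis_targets() {
  awk '
    /^[ \t]*(input|output)[ \t]*[{]/ { section = $1; sub(/[{].*/, "", section) }
    /^[ \t]*redis[ \t]*[{]/          { in_redis = 1; host = key = "-"; next }
    in_redis && /=>/ {
      val = $3; gsub(/"/, "", val)
      if ($1 == "host") host = val
      if ($1 == "key")  key = val
    }
    in_redis && /^[ \t]*[}]/ { print section, host, key; in_redis = 0 }
  '
}

# usage: check_redis_host EXPECTED_IP < pipeline.conf ; non-zero on mismatch
check_redis_host() {
  redis_targets | awk -v want="$1" '
    $2 != want { print "MISMATCH: " $1 " redis host=" $2 " key=" $3 ", expected " want; bad = 1 }
    END { exit bad }
  '
}

# Redis output blocks from the two shipper configs on this page,
# trimmed to the fields the check reads.
syslog_conf() { cat <<'EOF'
output {
  redis {
    host => "192.168.80.106"
    key => "mes-105-key"
  }
}
EOF
}
nginx_conf() { cat <<'EOF'
output {
  redis {
    host => "192.168.80.105"
    key => "nginx-105-key"
  }
}
EOF
}

REDIS_NODE="192.168.80.106"   # redis node per the node list (80.106)
for conf in syslog_conf nginx_conf; do
  if "$conf" | check_redis_host "$REDIS_NODE"; then echo "OK: $conf"; fi
done
```

On the real host, the same check runs as `check_redis_host 192.168.80.106 < /etc/logstash/conf.d/nginx-redis-es.conf`.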