-
Day06-filebeat,logstash多实例,pipline,ElasticStack项目架构梳理及实战案例
Day06-filebeat,logstash多实例,pipline,ElasticStack项目架构梳理及实战案例
0、昨日内容:
-
logstash
-
input:
用于接收数据:
-
beats
- kafka
- stdin
-
-
filter:
- date
处理日期字段。对时间字段进行格式化并转换为date类型。 - grok
基于正则匹配文本,将该字段提取出来。 - geoip
将公网IP地址进行解析,可以解析经纬度,国家,城市等信息。 - mutate
- user_agent
- json
- date
-
output:
将数据发送到目的端。
- elasticsearch
- stdout
-
测试数据:
OLDBOYedu2023 教室07grok自定义正则模式:
[root@elk101.oldboyedu.com ~]# cat oldboyedu-linux85-patterns/jiaoshi07 YEAR [\d]{4} CLASSROOMNUMBER [0-9]{2} TEACHER [A-Z]+ [root@elk101.oldboyedu.com ~]#1、logstash的单分支和双分支
[root@elk101.oldboyedu.com ~]# cat config/06-tcp-grok_custom_pattern-es.conf input { beats { port => 8888 type => "beats" } tcp { port => 9999 type => "tcp" } http { type => "http" } } filter { if [type] == "beats" { grok { match => { "message" => "%{HTTPD_COMBINEDLOG}" } remove_field => [ "agent","log","input","host","ecs","tags" ] } geoip { source => "clientip" add_field => {"custom-type" => "jiaoshi07-beats"} } date { match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] timezone => "Asia/Shanghai" target => "oldboyedu-linux85-date" } } if [type] == "tcp" { grok { # 指定加载pattern匹配模式的目录,可以是相对路径,也可以是绝对路径 patterns_dir => ["./oldboyedu-linux85-patterns"] # 基于指定字段进行匹配 # match => { "message" => "%{TEACHER:teacher}edu%{YEAR:year} 教室%{CLASSROOMNUMBER:classroom_number}"} match => { "message" => "%{TEACHER:teacher}.{3}%{YEAR:year} 教室%{CLASSROOMNUMBER:classroom_number}"} add_field => {"custom-type" => "jiaoshi07-tcp"} } }else { mutate { add_field => { "school" => "oldboyedu" "class" => "linux85" "custom-type" => "jiaoshi07-http" } } } } output { stdout {} # elasticsearch { # hosts => ["http://localhost:9200"] # index => "oldboyedu-linux85-logstash-nginx" # } } [root@elk101.oldboyedu.com ~]#2、logstash的多分支案例
[root@elk101.oldboyedu.com ~]# cat config/07-tcp-grok_custom_pattern_if-es.conf input { beats { port => 8888 type => "beats" } tcp { port => 9999 type => "tcp" } http { type => "http" } } filter { if [type] == "beats" { grok { match => { "message" => "%{HTTPD_COMBINEDLOG}" } remove_field => [ "agent","log","input","host","ecs","tags" ] } geoip { source => "clientip" add_field => {"custom-type" => "jiaoshi07-beats"} } date { match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] timezone => "Asia/Shanghai" target => "oldboyedu-linux85-date" } } else if [type] == "tcp" { grok { # 指定加载pattern匹配模式的目录,可以是相对路径,也可以是绝对路径 patterns_dir => ["./oldboyedu-linux85-patterns"] # 基于指定字段进行匹配 # match => { "message" => "%{TEACHER:teacher}edu%{YEAR:year} 教室%{CLASSROOMNUMBER:classroom_number}"} match => { "message" => "%{TEACHER:teacher}.{3}%{YEAR:year} 教室%{CLASSROOMNUMBER:classroom_number}"} add_field => {"custom-type" => "jiaoshi07-tcp"} } }else { mutate { add_field => { "school" => "oldboyedu" "class" => "linux85" "custom-type" => "jiaoshi07-http" } } } } output { stdout {} # elasticsearch { # hosts => ["http://localhost:9200"] # index => "oldboyedu-linux85-logstash-nginx" # } } [root@elk101.oldboyedu.com ~]#使用多分支语法分别将"beat,tcp,http"这3个输入类型写入ES集群对应不同的索引:
oldboyedu-linux85-beats
oldboyedu-linux85-tcp
oldboyedu-linux85-http3、filebeat多实例案例
[root@elk103.oldboyedu.com filebeat-7.17.5-linux-x86_64]# filebeat -e -c config/01-stdin-to-console.yaml [root@elk103.oldboyedu.com filebeat-7.17.5-linux-x86_64]# filebeat -e -c config/02-tcp-to-console.yaml --path.data /tmp/oldboyedu-linux85-filebeat4、logstash多实例
[root@elk101.oldboyedu.com ~]# cat config/09-multiple_instance-beats.conf input { beats { port => 8888 type => "beats" } } filter { grok { match => { "message" => "%{HTTPD_COMBINEDLOG}" } remove_field => [ "agent","log","input","host","ecs","tags" ] } geoip { source => "clientip" add_field => {"custom-type" => "jiaoshi07-beats"} } date { match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] timezone => "Asia/Shanghai" target => "oldboyedu-linux85-date" } } output { # stdout {} elasticsearch { hosts => ["http://localhost:9200"] index => "oldboyedu-linux85-multiple_instance-beats" } } [root@elk101.oldboyedu.com ~]# [root@elk101.oldboyedu.com ~]# logstash -rf config/09-multiple_instance-beats.conf [root@elk101.oldboyedu.com ~]# cat config/09-multiple_instance-http.conf input { http { type => "http" } } filter { mutate { add_field => { "school" => "oldboyedu" "class" => "linux85" "custom-type" => "jiaoshi07-http" } } } output { # stdout {} elasticsearch { hosts => ["http://localhost:9200"] index => "oldboyedu-linux85-multiple_instance-http" } } [root@elk101.oldboyedu.com ~]# [root@elk101.oldboyedu.com ~]# logstash -rf config/09-multiple_instance-http.conf --path.data /tmp/oldboyedu-linux85-http [root@elk101.oldboyedu.com ~]# cat config/09-multiple_instance-tcp.conf input { tcp { port => 9999 type => "tcp" } } filter { grok { # 指定加载pattern匹配模式的目录,可以是相对路径,也可以是绝对路径 patterns_dir => ["./oldboyedu-linux85-patterns"] # 基于指定字段进行匹配 # match => { "message" => "%{TEACHER:teacher}edu%{YEAR:year} 教室%{CLASSROOMNUMBER:classroom_number}"} match => { "message" => "%{TEACHER:teacher}.{3}%{YEAR:year} 教室%{CLASSROOMNUMBER:classroom_number}"} add_field => {"custom-type" => "jiaoshi07-tcp"} } } output { # stdout {} elasticsearch { hosts => ["http://localhost:9200"] index => "oldboyedu-linux85-multiple_instance-tcp" } } [root@elk101.oldboyedu.com ~]# [root@elk101.oldboyedu.com ~]# logstash -rf config/09-multiple_instance-tcp.conf --path.data /tmp/oldboyedu-linux85-tcp5、logstash的pipline案例
(1)编写配置文件
[root@elk101.oldboyedu.com ~]# cat config/10-pipeline-beats.conf input { beats { port => 8888 type => "beats" } } filter { grok { match => { "message" => "%{HTTPD_COMBINEDLOG}" } remove_field => [ "agent","log","input","host","ecs","tags" ] } geoip { source => "clientip" add_field => {"custom-type" => "jiaoshi07-beats"} } date { match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] timezone => "Asia/Shanghai" target => "oldboyedu-linux85-date" } } output { # stdout {} elasticsearch { hosts => ["http://localhost:9200"] index => "oldboyedu-linux85-pipeline-beats" } } [root@elk101.oldboyedu.com ~]# [root@elk101.oldboyedu.com ~]# [root@elk101.oldboyedu.com ~]# cat config/10-pipeline-http.conf input { http { type => "http" } } filter { mutate { add_field => { "school" => "oldboyedu" "class" => "linux85" "custom-type" => "jiaoshi07-http" } } } output { # stdout {} elasticsearch { hosts => ["http://localhost:9200"] index => "oldboyedu-linux85-pipeline-http" } } [root@elk101.oldboyedu.com ~]# [root@elk101.oldboyedu.com ~]# [root@elk101.oldboyedu.com ~]# cat config/10-pipeline-tcp.conf input { tcp { port => 9999 type => "tcp" } } filter { grok { # 指定加载pattern匹配模式的目录,可以是相对路径,也可以是绝对路径 patterns_dir => ["./oldboyedu-linux85-patterns"] # 基于指定字段进行匹配 # match => { "message" => "%{TEACHER:teacher}edu%{YEAR:year} 教室%{CLASSROOMNUMBER:classroom_number}"} match => { "message" => "%{TEACHER:teacher}.{3}%{YEAR:year} 教室%{CLASSROOMNUMBER:classroom_number}"} add_field => {"custom-type" => "jiaoshi07-tcp"} } } output { # stdout {} elasticsearch { hosts => ["http://localhost:9200"] index => "oldboyedu-linux85-pipeline-tcp" } } [root@elk101.oldboyedu.com ~]#(2)修改pipline的配置文件
[root@elk101.oldboyedu.com ~]# yy /oldboyedu/softwares/logstash-7.17.5/config/pipelines.yml - pipeline.id: oldboyedu-linux85-pipeline-beats path.config: "/root/config/10-pipeline-beats.conf" - pipeline.id: oldboyedu-linux85-pipeline-tcp path.config: "/root/config/10-pipeline-tcp.conf" - pipeline.id: oldboyedu-linux85-pipeline-http path.config: "/root/config/10-pipeline-http.conf"(3)启动logstash实例
logstash6、logstash的useragent过滤器及kibana出图展示
(1)filebeat采集日志
[root@elk103.oldboyedu.com filebeat-7.17.5-linux-x86_64]# cat config/20-nginx-to-logstash.yaml filebeat.inputs: - type: log paths: - /var/log/nginx/access.log* json: keys_under_root: true add_error_key: true overwrite_keys: true # 将数据输出到logstash中 output.logstash: # 指定logstash的主机和端口 hosts: ["10.0.0.101:8888"] [root@elk103.oldboyedu.com filebeat-7.17.5-linux-x86_64]# [root@elk103.oldboyedu.com filebeat-7.17.5-linux-x86_64]# filebeat -e -c config/20-nginx-to-logstash.yaml(2)logstash分析数据
[root@elk101.oldboyedu.com ~]# cat config/11-beats-grok_geoip_date_useragent-es.conf input { beats { port => 8888 } } filter { mutate { remove_field => [ "agent","log","input","host","ecs","tags" ] } geoip { source => "clientip" } date { match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] timezone => "Asia/Shanghai" } # 用于分析客户端设备类型的插件 useragent { # 指定基于哪个字段分析设备 source => "http_user_agent" # 指定将解析的数据放在哪个字段,若不指定,则默认放在顶级字段中 target => "oldboyedu-linux85-agent" } } output { # stdout {} elasticsearch { hosts => ["http://localhost:9200"] index => "oldboyedu-linux85-logstash-nginx-useragent" } } [root@elk101.oldboyedu.com ~]# [root@elk101.oldboyedu.com ~]# logstash -rf config/11-beats-grok_geoip_date_useragent-es.conf(3)kibana出图展示
7、mutate组件数据准备-python脚本
cat > generate_log.py <<EOF #!/usr/bin/env python # -*- coding: UTF-8 -*- # @author : Jason Yin import datetime import random import logging import time import sys LOG_FORMAT = "%(levelname)s %(asctime)s [com.oldboyedu.%(module)s] - %(message)s " DATE_FORMAT = "%Y-%m-%d %H:%M:%S" # 配置root的logging.Logger实例的基本配置 logging.basicConfig(level=logging.INFO, format=LOG_FORMAT, datefmt=DATE_FORMAT, filename=sys.argv[1] , filemode='a',) actions = ["浏览页面", "评论商品", "加入收藏", "加入购物车", "提交订单", "使用优惠券", "领取优惠券", "搜索", "查看订单", "付款", "清空购物车"] while True: time.sleep(random.randint(1, 5)) user_id = random.randint(1, 10000) # 对生成的浮点数保留2位有效数字. price = round(random.uniform(15000, 30000),2) action = random.choice(actions) svip = random.choice([0,1]) logging.info("DAU|{0}|{1}|{2}|{3}".format(user_id, action,svip,price)) EOF nohup python generate_log.py /tmp/apps.log &>/dev/null &logstash编写:
[root@elk101.oldboyedu.com ~]# cat config/12-beats-mutate-es.conf input { beats { port => 9999 } } filter { mutate { remove_field => [ "agent","log","input","host","ecs","tags" ] } mutate { # 将message字段使用"|"进行切分 split => { "message" => "|" } } mutate { add_field => { userid => "%{[message][1]}" verb => "%{[message][2]}" svip => "%{[message][3]}" price => "%{[message][4]}" } } mutate { rename => { "verb" => "action" } } mutate { convert => { "userid" => "integer" "svip" => "boolean" "price" => "float" } } } output { # stdout {} elasticsearch { hosts => ["http://localhost:9200"] index => "oldboyedu-linux85-logstash-nginx-mutate" } } [root@elk101.oldboyedu.com ~]# [root@elk101.oldboyedu.com ~]# logstash -rf config/12-beats-mutate-es.conffilebeat编写:
[root@elk103.oldboyedu.com filebeat-7.17.5-linux-x86_64]# cat config/21-apps-to-logstash.yaml filebeat.inputs: - type: log paths: - /tmp/apps.log output.logstash: hosts: ["10.0.0.101:9999"] [root@elk103.oldboyedu.com filebeat-7.17.5-linux-x86_64]# [root@elk103.oldboyedu.com filebeat-7.17.5-linux-x86_64]# filebeat -e -c config/21-apps-to-logstash.yaml8、将nginx日志分析,通过kibana展示数据,pv,带宽总量,公网IP的Top10统计等信息。
项目案例:
logstash配置文件[root@elk101.oldboyedu.com ~]# cat config/13-procect.conf input { beats { port => 7777 } } filter { mutate { remove_field => [ "agent","log","input","host","ecs","tags" ] } geoip { source => "clientip" } date { match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] timezone => "Asia/Shanghai" } useragent { source => "http_user_agent" # target => "oldboyedu-linux85-agent" } } output { # stdout {} elasticsearch { hosts => ["http://localhost:9200"] index => "oldboyedu-linux85-logstash-nginx-project-%{+yyyy.MM.dd}" } } [root@elk101.oldboyedu.com ~]#filebeat配置:
[root@elk103.oldboyedu.com ~]# cat /oldboyedu/softwares/filebeat-7.17.5-linux-x86_64/config/22-project.yaml filebeat.inputs: - type: log paths: - /var/log/nginx/access.log* json: keys_under_root: true add_error_key: true overwrite_keys: true output.logstash: hosts: ["10.0.0.101:7777"] [root@elk103.oldboyedu.com ~]#9、地理位置案例
01-创建索引映射
PUT http://10.0.0.103:9200/oldboyedu-map { "mappings": { "properties": { "location": { "type": "geo_point" } } } }02-写入地理位置-lat代表纬度,lon代表经度
POST http://10.0.0.103:9200/oldboyedu-map/_doc { "location": { "lat": 39.914, "lon": 116.386 } }03-批量地理位置
{ "create" : { "_index" : "oldboyedu-map" } } { "location": { "lat": 24,"lon": 121 }} { "create" : { "_index" : "oldboyedu-map" } } { "location": { "lat": 36.61,"lon": 114.488 }} { "create" : { "_index" : "oldboyedu-map" } } { "location": { "lat": 39.914,"lon": 116.386 }}10、修复nginx日志解析经纬度问题故障演练
01-修改nginx的索引的地理位置映射
PUT http://10.0.0.103:9200/oldboyedu-linux82-project-nginx { "mappings": { "properties": { "geoip": { "properties": { "location": { "type": "geo_point" } } } } } }02-批量创建测试地理位置数据
POST http://10.0.0.103:9200/_bulk { "create" : { "_index" : "oldboyedu-linux82-project-nginx" } } { "geoip.location": { "lat": 25,"lon": 121 }} { "create" : { "_index" : "oldboyedu-linux82-project-nginx" } } { "geoip.location": { "lat": 35.61,"lon": 114.488 }} { "create" : { "_index" : "oldboyedu-linux82-project-nginx" } } { "geoip.location": { "lat": 35.914,"lon": 116.386 }} { "create" : { "_index" : "oldboyedu-linux82-project-nginx" } } { "geoip.location": { "lat": 45.914,"lon": 118.386 }} { "create" : { "_index" : "oldboyedu-linux82-project-nginx" } } { "geoip.location": { "lat": 55.914,"lon": 126.386 }} { "create" : { "_index" : "oldboyedu-linux82-project-nginx" } } { "geoip.location": { "lat": 75.914,"lon": 26.386 }} { "create" : { "_index" : "oldboyedu-linux82-project-nginx" } } { "geoip.location": { "lat": 85.914,"lon": 16.386 }}
filebeat的modules实战案例-了解
[root@elk103 filebeat-7.17.5-linux-x86_64]# filebeat modules list Enabled: Disabled: activemq apache auditd aws awsfargate .... [root@elk103 filebeat-7.17.5-linux-x86_64]# ll modules.d/ 总用量 300 -rw-r--r-- 1 root root 484 2022-06-24 07:24 activemq.yml.disabled -rw-r--r-- 1 root root 476 2022-06-24 07:24 apache.yml.disabled -rw-r--r-- 1 root root 281 2022-06-24 07:24 auditd.yml.disabled -rw-r--r-- 1 root root 2112 2022-06-24 07:24 awsfargate.yml.disabled -rw-r--r-- 1 root root 10575 2022-06-24 07:24 aws.yml.disabled -rw-r--r-- 1 root root 1707 2022-06-24 07:24 azure.yml.disabled ... [root@elk103 filebeat-7.17.5-linux-x86_64]# filebeat modules enable nginx tomcat Enabled nginx Enabled tomcat [root@elk103 filebeat-7.17.5-linux-x86_64]# filebeat modules list Enabled: nginx tomcat Disabled: activemq apache auditd aws ... [root@elk103 filebeat-7.17.5-linux-x86_64]# filebeat modules disable tomcat Disabled tomcat [root@elk103 filebeat-7.17.5-linux-x86_64]# filebeat modules list Enabled: nginx Disabled: activemq apache auditd [root@elk103 filebeat-7.17.5-linux-x86_64]# cat modules.d/nginx.yml # Module: nginx # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.17/filebeat-module-nginx.html - module: nginx # Access logs access: enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. var.paths: ["/tmp/oldboyedu-linux85/access.log"] # Error logs error: enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: # Ingress-nginx controller logs. This is disabled by default. It could be used in Kubernetes environments to parse ingress-nginx logs ingress_controller: enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths:
今日作业:
完成的课堂的所有练习并整理思维导图. -
-
相关阅读:
推荐一款功能强大的 GPT 学术优化开源项目GPT Academic:学术研究的智能助手
PTE-精听学习(三)
房产网小程序源码 房产中介小程序源码 房产网源码
星起航:卖家要想保持市场活跃和竞争力,要尤为注重新产品的开发
虚幻引擎:数据表格的C++常用API
抽象工厂
一夜之间,3.0万 Star,全部清零。。
【大摆子 做 摆烂题】【C++】
【云原生之Docker实战】使用Docker部署Kavita 个人漫画服务器
计组与操作系统
- 原文地址:https://blog.csdn.net/dws123654/article/details/140438190