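Sometimes we need to analyze server logs and raise an alert on the error entries. Here we use Logstash to collect the logs and a mail-sending system we developed ourselves to send out the error log data.
For example, we have several files to monitor (BI logs).
We can configure Logstash to collect these log files: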
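```
input {
  file {
    path => "/diskb/bidir/smartbi_prd_*/apache-tomcat-5.5.25_prd_*/logs/catalina.out"
    start_position => "beginning"
    sincedb_path => "/diskb/logstashlog/log"
    codec => plain { charset => "GBK" }
  }
}

filter {
  # Lines that do not start with a "MM-dd HH:mm:ss" timestamp (stack traces,
  # wrapped text) are appended to the previous event
  multiline {
    pattern => "^\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}"
    negate => true
    what => "previous"
  }
  # Keep a copy of the full line in its own mutate block: add_field is applied
  # after the mutate operations, so in the same block it would see the
  # already-split message
  mutate {
    add_field => { "logmessage" => "%{[message]}" }
  }
  mutate {
    split => ["message", " "]
    add_field => {
      "logdate" => "%{[message][0]}"
      "logtime" => "%{[message][1]}"
      "logstate" => "%{[message][2]}"
    }
    remove_field => ["message"]
  }
  # Drop events whose first token is not a date
  if [logdate] !~ /\d{2}-\d{2}/ {
    drop {}
  }
  urldecode {
    all_fields => true
  }
}

output {
  # Write error entries to a file, which is used as the attachment of the mail.
  # Logstash's built-in email output could be used here directly, but the
  # department requires that mail be sent no more often than once a minute,
  # so an external scheduled sender is used instead.
  if [logstate] =~ /ERROR/ {
    file {
      path => "/diskb/bi_error_log/bi_error.log"
    }
  }
  elasticsearch {
    hosts => [ "10.130.2.53:9200","10.130.2.46:9200","10.130.2.54:9200" ]
    flush_size => 50000
    workers => 5
    index => "logstash-bi-tomcat-log"
  }
}
```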
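Starting Logstash with this conf file imports all the data into ES, where Kibana can display it (the display is not covered further here). At the same time, log entries whose state is ERROR are written to a text file for the mail-sending system to use. That completes the setup.
Attached below: the mail-sending script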
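```sh
#!/bin/sh
# Send the error log to someone by mail

# Path of the attachment to send. The glob is left unquoted below so the shell
# expands it; it is expected to match the single file written by Logstash.
attachement="/diskb/bi_error_log/*.log"
if [ ! -f $attachement ];then
    echo "file is not exist"
    exit 1
fi

# Recipient
maillist="[email protected]"

# Write the SMTP settings used by mailx (this overwrites /etc/nail.rc on every run)
cat > /etc/nail.rc<<EOF
set [email protected]
set smtp=60.28.250.158
set [email protected]
set smtp-auth-password=******
set smtp-auth=login
EOF

# echo "mail body" | /usr/local/mailx-12.4/mailx -v -s "mail subject" [-a "attachment path"] [-c "cc address"] recipient
echo "Hello, please receive the error log for BI from hexun.bdc." | /usr/local/mailx-12.4/mailx -v -s "[The system sends]" -a $attachement $maillist

# After sending, delete the file
rm -fr $attachement
```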
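The script above rewrites the system-wide /etc/nail.rc with the SMTP password on every run. The following is an added example, not part of the original post, that keeps the credentials in a private mailrc (mode 0600) and refuses to send if that file is readable by anyone else. The function names, the placeholder SMTP host and user, and the use of Heirloom mailx's MAILRC environment variable are assumptions.

```sh
#!/bin/sh
# Added example: function names and placeholder values are assumptions.

# Create a mailrc that only its owner can read.
# $1 = mailrc path, $2 = SMTP password (e.g. taken from a protected variable)
write_private_mailrc() {
    (
        umask 077        # new files get mode 0600
        rm -f "$1"       # an existing file would keep its old, looser mode
        cat > "$1" <<EOF
set smtp=smtp.example.invalid
set smtp-auth=login
set smtp-auth-user=alerts@example.invalid
set smtp-auth-password=$2
EOF
    )
}

# Succeeds only if $1 is a regular file, not a symlink, with mode rw-------.
mailrc_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case $(ls -ld "$1") in
        -rw-------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Send one attachment using the private mailrc instead of /etc/nail.rc.
# $1 = mailrc path, $2 = attachment file, $3 = recipient
send_error_log() {
    if ! mailrc_is_private "$1"; then
        echo "refusing to send: $1 is missing or readable by other users" >&2
        return 1
    fi
    # MAILRC tells Heirloom mailx which per-user startup file to read
    echo "Hello, please receive the error log for BI from hexun.bdc." |
        MAILRC="$1" /usr/local/mailx-12.4/mailx -s "[The system sends]" -a "$2" "$3"
}
```

A cron job would call `write_private_mailrc` once during setup and `send_error_log` on each scheduled run, so the password no longer has to live in the script or in /etc/nail.rc.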