elk分析nginx、dns日志
部署环境
|
192.168.122.187 |
Logstash-1.5.1 elasticsearch-1.6.0 kibana-4.1.1 |
Centos6.4 |
|
192.168.122.1 |
Redis-2.8 |
Centos7.1 |
|
192.168.122.2 |
Nginx logstash-1.5.2 supervisor-2.1-9 java-1.7 |
Centos6.4 |
|
192.168.122.247 |
Bind9 logstash-1.5.2 supervisor-2.1-9 java-1.7 |
Centos6.2 |
安装过程就不复述了,参考http://kibana.logstash.es/content/logstash/get_start/install.html
安装时注意的几个地方
1、java最好是1.7
2、server上的logstash我直接用rpm装的就能用,但是agent端的就不好使,没有深究
3、elasticsearch、kibana还有agent端的logstash我都是用supervisor运行的
4、supervisor直接就是epel的yum装的
贴下配置
192.168.122.187上:
Logstash的配置
server端的logstash是rpm安装的
[[email protected] ~]# cat /etc/logstash/conf.d/central.conf
input {
redis {
host => "192.168.122.1"
port => 6379
type => "redis-input"
data_type => "list"
key => "logstash"
codec => ‘json‘
}
}
output {
elasticsearch {
host => "127.0.0.1"
}
}
elasticsearch
/usr/local/elasticsearch-1.6.0/config/elasticsearch.yml保持默认
Kibana
/usr/local/kibana-4.1.1-linux-x64/config/kibana.yml 保持默认
192.168.122.1上
Redis的配置也没动。。。
192.168.122.2上
Nginx的
#nginx这里的区别就是log这块的配置,配成json格式
log_format json ‘{"@timestamp":"$time_iso8601",‘
‘"host":"$server_addr",‘
‘"clientip":"$remote_addr",‘
‘"size":$body_bytes_sent,‘
‘"responsetime":$request_time,‘
‘"upstreamtime":"$upstream_response_time",‘
‘"upstreamhost":"$upstream_addr",‘
‘"http_host":"$host",‘
‘"url":"$uri",‘
‘"xff":"$http_x_forwarded_for",‘
‘"referer":"$http_referer",‘
‘"agent":"$http_user_agent",‘
‘"status":"$status"}‘;
-----------------------------
access_log /var/log/nginx/zabbix_access.log json;
logstash的
[[email protected] ~]# cat /usr/local/logstash-1.5.2/conf/shipper.conf
input {
file {
type => "test-nginx"
path => ["/var/log/nginx/zabbix_access.log"]
codec => "json"
}
}
output {
stdout {}
redis {
host => "192.168.122.1"
port => 6379
data_type => "list"
key => "logstash"
}
}
Supervisor的
[[email protected] ~]# cat /etc/supervisord.conf |grep -v \;
[supervisord]
[program:logstash]
command=/usr/local/logstash-1.5.2/bin/logstash agent --verbose --config /usr/local/logstash-1.5.2/conf/shipper.conf --log /usr/local/logstash-1.5.2/logs/stdout.log
process_name=%(program_name)s
numprocs=1
autostart=true
autorestart=true
startretries=5
exitcodes=0
stopsignal=KILL
stopwaitsecs=5
redirect_stderr=true
[supervisorctl]
192.168.122.247上
Bind的配置用默认的即可
Logstash的
[[email protected] ~]# cat /usr/local/logstash/conf/shipper.conf
input {
file {
type => "dnslog"
path => ["/home/dnslog/*.log"]
}
}
filter {
#由于dns日志没办法定义成json,我又不会grok,所以这里用mutate来切割
mutate {
gsub => ["message","#"," "]
split => ["message"," "]
}
mutate {
add_field => {
"client" => "%{[message][5]}"
"domain_name" => "%{[message][10]}"
"server" => "%{[message][14]}"
}
}
}
output {
stdout {}
redis {
host => "192.168.122.1"
port => 6379
data_type => "list"
key => "logstash"
}
}
Supervisor的
[[email protected] ~]# cat /etc/supervisord.conf |grep -v \;|grep -v ^$
[supervisord]
[supervisorctl]
[program:logstash]
command=/usr/local/logstash/bin/logstash agent --verbose --config /usr/local/logstash/conf/shipper.conf --log /usr/local/logstash/logs/stdout.log
process_name=%(program_name)s
numprocs=1
autostart=true
autorestart=true
startretries=5
exitcodes=0
stopsignal=KILL
stopwaitsecs=5
redirect_stderr=true
配置kibana
Nginx
1、在discover搜索nginx相关的日志,之后保存
2、在visualize部署单个的图表,之后保存
3、在dashboard将几个nginx的visualize的图表连起来
Dns
1、在discover搜索dns相关的日志,之后保存
2、在visualize部署单个的图表,之后保存
3、在dashboard将几个dns的visualize的图表连起来
遇到的问题
自定义的field在discover上能看到,但是在制作visualize时看不到
这种情况是由于没有刷新索引的field导致的,默认的索引用的是logstash-*,在“Settings”—Indices中看到,点击logstash-*进去之后,点击刷新按钮
时间: 2024-08-24 04:46:23