
Build an ELK log analysis platform.

ELK

Environment:
Vagrant 1.8.1
CentOS 7.2 192.168.0.228
Elasticsearch 2.3.2
logstash 2.2.4
Kibana 4.4.2
filebeat 1.2.2
topbeat 1.2.2

Build an ELK log analysis platform. This repository holds its core configuration files; for the full setup procedure see the ELK环境搭建.docx document.

Screenshots

Elasticsearch index list

Nginx log analysis

Syslog system log analysis

Tomcat log analysis

System log analysis

Topbeat Dashboard

logstash commands

logstash command help

$ /opt/logstash/bin/logstash -h
Usage:
    /bin/logstash agent [OPTIONS]

Options:
    -f, --config CONFIG_PATH      Load the logstash config from a specific file
                                  or directory.  If a directory is given, all
                                  files in that directory will be concatenated
                                  in lexicographical order and then parsed as a
                                  single config file. You can also specify
                                  wildcards (globs) and any matched files will
                                  be loaded in the order described above.
    -e CONFIG_STRING              Use the given string as the configuration
                                  data. Same syntax as the config file. If no
                                  input is specified, then the following is
                                  used as the default input:
                                  "input { stdin { type => stdin } }"
                                  and if no output is specified, then the
                                  following is used as the default output:
                                  "output { stdout { codec => rubydebug } }"
                                  If you wish to use both defaults, please use
                                  the empty string for the '-e' flag.
                                   (default: "")
    -w, --pipeline-workers COUNT  Sets the number of pipeline workers to run.
                                   (default: 1)
    -b, --pipeline-batch-size SIZE Size of batches the pipeline is to work in.
                                   (default: 125)
    -u, --pipeline-batch-delay DELAY_IN_MS When creating pipeline batches, how long to wait while polling
                                  for the next event.
                                   (default: 5)
    --filterworkers COUNT         DEPRECATED. Now an alias for --pipeline-workers and -w
    -l, --log FILE                Write logstash internal logs to the given
                                  file. Without this flag, logstash will emit
                                  logs to standard output.
    -v                            Increase verbosity of logstash internal logs.
                                  Specifying once will show 'informational'
                                  logs. Specifying twice will show 'debug'
                                  logs. This flag is deprecated. You should use
                                  --verbose or --debug instead.
    --quiet                       Quieter logstash logging. This causes only 
                                  errors to be emitted.
    --verbose                     More verbose logging. This causes 'info' 
                                  level logs to be emitted.
    --debug                       Most verbose logging. This causes 'debug'
                                  level logs to be emitted.
    --debug-config                translation missing: en.logstash.runner.flag.debug_config (default: false)
    -V, --version                 Emit the version of logstash and its friends,
                                  then exit.
    -p, --pluginpath PATH         A path of where to find plugins. This flag
                                  can be given multiple times to include
                                  multiple paths. Plugins are expected to be
                                  in a specific directory hierarchy:
                                  'PATH/logstash/TYPE/NAME.rb' where TYPE is
                                  'inputs' 'filters', 'outputs' or 'codecs'
                                  and NAME is the name of the plugin.
    -t, --configtest              Check configuration for valid syntax and then exit.
    --[no-]allow-unsafe-shutdown  Force logstash to exit during shutdown even
                                  if there are still inflight events in memory.
                                  By default, logstash will refuse to quit until all
                                  received events have been pushed to the outputs.
                                   (default: false)
    -h, --help                    print help

Check a given logstash configuration file for valid syntax

$ /opt/logstash/bin/logstash agent -f /etc/logstash/conf.d/14-log4j_to_es.conf -t

Collect logs using a given configuration file

$ /opt/logstash/bin/logstash agent -f /etc/logstash/conf.d/14-log4j_to_es.conf

Check the logstash service status

$ sudo service logstash status 
logstash is running
$ sudo service logstash start|stop|restart 

kibana

Edit /opt/kibana/config. Kibana 4.x talks to Elasticsearch over plain HTTP and neither ships with authentication, so ports 5601 and 9200 on 192.168.0.228 should only be reachable from the hosts that need them.

server.port: 5601
server.host: "192.168.0.228"
elasticsearch.url: "http://192.168.0.228:9200"
kibana.index: ".kibana"

ELK configuration examples by use case

syslog logs

logstash filter configuration

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

Java log collection

http://kibana.logstash.es/content/logstash/examples/java.html

  • log4j SocketAppender

logstash configuration

input {
  # log4j SocketAppender
  log4j {
    mode => "server"
    host => "192.168.0.228"
    port => 4560
    type => "log4j"
  }
}

filter {
}

output {
  if [type] == "log4j" {
    elasticsearch {
      action => "index"
      hosts  => "192.168.0.228:9200"
      index  => "log4j-access-%{+yyyy.MM.dd}"
    }
    redis {
      host => "192.168.0.46"
      port => 6379
      data_type => "list"
      key => "logstash:log4j"
    }
  } 
}

log4j.properties

# level first (INFO chosen here), then the appender names; with only "logstash"
# on this line log4j reads it as a level and attaches no appender, so nothing is sent
log4j.rootLogger=INFO, logstash

###SocketAppender###
log4j.appender.logstash=org.apache.log4j.net.SocketAppender
# port of the log4j input in logstash
log4j.appender.logstash.Port=4560
# IP of the machine running logstash
log4j.appender.logstash.RemoteHost=192.168.0.228
log4j.appender.logstash.ReconnectionDelay=60000
log4j.appender.logstash.LocationInfo=true
log4j.appender.logstash.Application=elk-log4j-simple

  • log4j-jsonevent-layout

logstash configuration

input {
  # log4j-jsonevent-layout
  file {
    codec => json
    path => "/home/vagrant/tomcat-7.0.69/bin/target/*.log"
    type => "log4j"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}

filter {
}

output {
  if [type] == "log4j" {
    elasticsearch {
      action => "index"
      hosts  => "192.168.0.228:9200"
      index  => "log4j-access-%{+yyyy.MM.dd}"
    }
    redis {
      host => "192.168.0.46"
      port => 6379
      data_type => "list"
      key => "logstash:log4j"
    }
  } 
}

<!-- output log4j logs as JSON -->
<dependency>
    <groupId>net.logstash.log4j</groupId>
    <artifactId>jsonevent-layout</artifactId>
    <version>1.7</version>
</dependency>

Note: in the output's elasticsearch section, index is the name of the Elasticsearch index the documents are written to. Before searching in Kibana you must create an index pattern matching that value.

Tomcat logs

logstash pattern configuration

JAVACLASS (?:[a-zA-Z0-9-]+\.)+[A-Za-z0-9$]+

JAVALOGMESSAGE (.*)

# MMM dd, yyyy HH:mm:ss eg: Jan 9, 2014 7:13:13 AM
CATALINA_DATESTAMP %{MONTH} %{MONTHDAY}, 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) (?:AM|PM)

# yyyy-MM-dd HH:mm:ss,SSS ZZZ eg: 2014-01-09 17:32:25,527 -0800
TOMCAT_DATESTAMP 20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) %{ISO8601_TIMEZONE}

CATALINALOG %{CATALINA_DATESTAMP:timestamp} %{JAVACLASS:class} %{JAVALOGMESSAGE:logmessage}

# 2014-01-09 20:03:28,269 -0800 | ERROR | com.example.service.ExampleService - something completely unexpected happened...
TOMCATLOG %{TOMCAT_DATESTAMP:timestamp} \| %{LOGLEVEL:level} \| %{JAVACLASS:class} - %{JAVALOGMESSAGE:logmessage}

logstash filter configuration

filter {
  if [type] == "tomcat_access" {
    grok {
      match => [ "message", "%{TOMCATLOG}", "message", "%{CATALINALOG}" ]
    }
    date {
      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS Z", "MMM dd, yyyy HH:mm:ss a" ]
    }
  }
}
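To see what these patterns actually capture, here is an added Python example (not part of the repository) that expands %{NAME:field} references the way grok does, using an abridged copy of the grok core patterns, and applies the filter's two-pattern match order to two constructed log lines.

```python
import re

# Abridged copy of the grok core patterns these definitions rely on (the real
# library is larger and its alternations longer), then the page's pattern file.
PATTERNS = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "YEAR": r"\d\d(?:\d\d)?",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"[0-5][0-9]",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "ISO8601_TIMEZONE": r"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN(?:ING)?|ERROR|FATAL|SEVERE)",
    # the page's pattern file, verbatim
    "JAVACLASS": r"(?:[a-zA-Z0-9-]+\.)+[A-Za-z0-9$]+",
    "JAVALOGMESSAGE": r"(.*)",
    "CATALINA_DATESTAMP": r"%{MONTH} %{MONTHDAY}, 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) (?:AM|PM)",
    "TOMCAT_DATESTAMP": r"20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) %{ISO8601_TIMEZONE}",
    "CATALINALOG": r"%{CATALINA_DATESTAMP:timestamp} %{JAVACLASS:class} %{JAVALOGMESSAGE:logmessage}",
    "TOMCATLOG": r"%{TOMCAT_DATESTAMP:timestamp} \| %{LOGLEVEL:level} \| %{JAVACLASS:class} - %{JAVALOGMESSAGE:logmessage}",
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def expand(pattern):
    """Recursively replace grok's %{NAME} / %{NAME:field} references with plain
    regex; a field name becomes a named capture group."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        inner = expand(PATTERNS[name])
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return _REF.sub(repl, pattern)

def grok_match(line, names=("TOMCATLOG", "CATALINALOG")):
    """Same order as match => [ "message", "%{TOMCATLOG}", "message", "%{CATALINALOG}" ]:
    the first pattern that matches wins. Returns the captured fields, or None
    (logstash would then add the _grokparsefailure tag to the event)."""
    for name in names:
        m = re.search(expand("%{" + name + "}"), line)
        if m:
            return {k: v for k, v in m.groupdict().items() if v is not None}
    return None

# Constructed sample lines: an application log line in the TOMCATLOG layout
# and a catalina.out line in the CATALINALOG layout.
TOMCAT_LINE = ("2014-01-09 20:03:28,269 -0800 | ERROR | "
               "com.example.service.ExampleService - something completely unexpected happened...")
CATALINA_LINE = "Jan 9, 2014 7:13:13 AM org.apache.catalina.startup.Catalina start"

if __name__ == "__main__":
    for line in (TOMCAT_LINE, CATALINA_LINE):
        print(grok_match(line))
```

The captured field names are the ones the date filter in this section depends on (timestamp), so a pattern edit that renames or loses a field shows up here before it silently breaks @timestamp in Kibana.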

Apache logs

logstash filter configuration

filter {
  if [type] == "apache-access" {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
  }
}

Nginx access logs

logstash pattern configuration

NGUSERNAME [a-zA-Z\.\@\-\+_%]+
NGUSER %{NGUSERNAME}
NGINXACCESS %{IPORHOST:clientip} %{NGUSER:ident} %{NGUSER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:"(?:%{URI:referrer}|-)"|%{QS:referrer}) %{QS:agent}

logstash filter configuration

filter {
  if [type] == "nginx-access" {
    grok {
      match => { "message" => "%{NGINXACCESS}" }
    }
    geoip {
      source => "clientip"
      target => "geoip"
      database => "/etc/logstash/GeoLiteCity.dat"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float"]
    }
  }
}

Nginx access logs converted to JSON format

http://kibana.logstash.es/content/logstash/examples/nginx-access.html

http://kibana.logstash.es/content/logstash/plugins/codec/json.html

nginx.conf

log_format json '{"@timestamp":"$time_iso8601",'
                 '"host":"$server_addr",'
                 '"clientip":"$remote_addr",'
                 '"size":$body_bytes_sent,'
                 '"responsetime":$request_time,'
                 '"upstreamtime":"$upstream_response_time",'
                 '"upstreamhost":"$upstream_addr",'
                 '"http_host":"$host",'
                 '"url":"$uri",'
                 '"xff":"$http_x_forwarded_for",'
                 '"referer":"$http_referer",'
                 '"agent":"$http_user_agent",'
                 '"status":"$status"}';
access_log  /var/log/nginx/access.log  json;

logstash configuration

input {
  file {             # read from the nginx access log
    type => "nginx-access"
    path => "/var/log/nginx/access.log"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    codec => "json"  # the codec is set to json here
  }
}

filter {
    mutate {
        split => [ "upstreamtime", "," ]
    }
    mutate {
        convert => [ "upstreamtime", "float" ]
    }
}

output {
  if [type] == "nginx-access" {
    elasticsearch {
      hosts => ["192.168.0.228:9200"]
      index => "nginx-access-%{+yyyy.MM.dd}"
    }
  }
}
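An added Python example, not from the repository, that does offline what the json codec and the two mutate filters above do, on constructed lines in the page's log_format. One of the lines is deliberately the kind nginx itself breaks: without escape=json (available from nginx 1.11.8) a double quote in a request header is logged as \x22, which is not a JSON escape.

```python
import json

# Constructed lines in the page's log_format: a static file (no upstream, so
# nginx writes "-"), a request proxied to two upstreams, and a request whose
# User-Agent contained a double quote, logged by nginx as \x22 (not valid JSON).
LINES = [
    r'{"@timestamp":"2016-05-11T10:03:40+08:00","host":"192.168.0.228","clientip":"10.0.0.15",'
    r'"size":612,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.example.com",'
    r'"url":"/index.html","xff":"-","referer":"-","agent":"curl/7.47.0","status":"200"}',
    r'{"@timestamp":"2016-05-11T10:03:41+08:00","host":"192.168.0.228","clientip":"10.0.0.16",'
    r'"size":2048,"responsetime":0.135,"upstreamtime":"0.010, 0.120","upstreamhost":"127.0.0.1:8080, 127.0.0.1:8081",'
    r'"http_host":"www.example.com","url":"/api/orders","xff":"-","referer":"-","agent":"Mozilla/5.0","status":"200"}',
    r'{"@timestamp":"2016-05-11T10:03:42+08:00","host":"192.168.0.228","clientip":"10.0.0.17",'
    r'"size":0,"responsetime":0.001,"upstreamtime":"-","upstreamhost":"-","http_host":"www.example.com",'
    r'"url":"/","xff":"-","referer":"-","agent":"x\x22y","status":"400"}',
]

def parse_access_line(line):
    """json codec plus the two mutate filters from the page. A line that is not
    valid JSON is kept as its raw message and tagged _jsonparsefailure, which is
    what logstash's json codec does, so such lines stay visible in Kibana."""
    try:
        ev = json.loads(line)
    except ValueError:
        return {"message": line, "type": "nginx-access", "tags": ["_jsonparsefailure"]}
    ev["type"] = "nginx-access"
    # mutate { split => [ "upstreamtime", "," ] }: "0.010, 0.120" becomes two strings
    parts = [p.strip() for p in ev["upstreamtime"].split(",")]
    # mutate { convert => [ "upstreamtime", "float" ] }; "-" means no upstream was
    # contacted, so it is dropped here instead of being coerced to a number (our
    # choice in this example; the page's filter does not special-case it)
    ev["upstreamtime"] = [float(p) for p in parts if p != "-"]
    return ev

def parse_access_log(lines):
    return [parse_access_line(line) for line in lines]

if __name__ == "__main__":
    for ev in parse_access_log(LINES):
        print(ev)
```

Because the log_format quotes $status but not $body_bytes_sent, status arrives as a string while size is a number; a further mutate convert is needed before range queries on status work in Kibana.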

MySQL slow query log

http://kibana.logstash.es/content/logstash/examples/mysql-slow.html

logstash configuration

input {
  file {
   type => "mysql-slow"
   path => "/var/log/mysql/mysql-slow.log"
   start_position => "beginning"
   sincedb_path => "/dev/null"
   codec => multiline {         # logstash's multiline codec: merge the lines that make up one slow-log entry into a single event
     pattern => "^# User@Host"  # a regex marks the first line of each entry
     negate => true
     what => "previous"
   }
  }
}

filter {
  # drop sleep events
  grok {
    match => { "message" => "SELECT SLEEP" }
    add_tag => [ "sleep_drop" ]
    tag_on_failure => [] # prevent default _grokparsefailure tag on real records
  }
  if "sleep_drop" in [tags] {
    drop {}
  }
  grok {
    match => [ "message", "(?m)^# User@Host: %{USER:user}\[[^\]]+\] @ (?:(?<clienthost>\S*) )?\[(?:%{IP:clientip})?\]\s*# Query_time: %{NUMBER:query_time:float}\s+Lock_time: %{NUMBER:lock_time:float}\s+Rows_sent: %{NUMBER:rows_sent:int}\s+Rows_examined: %{NUMBER:rows_examined:int}\s*(?:use %{DATA:database};\s*)?SET timestamp=%{NUMBER:timestamp};\s*(?<query>(?<action>\w+)\s+.*)\n# Time:.*$" ]
  }
  date {
    match => [ "timestamp", "UNIX" ]
    remove_field => [ "timestamp" ]
  }
}

output {
  if [type] == "mysql-slow" {
     elasticsearch {
        action => "index"
        hosts  => "192.168.0.228:9200"
        index  => "mysql-slow-%{+yyyy.MM.dd}"
     }
  }
}
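An added Python example, not from the repository, that reproduces this pipeline offline: the multiline codec's what => previous grouping, the SELECT SLEEP drop, the grok pattern translated to Python regex syntax, and the UNIX date conversion, run over a constructed slow log. IP and NUMBER are simplified relative to grok's definitions.

```python
import re
from datetime import datetime, timezone

# Constructed slow log in mysqld's format. The trailing "# Time:" line matters: the
# grok pattern ends in "\n# Time:.*$", so the last entry in a live file only
# parses once the next entry's header has been written after it.
SLOW_LOG = """# Time: 160511 10:02:15
# User@Host: app[app] @ localhost []
# Query_time: 2.314156  Lock_time: 0.000102 Rows_sent: 1  Rows_examined: 0
SET timestamp=1462960935;
SELECT SLEEP(2);
# Time: 160511 10:03:40
# User@Host: report[report] @  [10.0.0.15]
# Query_time: 5.120000  Lock_time: 0.000210 Rows_sent: 230  Rows_examined: 4500000
use shop;
SET timestamp=1462961020;
SELECT o.id, o.total
FROM orders o WHERE o.created < NOW() - INTERVAL 30 DAY;
# Time: 160511 10:05:01
"""

def multiline_events(text, pattern=r"^# User@Host", negate=True):
    """multiline codec, what => previous: a line joins the current event unless
    it matches the pattern (negate => true inverts the test)."""
    events = []
    for line in text.splitlines():
        starts_new = (re.search(pattern, line) is not None) == negate
        if starts_new or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events

# The page's grok pattern with its %{...} references inlined (USER, DATA exact; IP
# IPv4-only, NUMBER simplified). grok's (?m) is Ruby's dot-matches-newline: re.S here.
SLOW_QUERY = re.compile(
    r"^# User@Host: (?P<user>[a-zA-Z0-9._-]+)\[[^\]]+\] @ (?:(?P<clienthost>\S*) )?"
    r"\[(?:(?P<clientip>(?:\d{1,3}\.){3}\d{1,3}))?\]\s*"
    r"# Query_time: (?P<query_time>[0-9.]+)\s+Lock_time: (?P<lock_time>[0-9.]+)\s+"
    r"Rows_sent: (?P<rows_sent>\d+)\s+Rows_examined: (?P<rows_examined>\d+)\s*"
    r"(?:use (?P<database>.*?);\s*)?SET timestamp=(?P<timestamp>\d+);\s*"
    r"(?P<query>(?P<action>\w+)\s+.*)\n# Time:.*$", re.S)

def process_slow_log(text):
    out = []
    for msg in multiline_events(text):
        if re.search(r"SELECT SLEEP", msg):       # grok add_tag sleep_drop -> drop {}
            continue
        m = SLOW_QUERY.search(msg)
        if not m:                                  # logstash tags this _grokparsefailure
            out.append({"message": msg, "tags": ["_grokparsefailure"]})
            continue
        ev = {k: v for k, v in m.groupdict().items() if v is not None}
        for k in ("query_time", "lock_time"):      # %{NUMBER:x:float}
            ev[k] = float(ev[k])
        for k in ("rows_sent", "rows_examined"):   # %{NUMBER:x:int}
            ev[k] = int(ev[k])
        # date { match => [ "timestamp", "UNIX" ] remove_field => [ "timestamp" ] }
        ev["@timestamp"] = datetime.fromtimestamp(int(ev.pop("timestamp")), tz=timezone.utc)
        out.append(ev)
    return out
```

The stray "# Time:" header before the first "# User@Host" becomes its own event and ends up tagged _grokparsefailure, exactly as in logstash; filtering on that tag in Kibana is the quickest way to see what the pattern is not parsing.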

Reference articles for building the platform

https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-elk-stack-on-centos-7

https://www.digitalocean.com/community/tutorials/how-to-gather-infrastructure-metrics-with-topbeat-and-elk-on-centos-7

https://www.digitalocean.com/community/tutorials/adding-logstash-filters-to-improve-centralized-logging

https://www.digitalocean.com/community/tutorials/how-to-use-kibana-dashboards-and-visualizations

https://www.digitalocean.com/community/tutorials/how-to-map-user-location-with-geoip-and-elk-elasticsearch-logstash-and-kibana

YAML syntax validation

http://yaml-online-parser.appspot.com/

http://www.yamllint.com/

Linux system administration tutorial collections

https://www.digitalocean.com/community/tutorials

http://www.unixmen.com/

http://linoxide.com/

Tomcat log analysis references

https://aggarwalarpit.wordpress.com/2015/12/03/configuring-elk-stack-to-analyse-apache-tomcat-logs/

https://www.systemcodegeeks.com/web-servers/apache/configuring-elk-stack-analyse-apache-tomcat-logs/

http://stackoverflow.com/questions/25429377/how-can-i-integrate-tomcat6s-catalina-out-file-with-logstash-elasticsearch

https://blog.codecentric.de/en/2014/10/log-management-spring-boot-applications-logstash-elastichsearch-kibana/

https://blog.lanyonm.org/articles/2014/01/12/logstash-multiline-tomcat-log-parsing.html

https://spredzy.wordpress.com/2013/03/02/monitor-your-cluster-of-tomcat-applications-with-logstash-and-kibana/

log4j log analysis references

https://qbox.io/blog

https://github.com/logstash/log4j-jsonevent-layout

https://www.elastic.co/guide/en/logstash/current/plugins-inputs-log4j.html

https://blog.lanyonm.org/articles/2015/12/29/log-aggregation-log4j-spring-logstash.html

http://www.tianmaying.com/tutorial/elastic-logstash-kibana
