1. Requirements analysis
1.1 Log types
Access logs: Apache access log, Nginx access log, Tomcat, etc.
Error logs: error log, Java logs
System logs: /var/log/*, syslog
Runtime logs: whatever the application defines
Network logs: logs from firewalls, routers and switches
1.2 Log collection methods
file - filter: read from a file and parse it in logstash; some logs can be shipped as-is, others need processing first (Java logs are multi-line, so a stack trace has to be folded into one event)
file - json: the application writes JSON itself, so every line is already an event and needs no parsing
syslog, rsyslog: received over the network from hosts and devices that forward via syslog
2. How to collect logs
2.1 Standardization
Log storage path: for example /data/logs
Format requirement: JSON
Naming rules: access_log, error_log, runtime_log, etc.
Log rotation: by month, by day or by hour (a cron script does the split); rsync every raw file to the NAS and only then delete logs older than X days (with high log volume avoid NFS: throughput is poor, and a plain NFS export is unencrypted and trusts the client's UIDs)
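A cron-driven rotation script that follows the conventions above, as an added example (it is not part of the original notes). The /data/logs layout and the access_log / error_log / runtime_log names come from section 2.1; the NAS target, the retention period and the hourly timestamp suffix are assumptions. The rsync step runs before pruning and aborts the script on failure, so nothing is deleted that has not reached the NAS:

```python
#!/usr/bin/env python3
"""Hourly rotation for /data/logs, run from cron (added example)."""
import os
import subprocess
import time
from pathlib import Path

LOG_DIR = Path("/data/logs")
LOG_NAMES = ("access_log", "error_log", "runtime_log")
NAS_TARGET = "backup@nas.example.internal:/srv/logs/web01/"  # hypothetical
RETAIN_DAYS = 7                                               # the "X days"


def rotated_name(name, when):
    """Timestamped copy name, e.g. access_log.2024010113 for hourly rotation."""
    return name + "." + time.strftime("%Y%m%d%H", time.localtime(when))


def rotate(log_dir, names=LOG_NAMES, when=None):
    """Rename every live log to its timestamped copy and return the new paths.
    rename() on the same filesystem is atomic, so no line is lost; afterwards
    the writer must be told to reopen its file (kill -USR1 for nginx,
    apachectl graceful for httpd), which is left to the caller's cron line."""
    when = time.time() if when is None else when
    rotated = []
    for name in names:
        src = log_dir / name
        if not src.exists():
            continue
        dst = log_dir / rotated_name(name, when)
        os.rename(src, dst)
        rotated.append(dst)
    return rotated


def ship(files, target=NAS_TARGET):
    """Copy the rotated files to the NAS; raises if rsync fails."""
    subprocess.run(["rsync", "-a", "--partial", *map(str, files), target],
                   check=True)


def prune(log_dir, retain_days, now=None):
    """Delete rotated copies older than retain_days. Live logs are never
    touched, whatever their mtime. Returns the paths removed."""
    now = time.time() if now is None else now
    cutoff = now - retain_days * 86400
    removed = []
    for p in log_dir.iterdir():
        if p.name in LOG_NAMES or not p.is_file():
            continue
        if p.stat().st_mtime < cutoff:
            p.unlink()
            removed.append(p)
    return removed


if __name__ == "__main__":
    done = rotate(LOG_DIR)
    if done:
        ship(done)          # on failure the exception stops us before prune()
    prune(LOG_DIR, RETAIN_DAYS)
```

The pruning step keys on the file name rather than on age alone, so a live log whose mtime is old (a service that stopped writing) is kept and its silence can be noticed instead of being tidied away.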
3. Logstash collection plan
Production collection example, shipper side (to collect more files, append further file {} inputs one after another; every event is routed by the type its input sets). The Apache access log and the Elasticsearch log are read locally and each event is pushed into a Redis list named after its type:

input {
    file {
        path => "/var/log/httpd/access_log"
        start_position => "beginning"
        type => "apache-accesslog"
    }
    file {
        path => "/var/log/elasticsearch/myes.log"
        type => "es-log"
        start_position => "beginning"
        # Java log: a line that does not begin with "[" is a continuation
        # (stack trace) of the previous event, so it is glued onto it
        codec => multiline {
            pattern => "^\["
            negate => true
            what => "previous"
        }
    }
}
output {
    # No password is set on the redis {} blocks: this only holds if the Redis
    # instance is reachable from the shippers and the indexer alone; otherwise
    # set password => "..." here and on the indexer's redis inputs.
    if [type] == "apache-accesslog" {
        redis {
            host => "192.168.56.12"
            port => "6379"
            db => "6"
            data_type => "list"
            key => "apache-accesslog"
        }
    }
    if [type] == "es-log" {
        redis {
            host => "192.168.56.12"
            port => "6379"
            db => "6"
            data_type => "list"
            key => "es-log"
        }
    }
}

Indexer side: read the Redis lists (plus syslog from the network) and write into ES

input {
    # The syslog input listens on TCP and UDP. Port 514 is privileged, so
    # logstash must run as root or hold CAP_NET_BIND_SERVICE, or listen on an
    # unprivileged port and have rsyslog forward there.
    syslog {
        type => "system-syslog"
        port => 514
    }
    redis {
        type => "apache-accesslog"
        host => "192.168.56.12"
        port => "6379"
        db => "6"
        data_type => "list"
        key => "apache-accesslog"
    }
    redis {
        type => "es-log"
        host => "192.168.56.12"
        port => "6379"
        db => "6"
        data_type => "list"
        key => "es-log"
    }
}
filter {
    if [type] == "apache-accesslog" {
        # On a parse failure the event is kept and tagged _grokparsefailure;
        # alert on that tag, it signals a format change or malformed requests.
        grok {
            match => { "message" => "%{COMBINEDAPACHELOG}" }
        }
    }
}
output {
    # %{+YYYY.MM.dd} is taken from @timestamp. There is no date filter here,
    # so @timestamp is the time logstash received the event, not the time
    # written in the log line. An event whose type matches no branch is dropped.
    if [type] == "apache-accesslog" {
        elasticsearch {
            hosts => ["192.168.56.11:9200"]
            index => "apache-accesslog-%{+YYYY.MM.dd}"
        }
    }
    if [type] == "es-log" {
        elasticsearch {
            hosts => ["192.168.56.11:9200"]
            index => "es-log-%{+YYYY.MM}"
        }
    }
    if [type] == "system-syslog" {
        elasticsearch {
            hosts => ["192.168.56.11:9200"]
            index => "system-syslog-%{+YYYY.MM}"
        }
    }
}
Note:
If Redis lists are used as the message queue of the ELK stack, monitor the length of every list key (llen key_name) and alert above a threshold chosen for your volume, e.g. 100,000. A growing list means the indexer side has fallen behind; the list lives in Redis memory, so left alone it ends in maxmemory eviction or an OOM kill, and the queued events are lost.
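To see what the shipper and indexer configurations above do to an event without standing up Redis and Elasticsearch, here is an added Python reproduction of the pipeline logic (it is not part of the original notes and not logstash's own code): the multiline fold applied to the ES log, the COMBINEDAPACHELOG split written as a regex with grok's field names, the _grokparsefailure tagging, and the type-based index routing. The log lines are constructed samples; the multiline function also implements what => "next", which the configuration above does not use:

```python
import re
from datetime import datetime, timezone

# Constructed sample input (not real logs): two Apache combined-format lines
# and an Elasticsearch log with a Java stack trace spread over several lines.
APACHE_LINES = [
    '192.168.56.1 - - [10/Oct/2023:13:55:36 +0800] "GET /index.html HTTP/1.1" '
    '200 2326 "http://example.com/" "Mozilla/5.0"',
    '192.168.56.1 - - [10/Oct/2023:13:55:37 +0800] "GET /../../etc/passwd HTTP/1.1" '
    '403 199 "-" "curl/8.0"',
]
ES_LINES = [
    "[2023-10-10 13:55:36,000][INFO ][node] [myes] started",
    "[2023-10-10 13:55:40,000][WARN ][index.shard] [myes] failed to flush",
    "org.elasticsearch.index.engine.FlushFailedEngineException: Flush failed",
    "\tat org.elasticsearch.index.engine.InternalEngine.flush(InternalEngine.java:1)",
    "[2023-10-10 13:55:41,000][INFO ][node] [myes] recovered",
]

# grok's COMBINEDAPACHELOG, written out as a regex with the same field names.
COMBINED = re.compile(
    r'(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+)(?: (?P<httpversion>HTTP/[\d.]+))?" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)


def multiline(lines, pattern=r"^\[", negate=True, what="previous"):
    """Fold lines into events the way the logstash multiline codec does.
    A line "applies" when (it matches pattern) != negate; with negate => true
    that is every line NOT starting with "[". what => "previous" glues such a
    line onto the event before it, what => "next" onto the one after it."""
    rx = re.compile(pattern)
    events, cur = [], []
    for line in lines:
        applies = (rx.search(line) is not None) != negate
        if what == "previous":
            if applies and cur:
                cur.append(line)
            else:
                if cur:
                    events.append("\n".join(cur))
                cur = [line]
        else:  # "next"
            cur.append(line)
            if not applies:
                events.append("\n".join(cur))
                cur = []
    if cur:
        events.append("\n".join(cur))
    return events


def index_for(event, now):
    """Mirror the output {} branches: index name per type, dated from @timestamp.
    No date filter is configured, so @timestamp is the ingestion time (now)."""
    t = event["type"]
    if t == "apache-accesslog":
        return "apache-accesslog-" + now.strftime("%Y.%m.%d")
    if t in ("es-log", "system-syslog"):
        return t + "-" + now.strftime("%Y.%m")
    return None  # no output branch matches: logstash silently drops the event


def process(lines, type_, now=None):
    """Run lines of one type through the shipper + indexer logic."""
    now = now or datetime.now(timezone.utc)
    messages = multiline(lines) if type_ == "es-log" else list(lines)
    events = []
    for msg in messages:
        ev = {"type": type_, "message": msg, "tags": []}
        if type_ == "apache-accesslog":
            m = COMBINED.match(msg)
            if m:
                ev.update(m.groupdict())
            else:
                # grok keeps the event and tags it; a spike in this tag means a
                # log format change or a client sending deliberately odd requests
                ev["tags"].append("_grokparsefailure")
        ev["_index"] = index_for(ev, now)
        events.append(ev)
    return events


if __name__ == "__main__":
    for ev in process(APACHE_LINES, "apache-accesslog") + process(ES_LINES, "es-log"):
        print(ev["_index"], ev.get("request") or ev["message"].splitlines()[0])
```

Running it shows the second Apache line landing in the access-log index with request "/../../etc/passwd" and response 403, which is the kind of field a detection rule on the ES side keys on, and the five ES lines collapsing into three events, the stack trace staying attached to its WARN line.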