Log analysis platform ELK: the log collector filebeat

Posted by 1874 on 2020-10-04

  Earlier we looked at how logstash is used in an ELK cluster. Processing logs with logstash works well, but it has one drawback: it is slow. The reason is that logstash depends on the JRuby virtual machine, a Ruby VM written in Java. Java programs already run slowly on the JVM, and logstash additionally runs on top of a Ruby VM that is itself written in Java, so it is effectively a virtual machine running inside another virtual machine. If all we need on the agent side is to collect and forward logs, running logstash there wastes a lot of resources. To solve this, Elastic developed a more lightweight family of log shippers called Beats; filebeat is one of them. It reads the content of local log files and ships it somewhere, doing little processing in between, somewhat like rsyslog doing pure log forwarding. If the logs need processing, we can point filebeat's output at logstash and run logstash on a dedicated server that only does log processing.

  How filebeat collects logs

  Note: in the diagram above, filebeat collects the logs and forwards them to logstash for analysis; logstash tokenizes, analyzes and processes the logs it receives from filebeat and then sends them to elasticsearch for storage.

  Note: once the number of filebeat agents behind logstash grows, the load on logstash becomes very high. To address this we can add redis in the middle as a temporary buffer: filebeat writes to redis, logstash reads the logs from redis and then stores what it read in elasticsearch. filebeat can of course also send log data directly to elasticsearch for storage.

  Installing filebeat

  Download the filebeat rpm package matching the elasticsearch version

[root@node03 ~]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.8.12-x86_64.rpm
--2020-10-04 14:03:03--  https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.8.12-x86_64.rpm
Resolving artifacts.elastic.co (artifacts.elastic.co)... 151.101.230.222, 2a04:4e42:36::734
Connecting to artifacts.elastic.co (artifacts.elastic.co)|151.101.230.222|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11904164 (11M) [application/octet-stream]
Saving to: ‘filebeat-6.8.12-x86_64.rpm’

100%[================================================================================>] 11,904,164  9.76KB/s   in 16m 35s

2020-10-04 14:19:41 (11.7 KB/s) - ‘filebeat-6.8.12-x86_64.rpm’ saved [11904164/11904164]

[root@node03 ~]# ll
total 184540
-rw-r--r-- 1 root root  11904164 Aug 18 19:35 filebeat-6.8.12-x86_64.rpm
-rw-r--r-- 1 root root 177059640 Aug 18 19:41 logstash-6.8.12.rpm
[root@node03 ~]# 

  Install the filebeat-6.8.12 rpm package

[root@node03 ~]# yum install ./filebeat-6.8.12-x86_64.rpm -y
Loaded plugins: fastestmirror
Examining ./filebeat-6.8.12-x86_64.rpm: filebeat-6.8.12-1.x86_64
Marking ./filebeat-6.8.12-x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package filebeat.x86_64 0:6.8.12-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================
 Package                  Arch                   Version                    Repository                               Size
==========================================================================================================================
Installing:
 filebeat                 x86_64                 6.8.12-1                   /filebeat-6.8.12-x86_64                  38 M

Transaction Summary
==========================================================================================================================
Install  1 Package

Total size: 38 M
Installed size: 38 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : filebeat-6.8.12-1.x86_64                                                                               1/1 
  Verifying  : filebeat-6.8.12-1.x86_64                                                                               1/1 

Installed:
  filebeat.x86_64 0:6.8.12-1                                                                                              

Complete!
[root@node03 ~]# 

  Example: configure filebeat to collect the httpd log and output the collected log to logstash

  Note: the configuration above enables the filebeat log input to collect /var/log/httpd/access_log.

  Note: the configuration above sends the logs collected by filebeat to node03:5044.

  Configure logstash on node03 to take its input by listening on port 5044

  Note: the configuration above enables the beats plugin in logstash as the data input, listening on port 5044; logstash then writes the processed log data to standard output.

  Start filebeat and logstash

  Note: when logstash starts you can see it listening on port 5044.

  Use another host to simulate an internet user visiting the page served by httpd on node03

[root@node01 ~]# curl -H "X-Forwarded-For:$[$RANDOM%223+1].$[RANDOM%255].$[RANDOM%255].$[RANDOM%255]" http://node03/test$[$RANDOM%20+1].html
page 18
[root@node01 ~]# 

  On the standard output of logstash on node03, check whether the httpd access log was collected.

/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
{
            "host" => {
                   "os" => {
            "platform" => "centos",
             "version" => "7 (Core)",
              "family" => "redhat",
                "name" => "CentOS Linux",
            "codename" => "Core"
        },
        "containerized" => false,
         "architecture" => "x86_64",
                 "name" => "node03.test.org",
                   "id" => "002f3e572e3e4886ac9e98db8584b467"
    },
      "prospector" => {
        "type" => "log"
    },
            "auth" => "-",
        "clientip" => "25.99.168.124",
           "agent" => "\"curl/7.29.0\"",
            "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
      "@timestamp" => 2020-10-04T06:49:34.000Z,
        "@version" => "1",
           "bytes" => "8",
          "offset" => 0,
            "verb" => "GET",
        "referrer" => "\"-\"",
          "source" => "/var/log/httpd/access_log",
             "log" => {
        "file" => {
            "path" => "/var/log/httpd/access_log"
        }
    },
    "clientipInfo" => {
        "continent_code" => "EU",
             "longitude" => -0.1224,
         "country_code2" => "GB",
                    "ip" => "25.99.168.124",
          "country_name" => "United Kingdom",
         "country_code3" => "GB",
              "location" => {
            "lat" => 51.4964,
            "lon" => -0.1224
        },
              "timezone" => "Europe/London",
              "latitude" => 51.4964
    },
            "beat" => {
        "hostname" => "node03.test.org",
         "version" => "6.8.12",
            "name" => "node03.test.org"
    },
         "request" => "/test18.html",
           "input" => {
        "type" => "log"
    },
           "ident" => "-",
        "response" => "200",
     "httpversion" => "1.1"
}

  Note: on node03's standard output we can see the access log entry for the request we just made to httpd.

  Example: configure filebeat to output logs to elasticsearch

  Restart filebeat

  Verify: access httpd and check whether elasticsearch has stored the httpd access log.

  Check whether a new index has been created in elasticsearch.

  Note: a new index has been created on es.

  View the log content stored on es

  Note: from the log returned above, the log stored in es has not been split into fields: filebeat simply treats the whole httpd log line as the value of the message field and does not split out the ip address and other information. To split the log content into separate fields we can use logstash, or we can have httpd write its log directly in JSON format and then let filebeat send that to es for storage.
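The second route mentioned above, as an added example rather than the post's own configuration: httpd writes its access log as one JSON object per line, and filebeat decodes each line before shipping it to elasticsearch, so the fields arrive already split without logstash in the path. The LogFormat line and the path /var/log/httpd/access_json.log are assumptions; the field names are chosen to match those the post's logstash grok output produces (clientip, verb, request, httpversion, response, bytes, referrer, agent), and the es hosts are the ones named in the post's commented-out logstash output.

```yaml
# Added example (not from the post): filebeat 6.x input that decodes JSON access logs.
# Assumes httpd.conf carries a JSON LogFormat and CustomLog such as (assumed, not on the page):
#   LogFormat "{\"clientip\":\"%a\",\"timestamp\":\"%{%Y-%m-%dT%H:%M:%S%z}t\",\"verb\":\"%m\",\"request\":\"%U%q\",\"httpversion\":\"%H\",\"response\":%>s,\"bytes\":%B,\"referrer\":\"%{Referer}i\",\"agent\":\"%{User-Agent}i\"}" httpd_json
#   CustomLog /var/log/httpd/access_json.log httpd_json
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/httpd/access_json.log
  json.keys_under_root: true   # place the decoded keys at the top level of the event instead of under "json"
  json.add_error_key: true     # a line that fails to decode is still shipped, with error.message set, instead of silently dropped
  json.overwrite_keys: false   # values decoded from a log line may never replace the fields filebeat adds itself (@timestamp, host, source)

# exactly one output may be active in filebeat
output.elasticsearch:
  hosts: ["node01:9200", "node02:9200"]
```

Two things worth knowing when checking the result in es: httpd 2.4 backslash-escapes quotes and backslashes in header values such as User-Agent and Referer, which keeps the JSON valid, but it renders other non-printable characters as \xhh sequences, which JSON does not accept; such a line shows up in es with error.message set rather than as split fields, which is exactly why json.add_error_key is enabled. Leaving json.overwrite_keys at false means content taken from the request can only populate the keys in the LogFormat and cannot rewrite filebeat's own metadata.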

  Example: configure filebeat to output the collected logs to redis


  Note: the configuration above makes filebeat output the collected logs to redis. Two things need attention here. First, the configuration file is in YAML format, so the indentation below must be aligned correctly. Second, filebeat does not support multiple outputs: configuring filebeat to output to logstash and at the same time to redis is not supported; only a single output is allowed.
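The three filebeat output variants used in this post (to logstash, to elasticsearch, and to redis), collected in one added example of /etc/filebeat/filebeat.yml for filebeat 6.8. This is not the post's own file; the host names, port 5044, the redis password, db and key are taken from the post's logstash configurations, and the single-output rule is shown by keeping the two inactive outputs commented out.

```yaml
# Added example (not the post's own file): filebeat 6.8 configuration with one input
# and exactly one active output. filebeat refuses a file that enables more than one
# output section, so switch by uncommenting one block and commenting out the others.
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/httpd/access_log

# Output 1 (first example in the post): ship to the logstash beats input on node03:5044
output.logstash:
  hosts: ["node03:5044"]

# Output 2 (second example): ship straight to elasticsearch; each line arrives as a
# single "message" field because nothing along the way splits it
#output.elasticsearch:
#  hosts: ["node01:9200", "node02:9200"]

# Output 3 (third example): RPUSH every event onto a redis list that logstash then
# consumes; key, db and password match the redis input in the post's httpd-es.conf
#output.redis:
#  hosts: ["node04:6379"]
#  password: "admin"
#  key: "filebeat-node03-httpd-access_log"
#  db: 3
#  datatype: "list"
```

After editing the file, `filebeat test config -c /etc/filebeat/filebeat.yml` checks the YAML (including the indentation the note above warns about) and `filebeat test output` verifies that the active output is reachable, both before restarting the service. Note that the redis output option is spelled datatype in filebeat, while the matching logstash input option is data_type, as seen in the post's httpd-es.conf below.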

  Restart filebeat

  Use another host to simulate access to httpd

  Verify: check db 3 of redis on node04 for whether a key has been created and whether it holds data.

  Note: db 3 of redis now holds the specified key, and the key contains the httpd access log entries.

  Configure logstash to read data from redis and remove filebeat's redundant fields

[root@node03 ~]# cat /etc/logstash/conf.d/httpd-es.conf
input {
    redis {
        host => ["node04"]
        port => 6379
        password => "admin"
        key => "filebeat-node03-httpd-access_log"
        db => 3
        data_type => "list"
    }
}

filter {
    grok {
        match => {"message" => "%{HTTPD_COMBINEDLOG}" }
        remove_field => "message"
    }
    date {
        match => ["timestamp","dd/MMM/YYYY:H:m:s Z"]
        remove_field => "timestamp"
    }
    geoip {
        source => "clientip"
        target => "geoip"
        database => "/etc/logstash/geoip/GeoLite2-City.mmdb"
    }
    mutate {
        rename => ["geoip", "clientipInfo" ]
        remove_field => ["@metadata","prospector","input","beat","host","id","containerized"]
    }
}

output {
#    elasticsearch {
#       hosts => ["http://node01:9200","http://node02:9200"]
#       index => "httpd.log"
#       codec => "rubydebug"
#    }
    stdout { codec => "rubydebug" }
}

[root@node03 ~]# 

  Test the syntax

  Start logstash

  Check whether the logs written to standard output still contain the extra fields generated by filebeat.

  Note: after the data read from redis passes through logstash, the extra fields generated by filebeat are removed; from here on we can store these log entries directly in es.
