1 安裝及配置filebeat

1.1 安裝

文件filebeat-7.15.2-linux-x86_64.tar.gz下載至/opt/src目錄

[root@neiwang ~]# cd /opt/src/
[root@neiwang src]# tar -zxvf filebeat-7.15.2-linux-x86_64.tar.gz -C /opt/
[root@neiwang ~]# cd /opt/
[root@neiwang opt]# mv filebeat-7.15.2-linux-x86_64/ filebeat-7.15.2/

1.2 配置

[root@neiwang ~]# cd /opt/filebeat-7.15.2
[root@neiwang config]# vim filebeat-demo.yml

在filebeat-demo.yml添加如下配置

#用于緩沖要發(fā)布的事件的內(nèi)部隊(duì)列配置
queue:
  #內(nèi)存隊(duì)列
  mem:
    #內(nèi)存隊(duì)列的最大緩沖事件數(shù)
    events: 2048
    #發(fā)布所需的最小事件數(shù)，設(shè)置為0則發(fā)布事件直接輸出，無(wú)需等待
    flush.min_events: 1536
    #達(dá)到flush.min_events的最大等待事件，設(shè)置為0則無(wú)需等待
    flush.timeout: 1s
#設(shè)置可以同時(shí)執(zhí)行的最大CPU數(shù)。默認(rèn)值為系統(tǒng)中可用的邏輯CPU的數(shù)量
max_procs: 1

filebeat.inputs:
#日志輸入
- type: log
  #配置生效
  enabled: true
  #采集日志路徑
  paths:
    - /data/ecms-8030.log
    - /data/ecms-8031.log
  #包含的正則表達(dá)式列表，只采集包含ERROR的記錄
  include_lines: ['ERROR']
  #50k 每個(gè)收割機(jī)獲取文件時(shí)使用的緩沖區(qū)大小
  harvester_buffer_size: 51200
  #10M 單個(gè)日志消息的最大字節(jié)數(shù)，超出部分丟棄
  max_bytes: 10485760
  #掃描頻率，默認(rèn)10秒
  scan_frequency: 10s
  #匹配所有以 [ 開頭的行，并且后面非以 [ 開頭的行將被追加到匹配的那一行。
  #multiline.pattern: '^\['
  #匹配所有以 [xxxx-xx-xx 開頭的行，并且后面非以 [xxxx-xx-xx 開頭的行將被追加到匹配的那一行。
  multiline.pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: after
  #屬性中添加附加信息的可選字段，區(qū)分?jǐn)?shù)據(jù)來(lái)源
  fields:
    type: ecms
    env: prod
  #將自定義字段作為頂級(jí)字段存儲(chǔ)到到輸出文檔中，默認(rèn)false
  fields_under_root: true

#日志輸入
- type: log
  #配置生效
  enabled: true
  #采集日志路徑
  paths:
    - /opt/logstash-7.15.2/logs/logstash-plain.log
  #包含的正則表達(dá)式列表，只采集包含ERROR的記錄
  include_lines: ['ERROR']
  #50k 每個(gè)收割機(jī)獲取文件時(shí)使用的緩沖區(qū)大小
  harvester_buffer_size: 51200
  #10M 單個(gè)日志消息的最大字節(jié)數(shù)，超出部分丟棄
  max_bytes: 10485760
  #掃描頻率，默認(rèn)10秒
  scan_frequency: 10s
  #屬性中添加附加信息的可選字段，區(qū)分?jǐn)?shù)據(jù)來(lái)源
  fields:
    type: logstash
    env: prod
  #將自定義字段作為頂級(jí)字段存儲(chǔ)到到輸出文檔中，默認(rèn)false
  fields_under_root: true

output.logstash:
  hosts: ["127.0.0.1:5044"]

1.3 啟動(dòng)

[root@neiwang ~]# /opt/filebeat-7.15.2/filebeat -e -c /opt/filebeat-7.15.2/filebeat-demo.yml

2 安裝及配置logstash

2.1 安裝

文件logstash-7.15.2-linux-x86_64.tar.gz下載至/opt/src目錄

[root@neiwang ~]# cd /opt/src/
[root@neiwang src]# tar -zxvf logstash-7.15.2-linux-x86_64.tar.gz -C /opt/

2.2 配置

處理Filebeat發(fā)來(lái)的數(shù)據(jù)

[root@neiwang ~]# cd /opt/logstash-7.15.2/config/
[root@neiwang config]# vim logstash-demo.conf

在logstash-demo.conf添加如下配置

input {
  beats {
    port => "5044"
  }
}

filter {
  if [type] == "ecms" {
    #Grok正則捕獲，從非結(jié)構(gòu)化數(shù)據(jù)中派生出結(jié)構(gòu)
    grok {
      match => [
        "message", "\[%{TIMESTAMP_ISO8601:log_date}\] \[%{DATA:thread}\] %{LOGLEVEL:log_level} %{DATA:class} \- %{GREEDYDATA:log_msg}"
      ]
    }
    
    #預(yù)警-數(shù)值統(tǒng)計(jì)
    metrics {
      #定義metrics計(jì)數(shù)器數(shù)據(jù)保存的字段名
      meter => [ "ecms_event_%{log_level}" ]
      #給該metrics添加tag標(biāo)簽，用于區(qū)分metrics
      add_tag => [ "ecms_metric" ]
      #每隔5分鐘統(tǒng)計(jì)一次
      flush_interval => 300
      #每隔5分鐘清空計(jì)數(shù)器
      clear_interval => 300
    }
  
    if "ecms_metric" in [tags] {
      ruby {
        #5分鐘內(nèi)異常日志數(shù)量大于等于1報(bào)警
        path => "/etc/logstash/warning.rb"
        script_params => { "quantity" => 1 }
      }
    }

    mutate {
      remove_field => ["message", "log_msg"]
    }
  }

  if [type] == "logstash" {
    #預(yù)警-數(shù)值統(tǒng)計(jì)
    metrics {
      #定義metrics計(jì)數(shù)器數(shù)據(jù)保存的字段名
      meter => [ "logstash_event_error" ]
      #給該metrics添加tag標(biāo)簽，用于區(qū)分metrics
      add_tag => [ "logstash_metric" ]
      #每隔5分鐘統(tǒng)計(jì)一次
      flush_interval => 300
      #每隔5分鐘（flush_interval + 1秒）清空計(jì)數(shù)器
      clear_interval => 301
      #10秒內(nèi)的message數(shù)據(jù)才統(tǒng)計(jì)，避免延遲
      ignore_older_than => 10
    }
  
    if "logstash_metric" in [tags] {
      ruby {
        #如果日志級(jí)別是ERROR的日志count小于1條，就忽略此事件(即不發(fā)送任何消息)。
        code => 'event.cancel if event.get("[logstash_event_error][count]") < 1'
      }
    }
  }
}

output {
  if "ecms_metric" in [tags] {
    email {
      port           =>    "587"
      address        =>    "smtp-n.global-mail.cn"
      username       =>    "from@qq.com"
      password       =>    "123456"
      use_tls        =>    "true"
      from           =>    "from@qq.com"
      subject        =>    "萬(wàn)古云簽日志報(bào)警-PROD"
      to             =>    "to@qq.com"
      via            =>    "smtp"
      body           =>    "預(yù)警：萬(wàn)古云簽存在ERROR日志，請(qǐng)注意排查！"
    }
  }

  if "logstash_metric" in [tags] {
    email {
      port           =>    "587"
      address        =>    "smtp-n.global-mail.cn"
      username       =>    "from@qq.com"
      password       =>    "123456"
      use_tls        =>    "true"
      from           =>    "from@qq.com"
      subject        =>    "Logstash日志報(bào)警-PROD"
      to             =>    "to@qq.com"
      via            =>    "smtp"
      body           =>    "預(yù)警：Logstash存在ERROR日志，請(qǐng)注意排查！"
    }
  }
  
  if [type] == "ecms" {
    #輸出到Redis
    redis {
      data_type => "list"
      key => "logstash-%{[type]}-%{[env]}-%{+yyyy.MM.dd}"
      host => "127.0.0.1"
      port => 6379
      db => 0
    }
  }

  if [type] == "logstash" {
    #輸出到Redis
    redis {
      data_type => "list"
      key => "logstash-%{[type]}-%{[env]}-%{+yyyy.MM.dd}"
      host => "127.0.0.1"
      port => 6379
      db => 0
    }
  }
}

warning.rb

def register(params)
    @limited_quantity = params["quantity"]
end

def filter(event)
    if event.get("[ecms_event_ERROR][count]") >= @limited_quantity
        return [event]
    else
        return [] # return empty array to cancel event
    end
end

2.3 啟動(dòng)

[root@neiwang ~]# /opt/logstash-7.15.2/bin/logstash -f /opt/logstash-7.15.2/config/logstash-demo.conf

2.4 logback日志格式

<!-- 日志輸出格式 -->
<!--格式化輸出：%d表示日期，%thread表示線程名，%-5level：級(jí)別從左顯示5個(gè)字符寬度%msg：日志消息，%n是換行符-->
<property name="log.pattern" value="[%d{yyyy-MM-dd HH:mm:ss.SSS}] [%thread] %-5level %logger{50} - %msg%n"/>

2.5 grok調(diào)試

1. 安裝并啟動(dòng)elasticsearch&kibana
2. 訪問grok調(diào)試地址
   http://115.28.77.238:5601/app/dev_tools#/grokdebugger

3 supervisor長(zhǎng)期運(yùn)行

在/opt/supervisor/conf/conf.d目錄下增加配置

• logstash配置

[program:logstash]
user=root
directory=/opt/logstash-7.15.2
command=/opt/logstash-7.15.2/bin/logstash -f /opt/logstash-7.15.2/config/logstash-demo.conf
autostart=true
autorestart=true

• filebeat配置

[program:filebeat]
user=root
directory=/opt/filebeat-7.15.2
command=/opt/filebeat-7.15.2/filebeat -c /opt/filebeat-7.15.2/filebeat-demo.yml
autostart=true
autorestart=true

• 常用命令

#加載配置
supervisorctl -c /opt/supervisor/conf/supervisord.conf update
#全部啟動(dòng)
supervisorctl -c /opt/supervisor/conf/supervisord.conf start all
#指定關(guān)閉
supervisorctl -c /opt/supervisor/conf/supervisord.conf stop filebeat
supervisorctl -c /opt/supervisor/conf/supervisord.conf stop logstash
supervisorctl -c /opt/supervisor/conf/supervisord.conf stop all
#指定啟動(dòng)
supervisorctl -c /opt/supervisor/conf/supervisord.conf start logstash
supervisorctl -c /opt/supervisor/conf/supervisord.conf start filebeat
#指定重啟
supervisorctl -c /opt/supervisor/conf/supervisord.conf restart logstash
#查看狀態(tài)
supervisorctl -c /opt/supervisor/conf/supervisord.conf status

4 文獻(xiàn)

elastic stack：https://www.elastic.co/cn/elastic-stack/
beats：https://www.elastic.co/cn/beats/
Filebeat Reference：https://www.elastic.co/guide/en/beats/filebeat/current/index.html
logstash：https://www.elastic.co/cn/logstash/
Logstash Reference：https://www.elastic.co/guide/en/logstash/current/index.html
grok-patterns：https://github.com/elastic/logstash/blob/v1.4.2/patterns/grok-patterns
Logstash 實(shí)用介紹：https://www.elastic.co/cn/blog/a-practical-introduction-to-logstash