Logstash深入收集Java日志
没有修改Json格式
在企业中,我们看到tomcat日志遇到异常(exception)一条日志可能是几行或者十几行甚至几十行,组成的,那么,我们需要将多行日志变成一行日志,来收集。
这里我们有几种方式可以实现:
1.将日志改成Json格式
在企业中,想要将java日志改成json格式,并没有那么容易。
格式不是你想改,想改就能改,让我挣开,让我明白,放手你的爱~~~~
因为将日志改成Json格式,查看起来会很难受,有些开发人员不希望将日志格式改成Json的,所以,在改日志格式之前需要跟开发人员进行沟通,那么将tomcat日志格式改成Json格式也有两种方式。
1)开发自己更改,通过程序代码,或者log4j
2)运维修改tomcat的server配置文件
准备tomcat环境
# 1.安装tomcat
[root@elkstack03 ~]# yum install -y tomcat
# 2.部署tomcat代码
[root@elkstack03 ~]# vim /usr/share/tomcat/webapps/ROOT/index.jsp
test tomcat
# 3.启动tomcat
[root@elkstack03 ~]# systemctl start tomcat
使用Logstash收集java日志
[root@elkstack03 tomcat]# vim /etc/logstash/conf.d/tomcat_file_es.conf
input{
file{
type => "tomcat_access_log"
path => "/var/log/tomcat/localhost_access_log.2022-09-07.txt"
start_position => "beginning"
}
}
output{
elasticsearch{
hosts => ["10.0.0.81:9200"]
index => "%{type}-%{+yyyy.MM.dd}"
}
}
[root@elkstack03 tomcat]# /usr/share/logstash/bin/logstash --path.data=/var/lib/logstash/tomcat_file_es -f /etc/logstash/conf.d/tomcat_file_es.conf &
修改tomcat日志格式为Json
[root@elkstack03 tomcat]# vim /etc/tomcat/server.xml
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="tomcat_access_log" suffix=".log"
pattern="{"clientip":"%h","ClientUser":"%l","authenticated":"%u","AccessTime":"%t","method":"%r","status":"%s","SendBytes":"%b","Query?string":"%q","partner":"%{Referer}i","AgentVersion":"%{User-Agent}i"}"/>
137 <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
138 prefix="localhost_access_log." suffix=".txt"
139 pattern="{"clientip":"%h","ClientUser":"%l","authenticated":"
%u","AccessTime":"%t","method":"%r","status":"%s","SendBytes&
quot;:"%b","Query?string":"%q","partner":"%{Referer}i","AgentVersion":&
quot;%{User-Agent}i"}" />
使用Logstash来解析json格式
vim tomcat_file_es_json.conf
input{
file{
type => "tomcat_access_log_json"
path => "/var/log/tomcat/localhost_access_log.*.txt"
start_position => "end"
}
}
output{
elasticsearch{
hosts => ["10.0.0.81:9200"]
index => "%{type}-%{+yyyy.MM.dd}"
codec => "json"
}
}
[root@elkstack03 tomcat]# /usr/share/logstash/bin/logstash --path.data=/var/lib/logstash/tomcat_access_json -f /etc/logstash/conf.d/tomcat_file_es_json.conf &
还是一坨
解析Json格式
[root@elkstack03 conf.d]# vim tomcat_file_es_json.conf
input{
file{
type => "tomcat_access_log_json"
path => "/var/log/tomcat/localhost_access_log.*.txt"
start_position => "end"
}
}
filter{
json{
source => "message"
}
}
output{
elasticsearch{
hosts => ["10.0.0.81:9200"]
index => "%{type}-%{+yyyy.MM.dd}"
codec => "json"
}
}
删除多余的message字段
[root@elkstack03 conf.d]# vim tomcat_file_es_json.conf
input{
file{
type => "tomcat_access_log_json"
path => "/var/log/tomcat/localhost_access_log.*.txt"
start_position => "end"
}
}
filter{
json{
source => "message"
remove_field => ["message"]
}
}
output{
elasticsearch{
hosts => ["10.0.0.81:9200"]
index => "%{type}-%{+yyyy.MM.dd}"
codec => "json"
}
}
[root@elkstack03 conf.d]# /usr/share/logstash/bin/logstash --path.data=/var/lib/logstash/tomcat_access_json -f /etc/logstash/conf.d/tomcat_file_es_json.conf &
Logstash收集catlina日志(异常错误日志)
[root@elkstack03 conf.d]# vim /etc/logstash/conf.d/catlina_file_es.conf
input{
file{
type => "tomcat_catlina_log"
path => "/var/log/tomcat/catalina.*.log"
start_position => "beginning"
}
}
output{
elasticsearch{
hosts => ["10.0.0.81:9200"]
index => "%{type}-%{+yyyy.MM.dd}"
}
}
[root@elkstack03 conf.d]# /usr/share/logstash/bin/logstash --path.data=/var/lib/logstash/tomcat_catlina/ -f /etc/logstash/conf.d/catlina_file_es.conf &
logstash多行合并
[root@elkstack03 conf.d]# vim /etc/logstash/conf.d/catlina_file_es.conf
input{
file{
type => "tomcat_catlina_log"
path => "/var/log/tomcat/catalina.*.log"
start_position => "beginning"
codec => multiline {
pattern => "^[A-Z]"
negate => true
what => "previous"
}
}
}
output{
elasticsearch{
hosts => ["10.0.0.81:9200"]
index => "%{type}-%{+yyyy.MM.dd}"
}
}
原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/288156.html