linuxea:ELK5.5-redis日志grok处理(filebeat)


收集notice的log日志,日志中有很多信息,常规的收集一些报错信息即可,所以就在收集时候做了控制,只收集错误日志和警告日志

include_lines: ["WARNING","ERR"]

include_lines 一个正则表达式的列表,以匹配您希望Filebeat包含的行。Filebeat仅导出与列表中正则表达式匹配的行。默认情况下,导出所有行。
exclude_files 一个正则表达式的列表,以匹配您想要Filebeat忽略的文件。默认情况下不排除文件
参考:https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html
多行参考:https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html#multiline

I. 日志示例

1:M 08 Sep 11:42:43.806 # Server started, Redis version 3.2.9
1:M 08 Sep 11:41:44.806 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
1:M 08 Sep 11:12:32.806 # WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
1:M 08 Sep 11:12:32.822 * DB loaded from disk: 0.016 seconds
1:M 08 Sep 11:12:32.822 * The server is now ready to accept connections on port 6379
                _._                                                  
           _.-``__ ''-._                                             
      _.-``    `.  `_.  ''-._           Redis 3.2.9 (00000000/0) 64 bit
  .-`` .-```.  ```\/    _.,_ ''-._                                   
 (    '      ,       .-`  | `,    )     Running in standalone mode
 |`-._`-...-` __...-.``-._|'` _.-'|     Port: 6379
 |    `-._   `._    /     _.-'    |     PID: 1
  `-._    `-._  `-./  _.-'    _.-'                                   
 |`-._`-._    `-.__.-'    _.-'_.-'|                                  
 |    `-._`-._        _.-'_.-'    |           http://redis.io        
  `-._    `-._`-.__.-'_.-'    _.-'                                   
 |`-._`-._    `-.__.-'    _.-'_.-'|                                  
 |    `-._`-._        _.-'_.-'    |                                  
  `-._    `-._`-.__.-'_.-'    _.-'                                   
      `-._    `-.__.-'    _.-'                                       
          `-._        _.-'                                           
              `-.__.-'    
1:M 08 Sep 11:40:45.806 # ERROR 123

最终收集的效果如下:
ERR

WARNING

II. 安装redis

curl -Lks4 https://raw.githubusercontent.com/LinuxEA-Mark/docker-alpine-Redis/master/Sentinel/install_redis.sh|bash

III. redis日志配置

loglevel notice
logfile "/data/logs/redis_6379.log"

配置文件示例:

[root@linuxea.com-Node98 /data/rds]# cat /etc/redis/redis.conf
bind 0.0.0.0
protected-mode yes
port 6379
tcp-backlog 511
timeout 0
tcp-keepalive 300
daemonize no
supervised no
pidfile "/var/run/redis_6379.pid"
loglevel notice
logfile "/data/logs/redis_6379.log"
databases 8
save 900 1
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename "dump.rdb"
dir "/data/redis"
slave-serve-stale-data yes
slave-read-only yes
repl-diskless-sync no
repl-diskless-sync-delay 5
repl-disable-tcp-nodelay no
slave-priority 100
appendonly no
appendfilename "appendonly.aof"
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-load-truncated yes
lua-time-limit 5000
slowlog-log-slower-than 100
slowlog-max-len 1000
latency-monitor-threshold 0
notify-keyspace-events ""
hash-max-ziplist-entries 512
hash-max-ziplist-value 64
list-max-ziplist-size -2
list-compress-depth 0
set-max-intset-entries 512
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
hll-sparse-max-bytes 3000
activerehashing yes
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit slave 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
hz 10
aof-rewrite-incremental-fsync yes

masterauth "OTdmOWI4ZTM4NTY1M2M4OTZh"
requirepass "OTdmOWI4ZTM4NTY1M2M4OTZh"
# Generated by CONFIG REWRITE
#slaveof 172.25. 6379

IV. filebeat配置

[root@linuxea.com-Node117 /data/logs]# cat /etc/filebeat/filebeat.yml 
filebeat.prospectors:
 - input_type: log
   paths:
    - /data/logs/access_nginx.log
   document_type: nginx-access-117
 - input_type: log
   paths:
    - /data/logs/slow_log.CSV
   document_type: mysql-slow-117
 - input_type: log
   paths:
    - /data/logs/redis_6379.log
   document_type: redis-6379-117
   include_lines: ["WARNING","ERR"]
output.redis:
  hosts: ["10.10.0.98"]
  password: "OTdmOWI4ZTM4NTY1M2M4OTZh"
  key: "default_list"
  db: 5
  timeout: 5
  keys:
    - key: "%{[type]}"
      mapping:
      "nginx-access-117": "nginx-access-117"
      "mysql-slow-117" : "mysql-slow-117"
      "redis-6379-117" : "redis-6379-117"

V. logstash配置

patterns

[root@linuxea.com-Node49 /etc/logstash/patterns.d]# cat redis 
REDISTIMESTAMP %{MONTHDAY} %{MONTH} %{TIME}
REDISLOG %{POSINT:pid}\:%{WORD:role} %{REDISTIMESTAMP:timestamp} %{DATA:loglevel} %{GREEDYDATA:msg}

logstash配置文件
input

   redis {
        host => "10.10.0.98"
        port => "6379"
        key => "redis-6379-117"
        data_type => "list"
        password => "OTdmOWI4ZTM4NTY1M2M4OTZh"
        threads => "5"
        db => "5"
      }

filter

    if [type] == "redis-6379-117" {
     grok {
      patterns_dir => "/etc/logstash/patterns.d"
      match => { "message" => "%{REDISLOG}" }
    }
    mutate {
      gsub => [
       "loglevel", "\.", "debug",
       "loglevel", "\-", "verbose",
       "loglevel", "\*", "notice",
       "loglevel", "\#", "warring",
       "role","X","sentinel",
       "role","C","RDB/AOF writing child",
       "role","S","slave",
       "role","M","master"
      ]
    }
    date {
       match => [ "timestamp" , "dd MMM HH:mm:ss.SSS" ]
       target => "@timestamp"
       remove_field => [ "timestamp" ]
    }
  }

output

   if [type] == "redis-6379-117" {
   elasticsearch {
       hosts => ["10.0.1.49:9200"]
       index => "logstash-redis-6379-117-%{+YYYY.MM.dd}"
       user => "elastic"
       password => "linuxea"
   }
0 分享

您可以选择一种方式赞助本站

支付宝扫码赞助

支付宝扫码赞助

日期: 2017-09-10分类: ELK Stack

标签: elk

发表评论