ELK之-redis(错误,警告)日志使用filebeat收集

处理redis日志展示

收集redis警告和错误日志即可

filebeat include_lines: ["WARNING","ERROR"] include_lines 一个正则表达式的列表，以匹配您希望Filebeat包含的行。Filebeat仅导出与列表中正则表达式匹配的行。默认情况下，导出所有行。 参考：https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html

kibana展示效果

filebeat安装配置

[root@elk-node01 var]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.6.0-x86_64.rpm [root@elk-node01 var]# yum install filebeat-6.6.0-x86_64.rpm [root@elk-node01 var]# cat /etc/filebeat/filebeat.yml #主要通过log_type来判断 filebeat.prospectors: - input_type: log paths: - /data/wwwlogs/access_nginx.log fields: log_source: nginx log_type: nginx - input_type: log paths: - /var/log/messages fields: log_source: messages log_type: messages - input_type: log paths: - /usr/local/redis/var/redis.log include_lines: ["WARNING","ERROR"] fields: log_source: redis log_type: redis output.redis: hosts: ["127.0.0.1:6379"] key: "defaul_list" db: 5 timeout: 5 

logstash配置

 input { redis { key => "defaul_list" data_type => "list" db => "5" host => "127.0.0.1" port => "6379" threads => "5" codec => "json" } } filter { if [fields][log_type] == "redis" { grok { patterns_dir => "/data/elk-services/logstash/patterns.d" match => { "message" => "%{REDISLOG}" } } mutate { gsub => [ "loglevel", "\.", "debug", "loglevel", "\-", "verbose", "loglevel", "\*", "notice", "loglevel", "\#", "warring", "role","X","sentinel", "role","C","RDB/AOF writing child", "role","S","slave", "role","M","master" ] } date { match => [ "timestamp" , "dd MMM HH:mm:ss.SSS" ] target => "@timestamp" remove_field => [ "timestamp" ] } } if [fields][log_type] == "nginx" { grok { patterns_dir => [ "/data/elk-services/logstash/patterns.d" ] match => { "message" => "%{NGINXACCESS}" } overwrite => [ "message" ] } geoip { source => "clent_ip" target => "geoip" database => "/data/soft/GeoLite2-City_20190409/GeoLite2-City.mmdb" } useragent { source => "User_Agent" target => "userAgent" } urldecode { all_fields => true } mutate { gsub => ["User_Agent","[\"]",""] #将user_agent中的 " 换成空 convert => [ "response","integer" ] convert => [ "body_bytes_sent","integer" ] convert => [ "bytes_sent","integer" ] convert => [ "upstream_response_time","float" ] convert => [ "upstream_status","integer" ] convert => [ "request_time","float" ] convert => [ "port","integer" ] } date { match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ] } } } output { if [fields][log_type] == "redis" { elasticsearch { hosts => ["192.168.1.252:9200"] index => "252-redis-%{+YYYY.MM.dd}" action => "index" } } if [fields][log_type] == "nginx" { elasticsearch { hosts => ["192.168.1.252:9200"] index => "252-nginx-%{+YYYY.MM.dd}" action => "index" } } }

查看nginx和redis的patterns

[root@elk-node01 var]# cat /data/elk-services/logstash/patterns.d/redis EDISTIMESTAMP %{MONTHDAY} %{MONTH} %{TIME} REDISLOG %{POSINT:pid}\:%{WORD:role} %{REDISTIMESTAMP:timestamp} %{DATA:loglevel} %{GREEDYDATA:msg} [root@elk-node01 var]# cat /data/elk-services/logstash/patterns.d/nginx NGUSERNAME [a-zA-Z\.\@\-\+_%]+ NGUSER %{NGUSERNAME} NGINXACCESS %{IP:clent_ip} (?:-|%{USER:ident}) \[%{HTTPDATE:log_date}\] \"%{WORD:http_verb} (?:%{PATH:baseurl}\?%{NOTSPACE:params}(?: HTTP/%{NUMBER:http_version})?|%{DATA:raw_http_request})\" (%{IPORHOST:url_domain}|%{URIHOST:ur_domain}|-)\[(%{BASE16FLOAT:request_time}|-)\] %{NOTSPACE:request_body} %{QS:referrer_rul} %{GREEDYDATA:User_Agent} \[%{GREEDYDATA:ssl_protocol}\] \[(?:%{GREEDYDATA:ssl_cipher}|-)\]\[%{NUMBER:time_duration}\] \[%{NUMBER:http_status_code}\] \[(%{BASE10NUM:upstream_status}|-)\] \[(%{NUMBER:upstream_response_time}|-)\] \[(%{URIHOST:upstream_addr}|-)\]

nginx的配置参考：https://blog.51cto.com/9025736/2377352

启动检查数据

[root@elk-node01 config]# /etc/init.d/filebeat restart Restarting filebeat (via systemctl): [ OK ] [root@elk-node01 config]# ../bin/logstash -f filebeat-nginx-redis.yml