官网:https://www.elastic.co
Logstash+Elasticsearch+Kibana 日志系统安装部署
环境
| 类型 | 操作系统 | IP | 软件包 |
|---|---|---|---|
| 服务端 | Centos 6.5 X64 | 192.168.0.100 | JDK1.8、Elasticsearch-2.4.1、Kibana-4.6.1 |
| 客户端 | Centos 6.5 X64 | 192.168.0.101 | JDK1.8、Logstash-2.4.0 |
注:Logstash、Elasticsearch、Kibana运行需要JDK。
JDK安装
#yum install java-1.8.0-openjdk
#cat /opt/logstash-2.4.0/conf/nginx_log.conf
内容如下:
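input {
  # Tail the Nginx access log; every event read from it gets type "nginx_log".
  file {
    type => "nginx_log"
    path => "/opt/nginx/logs/access.log"
  }
}

output {
  # Debug output: pretty-prints every event to stdout.
  stdout { codec => rubydebug }

  # Logstash 2.x renamed the elasticsearch output's `host` option to `hosts`
  # (an array of "host:port" strings); the old `host` setting is rejected at
  # startup, so the 2.4.0 install described on this page needs `hosts`.
  #
  # Events are sent over plain HTTP, and Elasticsearch 2.4.1 has no built-in
  # authentication, so port 9200 on 192.168.0.100 should be firewalled to the
  # hosts that need it (here the Logstash client, 192.168.0.101).
  elasticsearch {
    hosts => ["192.168.0.100:9200"]
  }
}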
创建nginx日志格式配置文件
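注:
path => "/opt/nginx/logs/access.log"    # Nginx日志文件
match => { "message" => "%{NGINXACCESS}" }    # Nginx日志格式,变量%{NGINXACCESS}会自动在/opt/logstash-1.4.2/patterns 目录下查找。
host => "192.168.0.100"    # elasticsearch 服务端IP
port => "9200"    # elasticsearch 服务端端口
(以上 host、port 的写法以及 /opt/logstash-1.4.2 路径看起来沿用自 Logstash 1.4.2;本文环境为 Logstash-2.4.0,其 elasticsearch 输出插件应写成 hosts => ["192.168.0.100:9200"],路径请按实际安装目录调整。)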
#cat /opt/logstash-1.4.2/patterns/nginx
# Custom grok patterns for the Nginx access log.
# NGUSERNAME: character class presumably meant for the user-name fields of a log line.
NGUSERNAME [a-zA-Z\.\@\-\+_%]+
NGUSER %{NGUSERNAME}
# NGINXACCESS captures: remote_addr, time_local, method, request, httpversion,
# status, body_bytes_sent, http_referer, http_user_agent.
# NOTE(review): NGUSERNAME/NGUSER are defined above but not referenced here; the
# two fields after the client address are matched only as the literal "- -".
# A line where Nginx recorded a remote user, or whose request line is not
# "METHOD /path HTTP/x.y" (malformed or probing requests), will not match and
# the event will lack these fields. Grok tags such events _grokparsefailure by
# default; keep and review them rather than dropping them, since they are often
# the requests of most interest to a defender.
NGINXACCESS %{IPORHOST:remote_addr} - - \[%{HTTPDATE:time_local}\] "%{WORD:method} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{INT:status} %{INT:body_bytes_sent} %{QS:http_referer} %{QS:http_user_agent}
#/opt/logstash-2.4.0/bin/logstash -f /opt/logstash-2.4.0/conf/nginx_log.conf > /dev/null 2>&1 &
Logstash 添加IP查询
#gunzip GeoLiteCity.dat.gz
#mv GeoLiteCity.dat /opt/logstash-2.4.0/conf
在/opt/logstash-2.4.0/conf/nginx_log.conf 配置文件filter{} 加入以下内容:
# GeoIP enrichment: looks up the address held in "remote_addr" (the field name
# the NGINXACCESS grok pattern captures the client address under) in the local
# GeoLiteCity database and stores the result under the "geoip" field.
# NOTE(review): if Nginx sits behind a proxy or load balancer, remote_addr is
# presumably the proxy's address, so the location would describe the proxy
# rather than the real client. Confirm against the Nginx log format in use.
geoip {
  source   => "remote_addr"
  target   => "geoip"
  database => "/opt/logstash-2.4.0/conf/GeoLiteCity.dat"
  # Two add_field entries on the same key append longitude, then latitude,
  # building a [lon, lat] pair in [geoip][coordinates].
  add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
  add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}

# The %{...} references above yield strings; convert the pair to floats.
mutate {
  convert => [ "[geoip][coordinates]", "float" ]
}
}
}