ELK-Redis缓存以及日志分流
安装步骤在此不再赘述。
注意点:
-
logstash并不是全部收集完在传输给es集群,而是收集过来一条就传输给es一条,这样一样就减轻了es的压力
-
常规的日志收集方式都是由filebeat收集完直接输出给es集群,如果当后端应用访问量大,产生的日志也特别巨大,这时再由filebeat收集日志直接传输给es,会给es带来特别大的压力,如果es这时挂掉,filebeat依然在收集日志,这时filebeat找不到es集群,则会把收集来的日志丢弃
针对日志量大的问题可以在es集群前面增加redis和logstash,filebeat收集完日志交给redis,由logstash从redis中读取收集来的日志数据传输给es集群,最终在kibana上进行展示
logstash只需要部署一台即可,只是用于将redis收集来的日志传输给es集群
-
由于redis属于缓存数据库,当logstash把数据从redis上取完后,会自动把key删掉
配置filebeat收集日志并自定义redis key:
[root@nginx ~]\# vim /etc/filebeat/filebeat.yml#定义收集什么日志filebeat.inputs:- type: log enabled: true paths: - /var/log/nginx/www_access.log json.keys_under_root: true json.overwrite_keys: true tags: ["nginx-www"]
- type: log enabled: true paths: - /var/log/nginx/bbs_access.log json.keys_under_root: true json.overwrite_keys: true tags: ["nginx-bbs"]
#定义modules模块路径filebeat.config.modules: path: ${path.config}/modules.d/*.yml reload.enabled: false
#指定kibana地址setup.kibana: host: "192.168.81.210:5601"
#定义redis集群地址以及定义索引名output.redis: hosts: ["192.168.81.220:6379"] #key: "nginx-www" keys: - key: "nginx-www" when.contains: tags: "nginx-www" - key: "nginx-bbs" when.contains: tags: "nginx-bbs" db: 0 timeout: 5
setup.template.name: "nginx"setup.template.pattern: "nginx-*"setup.template.enabled: falsesetup.template.overwrite: true
[root@nginx ~]\# systemctl restart filebeatoption2(将所有的日志都存在于同一个key中,只用tag来标识):
这样做的好处是减少工作量,不然每增加一个日志,就得向filebeat中增加一小段配置,不是很方便;
[root@nginx /etc/filebeat]\# vim filebeat.yml#定义收集什么日志filebeat.inputs:- type: log enabled: true paths: - /var/log/nginx/www_access.log json.keys_under_root: true json.overwrite_keys: true tags: ["nginx-www"]
- type: log enabled: true paths: - /var/log/nginx/bbs_access.log json.keys_under_root: true json.overwrite_keys: true tags: ["nginx-bbs"]
#定义redis集群地址以及定义索引名output.redis: hosts: ["192.168.81.220:6379"] key: "nginx-all-key" db: 0 timeout: 5
setup.template.name: "nginx"setup.template.pattern: "nginx-*"setup.template.enabled: falsesetup.template.overwrite: true配置logstash指定不同的索引库:
input { redis { host => "192.168.81.220" port => "6379" db => "0" key => "nginx-www" data_type => "list" }
redis { host => "192.168.81.220" port => "6379" db => "0" key => "nginx-bbs" data_type => "list" }
}
output { if "nginx-www" in [tags] { stdout{} elasticsearch { hosts => "http://192.168.81.210:9200" manage_template => false index => "nginx-www-access-%{+yyyy.MM.dd}" } }
if "nginx-bbs" in [tags] { stdout{} elasticsearch { hosts => "http://192.168.81.210:9200" manage_template => false index => "nginx-bbs-access-%{+yyyy.MM.dd}" } }}option2(只留一个key,同样根据标签不同来创建不同的索引库):
#input { redis { host => "192.168.81.220" port => "6379" db => "0" key => "nginx-all-key" data_type => "list" }}
output { if "nginx-www" in [tags] { stdout{} elasticsearch { hosts => "http://192.168.81.210:9200" manage_template => false index => "nginx-www-access-%{+yyyy.MM.dd}" } }
if "nginx-bbs" in [tags] { stdout{} elasticsearch { hosts => "http://192.168.81.210:9200" manage_template => false index => "nginx-bbs-access-%{+yyyy.MM.dd}" } }
}