Collecting MySQL slow logs with Logstash and converting them to JSON

Environment


Server: 1 host
OS: CentOS 7.4
JDK: 1.8
MariaDB: 5.5.6


Collection approach

Software        Purpose
mariadb         slow query log enabled so there is something to test with
filebeat        collects the log file and ships it to logstash
logstash        converts the log entries to JSON and sends them to elasticsearch
elasticsearch   indexes the log so kibana can display it
kibana          displays the indexes in the web UI and provides visual management


Installation and configuration

1. Install the database and set up the test environment


    1.1 Install the database

[root@mode-01-0005 logstash]# yum -y install mariadb-server

    1.2 Enable the slow query log

[root@mode-01-0005 ~]# cat /etc/my.cnf |egrep -v "^#|^$"
slow_query_log                    ## enable the slow query log
long_query_time=2              ## threshold in seconds
slow_query_log_file=/var/log/mariadb/web-slow.log  ## path of the slow log file

Restart the database after saving the configuration.

    1.3 Generate a data file and load it into a test database

[root@mode-01-0005 ~]#  seq 1 19999999 > /tmp/big

MariaDB [(none)]> create database db1;
MariaDB [(none)]> use db1
MariaDB [db1]> create table t1 (id int(10)not null)engine=innodb;
MariaDB [db1]> load data local infile '/tmp/big' into table t1;
MariaDB [db1]> select * from t1 where id=10;

Check that a slow-log entry was written

MariaDB [db1]> select * from t1 where id=10;
+----+
| id |
+----+
| 10 |
+----+
1 row in set (5.09 sec)
[root@mode-01-0005 ~]# tailf -100 /var/log/mariadb/web-slow.log 
# Time: 181222 19:02:15
# User@Host: root[root] @ localhost []
# Thread_id: 13  Schema: db1  QC_hit: No
# Query_time: 5.091030  Lock_time: 0.000055  Rows_sent: 1  Rows_examined: 19999999
SET timestamp=1545476535;
select * from t1 where id=10;

2. filebeat + ELK configuration and testing

    2.1 yum repository configuration:

[root@mode-01-0005 ~]# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
[root@mode-01-0005 yum.repos.d]# cat elk.repo 
[elastic-6.x]
name=Elastic repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

    2.2 Install filebeat, elasticsearch, logstash and kibana

[root@mode-01-0005 yum.repos.d]# yum -y install filebeat elasticsearch logstash kibana
[root@mode-01-0005 yum.repos.d]# systemctl daemon-reload ## reload the unit files
[root@mode-01-0005 yum.repos.d]# systemctl enable elasticsearch.service
[root@mode-01-0005 yum.repos.d]# systemctl enable kibana
[root@mode-01-0005 yum.repos.d]# systemctl enable elasticsearch.service
[root@mode-01-0005 yum.repos.d]# systemctl enable filebeat

        2.2.1 Set up the Java environment; download the JDK 1.8 package

[root@mode-01-0005 local]# tar fx jdk-8u161-linux-x64.tar.gz
[root@mode-01-0005 local]# mv jdk1.8.0_161 jdk1.8
[root@mode-01-0005 local]# tail -5 /etc/profile
export JAVA_HOME=/usr/java/jdk1.8
export JRE_HOME=/usr/java/jdk1.8/jre
export CLASSPATH=.:$JAVA_HOME/lib:$JRE_HOME/lib:
export PATH=$JAVA_HOME/bin:$JRE_HOME/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
[root@mode-01-0005 local]# source /etc/profile
[root@mode-01-0005 local]# java -version
java version "1.8.0_161"
Java(TM) SE Runtime Environment (build 1.8.0_161-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12, mixed mode)

elasticsearch depends on Java: on startup it checks for a java command under /usr/bin, and a Java version that is too new also prevents it from starting.

Note: if `java -version` reports that the command is not found, use ln to symlink jdk1.8/bin/java into /usr/bin and check the version again.

2.3 Configure filebeat

#=========================== Filebeat inputs =============================
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/mariadb/web-slow.log
  multiline.pattern: "^# User@Host:"
  multiline.negate: true 
  multiline.match: after

• multiline.pattern: a regular expression that selects the lines to match.

• multiline.negate: true or false (default false). It decides which lines are merged into the previous line: with true, as used here, every line that does not match the pattern is merged onto the most recent line that the pattern did match, so one slow-log entry becomes one event; false does not merge them.

• multiline.match: after or before; whether the content being merged is appended to the end or prepended to the beginning of the previous line.

#================================ Outputs =====================================
#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["server_ip:5044"]

Note: the Elasticsearch output must be commented out so that the Logstash output takes effect; filebeat allows only one output to be enabled at a time.

Start filebeat and check that it comes up cleanly

[root@mode-01-0005 ~]# systemctl restart filebeat

    2.4 Configure logstash

        2.4.1 Test the filebeat configuration

[root@mode-01-0005 ~]# cp /etc/logstash/logstash-sample.conf conf.d/logstash_slow.conf
[root@mode-01-0005 ~]# cat /etc/logstash/conf.d/logstash_slow.conf 
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
  beats {
    port => 5044
  }
}
output {
  elasticsearch {
    hosts => ["http://10.16.0.15:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    #user => "elastic"
    #password => "changeme"
  }
  stdout {
    codec => rubydebug      ## also print every event to the screen; an interactive way to check that the collection configuration is correct
  }
}

        2.4.2 Start logstash

[root@mode-01-0005 ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash_slow.conf   ## -f: path of the configuration file

        2.4.3 Collection test

MariaDB [db1]> select * from t1 where id=10;
+----+
| id |
+----+
| 10 |
+----+
1 row in set (5.09 sec)

Look at the logstash output: in the message field the whole slow-log entry has been combined into one line, which shows that filebeat's multiline handling is working:

"message" => "# User@Host: root[root] @ localhost []\n# Thread_id: 14  Schema: db1  QC_hit: No\n# Query_time: 5.092556  Lock_time: 0.000057  Rows_sent: 1  Rows_examined: 19999999\nSET timestamp=1545485471;\nselect * from t1 where id=10;",

2.4.4 Converting the message field to JSON

[root@mode-01-0005 ~]# cat /etc/logstash/conf.d/logstash_slow.conf 
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
  beats {
    port => 5044
  }
}
filter {
  ## grok: use a regular expression to extract the fields that become JSON
  grok {
    match => [ "message", "(?m)^# User@Host: %{USER:query_user}\[[^\]]+\] @ (?:(?<query_host>\S*) )?\[(?:%{IP:query_ip})?\]\s# Thread_id:\s+%{NUMBER:thread_id:int}\s+Schema: %{USER:schema}\s+QC_hit: %{WORD:QC_hit}\s*# Query_time: %{NUMBER:query_time:float}\s+Lock_time: %{NUMBER:lock_time:float}\s+Rows_sent: %{NUMBER:rows_sent:int}\s+Rows_examined: %{NUMBER:rows_examined:int}\s*(?:use %{DATA:database};\s*)?SET timestamp=%{NUMBER:timestamp};\s*(?<query>(?<action>\w+)\s+.*)" ]
  }
  ## match the Time line in message and tag the event for dropping
  grok {
    match => { "message" => "# Time: " }
    add_tag => [ "drop" ]
    tag_on_failure => []
  }
  ## drop the tagged events
  if "drop" in [tags] {
    drop {}
  }
  ## event time: read it from the timestamp field that the grok above extracts
  ## (the SET timestamp value, a UNIX epoch). The field name must be one grok
  ## actually sets; a name that is never set leaves @timestamp at ingest time.
  date {
    match => ["timestamp", "UNIX"]
    target => "@timestamp"
    timezone => "Asia/Shanghai"
  }
  ruby {
    code => "event.set('[@metadata][today]', Time.at(event.get('@timestamp').to_i).localtime.strftime('%Y.%m.%d'))"
  }
  ## remove the raw message field
  mutate {
    remove_field => [ "message" ]
  }
}
output {
  elasticsearch {
    hosts => ["http://10.16.0.15:9200"]
    ## name of the index written to elasticsearch
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    #user => "elastic"
    #password => "changeme"
  }
  #stdout {
  #  codec => rubydebug
  #}
}
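To check the multiline settings from section 2.3 and the grok, drop, date and mutate chain above without a running filebeat and logstash, the following Python script, added here as an example and not taken from the page or from the Elastic projects, emulates both stages over a constructed slow-log sample: it groups raw lines the way `multiline.negate: true` / `multiline.match: after` does, then parses each event with a hand translation of the grok expression (the grok patterns USER, NUMBER, WORD, IP and DATA are approximated with plain character classes; IP covers IPv4 only), casts the numeric fields, and derives a UTC `@timestamp` from the `SET timestamp` value. The sample log text, the second entry in it, and the function names are all invented for this example. One difference from the page's filter is deliberate: a `# Time:` header that arrives before the next `# User@Host:` line is appended to the previous event by the multiline reader, and tagging that event for `drop` would lose the query, so the script strips `# Time:` lines and only discards events that contain nothing else.

```python
import datetime
import json
import re

# Constructed sample input, shaped like the MariaDB slow-log entries on the
# page; the second entry is made up to exercise the remote-host, "use db"
# and non-select cases.
SAMPLE_SLOW_LOG = """\
# Time: 181222 19:02:15
# User@Host: root[root] @ localhost []
# Thread_id: 13  Schema: db1  QC_hit: No
# Query_time: 5.091030  Lock_time: 0.000055  Rows_sent: 1  Rows_examined: 19999999
SET timestamp=1545476535;
select * from t1 where id=10;
# User@Host: app[app] @  [10.16.0.20]
# Thread_id: 21  Schema: db1  QC_hit: No
# Query_time: 2.500000  Lock_time: 0.000100  Rows_sent: 0  Rows_examined: 19999999
use db1;
SET timestamp=1545476600;
delete from t1 where id=20;
"""

# filebeat: multiline.pattern "^# User@Host:", negate: true, match: after
MULTILINE_PATTERN = re.compile(r"^# User@Host:")

# Hand translation of the page's grok expression into Python regex syntax
# (USER/NUMBER/WORD/IP/DATA approximated; IP is IPv4 only).
SLOWLOG_RE = re.compile(
    r"^# User@Host: (?P<query_user>[a-zA-Z0-9._-]+)\[[^\]]+\] @ "
    r"(?:(?P<query_host>\S*) )?\[(?P<query_ip>(?:\d{1,3}\.){3}\d{1,3})?\]\s"
    r"# Thread_id:\s+(?P<thread_id>\d+)\s+Schema: (?P<schema>[a-zA-Z0-9._-]+)\s+"
    r"QC_hit: (?P<QC_hit>\w+)\s*"
    r"# Query_time: (?P<query_time>[0-9.]+)\s+Lock_time: (?P<lock_time>[0-9.]+)\s+"
    r"Rows_sent: (?P<rows_sent>\d+)\s+Rows_examined: (?P<rows_examined>\d+)\s*"
    r"(?:use (?P<database>.*?);\s*)?SET timestamp=(?P<timestamp>\d+);\s*"
    r"(?P<query>(?P<action>\w+)\s+.*)",
    re.DOTALL,
)


def group_multiline(text):
    """Emulate filebeat multiline with negate: true, match: after: the first
    line opens an event, each later matching line opens a new one, and every
    non-matching line is appended to the current event."""
    events, current = [], []
    for line in text.splitlines():
        if MULTILINE_PATTERN.search(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def event_to_doc(message):
    """Filter chain for one event: None for an event that is only a '# Time:'
    header (dropped), a _grokparsefailure-tagged document when the entry does
    not match, otherwise the parsed fields with casts and a UTC @timestamp."""
    # Strip '# Time:' lines rather than dropping the whole event, so a header
    # appended to the previous query by the multiline reader costs no data.
    lines = [ln for ln in message.splitlines() if not ln.startswith("# Time: ")]
    if not lines:
        return None
    m = SLOWLOG_RE.match("\n".join(lines))
    if m is None:
        return {"tags": ["_grokparsefailure"], "message": message}
    doc = m.groupdict()
    for key in ("thread_id", "rows_sent", "rows_examined"):
        doc[key] = int(doc[key])
    for key in ("query_time", "lock_time"):
        doc[key] = float(doc[key])
    # SET timestamp is a UNIX epoch, so it is absolute; no timezone is needed.
    epoch = int(doc["timestamp"])
    doc["@timestamp"] = datetime.datetime.fromtimestamp(
        epoch, datetime.timezone.utc
    ).isoformat()
    return doc


def process_slow_log(text):
    """Whole pipeline: multiline grouping, then parsing; dropped events are omitted."""
    docs = []
    for event in group_multiline(text):
        doc = event_to_doc(event)
        if doc is not None:
            docs.append(doc)
    return docs


if __name__ == "__main__":
    for doc in process_slow_log(SAMPLE_SLOW_LOG):
        print(json.dumps(doc, indent=2))
```

Running the script prints one JSON document per query with the same field names the page's grok produces (`query_user`, `thread_id`, `rows_examined`, `action`, and so on), which makes it a quick place to try regex changes when logstash reports `_grokparsefailure` before editing the pipeline file.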

2.4.5 Start logstash and test the configuration

[root@mode-01-0005 ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash_slow.conf
MariaDB [db1]> select * from t1 where id=20;
+----+
| id |
+----+
| 20 |
+----+
1 row in set (5.08 sec)

logstash output

{
       "query_user" => "root",
            "query" => "select * from t1 where id=20;",
    "rows_examined" => 19999999,
        "thread_id" => 14,
           "offset" => 510,
       "prospector" => {
        "type" => "log"
    },
        "rows_sent" => 1,
           "QC_hit" => "No",
            "input" => {
        "type" => "log"
    },
             "host" => {
                   "id" => "fd73dfefb69a4e4183fd3f86ccc29526",
         "architecture" => "x86_64",
        "containerized" => true,
                   "os" => {
            "platform" => "centos",
            "codename" => "Core",
             "version" => "7 (Core)",
              "family" => "redhat"
        },
                 "name" => "mode-01-0005.novalocal"
    },
             "meta" => {
        "cloud" => {
                "instance_name" => "mode-01-0005.novalocal",
                  "instance_id" => "i-002e3ff6",
            "availability_zone" => "cn-north-1a",
                 "machine_type" => "c3.xlarge.2",
                     "provider" => "openstack"
        }
    },
              "log" => {
        "flags" => [
            [0] "multiline"
        ]
    },
           "schema" => "db1",
        "timestamp" => "1545486467",
        "lock_time" => 4.7e-05,
           "source" => "/var/log/mariadb/web-slow.log",
       "query_host" => "localhost",
       "@timestamp" => 2018-12-22T13:47:56.165Z,
       "query_time" => 5.085401,
         "@version" => "1",
             "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
           "action" => "select",
             "beat" => {
        "hostname" => "mode-01-0005.novalocal",
         "version" => "6.5.4",
            "name" => "mode-01-0005.novalocal"
    }
}

Note: if "_grokparsefailure" appears in tags, adjust the grok expression until the entries match.

Once collection works, comment out logstash's stdout output and start logstash in the background with nohup ... &.

2.5 Configure elasticsearch

[root@mode-01-0005 ~]# cat /etc/elasticsearch/elasticsearch.yml | egrep -v "^$|^#"
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 10.16.0.15
http.port: 9200

Start elasticsearch

[root@mode-01-0005 ~]# systemctl restart elasticsearch

Send the data through logstash once more and check whether elasticsearch has received the index.

A filebeat index in the output means it succeeded:

[root@mode-01-0005 ~]# curl http://10.16.0.15:9200/_cat/indices
green  open .kibana_1                 gP6vi3f8Q6WgspSrA7f7KQ 1 0 4 0 21.2kb 21.2kb
yellow open filebeat-6.5.4-2018.12.22 MCLaTgk2Tb6G3rmmuNCQIQ 5 1 7 0  121kb  121kb

2.6 Configure kibana

[root@mode-01-0005 ~]# cat /etc/kibana/kibana.yml | egrep -v "^$|^#"
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: "http://10.16.0.15:9200"

Start kibana

[root@mode-01-0005 ~]# systemctl restart kibana


Index patterns and visualizations can then be configured from the web UI at ip:port. Note that server.host: "0.0.0.0" binds Kibana on every interface, and neither Kibana nor Elasticsearch has authentication enabled in this setup (the user/password lines in the logstash output stay commented out), so restrict access to ports 5601 and 9200 at the network level.



Reposted from blog.51cto.com/13944252/2334170