引言
在前面的博客中,我们知道在Linux下如何搭建ELK(ElasticSearch+Logstash+Kibana)以及它们的使用,如有兴趣的同学,可以参考下。
安装教程:
- 《分布式系列教程(27) -Linux环境下安装Elasticsearch》
- 《分布式系列教程(37) -Linux下搭建ElasticSearch集群》
- 《分布式系列教程(28) -Linux环境安装Kibana》
- 《分布式系列教程(40) -Linux下安装Logstash》
使用教程:
- 《分布式系列教程(29) -Kibana实现增删改查》
- 《分布式系列教程(32) -ElasticSearch条件查询》
- 《分布式系列教程(33) -ElasticSearch DSL语言查询与过滤》
- 《分布式系列教程(41) -Logtash的简单使用》
前面讲的都是ELK每个模块单独使用的,本文主要讲解三者是如何联合使用。
ELK配置使用流程
首先确保ELK已经成功的安装在Linux服务器上了。
1.配置Logstash,把ElasticSearch的日志POST到ElasticSearch服务器存储。在Logstash配置目录下新建文件myeslog.conf
cd /usr/local/logstash-6.4.3/config/
vi myeslog.conf
2.配置内容如下:
input {
# 从文件读取日志信息 输送到控制台
file {
path => "/usr/local/elasticsearch-6.4.3/logs/myes.log"
codec => "json" ## 以JSON格式读取日志
type => "elasticsearch"
start_position => "beginning"
}
}
# filter {
#
# }
output {
# 标准输出
# stdout {}
# 输出进行格式化,采用Ruby库来解析日志
stdout { codec => rubydebug }
elasticsearch {
hosts => ["192.168.162.131:9200"]
index => "es-%{+YYYY.MM.dd}"
}
}
3.先切换至用户账号,启动ES:
su ylw
/usr/local/elasticsearch-6.4.3/bin/elasticsearch
4.启动Logstash,这里前台启动,方便看控制台输出日志(-f表示前台启动,启动有点慢):
cd /usr/local/logstash-6.4.3/bin/
./logstash -f ../config/myeslog.conf
5.启动Kibana
cd /usr/local/kibana-6.4.3-linux-x86_64/bin/
./kibana
6.浏览器输入:http://192.168.162.131:5601/,在控制台输入es,会弹出提示,显示获取今天打印的日志:
7.查询所有日志,可以看出把日志都查询出来了,总共55条:
GET /es-2019.12.19/_search
8.也可以模糊查询,查询message里面含有Ov3Qy5c字符串的日志:
GET /es-2019.12.19/_search
{
"from": 0,
"size": 3,
"query": {
"match": {
"message": "Ov3Qy5c"
}
}
}
返回:
{
"took": 17,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"skipped": 0,
"failed": 0
},
"hits": {
"total": 50,
"max_score": 0.34676385,
"hits": [
{
"_index": "es-2019.12.19",
"_type": "doc",
"_id": "fYDDHW8BMgxCikmkzC2N",
"_score": 0.34676385,
"_source": {
"@timestamp": "2019-12-19T10:46:04.605Z",
"path": "/usr/local/elasticsearch-6.4.3/logs/myes.log",
"type": "elasticsearch",
"host": "localhost.localdomain",
"message": "[2019-12-19T18:42:21,780][INFO ][o.e.p.PluginsService ] [Ov3Qy5c] loaded module [mapper-extras]",
"@version": "1",
"tags": [
"_jsonparsefailure"
]
}
},
{
"_index": "es-2019.12.19",
"_type": "doc",
"_id": "foDDHW8BMgxCikmkzC2N",
"_score": 0.34676385,
"_source": {
"@timestamp": "2019-12-19T10:46:04.607Z",
"path": "/usr/local/elasticsearch-6.4.3/logs/myes.log",
"type": "elasticsearch",
"host": "localhost.localdomain",
"message": "[2019-12-19T18:42:21,794][INFO ][o.e.p.PluginsService ] [Ov3Qy5c] loaded module [parent-join]",
"@version": "1",
"tags": [
"_jsonparsefailure"
]
}
},
{
"_index": "es-2019.12.19",
"_type": "doc",
"_id": "kIDDHW8BMgxCikmkzC2N",
"_score": 0.34676385,
"_source": {
"@timestamp": "2019-12-19T10:46:04.812Z",
"path": "/usr/local/elasticsearch-6.4.3/logs/myes.log",
"type": "elasticsearch",
"host": "localhost.localdomain",
"message": "[2019-12-19T18:42:21,796][INFO ][o.e.p.PluginsService ] [Ov3Qy5c] loaded plugin [analysis-ik]",
"@version": "1",
"tags": [
"_jsonparsefailure"
]
}
}
]
}
}
可以看出返回了两条数据!
9.也可以查询时间戳为2019-12-19T10:46:04.812Z的日志
GET /es-2019.12.19/_search
{
"from": 0,
"size": 3,
"query": {
"match": {
"@timestamp": "2019-12-19T10:46:04.812Z"
}
}
}
返回一条日志:
10.同时,也可以可视化查询
