• Post author:
  • Post category:Logstash
  • Post comments:0评论
Like
Like Love Haha Wow Sad Angry

以下 ELK 版本为7.10。
修改tomcat日志格式:

[root@web01 ~]# vim /etc/tomcat/server.xml 
......
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="{"clientip":"%h","ClientUser":"%l","authenticated":"%u","AccessTime":"%t","method":"%r","status":"%s","SendBytes":"%b","Query?string":"%q","partner":"%{Referer}i","AgentVersion":"%{User-Agent}i"}"/>
......

测试查看日志:

[root@web01 ~]# systemctl restart tomcat
[root@web01 ~]# curl 10.0.0.8:8080
[root@web01 ~]# tail -n2 /var/log/tomcat/localhost_access_log.2020-12-11.txt 
10.0.0.8 - - [11/Dec/2020:17:27:34 +0800] "GET / HTTP/1.1" 200 5
{"clientip":"10.0.0.8","ClientUser":"-","authenticated":"-","AccessTime":"[11/Dec/2020:17:39:20 +0800]","method":"GET / HTTP/1.1","status":"200","SendBytes":"5","Query?string":"","partner":"-","AgentVersion":"curl/7.29.0"}

logstash收集:

[root@elkstack03 conf.d]# vim tomcat_es.yml
input {
  file {
    path => "/var/log/tomcat/localhost_access_log.2020-12-11.txt "
    start_position => "end"
    type => "tomcat_access"
    codec => json
  }
}
output {
  elasticsearch {
    hosts => "10.0.0.5:9200"
    index => "tomcat_access-%{+YYYY.MM.dd}"
  }
}

[root@web01 logstash]# logstash -f tomcat_es.yml -t
[root@web01 logstash]# logstash -f tomcat_es.yml &

使用Kibana查看Elasticsearch索引是否创建成功:

将索引添加到Kibana中展示查看:



Like
Like Love Haha Wow Sad Angry

发表评论