以下 ELK 版本为7.10。
修改tomcat日志格式:
[root@web01 ~]# vim /etc/tomcat/server.xml
......
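<!-- Access log written as one JSON object per line so Logstash can read it
     with codec => json. Inside an XML attribute the inner double quotes must
     be escaped as &quot; - the unescaped form is not well-formed XML and
     Tomcat will fail to parse server.xml. -->
<!-- Caveat: AccessLogValve substitutes %r, %{Referer}i and %{User-Agent}i
     verbatim. Those values are client-supplied and are not JSON-escaped, so
     a request carrying a double quote or backslash in them produces a line
     that is not valid JSON (Logstash tags such events _jsonparsefailure).
     Where the running Tomcat version provides
     org.apache.catalina.valves.JsonAccessLogValve, prefer it: it escapes
     field values itself. -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="localhost_access_log." suffix=".txt"
       pattern="{&quot;clientip&quot;:&quot;%h&quot;,&quot;ClientUser&quot;:&quot;%l&quot;,&quot;authenticated&quot;:&quot;%u&quot;,&quot;AccessTime&quot;:&quot;%t&quot;,&quot;method&quot;:&quot;%r&quot;,&quot;status&quot;:&quot;%s&quot;,&quot;SendBytes&quot;:&quot;%b&quot;,&quot;Query?string&quot;:&quot;%q&quot;,&quot;partner&quot;:&quot;%{Referer}i&quot;,&quot;AgentVersion&quot;:&quot;%{User-Agent}i&quot;}"/>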
......
测试查看日志:
[root@web01 ~]# systemctl restart tomcat
[root@web01 ~]# curl 10.0.0.8:8080
[root@web01 ~]# tail -n2 /var/log/tomcat/localhost_access_log.2020-12-11.txt
10.0.0.8 - - [11/Dec/2020:17:27:34 +0800] "GET / HTTP/1.1" 200 5
{"clientip":"10.0.0.8","ClientUser":"-","authenticated":"-","AccessTime":"[11/Dec/2020:17:39:20 +0800]","method":"GET / HTTP/1.1","status":"200","SendBytes":"5","Query?string":"","partner":"-","AgentVersion":"curl/7.29.0"}
logstash收集:
[root@elkstack03 conf.d]# vim tomcat_es.yml
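# Logstash pipeline: tail the Tomcat JSON access log and ship it to
# Elasticsearch, one index per day.
input {
  file {
    # Glob instead of one hard-coded date so each daily-rotated file is
    # picked up. The original path also ended in a stray space inside the
    # quotes ("...txt "), which matches no file on disk.
    path => "/var/log/tomcat/localhost_access_log.*.txt"
    # Only new lines; older entries in the file (including pre-JSON ones)
    # are not read.
    start_position => "end"
    type => "tomcat_access"
    # Each line is parsed as JSON. A line that is not valid JSON - e.g. a
    # request whose User-Agent, Referer or request line contained a double
    # quote, which AccessLogValve does not escape - is kept as a raw
    # message and tagged _jsonparsefailure rather than dropped; review
    # those tags in Kibana.
    codec => json
  }
}
output {
  elasticsearch {
    # Plain HTTP with no credentials: acceptable only on a trusted network.
    # The elasticsearch output also supports ssl/cacert and user/password
    # for an authenticated, encrypted cluster.
    hosts => ["10.0.0.5:9200"]
    index => "tomcat_access-%{+YYYY.MM.dd}"
  }
}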
[root@web01 logstash]# logstash -f tomcat_es.yml -t
[root@web01 logstash]# logstash -f tomcat_es.yml &
使用Kibana查看Elasticsearch索引是否创建成功:
将索引添加到Kibana中展示查看: