12.log-center模塊 · open-capacity-platform

# **日志中心** ## 日志處理流程 ![](https://box.kancloud.cn/926dd5b6dbdc5fa90b65844e9fdfb14c_1581x368.png) ![](https://box.kancloud.cn/7bec6d917700607b454082de7ac270a4_1068x531.png) 需要依賴log-core ![](https://box.kancloud.cn/de5c9a6e7828bbedd0c6284940f6f6ac_1672x526.png) 此處修改 ``` <springProperty name="LOG_FILE" scope="context" source="logging.file" defaultValue="/logs/${APP_NAME}"/> ``` 在部署微服務的機器中執行 mkdir /logs chmod -R 777 /logs 日志中心展現elk抽取的數據 ![](https://img.kancloud.cn/41/f9/41f9254fcc6fdb6d100512cdc48d0314_1116x541.png) 啟動 log-center ，之前需要部署 ELK+Filebeat # elasticearch安裝 ``` mkdir /app cd /app wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.5.4.tar.gz tar -zxvf elasticsearch-6.5.4.tar.gz useradd es 修改config/jvm.options為內存的一半大小 vi config/jvm.options -Xms512m -Xmx512m 修改 max file 和 max virtual memory 參數用root 或 sudo 用戶 vi /etc/sysctl.conf 添加下面配置： vm.max_map_count=655360 并執行命令： sysctl -p grep -q "* - nofile" /etc/security/limits.conf || cat >> /etc/security/limits.conf << EOF ######################################## nofile 1048576 nproc 65536 stack 65536 EOF grep -q "ulimit -n" /etc/profile || cat >> /etc/profile << EOF ######################################## ulimit -n 1048576 ulimit -u 65536 ulimit -s 65536 EOF vi /app/elasticsearch-6.5.4/config/elasticsearch.yml cluster.name: elasticsearch node.name: node-1 network.host: 0.0.0.0 http.port: 9200 node.max_local_storage_nodes: 2 http.cors.enabled: true http.cors.allow-origin: "*" chown -R es:es /app/elasticsearch-6.5.4/ su - es -c '/app/elasticsearch-6.5.4/bin/elasticsearch -d' ``` # logstash 安裝配置 ``` cd /app wget https://artifacts.elastic.co/downloads/logstash/logstash-6.5.4.tar.gz tar -zxvf logstash-6.5.4.tar.gz cd logstash-6.5.4/ ls cd bin vi logstash.conf ``` # logstash.conf如下 ``` input { beats { port => 5044 } } filter { if [fields][docType] == "sys-log" { grok { match => { "message" => "\[%{NOTSPACE:appName}\:%{NOTSPACE:serverIp}\:%{NOTSPACE:serverPort}\] %{TIMESTAMP_ISO8601:logTime} %{LOGLEVEL:logLevel} %{WORD:pid} \[%{MYTHREADNAME:threadName}\] %{NOTSPACE:classname} %{GREEDYDATA:message}" } overwrite => ["message"] } date { match => ["logTime","yyyy-MM-dd HH:mm:ss.SSS"] } date { match => ["logTime","yyyy-MM-dd HH:mm:ss.SSS"] target => "timestamp" } mutate { remove_field => "logTime" remove_field => "@version" remove_field => "host" remove_field => "offset" } } if [fields][docType] == "point-log" { grok { patterns_dir => ["/app/logstash-6.5.4/patterns"] match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}\|%{MYAPPNAME:appName}\|%{WORD:resouceid}\|%{MYAPPNAME:type}\|%{GREEDYDATA:object}" } } kv { source => "object" field_split => "&" value_split => "=" } } } output { if [fields][docType] == "sys-log" { elasticsearch { hosts => ["35.192.230.214:9200"] manage_template => false index => "ocp-log-%{+YYYY.MM.dd}" document_type => "%{[@metadata][type]}" } } if [fields][docType] == "point-log" { elasticsearch { hosts => ["35.192.230.214:9200"] manage_template => false index => "point-log-%{+YYYY.MM.dd}" document_type => "%{[@metadata][type]}" } } } ``` ## 在Logstash中使用grok ~~~ mkdir -p /app/logstash-6.5.4/patterns cd /app/logstash-6.5.4/patterns vi java # user-center MYAPPNAME ([0-9a-zA-Z_-]*) MYTHREADNAME ([0-9a-zA-Z._-]|$|$|\s)* ls nohup ./logstash -f logstash.conf >&/dev/null & ~~~ # filebeat filebeat(收集、聚合) ->logstash(過濾結構化) -> ES ![](https://box.kancloud.cn/c07fb298e033603ef6992a906a5105ac_918x717.png) filebeat 抽取的是/logs/*/*.log的日志，可以建立軟連接，將不同模塊的日志都方式/logs下面 ![](https://img.kancloud.cn/af/ff/afffa195eff090341fa5daa8867ac7ca_1051x120.png) ``` cd /app wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.5.4-linux-x86_64.tar.gz tar -zxvf filebeat-6.5.4-linux-x86_64.tar.gz cd /app/filebeat-6.5.4-linux-x86_64 vi filebeat.yml # filebeat.yml配置 `###################### Filebeat Configuration Example ######################### # This file is an example configuration file highlighting only the most common # options. The filebeat.reference.yml file from the same directory contains all the # supported options with more comments. You can use it as a reference. # # You can find the full configuration reference here: # https://www.elastic.co/guide/en/beats/filebeat/index.html # For more available modules and options, please see the filebeat.reference.yml sample # configuration file. #=========================== Filebeat inputs ============================= filebeat.inputs: # Each - is an input. Most options can be set at the input level, so # you can use different inputs for various configurations. # Below are the input specific configurations. - type: log enabled: true paths: #- /var/log/*.log - /logs/*/*.log exclude_lines: ['^DEBUG'] ##增加字段 fields: docType: sys-log project: open-capacity-platform #聚合日志 multiline: pattern: '^\[\S+ - \S+ - \d{2,}] ' negate: true match: after # timeout: 5s - type: log enabled: true paths: - /logs/point/*.log fields: docType: point-log project: open-capacity-platform # Exclude lines. A list of regular expressions to match. It drops the lines that are # matching any regular expression from the list. #exclude_lines: ['^DBG'] # Include lines. A list of regular expressions to match. It exports the lines that are # matching any regular expression from the list. #include_lines: ['^ERR', '^WARN'] # Exclude files. A list of regular expressions to match. Filebeat drops the files that # are matching any regular expression from the list. By default, no files are dropped. #exclude_files: ['.gz$'] # Optional additional fields. These fields can be freely picked # to add additional information to the crawled log files for filtering #fields: # level: debug # review: 1 ### Multiline options # Multiline can be used for log messages spanning multiple lines. This is common # for Java Stack Traces or C-Line Continuation # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [ #multiline.pattern: ^\[ # Defines if the pattern set under pattern should be negated or not. Default is false. #multiline.negate: false # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern # that was (not) matched before or after or as long as a pattern is not matched based on negate. # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash #multiline.match: after #============================= Filebeat modules =============================== filebeat.config.modules: # Glob pattern for configuration loading path: ${path.config}/modules.d/*.yml # Set to true to enable config reloading reload.enabled: false # Period on which files under path should be checked for changes #reload.period: 10s #==================== Elasticsearch template setting ========================== setup.template.settings: index.number_of_shards: 3 setup.template.name: "filebeat" setup.template.pattern: "filebeat-*" #index.codec: best_compression #_source.enabled: false #================================ General ===================================== # The name of the shipper that publishes the network data. It can be used to group # all the transactions sent by a single shipper in the web interface. #name: # The tags of the shipper are included in their own field with each # transaction published. #tags: ["service-X", "web-tier"] # Optional fields that you can specify to add additional information to the # output. #fields: # env: staging #============================== Dashboards ===================================== # These settings control loading the sample dashboards to the Kibana index. Loading # the dashboards is disabled by default and can be enabled either by setting the # options here, or by using the `-setup` CLI flag or the `setup` command. #setup.dashboards.enabled: false # The URL from where to download the dashboards archive. By default this URL # has a value which is computed based on the Beat name and version. For released # versions, this URL points to the dashboard archive on the artifacts.elastic.co # website. #setup.dashboards.url: #============================== Kibana ===================================== # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. # This requires a Kibana endpoint configuration. setup.kibana: # Kibana Host # Scheme and port can be left out and will be set to the default (http and 5601) # In case you specify and additional path, the scheme is required: http://localhost:5601/path # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 #host: "localhost:5601" # Kibana Space ID # ID of the Kibana Space into which the dashboards should be loaded. By default, # the Default Space will be used. #space.id: #============================= Elastic Cloud ================================== # These settings simplify using filebeat with the Elastic Cloud (https://cloud.elastic.co/). # The cloud.id setting overwrites the `output.elasticsearch.hosts` and # `setup.kibana.host` options. # You can find the `cloud.id` in the Elastic Cloud web UI. #cloud.id: # The cloud.auth setting overwrites the `output.elasticsearch.username` and # `output.elasticsearch.password` settings. The format is `<user>:<pass>`. #cloud.auth: #================================ Outputs ===================================== # Configure what output to use when sending the data collected by the beat. #-------------------------- Elasticsearch output ------------------------------ #output.elasticsearch: # Array of hosts to connect to. # hosts: ["192.168.28.130:9200"] # index: "filebeat-log" # Optional protocol and basic auth credentials. #protocol: "https" #username: "elastic" #password: "changeme" #----------------------------- Logstash output -------------------------------- output.logstash: # The Logstash hosts hosts: ["127.0.0.1:5044"] bulk_max_size: 2048 # Optional SSL. By default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" # Client Certificate Key #ssl.key: "/etc/pki/client/cert.key" #================================ Procesors ===================================== # Configure processors to enhance or manipulate events generated by the beat. processors: - add_host_metadata: ~ - add_cloud_metadata: ~ #================================ Logging ===================================== # Sets log level. The default log level is info. # Available log levels are: error, warning, info, debug #logging.level: debug # At debug level, you can selectively enable logging only for some components. # To enable all selectors use ["*"]. Examples of other selectors are "beat", # "publish", "service". #logging.selectors: ["*"] #============================== Xpack Monitoring =============================== # filebeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The # reporting is disabled by default. # Set to true to enable the monitoring reporter. #xpack.monitoring.enabled: false # Uncomment to send the metrics to Elasticsearch. Most settings from the # Elasticsearch output are accepted here as well. Any setting that is not set is # automatically inherited from the Elasticsearch output configuration, so if you # have the Elasticsearch output configured, you can simply uncomment the # following line. #xpack.monitoring.elasticsearch: ``` 啟動 nohup ./filebeat -e -c filebeat.yml >&/dev/null & 結構化日志數據為以下格式存在ES中 ``` { "timestamp": "時間", "message": "具體日志信息", "threadName": "線程名", "serverPort": "服務端口", "serverIp": "服務ip", "logLevel": "日志級別", "appName": "工程名稱", "classname": "類名" } ``` linux統計調用次數 ``` awk '{print $7} ' user-center-info.log | sort | uniq -c | sort -fr ``` ![](https://img.kancloud.cn/d8/de/d8deb79578608efde3f99670578b2644_700x110.png)