Suzf Blog

前言

本文的主要目的是将 Apache 的访问日志转换成 JSON 格式，然后存储到 ES, 供 ELK Stack Platform 进行数据分析与统计。 尽管现在许多发行版本都已经默认安装上了 rsyslog, 但是还是推荐从 rsyslog repositories 获取最新的稳定版本。这样你将从中获益。你将需要下面的软件包：

• rsyslog-mmnormalize. This gives you mmnormalize, a module that will do the parsing of common Apache logs to JSON
• rsyslog-elasticsearch, for the Elasticsearch output

让我现在就开始配置吧。需要执行以下操作：

1. 加载所需模块
2. 将 Apache log 传送到中心日志服务器
3. 配置主队列缓冲您的消息。 这也是定义工作线程数和批量大小的地方（也可以是 Elasticsearch 块的大小）
4. 将 Apache log 转换成 JSON
5. 定义一个模板，您可以在其中指定 JSON 信息的格式。 您可以使用此模板通过Elasticsearch输出将日志发送到 Elasticsearch / Logstash

前言 本文主要简述的如何使用 Rsyslog 实现日志的中心化，并利用 ELK Stack 实现图形搜索与数据统计。

Originally posted on the server as code: Rsyslog to Elasticsearch

长时间以来，系统管理部门已经知道，集中日志很重要，无论是故障排除还是出于安全考虑。 在我看来，我不仅要集中日志，还要让它们可以搜索。 （在集中式日志文件上的 grep 不是很强大，但这不是我正在寻找的解决方案。）

Elasticsearch

... is a distributed, RESTful search and analytics engine capable of solving a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data so you can discover the expected and uncover the unexpected.

它提供的几个基础的功能有：存储/索引/搜索 数据。它是典型 ELK Stack（Elasticsearch, Logstash, and Kibana ）的一部分。 作为系统管理员，我认为还需要注意的是，当用作集群时，Elasticsearch是分布式系统。 不应该轻率地添加另一个分布式系统。 作为一个例子，我现在有了生产分布式系统的MySQL Galera，RabbitMQ，Nomad和Elasticsearch。

Article: Structured Logging with Rsyslog and Elasticsearch Author: Radu Gheorghe

As more and more organizations are starting to use our Performance Monitoring and Search Analytics services, we have more and more logs from various components that make up these applications.  So what do we do?  Do we just keep logging everything to files, rotating them, and grepping them when we need to troubleshoot something?  There must be something better we can do!  And indeed, there is – so much so, that we’ll soon be launching Logsene – a Log Analytics service to complement SPM.  When your applications generate a lot of logs, you’d probably want to make some sense of them by searching and/or statistics. Here’s when structured logging comes in handy, and I would like to share some thoughts and configuration examples of how you could use a popular syslog daemon like rsyslog to handle both structured and unstructured logs. Then I’m going to look at how you can take those logs, format them in JSON, and index them with Elasticsearch – for some fast and easy searching and statistics.  If you are going to Berlin Buzzwords this year and you are into logging, Logstash, ElasticSearch, or Kibana, I’ll be talking about them in my JSON logging with ElasticSearch presentation.

前言

本文主要讲述的是 ELK Stack 5 的简易安装和配置。 Elasticsearch - 分布式的文档(document)存储引擎。它可以实时存储并检索复杂数据结构。 Kibana - 在 Elasticsearch 中分析和搜索数据信息的 bashboard Filebeat - 为 Elasticsearch 传送日志数据的轻量级的组件（基于  Logstash-Forwarder）。 关于 Elasticsearch 5 的安装 --> How-to Install elasticsearch with RPM on CentOS7

ELK(Elasticsearch + Logstash + Kibana) 是一套开源的日志管理方案
Elasticsearch：负责日志检索和分析
Logstash：负责日志的收集，处理和储存
Kibana：负责日志的可视化

Logstash: The server component of Logstash that processes incoming logs
Elasticsearch: Stores all of the logs
Kibana 4: Web interface for searching and visualizing logs, which will be proxied through Nginx
Logstash Forwarder: Installed on servers that will send their logs to Logstash, Logstash Forwarder serves as a log forwarding agent that utilizes the lumberjack networking protocol to communicate with Logstash

Reference：
JDK - http://www.oracle.com/technetwork/java/javase/downloads/index.html
Elasticsearch - https://www.elastic.co/downloads/elasticsearch
Logstash - https://www.elastic.co/downloads/logstash
Kibana - https://www.elastic.co/downloads/kibana
redis - http://redis.io/download

数据流流向如下
Logstash-forwarder--->Logstash--->Elasticsearch--->kibana--->nginx--->客户浏览器