ELK日志收集系统进阶使用,本文主要讲解如何打造一个线上环境真实可用的日志收集系统。有了它,你就可以和去服务器上捞日志说再见了!
ELK环境安装
docker-compose脚本
version: '3'
services:
elasticsearch:
image: elasticsearch:6.4.0
container_name: elasticsearch
environment:
- "cluster.name=elasticsearch" #设置集群名称为elasticsearch
- "discovery.type=single-node" #以单一节点模式启动
- "ES_JAVA_OPTS=-Xms512m -Xmx512m" #设置使用jvm内存大小
- TZ=Asia/Shanghai
volumes:
- /mydata/elasticsearch/plugins:/usr/share/elasticsearch/plugins #插件文件挂载
- /mydata/elasticsearch/data:/usr/share/elasticsearch/data #数据文件挂载
ports:
- 9200:9200
- 9300:9300
kibana:
image: kibana:6.4.0
container_name: kibana
links:
- elasticsearch:es #可以用es这个域名访问elasticsearch服务
depends_on:
- elasticsearch #kibana在elasticsearch启动之后再启动
environment:
- "elasticsearch.hosts=http://es:9200" #设置访问elasticsearch的地址
- TZ=Asia/Shanghai
ports:
- 5601:5601
logstash:
image: logstash:6.4.0
container_name: logstash
environment:
- TZ=Asia/Shanghai
volumes:
- /mydata/logstash/logstash.conf:/usr/share/logstash/pipeline/logstash.conf #挂载logstash的配置文件
depends_on:
- elasticsearch #kibana在elasticsearch启动之后再启动
links:
- elasticsearch:es #可以用es这个域名访问elasticsearch服务
ports:
- 4560:4560
- 4561:4561
- 4562:4562
- 4563:4563
安装要点
使用docker-compose命令运行所有服务:
docker-compose up -d
第一次启动可能会发现Elasticsearch无法启动,那是因为/usr/share/elasticsearch/data目录没有访问权限,只需要修改/mydata/elasticsearch/data目录的权限,再重新启动;
chmod 777 /mydata/elasticsearch/data/
Logstash需要安装json_lines插件。
logstash-plugin install logstash-codec-json_lines
分场景收集日志
调试日志:最全日志,包含了应用中所有DEBUG级别以上的日志,仅在开发、测试环境中开启收集;
错误日志:只包含应用中所有ERROR级别的日志,所有环境只都开启收集;
业务日志:在我们应用对应包下打印的日志,可用于查看我们自己在应用中打印的业务日志;
记录日志:每个接口的访问记录,可以用来查看接口执行效率,获取接口访问参数。
Logback配置详解
完全配置
configuration>
class="ch.qos.logback.core.rolling.RollingFileAppender">
DEBUGlevel>
filter>
${FILE_LOG_PATTERN}pattern>
UTF-8charset>
encoder>
${LOG_FILE_PATH}/debug/${APP_NAME}-%d{yyyy-MM-dd}-%i.logfileNamePattern>
${LOG_FILE_MAX_SIZE:-10MB}maxFileSize>
${LOG_FILE_MAX_HISTORY:-30}maxHistory>
rollingPolicy>
appender>
class="ch.qos.logback.core.rolling.RollingFileAppender">
ERRORlevel>
ACCEPTonMatch>
DENYonMismatch>
filter>
${FILE_LOG_PATTERN}pattern>
UTF-8charset>
encoder>
${LOG_FILE_PATH}/error/${APP_NAME}-%d{yyyy-MM-dd}-%i.logfileNamePattern>
${LOG_FILE_MAX_SIZE:-10MB}maxFileSize>
${LOG_FILE_MAX_HISTORY:-30}maxHistory>
rollingPolicy>
appender>
DEBUGlevel>
filter>
${LOG_STASH_HOST}:4560destination>
Asia/ShanghaitimeZone>
timestamp>
{
"project": "mall-tiny",
"level": "%level",
"service": "${APP_NAME:-}",
"pid": "${PID:-}",
"thread": "%thread",
"class": "%logger",
"message": "%message",
"stack_trace": "%exception{20}"
}
pattern>
pattern>
providers>
encoder>
5 minutesconnectionTTL>
roundRobin>
connectionStrategy>
appender>
ERRORlevel>
ACCEPTonMatch>
DENYonMismatch>
filter>
${LOG_STASH_HOST}:4561destination>
Asia/ShanghaitimeZone>
timestamp>
{
"project": "mall-tiny",
"level": "%level",
"service": "${APP_NAME:-}",
"pid": "${PID:-}",
"thread": "%thread",
"class": "%logger",
"message": "%message",
"stack_trace": "%exception{20}"
}
pattern>
pattern>
providers>
encoder>
5 minutesconnectionTTL>
roundRobin>
connectionStrategy>
appender>
${LOG_STASH_HOST}:4562destination>
Asia/ShanghaitimeZone>
timestamp>
{
"project": "mall-tiny",
"level": "%level",
"service": "${APP_NAME:-}",
"pid": "${PID:-}",
"thread": "%thread",
"class": "%logger",
"message": "%message",
"stack_trace": "%exception{20}"
}
pattern>
pattern>
providers>
encoder>
5 minutesconnectionTTL>
roundRobin>
connectionStrategy>
appender>
${LOG_STASH_HOST}:4563destination>
Asia/ShanghaitimeZone>
timestamp>
{
"project": "mall-tiny",
"level": "%level",
"service": "${APP_NAME:-}",
"class": "%logger",
"message": "%message"
}
pattern>
pattern>
providers>
encoder>
5 minutesconnectionTTL>
roundRobin>
connectionStrategy>
appender>
root>
logger>
logger>
configuration>
配置要点解析
使用默认的日志配置
springProperty
例如在application-dev.yml中定义了这些属性:
logstash:
host: localhost
在logback-spring.xml中就可以直接这样使用:
filter
ThresholdFilter:临界值过滤器,过滤掉低于指定临界值的日志,比如下面的配置将过滤掉所有低于INFO级别的日志。
class="ch.qos.logback.classic.filter.ThresholdFilter">
INFOlevel>
filter>
LevelFilter:级别过滤器,根据日志级别进行过滤,比如下面的配置将过滤掉所有非ERROR级别的日志。
class="ch.qos.logback.classic.filter.LevelFilter">
ERRORlevel>
ACCEPTonMatch>
DENYonMismatch>
filter>
appender
ConsoleAppender:控制日志输出到控制台的形式,比如在console-appender.xml中定义的默认控制台输出。
"CONSOLE">
${CONSOLE_LOG_PATTERN}pattern>
encoder>
appender>
RollingFileAppender:控制日志输出到文件的形式,可以控制日志文件生成策略,比如文件名称格式、超过多大重新生成文件以及删除超过多少天的文件。
class="ch.qos.logback.core.rolling.RollingFileAppender">
${LOG_FILE_PATH}/error/${APP_NAME}-%d{yyyy-MM-dd}-%i.logfileNamePattern>
${LOG_FILE_MAX_SIZE:-10MB}maxFileSize>
${LOG_FILE_MAX_HISTORY:-30}maxHistory>
rollingPolicy>
appender>
LogstashTcpSocketAppender:控制日志输出到Logstash的形式,可以用来配置Logstash的地址、访问策略以及日志的格式。
${LOG_STASH_HOST}:4561destination>
Asia/ShanghaitimeZone>
timestamp>
{
"project": "mall-tiny",
"level": "%level",
"service": "${APP_NAME:-}",
"pid": "${PID:-}",
"thread": "%thread",
"class": "%logger",
"message": "%message",
"stack_trace": "%exception{20}"
}
pattern>
pattern>
providers>
encoder>
5 minutesconnectionTTL>
roundRobin>
connectionStrategy>
appender>
logger
调试日志:所有的DEBUG级别以上日志;
错误日志:所有的ERROR级别日志;
业务日志:com.macro.mall包下的所有DEBUG级别以上日志;
记录日志:com.macro.mall.tiny.component.WebLogAspect类下所有DEBUG级别以上日志,该类是统计接口访问信息的AOP切面类。
控制框架输出日志
Logstash配置详解
完全配置
input {
tcp {
mode => "server"
host => "0.0.0.0"
port => 4560
codec => json_lines
type => "debug"
}
tcp {
mode => "server"
host => "0.0.0.0"
port => 4561
codec => json_lines
type => "error"
}
tcp {
mode => "server"
host => "0.0.0.0"
port => 4562
codec => json_lines
type => "business"
}
tcp {
mode => "server"
host => "0.0.0.0"
port => 4563
codec => json_lines
type => "record"
}
}
filter{
if [type] == "record" {
mutate {
remove_field => "port"
remove_field => "host"
remove_field => "@version"
}
json {
source => "message"
remove_field => ["message"]
}
}
}
output {
elasticsearch {
hosts => ["es:9200"]
action => "index"
codec => json
index => "mall-tiny-%{type}-%{ YYYY.MM.dd}"
template_name => "mall-tiny"
}
}
配置要点
input:使用不同端口收集不同类型的日志,从4560~4563开启四个端口;
filter:对于记录类型的日志,直接将JSON格式的message转化到source中去,便于搜索查看;
output:按类型、时间自定义索引格式。
SpringBoot配置
开发环境配置:application-dev.yml
测试环境配置:application-test.yml
logstash:
host: 192.168.3.101
logging:
level:
root: debug
生产环境配置:application-prod.yml
logstash:
host: logstash-prod
logging:
level:
root: info
Kibana进阶使用
首先启动我们的测试Demo,然后通用调用接口(可以使用Swagger),产生一些日志信息;
调用完成后在Management->Kibana->Index Patterns中可以创建Index Patterns,Kibana服务访问地址:http://192.168.3.101:5601
创建完成后可以在Discover中查看所有日志,调试日志只需直接查看mall-tiny-debug*模式的日志即可;
对于日志搜索,kibana有非常强大的提示功能,可以通过搜索栏右侧的Options按钮打开;