Practical application of ELK. Setting up Logstash

Introduction

While deploying another system, we faced the need to process a large number of different logs. ELK was chosen as the tool. This article describes our experience of setting up this stack.

We do not aim to describe all of its capabilities; we want to concentrate on solving practical problems. The reason is that, although there is a large amount of documentation and there are ready-made images, there are plenty of pitfalls, or at least we found them.

We deployed the stack via docker-compose. Moreover, we had a docker-compose.yml already written, which let us bring the stack up almost without problems. It seemed to us that victory was close: we would adjust it a little to fit our needs and that would be it.

Unfortunately, the attempt to configure the system to receive and process logs from our application did not succeed right away. So we decided that it was worth studying each component separately and then coming back to how they connect.

So, we started with logstash.

Environment, deployment, running Logstash in a container

For deployment we use docker-compose; the experiments described here were carried out on MacOS and Ubuntu 18.0.4.

The logstash image specified in our original docker-compose.yml is docker.elastic.co/logstash/logstash:6.3.2

We will use it for the experiments.

We wrote a separate docker-compose.yml to run logstash. Of course, the image could have been started from the command line, but we were solving a specific problem in which everything is run from docker-compose.

Briefly about configuration files

As follows from the documentation, logstash can be run either for a single channel, in which case it needs to be given a *.conf file, or for several channels, in which case it needs to be given a pipelines.yml file, which in turn refers to the .conf files for each channel.
We took the second route. It seemed to us more general and more scalable. So we created pipelines.yml and a pipelines directory in which we will put the .conf files for each channel.

Inside the container there is one more configuration file, logstash.yml. We do not touch it; we use it as it is.

So, our directory structure:


To receive input data, for now we assume tcp on port 5046, and for output we will use stdout.

This is a simple configuration for the first launch, because the first task is just to get it running.

So, we have this docker-compose.yml

version: '3'

networks:
  elk:

volumes:
  elasticsearch:
    driver: local

services:

  logstash:
    container_name: logstash_one_channel
    image: docker.elastic.co/logstash/logstash:6.3.2
    networks:
      - elk
    ports:
      - 5046:5046
    volumes:
      - ./config/pipelines.yml:/usr/share/logstash/config/pipelines.yml:ro
      - ./config/pipelines:/usr/share/logstash/config/pipelines:ro

What do we see here?

  1. The networks and volumes were taken from the original docker-compose.yml (the one that launches the whole stack), and I think they do not significantly affect the overall picture here.
  2. We create one logstash service from the docker.elastic.co/logstash/logstash:6.3.2 image and name it logstash_one_channel.
  3. We forward port 5046 into the container, to the same internal port.
  4. We map our channel configuration file ./config/pipelines.yml to the file /usr/share/logstash/config/pipelines.yml inside the container, where logstash will pick it up, and make it read-only, just in case.
  5. We map the ./config/pipelines directory, where we keep the channel configuration files, to the /usr/share/logstash/config/pipelines directory, and also make it read-only.


The pipelines.yml file

- pipeline.id: HABR
  pipeline.workers: 1
  pipeline.batch.size: 1
  path.config: "./config/pipelines/habr_pipeline.conf"

A single channel with the identifier HABR and the path to its configuration file are described here.

And finally, the file "./config/pipelines/habr_pipeline.conf"

input {
  tcp {
    port => "5046"
  }
}
filter {
  mutate {
    add_field => [ "habra_field", "Hello Habr" ]
  }
}
output {
  stdout {
  }
}

We will not go into its description for now; let's try to run it:

docker-compose up

What do we see?

The container has started. We can check that it works:

echo '13123123123123123123123213123213' | nc localhost 5046

And we see the response in the container console:


But at the same time, we also see:

logstash_one_channel | [2019-04-29T11:28:59,790][ERROR][logstash.licensechecker.licensereader] Unable to retrieve license information from license server {:message=>"Elasticsearch Unreachable: [http://elasticsearch:9200/][Manticore::ResolutionFailure] elasticsearch", ...

logstash_one_channel | [2019-04-29T11:28:59,894][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>".monitoring-logstash", :thread=>"# "}

logstash_one_channel | [2019-04-29T11:28:59,988][INFO ][logstash.agent ] Pipelines running {:count=>2, :running_pipelines=>[:HABR, :".monitoring-logstash"], :non_running_pipelines=>[ ]}
logstash_one_channel | [2019-04-29T11:29:00,015][ERROR][logstash.inputs.metrics] X-Pack is installed on Logstash but not on Elasticsearch. Please install X-Pack on Elasticsearch to use the monitoring feature. Other features may be available.
logstash_one_channel | [2019-04-29T11:29:00,526][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
logstash_one_channel | [2019-04-29T11:29:04,478][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://elasticsearch:9200/, :path=> "/"}
logstash_one_channel | [2019-04-29T11:29:04,487][WARN][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://elasticsearch:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://elasticsearch:9200/][Manticore::ResolutionFailure] elasticsearch"}
logstash_one_channel | [2019-04-29T11:29:04,704][INFO ][logstash.licensechecker.licensereader] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://elasticsearch:9200/, :path=> "/"}
logstash_one_channel | [2019-04-29T11:29:04,710][WARN][logstash.licensechecker.licensereader] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://elasticsearch:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://elasticsearch:9200/][Manticore::ResolutionFailure] elasticsearch"}

And our log keeps crawling upward all the time.

Here I highlighted in green the message that the pipeline started successfully, in red the error message, and in yellow the message about an attempt to contact elasticsearch:9200.
This happens because logstash.conf, which is included in the image, contains a check for elasticsearch availability. After all, logstash assumes that it works as part of the Elk stack, but we separated it.

It is possible to work this way, but it is not convenient.

The solution is to disable this check via the XPACK_MONITORING_ENABLED environment variable.

Let's make a change to docker-compose.yml and run it again:

version: '3'

networks:
  elk:

volumes:
  elasticsearch:
    driver: local

services:

  logstash:
    container_name: logstash_one_channel
    image: docker.elastic.co/logstash/logstash:6.3.2
    networks:
      - elk
    environment:
      XPACK_MONITORING_ENABLED: "false"
    ports:
      - 5046:5046
    volumes:
      - ./config/pipelines.yml:/usr/share/logstash/config/pipelines.yml:ro
      - ./config/pipelines:/usr/share/logstash/config/pipelines:ro

Now everything is fine. The container is ready for experiments.

We can type again in a neighbouring console:

echo '13123123123123123123123213123213' | nc localhost 5046

And see:

logstash_one_channel | {
logstash_one_channel |         "message" => "13123123123123123123123213123213",
logstash_one_channel |      "@timestamp" => 2019-04-29T11:43:44.582Z,
logstash_one_channel |        "@version" => "1",
logstash_one_channel |     "habra_field" => "Hello Habr",
logstash_one_channel |            "host" => "gateway",
logstash_one_channel |            "port" => 49418
logstash_one_channel | }

Working within a single channel

So, we got it running. Now we can actually spend time configuring logstash itself. Let's leave the pipelines.yml file alone for now and see what we can get by working with a single channel.

I should say that the general principle of working with the channel configuration file is well described in the official documentation, here.
If you want to read about it in Russian, we used this article (but the query syntax there is old, which has to be taken into account).

Let's go step by step, starting with the input section. We have already seen how tcp works. What else could be interesting here?

Test messages using heartbeat

There is an interesting option for generating test messages automatically.
To do this, you need to enable the heartbeat plugin in the input section.

input {
  heartbeat {
    message => "HeartBeat!"
  }
}

Turn it on, and we start receiving one message per minute:

logstash_one_channel | {
logstash_one_channel |      "@timestamp" => 2019-04-29T13:52:04.567Z,
logstash_one_channel |     "habra_field" => "Hello Habr",
logstash_one_channel |         "message" => "HeartBeat!",
logstash_one_channel |        "@version" => "1",
logstash_one_channel |            "host" => "a0667e5c57ec"
logstash_one_channel | }

If we want to receive messages more often, we need to add the interval parameter.
This is how we will receive a message every 10 seconds.

input {
  heartbeat {
    message => "HeartBeat!"
    interval => 10
  }
}

Getting data from a file

We also decided to look at the file mode. If it works well with a file, then perhaps no agent is needed, at least for local use.

According to the description, the mode of operation should be similar to tail -f, i.e. it reads new lines or, as an option, reads the whole file.

So, what we want to get:

  1. We want to receive lines that are appended to a single log file.
  2. We want to receive data that is written to several log files, while being able to tell which record came from where.
  3. We want to make sure that when logstash is restarted, it does not receive this data again.
  4. We want to check that if logstash is turned off while data continues to be written to the files, then when we start it again we receive this data.

To run the experiment, let's add one more line to docker-compose.yml, opening up the directory in which we put the files.

version: '3'

networks:
  elk:

volumes:
  elasticsearch:
    driver: local

services:

  logstash:
    container_name: logstash_one_channel
    image: docker.elastic.co/logstash/logstash:6.3.2
    networks:
      - elk
    environment:
      XPACK_MONITORING_ENABLED: "false"
    ports:
      - 5046:5046
    volumes:
      - ./config/pipelines.yml:/usr/share/logstash/config/pipelines.yml:ro
      - ./config/pipelines:/usr/share/logstash/config/pipelines:ro
      - ./logs:/usr/share/logstash/input

And change the input section in habr_pipeline.conf:

input {
  file {
    path => "/usr/share/logstash/input/*.log"
  }
}

Let's start:

docker-compose up

To create the log files and write to them, we will use the command:


echo '1' >> logs/number1.log

{
logstash_one_channel |            "host" => "ac2d4e3ef70f",
logstash_one_channel |     "habra_field" => "Hello Habr",
logstash_one_channel |      "@timestamp" => 2019-04-29T14:28:53.876Z,
logstash_one_channel |        "@version" => "1",
logstash_one_channel |         "message" => "1",
logstash_one_channel |            "path" => "/usr/share/logstash/input/number1.log"
logstash_one_channel | }

Yes, it works!

At the same time, we see that the path field was added automatically. This means that in the future we will be able to filter records by it.

Let's try again:

echo '2' >> logs/number1.log

{
logstash_one_channel |            "host" => "ac2d4e3ef70f",
logstash_one_channel |     "habra_field" => "Hello Habr",
logstash_one_channel |      "@timestamp" => 2019-04-29T14:28:59.906Z,
logstash_one_channel |        "@version" => "1",
logstash_one_channel |         "message" => "2",
logstash_one_channel |            "path" => "/usr/share/logstash/input/number1.log"
logstash_one_channel | }

And now into another file:

echo '1' >> logs/number2.log

{
logstash_one_channel |            "host" => "ac2d4e3ef70f",
logstash_one_channel |     "habra_field" => "Hello Habr",
logstash_one_channel |      "@timestamp" => 2019-04-29T14:29:26.061Z,
logstash_one_channel |        "@version" => "1",
logstash_one_channel |         "message" => "1",
logstash_one_channel |            "path" => "/usr/share/logstash/input/number2.log"
logstash_one_channel | }

Great! The file was picked up, the path was set correctly, everything is fine.

Stop logstash and start it again. We wait. Silence. That is, we do not receive these records again.

And now the boldest experiment.

Shut logstash down and run:

echo '3' >> logs/number2.log
echo '4' >> logs/number1.log

Start logstash again and see:

logstash_one_channel | {
logstash_one_channel |            "host" => "ac2d4e3ef70f",
logstash_one_channel |     "habra_field" => "Hello Habr",
logstash_one_channel |         "message" => "3",
logstash_one_channel |        "@version" => "1",
logstash_one_channel |            "path" => "/usr/share/logstash/input/number2.log",
logstash_one_channel |      "@timestamp" => 2019-04-29T14:48:50.589Z
logstash_one_channel | }
logstash_one_channel | {
logstash_one_channel |            "host" => "ac2d4e3ef70f",
logstash_one_channel |     "habra_field" => "Hello Habr",
logstash_one_channel |         "message" => "4",
logstash_one_channel |        "@version" => "1",
logstash_one_channel |            "path" => "/usr/share/logstash/input/number1.log",
logstash_one_channel |      "@timestamp" => 2019-04-29T14:48:50.856Z
logstash_one_channel | }

Hooray! Everything was picked up.

But we must warn you about the following. If the container with logstash is removed (docker stop logstash_one_channel && docker rm logstash_one_channel), then nothing will be picked up. The position in the file up to which it had been read was stored inside the container. If you start from scratch, only new lines will be accepted.

Reading existing files

Suppose we are starting logstash for the first time, but we already have logs and we would like to process them.
If we run logstash with the input section we used above, we will get nothing. Only new lines will be processed by logstash.

To pull in lines from existing files, you need to add one more line to the input section:

input {
  file {
    start_position => "beginning"
    path => "/usr/share/logstash/input/*.log"
  }
}

Moreover, there is a nuance: this only affects new files that logstash has not yet seen. For the same files that were already in logstash's field of view, it has already remembered their size and will now take only new records in them.
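
One way to keep the read position when the container is removed, shown as an added example that is not part of the original article: point the file input's sincedb_path at a directory mounted from the host. The ./sincedb host directory, its mount point and the sincedb file name are assumptions made for this example.

```logstash
# habr_pipeline.conf, input section (added example, not from the original article)
#
# Assumed extra volume line in docker-compose.yml (hypothetical host directory
# ./sincedb; it must be writable by the non-root logstash user in the container):
#   - ./sincedb:/usr/share/logstash/sincedb
input {
  file {
    path => "/usr/share/logstash/input/*.log"

    # Only applies to files that have no sincedb entry yet;
    # files already tracked resume from their recorded offset.
    start_position => "beginning"

    # By default the sincedb file is kept under path.data inside the
    # container, so `docker rm` discards the recorded offsets.
    # Keeping it on the mounted volume preserves them across removal.
    sincedb_path => "/usr/share/logstash/sincedb/habr_input.sincedb"
  }
}
```

To force a full re-read with this setup, stop the container and delete the sincedb file on the host before starting it again.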

Let's stop here with the study of the input section. There are many more options, but for now this is enough for our further experiments.

Routing and data transformation

Let's try to solve the following problem. Suppose we have messages coming from one channel; some of them are informational and some are error messages. They differ by a tag. Some are INFO, others are ERROR.

We need to separate them at the output. That is, we write informational messages to one channel and error messages to another.

To do this, we move from the input section to filter and output.

Using the filter section, we will parse the incoming message, obtaining from it a hash (key-value pairs) that we can then work with, i.e. take apart according to conditions. And in the output section, we will select the messages and send each one to its own channel.

Parsing a message with grok

To parse text lines and get a set of fields from them, the filter section has a special plugin: grok.

Without setting myself the goal of describing it in detail here (for that I refer you to the official documentation), I will give my own simple example.

To do this, you need to decide on the format of the input lines. Mine look like this:

1 INFO message1
2 ERROR message2

That is, an identifier comes first, then INFO/ERROR, then a word without spaces.
It is not complicated, but it is enough to understand the principle of operation.

So, in the filter section, in the grok plugin, we need to define a pattern for parsing our lines.

It will look like this:

filter {
  grok {
    match => { "message" => ["%{INT:message_id} %{LOGLEVEL:message_type} %{WORD:message_text}"] }
  }
}

In essence, it is a regular expression. Ready-made patterns are used, such as INT, LOGLEVEL, WORD. Their description, as well as other patterns, can be found here.

Now, after passing through this filter, our line will turn into a hash of three fields: message_id, message_type, message_text.

They will be shown in the output section.

Routing messages in the output section using the if statement

In the output section, as we remember, we were going to split the messages into two streams. Some, the INFO ones, will be output to the console, and the ones with errors we will write to a file.

How do we separate these messages? The statement of the problem already suggests a solution: we already have a dedicated field, message_type, which can take only two values, INFO and ERROR. It is on this field that we will make the choice using the if statement.

if [message_type] == "ERROR" {
  # Write to a file here
} else {
  # Write to stdout here
}

A description of working with fields and operators can be found in this section of the official documentation.

Now, about the actual output itself.

Console output, everything is clear here: stdout {}

But output to a file is different: remember that we are running all of this from a container, and for the file into which we write the result to be accessible from outside, we need to open up this directory in docker-compose.yml.

In summary:

The output section of our file looks like this:


output {
  if [message_type] == "ERROR" {
    file {
      path => "/usr/share/logstash/output/test.log"
      codec => line { format => "custom format: %{message}" }
    }
  } else {
    stdout {
    }
  }
}

In docker-compose.yml we add one more volume for the output:

version: '3'

networks:
  elk:

volumes:
  elasticsearch:
    driver: local

services:

  logstash:
    container_name: logstash_one_channel
    image: docker.elastic.co/logstash/logstash:6.3.2
    networks:
      - elk
    environment:
      XPACK_MONITORING_ENABLED: "false"
    ports:
      - 5046:5046
    volumes:
      - ./config/pipelines.yml:/usr/share/logstash/config/pipelines.yml:ro
      - ./config/pipelines:/usr/share/logstash/config/pipelines:ro
      - ./logs:/usr/share/logstash/input
      - ./output:/usr/share/logstash/output

We start it, try it out, and see the split into two streams.
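
A stricter variant of the filter and output sections above, as an added example that is not from the original article: it anchors the grok pattern, normalises the level before the comparison, and sends lines that fail to parse to their own file. The unparsed.log file name and the sample lines in the comments are constructed for illustration.

```logstash
# habr_pipeline.conf, filter and output sections (added example, not from the article)
#
# Constructed sample input and where each line ends up with this config:
#   1 INFO message1      -> stdout
#   2 ERROR message2     -> /usr/share/logstash/output/test.log
#   3 error message3     -> test.log (LOGLEVEL also accepts lower case; see mutate)
#   4 ERROR two words    -> unparsed.log (anchored pattern rejects the trailing text)
#   not a log line       -> unparsed.log
filter {
  grok {
    # ^ and $ require the whole single-line event to match the format,
    # instead of accepting the first matching fragment anywhere in the line.
    match => { "message" => "^%{INT:message_id} %{LOGLEVEL:message_type} %{WORD:message_text}$" }
  }

  # The comparison in the output section is an exact string match,
  # so bring the parsed level to one spelling first.
  if [message_type] {
    mutate { uppercase => [ "message_type" ] }
  }
}

output {
  if "_grokparsefailure" in [tags] {
    # grok tags events it could not parse; keep them visible in a separate
    # file rather than letting them fall through to the else branch.
    file {
      path => "/usr/share/logstash/output/unparsed.log"
      codec => line { format => "%{message}" }
    }
  } else if [message_type] == "ERROR" {
    file {
      path => "/usr/share/logstash/output/test.log"
      codec => line { format => "custom format: %{message}" }
    }
  } else {
    stdout { }
  }
}
```

With the article's original pattern and condition, a lower-case level such as error is parsed by LOGLEVEL but fails the == "ERROR" comparison and goes to stdout, and a line that does not match at all also ends up in the else branch.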

Source: www.habr.com
