logstash 1.4.0 integration with kibana
Integrating kibana requires elasticsearch to be installed.
Install elasticsearch
Type the following commands to download and extract it:
curl -O https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.0.1.tar.gz
tar -zxvf elasticsearch-1.0.1.tar.gz
Then install kibana by typing the following commands:
cd elasticsearch-1.0.1/
bin/plugin -install elasticsearch/kibana
Run elasticsearch
./bin/elasticsearch
Then visit http://192.168.137.101:9200/_plugin/kibana/src/index.html
Note: opening http://192.168.137.101:9200/_plugin/kibana/ directly shows a page saying the kibana version is too old, which is actually not the case; that page can be updated so it no longer shows the message.
logstash configuration
Download and extract logstash:
curl -O https://download.elasticsearch.org/logstash/logstash/logstash-1.4.0.tar.gz
tar -zxvf logstash-1.4.0.tar.gz
Here is a commonly used nginx-access configuration:
input {
  file {
    type => "nginx-access"
    path => ["/usr/local/nginx/logs/nginx-access.log"]
    codec => plain {
      charset => "UTF-8"
    }
  }
}
filter {
  if [type] == "nginx-access" {
    grok {
      patterns_dir => ["/usr/local/loganalysis/patterns"]
      match => [
        "message",
        "%{NGINXACCESSLOG}"
      ]
    }
    useragent {
      source => "agent"
      target => "useragent_"
    }
  }
}
output {
  elasticsearch {
    host => localhost
  }
}
The custom patterns are as follows:
# NGINX log fields.
NGINX_DATE %{YEAR}[/-]%{MONTHNUM}[/-]%{MONTHDAY} %{TIME}
NGINX_MESSAGE [^,]*
NGINXACCESSLOG %{IPORHOST:client_ip} - (%{USER:ident}) \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} (?<request>([\w\W]+)|-) (?:HTTP/%{NUMBER:http_version})?|-)\" (%{NUMBER:response_status}|-) (?:%{NUMBER:bytes}|-) \"(%{NOTSPACE:referrer}|-)\" \"(?<agent>([\w\W]+?)|-)\"
NGINXERRORLOG %{NGINX_DATE:timestamp} \[%{LOGLEVEL:severity}\] %{POSINT:pid}#%{NUMBER}: %{NGINX_MESSAGE:message}(?:, client: %{IPORHOST:client})?(?:, server: %{IPORHOST:server})?(?:, request: %{QS:request})?(?:, host: %{QS:host})?
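As an added example (not part of the original post), the following Python script checks these two custom patterns offline before they are dropped into patterns_dir: it expands %{NAME:field} references recursively the way grok does, using a transcribed subset of grok's built-in pattern library, converts the Oniguruma-style (?<name>...) groups to Python syntax, and runs the result over constructed nginx log lines. The built-in definitions and the sample lines are assumptions of this example: IPORHOST omits grok's IPv6 branch, QS only accepts double-quoted strings, and atomic groups are written as plain groups, so this is a check of the custom patterns, not a full grok implementation.

```python
import re

# Subset of grok's built-in pattern library, transcribed for this example.
# Assumptions: no IPv6 branch in IPORHOST, QS is double-quoted only, and
# grok's atomic groups are written as ordinary non-capturing groups.
BUILTIN = {
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "BASE10NUM": r"(?<![0-9.+-])[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))",
    "NUMBER": r"(?:%{BASE10NUM})",
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "USER": r"[a-zA-Z0-9._-]+",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*\b",
    "IPORHOST": r"(?:%{HOSTNAME})",
    "MONTH": r"\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "HTTPDATE": r"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}",
    "LOGLEVEL": r"(?:[Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)",
    "QS": r'"(?:\\.|[^"\\])*"',
}

# The custom patterns from the post, copied verbatim.
CUSTOM = {
    "NGINX_DATE": r"%{YEAR}[/-]%{MONTHNUM}[/-]%{MONTHDAY} %{TIME}",
    "NGINX_MESSAGE": r"[^,]*",
    "NGINXACCESSLOG": r'%{IPORHOST:client_ip} - (%{USER:ident}) \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} (?<request>([\w\W]+)|-) (?:HTTP/%{NUMBER:http_version})?|-)\" (%{NUMBER:response_status}|-) (?:%{NUMBER:bytes}|-) \"(%{NOTSPACE:referrer}|-)\" \"(?<agent>([\w\W]+?)|-)\"',
    "NGINXERRORLOG": r"%{NGINX_DATE:timestamp} \[%{LOGLEVEL:severity}\] %{POSINT:pid}#%{NUMBER}: %{NGINX_MESSAGE:message}(?:, client: %{IPORHOST:client})?(?:, server: %{IPORHOST:server})?(?:, request: %{QS:request})?(?:, host: %{QS:host})?",
}

LIBRARY = {**BUILTIN, **CUSTOM}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(name, library=LIBRARY):
    """Expand %{NAME} / %{NAME:field} references recursively, as grok does,
    and compile the result as a Python regex."""
    def expand(pattern):
        def sub(m):
            inner = expand(library[m.group(1)])
            if m.group(2):
                return "(?P<%s>%s)" % (m.group(2), inner)
            return "(?:%s)" % inner
        return GROK_REF.sub(sub, pattern)

    regex = expand(library[name])
    # Oniguruma-style (?<name>...) -> Python (?P<name>...); the (?<= and (?<!
    # lookbehinds are left untouched.
    regex = re.sub(r"\(\?<(?![=!])", "(?P<", regex)
    return re.compile(regex)


ACCESS_RE = compile_grok("NGINXACCESSLOG")
ERROR_RE = compile_grok("NGINXERRORLOG")


def grok_match(compiled, line):
    """Captured fields as a dict, or None for a line logstash would tag
    _grokparsefailure (grok searches, it does not anchor)."""
    m = compiled.search(line)
    return m.groupdict() if m else None


def parse_access(line):
    return grok_match(ACCESS_RE, line)


def parse_error(line):
    return grok_match(ERROR_RE, line)


# Constructed sample lines for this example, not captured from a real server.
SAMPLE_ACCESS = ('192.168.137.1 - - [10/Mar/2014:13:55:36 +0800] '
                 '"GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"')
# A client that sent no request line: every "-" alternative must take over.
SAMPLE_ACCESS_EMPTY = '10.0.0.5 - - [10/Mar/2014:13:55:40 +0800] "-" 400 0 "-" "-"'
SAMPLE_ERROR = ('2014/03/10 13:55:36 [error] 1234#0: *1 open() "/usr/local/nginx/html/x" '
                'failed (2: No such file or directory), client: 192.168.137.1, '
                'server: localhost, request: "GET /x HTTP/1.1", host: "192.168.137.101"')

if __name__ == "__main__":
    for sample in (SAMPLE_ACCESS, SAMPLE_ACCESS_EMPTY):
        print(parse_access(sample))
    print(parse_error(SAMPLE_ERROR))
```

Running the script prints one field dictionary per sample; a line the pattern cannot match returns None, which is what logstash turns into the _grokparsefailure tag. Two things are worth knowing before relying on the pattern: the greedy [\w\W]+ in the request group has to backtrack across the whole rest of the line to find the quote that closes the request, so very long or malformed request lines cost noticeably more than the lazy agent group does, and the request, referrer and agent fields are client-supplied text, so they should be treated as data in Kibana, never as anything to be interpreted.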
Run logstash
bin/logstash -f logstash.conf