关于ELK5.0.1的安装部署,请参考博文(
ELK 5.0.1+Filebeat5.0.1 for LINUX RHEL6.6 监控MongoDB日志),
本文重点说明如何适用filebeat实时监控mongodb数据库日志及在logstash正则解析mongodb日志。
部署完ELK5.0.1后,在需要监控mongodb日志的数据库服务器上部署filebeat来抓取日志,
首先需要修改filebeat配置文件:
[root@se122 filebeat-5.0.1]# pwd
/opt/filebeat-5.0.1
[root@se122 filebeat-5.0.1]#
[root@se122 filebeat-5.0.1]# ls
data filebeat filebeat.full.yml filebeat.template-es2x.json filebeat.template.json filebeat.yml scripts
[root@se122 filebeat-5.0.1]# cat filebeat.yml
filebeat :
prospectors :
-
paths :
- /root/rs0-0.log #filebeat负责实时监控的mongodb日志
document_type : mongodblog #指定filebeat发送到logstash的mongodb日志的文档类型为document_type,一定要指定(logstash接收解析匹配要使用)
input_type : log
registry_file :
/opt/filebeat-5.0.1/data/registry
output.logstash:
hosts: [" 10.117.194.228:5044"] #logstash服务部署的机器IP地址及运行的服务端口号
[root@se122 filebeat-5.0.1]#
其次修改logstash配置文件:
[root@rhel6 config]# pwd
/opt/logstash-5.0.1/config
[root@rhel6 config]# cat logstash_mongodb.conf
#input {
# stdin {}
#}
input{
beats {
host => "0.0.0.0"
port => 5044
type => mongodblog #指定filebeat输入的日志类型是mongodblog
}
}
filter {
if [type] == "mongodblog" { #过滤器,只处理filebeat发送过来的mogodblog日志数据
grok { #解析发送过来的mognodblog日志
match => ["message","%{TIMESTAMP_ISO8601:timestamp}\s+%{MONGO3_SEVERITY:severity}\s+%{MONGO3_COMPONENT:component}\s+(?:
}
if [component] =~ "WRITE" {
grok { #第二层解析body部分,提取mongodblog中的command_type、db_name、command、spend_time字段
match => ["body","%{WORD:command_type}\s+%{DATA:db_name}\s+\w+\:\s+%{GREEDYDATA:command}%{INT:spend_time}ms"]
}
} else {
grok {
match => ["body","\s+%{DATA:db_name}\s+\w+\:\s+%{WORD:command_type}\s+%{GREEDYDATA:command}protocol.*%{INT:spend_time}ms$"]
}
}
date {
match => [ "timestamp", "UNIX", "YYYY-MM-dd HH:mm:ss", "ISO8601"]
remove_field => [ "timestamp" ]
}
}
}
output{
elasticsearch {
hosts => ["192.168.144.230:9200"]
index => "mongod_log-%{+YYYY.MM}"
}
stdout {
codec => rubydebug
}
}
[root@rhel6 config]#
然后,确保ELK服务端的服务进程都已经开启,启动命令:
[elasticsearch@rhel6 ]"]
}
} else {
grok {
match => ["body","\s+%{DATA:db_name}\s+\w+\:\s+%{WORD:command_type}\s+%{GREEDYDATA:command}protocol.*%{INT:spend_time}ms$"]
}
}
date {
match => [ "timestamp", "UNIX", "YYYY-MM-dd HH:mm:ss", "ISO8601"]
remove_field => [ "timestamp" ]
}
}
}
output{
elasticsearch {
hosts => ["192.168.144.230:9200"]
index => "mongod_log-%{+YYYY.MM}"
}
stdout {
codec => rubydebug
}
}
[root@rhel6 config]#
然后,确保ELK服务端的服务进程都已经开启,启动命令:
[elasticsearch@rhel6 ] /home/elasticsearch/elasticsearch-5.0.1/bin/elasticsearch
[root@rhel6 ~]# /opt/logstash-5.0.1/bin/logstash -f /opt/logstash-5.0.1/config/logstash_mongodb.conf
[root@rhel6 ~]# /opt/kibana-5.0.1/bin/kibana
在远程端启动filebeat,开始监控mongodb日志:
[root@se122 filebeat-5.0.1]# /opt/filebeat-5.0.1/filebeat -e -c /opt/filebeat-5.0.1/filebeat.yml -d "Publish"
2017/02/16 05:50:40.931969 beat.go:264: INFO Home path: [/opt/filebeat-5.0.1] Config path: [/opt/filebeat-5.0.1] Data path: [/opt/filebeat-5.0.1/data] Logs path: [/opt/filebeat-5.0.1/logs]
2017/02/16 05:50:40.932036 beat.go:174: INFO Setup Beat: filebeat; Version: 5.0.1
2017/02/16 05:50:40.932167 logp.go:219: INFO Metrics logging every 30s
2017/02/16 05:50:40.932227 logstash.go:90: INFO Max Retries set to: 3
2017/02/16 05:50:40.932444 outputs.go:106: INFO Activated logstash as output plugin.
2017/02/16 05:50:40.932594 publish.go:291: INFO Publisher name: se122
2017/02/16 05:50:40.935437 async.go:63: INFO Flush Interval set to: 1s
2017/02/16 05:50:40.935473 async.go:64: INFO Max Bulk Size set to: 2048
2017/02/16 05:50:40.935745 beat.go:204: INFO filebeat start running.
2017/02/16 05:50:40.935836 registrar.go:66: INFO Registry file set to: /opt/filebeat-5.0.1/data/registry
2017/02/16 05:50:40.935905 registrar.go:99: INFO Loading registrar data from /opt/filebeat-5.0.1/data/registry
2017/02/16 05:50:40.936717 registrar.go:122: INFO States Loaded from registrar: 1
2017/02/16 05:50:40.936771 crawler.go:34: INFO Loading Prospectors: 1
2017/02/16 05:50:40.936860 prospector_log.go:40: INFO Load previous states from registry into memory
2017/02/16 05:50:40.936923 registrar.go:211: INFO Starting Registrar
2017/02/16 05:50:40.936939 sync.go:41: INFO Start sending events to output
2017/02/16 05:50:40.937148 spooler.go:64: INFO Starting spooler: spool_size: 2048; idle_timeout: 5s
2017/02/16 05:50:40.937286 prospector_log.go:67: INFO Previous states loaded: 1
2017/02/16 05:50:40.937404 crawler.go:46: INFO Loading Prospectors completed. Number of prospectors: 1
2017/02/16 05:50:40.937440 crawler.go:61: INFO All prospectors are initialised and running with 1 states to persist
2017/02/16 05:50:40.937478 prospector.go:106: INFO Starting prospector of type: log
2017/02/16 05:50:40.937745 log.go:84: INFO Harvester started for file: /root/rs0-0.log
我们看到,这里已经开始实时监控mongodb日志是/root/rs0-0.log;然后,我们去logstash开启的前台窗口,可以看到有如下信息:
{
"severity" => "I",
"offset" => 243843239,
"spend_time" => "0",
"input_type" => "log",
"source" => "/root/rs0-0.log",
"message" => "2017-02-04T14:03:30.025+0800 I COMMAND [conn272] command admin.cmdcommand:replSetGetStatusreplSetGetStatus:1keyUpdates:0writeConflicts:0numYields:0reslen:364locks:protocol:opquery0ms","type"=>"mongodblog","body"=>"commandadmin.cmd command: replSetGetStatus { replSetGetStatus: 1 } keyUpdates:0 writeConflicts:0 numYields:0 reslen:364 locks:{} protocol:op_query 0ms",
"command" => "{ replSetGetStatus: 1 } keyUpdates:0 writeConflicts:0 numYields:0 reslen:364 locks:{} ",
"tags" => [
[0] "beats_input_codec_plain_applied"
],
"component" => "COMMAND",
"@timestamp" => 2017-02-04T06:03:30.025Z,
"db_name" => "admin.$cmd",
"command_type" => "replSetGetStatus",
"@version" => "1",
"beat" => {
"hostname" => "se122",
"name" => "se122",
"version" => "5.0.1"
},
"host" => "se122",
"context" => "conn272"
}
这说明logstash按照配置文件正常过滤并按照指定的正则解析了mongodblog日志,再到kibana创建索引:
然后,就能在kibana自定义视图查看到监控到的Mongodb日志了:
本文重点说明如何适用filebeat实时监控mongodb数据库日志及在logstash正则解析mongodb日志。
部署完ELK5.0.1后,在需要监控mongodb日志的数据库服务器上部署filebeat来抓取日志,
首先需要修改filebeat配置文件:
[root@se122 filebeat-5.0.1]# pwd
/opt/filebeat-5.0.1
[root@se122 filebeat-5.0.1]#
[root@se122 filebeat-5.0.1]# ls
data filebeat filebeat.full.yml filebeat.template-es2x.json filebeat.template.json filebeat.yml scripts
[root@se122 filebeat-5.0.1]# cat filebeat.yml
filebeat :
prospectors :
-
paths :
- /root/rs0-0.log #filebeat负责实时监控的mongodb日志
document_type : mongodblog #指定filebeat发送到logstash的mongodb日志的文档类型为document_type,一定要指定(logstash接收解析匹配要使用)
input_type : log
registry_file :
/opt/filebeat-5.0.1/data/registry
output.logstash:
hosts: [" 10.117.194.228:5044"] #logstash服务部署的机器IP地址及运行的服务端口号
[root@se122 filebeat-5.0.1]#
其次修改logstash配置文件:
[root@rhel6 config]# pwd
/opt/logstash-5.0.1/config
[root@rhel6 config]# cat logstash_mongodb.conf
#input {
# stdin {}
#}
input{
beats {
host => "0.0.0.0"
port => 5044
type => mongodblog #指定filebeat输入的日志类型是mongodblog
}
}
filter {
if [type] == "mongodblog" { #过滤器,只处理filebeat发送过来的mogodblog日志数据
grok { #解析发送过来的mognodblog日志
match => ["message","%{TIMESTAMP_ISO8601:timestamp}\s+%{MONGO3_SEVERITY:severity}\s+%{MONGO3_COMPONENT:component}\s+(?:
}
if [component] =~ "WRITE" {
grok { #第二层解析body部分,提取mongodblog中的command_type、db_name、command、spend_time字段
match => ["body","%{WORD:command_type}\s+%{DATA:db_name}\s+\w+\:\s+%{GREEDYDATA:command}%{INT:spend_time}ms"]
}
} else {
grok {
match => ["body","\s+%{DATA:db_name}\s+\w+\:\s+%{WORD:command_type}\s+%{GREEDYDATA:command}protocol.*%{INT:spend_time}ms$"]
}
}
date {
match => [ "timestamp", "UNIX", "YYYY-MM-dd HH:mm:ss", "ISO8601"]
remove_field => [ "timestamp" ]
}
}
}
output{
elasticsearch {
hosts => ["192.168.144.230:9200"]
index => "mongod_log-%{+YYYY.MM}"
}
stdout {
codec => rubydebug
}
}
[root@rhel6 config]#
然后,确保ELK服务端的服务进程都已经开启,启动命令:
[elasticsearch@rhel6 ]"]
}
} else {
grok {
match => ["body","\s+%{DATA:db_name}\s+\w+\:\s+%{WORD:command_type}\s+%{GREEDYDATA:command}protocol.*%{INT:spend_time}ms$"]
}
}
date {
match => [ "timestamp", "UNIX", "YYYY-MM-dd HH:mm:ss", "ISO8601"]
remove_field => [ "timestamp" ]
}
}
}
output{
elasticsearch {
hosts => ["192.168.144.230:9200"]
index => "mongod_log-%{+YYYY.MM}"
}
stdout {
codec => rubydebug
}
}
[root@rhel6 config]#
然后,确保ELK服务端的服务进程都已经开启,启动命令:
[elasticsearch@rhel6 ] /home/elasticsearch/elasticsearch-5.0.1/bin/elasticsearch
[root@rhel6 ~]# /opt/logstash-5.0.1/bin/logstash -f /opt/logstash-5.0.1/config/logstash_mongodb.conf
[root@rhel6 ~]# /opt/kibana-5.0.1/bin/kibana
在远程端启动filebeat,开始监控mongodb日志:
[root@se122 filebeat-5.0.1]# /opt/filebeat-5.0.1/filebeat -e -c /opt/filebeat-5.0.1/filebeat.yml -d "Publish"
2017/02/16 05:50:40.931969 beat.go:264: INFO Home path: [/opt/filebeat-5.0.1] Config path: [/opt/filebeat-5.0.1] Data path: [/opt/filebeat-5.0.1/data] Logs path: [/opt/filebeat-5.0.1/logs]
2017/02/16 05:50:40.932036 beat.go:174: INFO Setup Beat: filebeat; Version: 5.0.1
2017/02/16 05:50:40.932167 logp.go:219: INFO Metrics logging every 30s
2017/02/16 05:50:40.932227 logstash.go:90: INFO Max Retries set to: 3
2017/02/16 05:50:40.932444 outputs.go:106: INFO Activated logstash as output plugin.
2017/02/16 05:50:40.932594 publish.go:291: INFO Publisher name: se122
2017/02/16 05:50:40.935437 async.go:63: INFO Flush Interval set to: 1s
2017/02/16 05:50:40.935473 async.go:64: INFO Max Bulk Size set to: 2048
2017/02/16 05:50:40.935745 beat.go:204: INFO filebeat start running.
2017/02/16 05:50:40.935836 registrar.go:66: INFO Registry file set to: /opt/filebeat-5.0.1/data/registry
2017/02/16 05:50:40.935905 registrar.go:99: INFO Loading registrar data from /opt/filebeat-5.0.1/data/registry
2017/02/16 05:50:40.936717 registrar.go:122: INFO States Loaded from registrar: 1
2017/02/16 05:50:40.936771 crawler.go:34: INFO Loading Prospectors: 1
2017/02/16 05:50:40.936860 prospector_log.go:40: INFO Load previous states from registry into memory
2017/02/16 05:50:40.936923 registrar.go:211: INFO Starting Registrar
2017/02/16 05:50:40.936939 sync.go:41: INFO Start sending events to output
2017/02/16 05:50:40.937148 spooler.go:64: INFO Starting spooler: spool_size: 2048; idle_timeout: 5s
2017/02/16 05:50:40.937286 prospector_log.go:67: INFO Previous states loaded: 1
2017/02/16 05:50:40.937404 crawler.go:46: INFO Loading Prospectors completed. Number of prospectors: 1
2017/02/16 05:50:40.937440 crawler.go:61: INFO All prospectors are initialised and running with 1 states to persist
2017/02/16 05:50:40.937478 prospector.go:106: INFO Starting prospector of type: log
2017/02/16 05:50:40.937745 log.go:84: INFO Harvester started for file: /root/rs0-0.log
我们看到,这里已经开始实时监控mongodb日志是/root/rs0-0.log;然后,我们去logstash开启的前台窗口,可以看到有如下信息:
{
"severity" => "I",
"offset" => 243843239,
"spend_time" => "0",
"input_type" => "log",
"source" => "/root/rs0-0.log",
"message" => "2017-02-04T14:03:30.025+0800 I COMMAND [conn272] command admin.cmdcommand:replSetGetStatusreplSetGetStatus:1keyUpdates:0writeConflicts:0numYields:0reslen:364locks:protocol:opquery0ms","type"=>"mongodblog","body"=>"commandadmin.cmd command: replSetGetStatus { replSetGetStatus: 1 } keyUpdates:0 writeConflicts:0 numYields:0 reslen:364 locks:{} protocol:op_query 0ms",
"command" => "{ replSetGetStatus: 1 } keyUpdates:0 writeConflicts:0 numYields:0 reslen:364 locks:{} ",
"tags" => [
[0] "beats_input_codec_plain_applied"
],
"component" => "COMMAND",
"@timestamp" => 2017-02-04T06:03:30.025Z,
"db_name" => "admin.$cmd",
"command_type" => "replSetGetStatus",
"@version" => "1",
"beat" => {
"hostname" => "se122",
"name" => "se122",
"version" => "5.0.1"
},
"host" => "se122",
"context" => "conn272"
}
这说明logstash按照配置文件正常过滤并按照指定的正则解析了mongodblog日志,再到kibana创建索引:
然后,就能在kibana自定义视图查看到监控到的Mongodb日志了:
