A Quick Guide to Analyzing Apache Logs on Alibaba Cloud Log Service

本文涉及的产品
检索分析服务 Elasticsearch 版,2核4GB开发者规格 1个月
日志服务 SLS,月写入数据量 50GB 1个月
简介: This article describes how you can deploy Logstash and Kibana on Alibaba Cloud Log Service to monitor, analyze, and visualize Apache logs.

With Alibaba Cloud Log Service, there are several methods available for you to collect upstream data. You can use the built-in LogSearch and LogAnalytics functions, or you can deploy the more familiar ElasticSearch, Logstash, and Kibana (ELK) stack. In this article, we will discuss how you can build your own ELK stack on Alibaba Cloud Log Service to analyze and monitor Apache logs.

Installing Logstash within the ECS

First, we need to install and deploy Logstash within the ECS. When you subscribe to the ECS service, be sure to prepare JDK version 1.8 or higher.

wget https://artifacts.elastic.co/downloads/logstash/logstash-5.5.3.tar.gz

Decompress and install

tar -xzvf logstash-5.5.3.tar.gz

Establishing the Logstash Pipeline

In order to write data to ElasticSearch with Logstash, first we need to establish a Logstash pipeline, which has three parts:

input {   
}
# a note in this section indicates that this filter can be selected
filter {  
}
output {   
}

  • Set input to the data source
  • Set output to the target
  • A filter is optional, you can normally use it to set data filtering logic

Settings for this section are quite simple. Create a .conf file in the Logstash directory, then set input and output according to the following format:

input {
    file {
        path => "/usr/local/demoData/*.log"
        start_position => beginning
    }
}
output {
    ElasticSearch {
        hosts => ["http://*******************:9200"]
        user => "*******"
        password => "***********"
    }
}

Note: Because ElasticSearch is preset with the X-Pack plugin, you must verify all access. This will require you to set a username and password in the output.

Let us take a case where we need to send the Apache log indexing frequently generated by Alibaba Cloud ECS to ElasticSearch. We can deploy Logstash to the ECS on which the web server is running. If there are concerns about this affecting the application running on the web server, you can deploy Logstash to any accessible ECS over the network.

Note: Logstash input can handle different forms of input. If you have deployed a Logstash to a network-accessible ECS, you will need to configure an http template as an input as follows:

input {
 http {
      host => "**********"
   port => "**********"
 }
}

Because ElasticSearch is deployed in a VPC environment, if the ECS on which Logstash is deployed is on a classic network, then the VPC needs to be connected to via the Classiclink method.

Analyzing Apache Logs Using Logstash Filter

Let us now see how one can quickly analyze Apache logs using a Logstash filter. An Apache log typically contains the following information:

1

To retrieve user distribution information from the log and make it more intuitive for non-technical users, we can use the Gork filter to analyze the Apache network logs.

filter {
    grok {
        match => { "message" => "%{COMBINEDAPACHELOG}"}
    }
}

We can take the original log information:

66.249.73.135 - - [04/Jan/2015:05:30:06 +0000] "GET /blog/web/firefox-scrolling-fix.html HTTP/1.1" 200 8956 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Then filter it into standard JSON structure:

{
"clientip" : "66.249.73.135",
"ident" : ,
"auth" : ,
"timestamp" : "04/Jan/2015:05:30:06 +0000",
"verb" : "GET",
"request" : "/blog/web/firefox-scrolling-fix.html",
"httpversion" : "HTTP/1.1",
"response" : "200",
"bytes" : "8956",
"referrer" : "http://www.google.com/bot.html",
"agent" : "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25"
}

We can then extract the IP to discern the user location using geoip.

filter {
    geoip {
        source => "clientip"
    }
}

Once we have the address information from the IP, we can enter a geoip field into the log information. We can receive the following information by checking an IP with geoip:

"geoip":{
        "timezone":"America/Los_Angeles",
        "ip":"66.249.73.135",
        "latitude":37.419200000000004,
        "continent_code":"NA",
        "city_name":"Mountain View",
        "country_name":"United States",
        "country_code2":"US",
        "dma_code":807,
        "country_code3":"US",
        "region_name":"California",
        "location":{
               "lon":-122.0574,
               "lat":37.419200000000004
        },
        "postal_code":"94043",
        "region_code":"CA",
        "longitude":-122.0574
},

Using Kibana, we can use the coordinate information stored in the location key from geoip. Subsequently, we can then create a visualization of the geographic distribution of users’ access locations.

With the above method, we can analyze ECS logs in batch and complete the configuration in Kibana.

You can get more information on Configuring Logstash here.

Conclusion

You can analyze and monitor logs with the LogSearch and LogAnalytics on Alibaba Cloud Log Service, or deploy your own ElasticSearch, Logstash, and Kibana (ELK) stack. Each option comes with its own set of benefits, and the effectiveness is highly dependent on your application.

I hope this blog helped you understand how you can install Logstash on Alibaba Cloud ECS and use it for analysis of Apache logs. To know more about Alibaba Cloud Log Service, visit the official product page or the official product documentation.

相关实践学习
日志服务之使用Nginx模式采集日志
本文介绍如何通过日志服务控制台创建Nginx模式的Logtail配置快速采集Nginx日志并进行多维度分析。
目录
相关文章
|
4月前
|
SQL Java Serverless
实时计算 Flink版操作报错合集之在写入SLS(Serverless Log Service)时出现报错,该如何排查
在使用实时计算Flink版过程中,可能会遇到各种错误,了解这些错误的原因及解决方法对于高效排错至关重要。针对具体问题,查看Flink的日志是关键,它们通常会提供更详细的错误信息和堆栈跟踪,有助于定位问题。此外,Flink社区文档和官方论坛也是寻求帮助的好去处。以下是一些常见的操作报错及其可能的原因与解决策略。
|
2月前
|
消息中间件 存储 监控
Kafka的logs目录下的文件都是什么日志?
Kafka的logs目录下的文件都是什么日志?
136 11
|
3月前
|
开发框架 .NET Docker
【Azure 应用服务】App Service .NET Core项目在Program.cs中自定义添加的logger.LogInformation,部署到App Service上后日志不显示Log Stream中的问题
【Azure 应用服务】App Service .NET Core项目在Program.cs中自定义添加的logger.LogInformation,部署到App Service上后日志不显示Log Stream中的问题
|
3月前
|
Go 开发者
【应用服务 App Service】App Service发生错误请求时,如何查看IIS Freb日志,从中得知错误所发生的模块,请求中所携带的Header信息
【应用服务 App Service】App Service发生错误请求时,如何查看IIS Freb日志,从中得知错误所发生的模块,请求中所携带的Header信息
|
3月前
|
网络协议 Go Windows
【应用服务 App Service】App Service中抓取网络日志
【应用服务 App Service】App Service中抓取网络日志
|
3月前
|
Ubuntu Linux 测试技术
在Linux中,已知 apache 服务的访问日志按天记录在服务器本地目录/app/logs 下,由于磁盘空间紧张现在要求只能保留最近7天的访问日志,请问如何解决?
在Linux中,已知 apache 服务的访问日志按天记录在服务器本地目录/app/logs 下,由于磁盘空间紧张现在要求只能保留最近7天的访问日志,请问如何解决?
|
3月前
|
网络安全
【Azure Service Bus】启用诊断日志来获取客户端访问Azure Service Bus的IP地址 [2024-03-26 实验结果失败]
【Azure Service Bus】启用诊断日志来获取客户端访问Azure Service Bus的IP地址 [2024-03-26 实验结果失败]
|
3月前
|
API
【Azure 应用服务】当在Azure App Service的门户上 Log Stream 日志无输出,需要如何操作让其输出Application Logs呢?
【Azure 应用服务】当在Azure App Service的门户上 Log Stream 日志无输出,需要如何操作让其输出Application Logs呢?
|
3月前
|
API
【Azure 服务总线】查看Service Bus中消息多次发送的日志信息,消息是否被重复消费
【Azure 服务总线】查看Service Bus中消息多次发送的日志信息,消息是否被重复消费
|
3月前
|
XML 数据格式 Windows
【Azure 云服务】Azure Cloud Service (Extended Support) 云服务开启诊断日志插件 WAD Extension (Windows Azure Diagnostic) 无法正常工作的原因
【Azure 云服务】Azure Cloud Service (Extended Support) 云服务开启诊断日志插件 WAD Extension (Windows Azure Diagnostic) 无法正常工作的原因

推荐镜像

更多