目录

  • ELK收集nginx日志
  • 1. 先搭建ELK
  • 2. 安装nginx服务
  • 3. 安装ab压测工具,生成测试数据
  • 4. 编辑nginx.conf文件
  • 5, 验证index是否创建成功!
  • 6. 编辑"%{NGX} 匹配模式
  • 7. 可视化操作
  • 告警配置
  • 1. 安装python3 环境
  • 2. 设置软链接
  • 3. 安装alert告警插件
  • 4. 安装alert 插件
  • 5. 安装依赖包
  • 6. 设置软连接
  • 7. 编辑主配置文件
  • 8. 设置告警规则


ELK收集nginx日志

1. 先搭建ELK


2. 安装nginx服务

192.168.179.131

yum -y install epel-release ------安装依赖

yum -y install nginx -----安装nginx

systemctl start nginx -----启动nginx

kill不掉nginx_linux

3. 安装ab压测工具,生成测试数据

yum -y install httpd-tools -----安装工具

ab -n 1000 -c 1000 http://192.168.179.130/index.html
-n:请求数
-c:并发数
注意:并发数不能大于请求数!

4. 编辑nginx.conf文件

vim /etc/logstash/conf.d/nginx.conf ------编辑文件
input{
	file{
		path => "/var/log/nginx/access.log"
		type => "nginx-log"
		start_position => "beginning"
	}	
}
filter{
	grok{
		match => {"message" => "%{NGX}"}	
	}
}
output{
	elasticsearch{
		hosts => "192.168.179.130:9200"
		index => "nginx_log-%{+YYYY.MM.dd}"
	}
}
[root@localhost]# vim /etc/logstash/pipelines.yml -----编辑文件
- : nginx
  path.config: "/etc/logstash/conf.d/nginx.conf"
[root@localhost]# cd /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-patterns-core-4.1.2/patterns/ -----进入目录
[root@localhost patterns]# vim nginx 
NGX %{IPORHOST:client_ip} (%{USER:ident}|- ) (%{USER:auth}|-) \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)" %{NUMBER:status} (?:%{NUMBER:bytes}|-) "(?:%{URI:referrer}|-)" "%{GREEDYDATA:agent}"

[root@localhost]# chmod 777 /var/log -R -----授权

[root@localhost]# systemctl start logstash -----启动服务

5, 验证index是否创建成功!

192.168.179.130

[root@localhost]# ab -n100 -c 100 http://192.168.179.131/index.html -----做压测,生成测试数据

kill不掉nginx_centos_02

6. 编辑"%{NGX} 匹配模式

cd /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-patterns-core-4.1.2/patterns/ -----进入目录

vim nginx -----编辑文件
NGX %{IPORHOST:client_ip} (%{USER:ident}|- ) (%{USER:auth}|-) \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)" %{NUMBER:status} (?:%{NUMBER:bytes}|-) "(?:%{URI:referrer}|-)" "%{GREEDYDATA:agent}"

7. 可视化操作

先删除原来的收集的nginx日志

kill不掉nginx_nginx_03


kill不掉nginx_linux_04


kill不掉nginx_centos_05

kill不掉nginx_kill不掉nginx_06

压测生成nginx日志

kill不掉nginx_centos_07


kill不掉nginx_centos_08


kill不掉nginx_kill不掉nginx_09


kill不掉nginx_kill不掉nginx_10


kill不掉nginx_linux_11


kill不掉nginx_linux_12


kill不掉nginx_nginx_13


kill不掉nginx_python_14

进行可视化操作

kill不掉nginx_kill不掉nginx_15


kill不掉nginx_kill不掉nginx_16


kill不掉nginx_linux_17


kill不掉nginx_python_18


kill不掉nginx_centos_19

vim /etc/nginx/nginx.conf.default -----编辑配置文件

kill不掉nginx_linux_20

nginx -s reload -----重载nginx

ab -n10 -c http://192.168.179.131/haha -----压测生成

kill不掉nginx_linux_21

kill不掉nginx_centos_22


kill不掉nginx_centos_23


kill不掉nginx_kill不掉nginx_24


kill不掉nginx_python_25


kill不掉nginx_nginx_26


kill不掉nginx_python_27


kill不掉nginx_linux_28


kill不掉nginx_linux_29


kill不掉nginx_python_30


kill不掉nginx_kill不掉nginx_31


kill不掉nginx_centos_32


kill不掉nginx_kill不掉nginx_33


kill不掉nginx_nginx_34


kill不掉nginx_linux_35


kill不掉nginx_linux_36


kill不掉nginx_kill不掉nginx_37


kill不掉nginx_kill不掉nginx_38


kill不掉nginx_linux_39


kill不掉nginx_nginx_40


kill不掉nginx_linux_41

告警配置

1. 安装python3 环境

yum -y install openssl openssl-devel gcc  gcc-c++ -----安装依赖

cd /usr/local/src/

上传包
Python-3.6.2.tgz  v0.2.1_elasticalert.tar.gz

tar xzf Python-3.6.2.tgz -----解压包

cd Python-3.6.2

./configure --prefix=/usr/local/python3 --with-openssl

make && make install

2. 设置软链接

rm -rf /usr/bin/python

ln -s /usr/local/python3/bin/python3.6 /usr/bin/python

ln -s /usr/local/python3/bin/pip3.6 /usr/bin/pip

3. 安装alert告警插件

vim /usr/bin/yum -----将python 修改为python2

kill不掉nginx_python_42

vim /usr/libexec/urlgrabber-ext-down -----将python 修改为python2

kill不掉nginx_nginx_43

4. 安装alert 插件

cd /usr/local/src

tar zxvf v0.2.1_elasticalert.tar.gz -----解压包

 mv elastalert-0.2.1/ /usr/local/elastalert -----改名

5. 安装依赖包

pip install "elasticsearch<7,>6"
pip install -r requirements.txt
python setup.py install生成4个命令:
ll /usr/local/python3/bin
-rwxr-xr-x. 1 root root      422 9月  16 15:32 elastalert-create-index
-rwxr-xr-x. 1 root root      396 9月  16 15:32 elastalert
-rwxr-xr-x. 1 root root      430 9月  16 15:32 elastalert-rule-from-

kibana
-rwxr-xr-x. 1 root root      416 9月  16 15:32 elastalert-test-rule

6. 设置软连接

ln -s /usr/local/python3/bin/elastalert* /usr/bin/
elastalert-create-index
192.168.179.130
9200
f

7. 编辑主配置文件

[root@localhost elastalert]# pwd
/usr/local/elastalert
改名字:
mv config.yaml.example config.yaml
vim config.yaml
es_host: 192.168.179.130

8. 设置告警规则

[root@localhost example_rules]# pwd
/usr/local/elastalert/example_rules

mv example_frequency.yaml nginx_frequency.yaml
vim nginx_frequency.yaml
es_host: 192.168.179.130
es_port: 9200
name: nginx frequency rule
index: nginx_log-*
num_events: 5


#- term:
#    sime_field: "some_value" 在它上面添加
filter:
  - regexp:
	message: *.*"

email:
- "1329826156@"
smtp_host: smtp.
smtp_port: 25
smtp_auth_file: /usr/local/elastalert/example_rules/email_auth.yaml
from_addr: 1329826156@

yum -y install mailx
vim /etc/mail.rc
set from=1329826156@ 
set smtp=smtp.
set smtp-auth-user=1329826156@
set smtp-auth-password=jphbuvhsukqphhfa
set smtp-auth=login

echo "hehe"|mail -s "主题" 1329826156@ 测试邮件

vim eamil_auth.yaml
user: "1329826156@"
password: "jphbuvhsukqphhfa"

elastalert --config 
/usr/local/elastalert/config.yaml --rule 

/usr/local/elastalert/example_rules/nginx_frequency.yaml --verbose