ELK学习笔记之ELK搜集OpenStack节点日志

ELK学习笔记之ELK搜集OpenStack节点日志

模板来自网络，模板请不要直接复制，先放到notepad++内调整好格式，注意缩进

部署架构

控制节点作为日志服务器，存储所有 OpenStack 及其相关日志。Logstash 部署于所有节点，收集本节点下所需收集的日志，然后以网络(node/Elasticsearch，Kibana 作为 web portal 提供展示日志信息：

日志格式

为了提供快速直观的检索功能，对于每一条 OpenStack 日志，我们希望它能包含以下属性，用于检索和过滤：

Host: 如 controller01，compute01 等Service Name: 如 nova-api, neutron-server 等Module: 如 nova.filtersLog Level: 如 DEBUG, INFO, ERROR 等Log dateRequest ID: 某次请求的 Request ID

以上属性可以通过 Logstash 实现，通过提取日志的关键字段，从而获上述几种属性，并在 Elasticsearch 建立索引。

控制节点的logstash配置

input { file { path => ['/var/log/nova/nova-api.log'] tags => ['nova', 'oslofmt'] type => "nova-api" } file { path => ['/var/log/nova/nova-conductor.log'] tags => ['nova-conductor', 'oslofmt'] type => "nova" } file { path => ['/var/log/nova/nova-manage.log'] tags => ['nova-manage', 'oslofmt'] type => "nova" } file { path => ['/var/log/nova/nova-scheduler.log'] tags => ['nova-scheduler', 'oslofmt'] type => "nova" } file { path => ['/var/log/nova/nova-spicehtml5proxy.log'] tags => ['nova-spice', 'oslofmt'] type => "nova" } file { path => ['/var/log/keystone/keystone-all.log'] tags => ['keystone', 'keystonefmt'] type => "keystone" } file { path => ['/var/log/keystone/keystone-manage.log'] tags => ['keystone', 'keystonefmt'] type => "keystone" } file { path => ['/var/log/glance/api.log'] tags => ['glance', 'oslofmt'] type => "glance-api" } file { path => ['/var/log/glance/registry.log'] tags => ['glance', 'oslofmt'] type => "glance-registry" } file { path => ['/var/log/glance/scrubber.log'] tags => ['glance', 'oslofmt'] type => "glance-scrubber" } file { path => ['/var/log/heat/heat.log'] tags => ['heat', 'oslofmt'] type => "heat" } file { path => ['/var/log/neutron/neutron-server.log'] tags => ['neutron', 'oslofmt'] type => "neutron-server" } file { path => ['/var/log/rabbitmq/rabbit@<%= @hostname %>.log'] tags => ['rabbitmq', 'oslofmt'] type => "rabbitmq" } file { path => ['/var/log/ tags => ['horizon'] type => "horizon" } file { path => ['/var/log/ tags => ['horizon'] type => "horizon" } file { path => ['/var/log/ tags => ['horizon'] type => "horizon" } file { path => ['/var/log/ tags => ['horizon'] type => "horizon" }}filter { if "oslofmt" in [tags] { multiline { negate => true pattern => "^%{TIMESTAMP_ISO8601} " what => "previous" } multiline { negate => false pattern => "^%{TIMESTAMP_ISO8601}%{SPACE}%{NUMBER}?%{SPACE}?TRACE" what => "previous" } grok { # Do multiline matching as the above mutliline filter may add newlines # to the log messages. # TODO move the LOGLEVELs into a proper grok pattern. match => { "message" => "(?m)^%{TIMESTAMP_ISO8601:logdate}%{SPACE}%{NUMBER:pid}?%{SPACE}?(?AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) \[?\b%{NOTSPACE:module}\b\]?%{SPACE}?%{GREEDYDATA:logmessage}?" } add_field => { "received_at" => "%{@timestamp}" } } } else if "keystonefmt" in [tags] { grok { # Do multiline matching as the above mutliline filter may add newlines # to the log messages. # TODO move the LOGLEVELs into a proper grok pattern. match => { "message" => "(?m)^%{TIMESTAMP_ISO8601:logdate}%{SPACE}%{NUMBER:pid}?%{SPACE}?(?AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) \[?\b%{NOTSPACE:module}\b\]?%{SPACE}?%{GREEDYDATA:logmessage}?" } add_field => { "received_at" => "%{@timestamp}" } } if [module] == "iso8601.iso8601" { # log message for each part of the date? Really? drop {} } } else if "libvirt" in [tags] { grok { match => { "message" => "(?m)^%{TIMESTAMP_ISO8601:logdate}:%{SPACE}%{NUMBER:code}:?%{SPACE}\[?\b%{NOTSPACE:loglevel}\b\]?%{SPACE}?:?%{SPACE}\[?\b%{NOTSPACE:module}\b\]?%{SPACE}?%{GREEDYDATA:logmessage}?" } add_field => { "received_at" => "%{@timestamp}"} } mutate { uppercase => [ "loglevel" ] } } else if [type] == "syslog" { grok { match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:logmessage}" } add_field => [ "received_at", "%{@timestamp}" ] } syslog_pri { severity_labels => ["ERROR", "ERROR", "ERROR", "ERROR", "WARNING", "INFO", "INFO", "DEBUG" ] } date { match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ] } if !("_grokparsefailure" in [tags]) { mutate { replace => [ "@source_host", "%{syslog_hostname}" ] } } mutate { remove_field => [ "syslog_hostname", "syslog_timestamp" ] add_field => [ "loglevel", "%{syslog_severity}" ] add_field => [ "module", "%{syslog_program}" ] } }}output { elasticsearch { hosts => ["172.26.13.3:9200","172.26.13.4:9200","172.26.13.5:9200"] index => "log-conrtoller-%{+YYYY-MM-dd}" }}

计算节点的logstash配置

input { file { path => ['/var/log/messages'] tags => ['system_messages'] type => "system_messages" } file { path => ['/var/log/secure'] tags => ['system_secure'] type => "system_secure" }}output { elasticsearch { hosts => ["172.26.13.3:9200","172.26.13.4:9200","172.26.13.5:9200"] index => "log-cpmpute-%{+YYYY-MM-dd}" } }

neutron-server节点的logstash配置

input { file{ type => "neutron" path=>"/var/log/neutron/server.log" }}output { elasticsearch{

hosts => ["172.26.13.3:9200","172.26.13.4:9200","172.26.13.5:9200"] index => "log-neutron-server-%{+YYYY-MM-dd}"

} }

网络节点的logstash配置

input { file{ type => "neutron" path=>"/var/log/neutron/openvswitch-agent.log" } file{ type => "neutron" path=>"/var/log/neutron/metadata-agent.log" } file{ type => "neutron" path=>"/var/log/neutron/metering-agent.log" } file{ type => "neutron" path=>"/var/log/neutron/dhcp-agent.log" } file{ type => "neutron" path=>"/var/log/neutron/vpn-agent.log" } file{ type => "neutron" path=>"/var/log/neutron/lbaas-agent.log" } file{ type => "neutron" path=>"/var/log/neutron/ha-agent.log" }}output { elasticsearch{ hosts => ["172.26.13.3:9200","172.26.13.4:9200","172.26.13.5:9200"]

index => "log-neutron-%{+YYYY-MM-dd}"

} }

nova-api节点的logstash配置

input { file{ type => "nova" path=>"/var/log/nova/nova-scheduler.log" path=>"/var/log/nova/nova-novncproxy.log" path=>"/var/log/nova/nova-consoleauth.log" path=>"/var/log/nova/nova-conductor.log" path=>"/var/log/nova/nova-cert.log" path=>"/var/log/nova/nova-api.log" }}output { elasticsearch{ hosts => ["172.26.13.3:9200","172.26.13.4:9200","172.26.13.5:9200"]

index => "log-nova-api-%{+YYYY-MM-dd}"

} }

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。