Elastic Stack
- Elasticsearch: log persistence
- filebeat: log collection
- Kibana: log display
- elastalert: log alerting (see the elastalert website)
- Elastic Observability APM: metrics monitoring (java-agent)
- Split and aggregate logs by level with logback
- Install filebeat on the host
  - Configure the inputs plugin
    - Configure the collection paths
    - Configure the multiline matching rules
    - Configure tags
  - Configure the output plugin
    - Choose output to Logstash or directly to Elasticsearch
    - Configure the ES index template rules
    - Configure the index shard and replica rules
  - Optionally configure a processor to format the timestamp
- In Kibana, configure an Index Pattern to match the indices and visualise them
- Configure elastalert
  - Install Python 3.11 or later, or use Anaconda
  - Edit config.yml to set the ES host and username/password
  - In config.yml, set run_every (query interval), buffer_time (buffer window), the alert rules directory, etc.
  - Write rule.yaml alert rules
    - Choose a suitable alert type
    - Configure the filter (see the ES query DSL)
      - errors can be matched on the tags configured in filebeat
    - Configure the alert recovery interval
    - Choose a suitable alert channel: webhook, dingtalk, jira etc. are supported natively; to add one, implement it in Python as described in the official docs
  - Start elastalert
- APM monitoring (optional)
  - The Elastic Stack's built-in APM runs as a Java agent: download the specified jar from Maven Central and start it as described in the official docs
  - Custom metrics monitoring: earlier based on Spring Actuator
Reference configuration
filebeat.yml
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - C:\Users\JimWu\Desktop\test_log\info/*.log
    multiline.pattern: '^20'   # multiline rule: a line starting with "20" (the year) begins a new event
    multiline.negate: true     # lines that do NOT match the pattern are merged with the previous line
    multiline.match: after     # appended to the end of the preceding matching line
    tags: ["demo", "info"]
  - type: log
    enabled: true
    paths:
      - C:\Users\JimWu\Desktop\test_log\*-error-*.log
    multiline.pattern: '^20'   # multiline rule
    multiline.negate: true     # merge non-matching lines into the previous event
    multiline.match: after     # append to the end of the preceding matching line
    tags: ["demo", "error"]

output.elasticsearch:
  hosts: ["localhost:9200"]
  username: "elastic"
  password: "elastic"
  indices:
    - index: "demo-%{+yyyy.MM.dd}"
      when.contains:
        tags: "demo"

setup.ilm.enabled: false          # the key is "enabled" ("setup.ilm.enable" is not a filebeat setting)
setup.template.name: "demo-log"
setup.template.pattern: "demo-*"  # must cover the "demo-<date>" indices written above; "demo-dev-*" would never apply the template
setup.template.overwrite: false
setup.template.settings:
  index.number_of_shards: 1
  index.number_of_replicas: 1

processors:
  - script:
      lang: javascript
      id: my_filter
      tag: enable
      source: |
        function process(event) {
          var str = event.Get("message");
          var reg = /\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}/;
          var found = str.match(reg);
          /* an event without a timestamp (e.g. a stray line) must not make the processor fail */
          if (found) {
            event.Put("log_time", found[0]);
          }
        }
  - timestamp:
      field: log_time
      timezone: Asia/Shanghai
      ignore_missing: true          # events with no log_time keep the ingest @timestamp
      layouts:
        - '2006-01-02 15:04:05'
        - '2006-01-02 15:04:05.999'
      test:
        - '2019-06-22 16:33:51'
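To show what the multiline settings, the script processor and the timestamp processor above do to a stream of log lines, here is an added Python model of that pipeline. It is not filebeat's code and not part of the original notes: it reproduces multiline.negate: true with multiline.match: after, the timestamp regex, and the layout parsing with the Asia/Shanghai offset, and it includes the missing-timestamp guard. The log lines are constructed samples.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines, shaped like logback output with "yyyy-MM-dd HH:mm:ss.SSS"
# stamps; the first line is a stamp-less banner, the exception lines are continuations.
SAMPLE_LINES = [
    "Starting demo application",
    "2019-06-22 16:33:51.123 ERROR [main] c.e.Demo - boom",
    "java.lang.IllegalStateException: boom",
    "\tat c.e.Demo.main(Demo.java:10)",
    "2019-06-22 16:33:52.456 INFO  [main] c.e.Demo - recovered",
]

MULTILINE_PATTERN = re.compile(r"^20")          # multiline.pattern: '^20'
TIME_REGEX = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}")
LAYOUTS = ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M:%S.%f")  # strptime forms of the Go layouts
SHANGHAI = timezone(timedelta(hours=8))          # timezone: Asia/Shanghai (no DST)


def aggregate_multiline(lines, pattern=MULTILINE_PATTERN, negate=True):
    """Model of multiline.negate / multiline.match: after.

    With negate: true, a line that does NOT match the pattern is a continuation
    and is appended to the previous event; a matching line starts a new event.
    A continuation with no preceding event is emitted on its own.
    """
    events = []
    for line in lines:
        is_continuation = pattern.search(line) is not None
        if negate:
            is_continuation = not is_continuation
        if is_continuation and events:
            events[-1] += "\n" + line
        else:
            events.append(line)
    return events


def extract_log_time(message):
    """Same job as the page's JavaScript script processor, with the guard the
    original lacks: return None instead of failing when there is no stamp."""
    found = TIME_REGEX.search(message)
    return found.group(0) if found else None


def parse_log_time(log_time, layouts=LAYOUTS, tz=SHANGHAI):
    """Model of the timestamp processor: try each layout in order, then attach
    the configured timezone. Returns None when no layout fits."""
    for layout in layouts:
        try:
            return datetime.strptime(log_time, layout).replace(tzinfo=tz)
        except ValueError:
            continue
    return None


def process(lines):
    """Run the whole pipeline: multiline -> log_time -> @timestamp (UTC ISO-8601).
    Events without a usable stamp are kept but get no @timestamp here, which is
    the behaviour ignore_missing: true gives the timestamp processor in filebeat."""
    events = []
    for message in aggregate_multiline(lines):
        event = {"message": message}
        log_time = extract_log_time(message)
        if log_time is not None:
            event["log_time"] = log_time
            stamped = parse_log_time(log_time)
            if stamped is not None:
                event["@timestamp"] = stamped.astimezone(timezone.utc).isoformat()
        events.append(event)
    return events


if __name__ == "__main__":
    for event in process(SAMPLE_LINES):
        print(event)
```

Running it shows three events: the banner line without a timestamp, the ERROR line with its two stack-trace lines folded into one message, and the INFO line; the 16:33:51.123 local stamp becomes 08:33:51.123 UTC in @timestamp.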
APM
java -javaagent:/path/to/elastic-apm-agent-<version>.jar \
     -Delastic.apm.service_name=my-application \
     -Delastic.apm.server_urls=http://localhost:8200 \
     -Delastic.apm.secret_token= \
     -Delastic.apm.environment=production \
     -Delastic.apm.application_packages=org.example \
     -jar my-application.jar
elastalert rule reference
# Alert when the rate of events exceeds a threshold

# (Optional)
# Elasticsearch host
# es_host: elasticsearch.example.com

# (Optional)
# Elasticsearch port
# es_port: 14900

# (Optional) Connect with SSL to Elasticsearch
#use_ssl: True

# (Optional) basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword

# (Required)
# Rule name, must be unique
name: Demo frequency rule

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur within timeframe
type: frequency

# (Required)
# Index to search, wildcard supported
index: demo-*

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  minutes: 10

# (Required)
# A list of Elasticsearch filters used to find events
# These filters are joined with AND and nested in a filtered query
# For more info: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- term:
    tags: "error"

# (Required)
# The alert is used when a match is found
alert:
- "post"

http_post_url: "http://localhost:3000/alert"
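To make the rule above concrete (the frequency type, num_events within timeframe, the tags filter, and the recovery interval from the elastalert steps in the outline), here is an added Python model of how elastalert evaluates it. It is not elastalert's code and not part of the original notes. The rule is the page's rule.yaml as a dict; the realert value is a constructed choice (the page's rule does not set it), and the documents are constructed samples shaped like the filebeat events the rule queries.

```python
from datetime import datetime, timedelta, timezone

# The page's rule.yaml as a dict (timeframe already converted to a timedelta).
# realert is not set in the page's rule; the 5-minute value is a constructed
# choice so that the suppression is visible in the sample below.
RULE = {
    "name": "Demo frequency rule",
    "type": "frequency",
    "index": "demo-*",
    "num_events": 1,
    "timeframe": timedelta(minutes=10),
    "filter": [{"term": {"tags": "error"}}],
    "realert": timedelta(minutes=5),
}

# Constructed hits, shaped like the filebeat documents in the demo-* indices.
T0 = datetime(2019, 6, 22, 8, 33, 51, tzinfo=timezone.utc)
DOCS = [
    {"@timestamp": T0, "tags": ["demo", "info"], "message": "started"},
    {"@timestamp": T0 + timedelta(seconds=5), "tags": ["demo", "error"], "message": "boom"},
    {"@timestamp": T0 + timedelta(minutes=2), "tags": ["demo", "error"], "message": "boom again"},
    {"@timestamp": T0 + timedelta(minutes=8), "tags": ["demo", "error"], "message": "still broken"},
]


def matches_filter(doc, filters):
    """AND of the rule's filters; only the term filter (what the page's rule uses)
    is modelled. filebeat's tags field is an array, so a term matches any element."""
    for clause in filters:
        if set(clause) != {"term"}:
            raise ValueError("only term filters are modelled here")
        for field, wanted in clause["term"].items():
            present = doc.get(field)
            values = present if isinstance(present, list) else [present]
            if wanted not in values:
                return False
    return True


def evaluate_frequency(rule, docs):
    """Model of the frequency rule type plus realert.

    A match is produced when num_events filtered hits fall within timeframe, and
    the window is then cleared. An alert is sent for a match unless a previous
    alert for this rule fired less than realert ago. Returns both timestamp lists.
    """
    window = rule["timeframe"]
    needed = rule["num_events"]
    realert = rule.get("realert", timedelta(minutes=1))  # elastalert's documented default
    hits = sorted(d["@timestamp"] for d in docs if matches_filter(d, rule["filter"]))
    matches, alerts, recent, silenced_until = [], [], [], None
    for ts in hits:
        recent = [t for t in recent if ts - t <= window] + [ts]
        if len(recent) >= needed:
            matches.append(ts)
            recent = []
            if silenced_until is None or ts >= silenced_until:
                alerts.append(ts)
                silenced_until = ts + realert
    return {"matches": matches, "alerts": alerts}


if __name__ == "__main__":
    result = evaluate_frequency(RULE, DOCS)
    print("matches:", [t.isoformat() for t in result["matches"]])
    print("alerts: ", [t.isoformat() for t in result["alerts"]])
```

With num_events: 1 every error document is a match, but only two alerts leave the rule: the one at +2 minutes is suppressed by the 5-minute realert window opened at +5 seconds. Raising num_events to 2 yields a single match at +2 minutes, which is why the info-tagged event and the filter matter as much as the threshold.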