模板来自网络,模板请不要直接复制,先放到notepad++内调整好格式,注意缩进

部署架构

控制节点作为日志服务器,存储所有 OpenStack 及其相关日志。Logstash 部署于所有节点,收集本节点下所需收集的日志,然后以网络(node/http)方式输送给控制节点的 Elasticsearch,Kibana 作为 web portal 提供展示日志信息:

日志格式

为了提供快速直观的检索功能,对于每一条 OpenStack 日志,我们希望它能包含以下属性,用于检索和过滤:

  • Host: 如 controller01,compute01 等
  • Service Name: 如 nova-api, neutron-server 等
  • Module: 如 nova.filters
  • Log Level: 如 DEBUG, INFO, ERROR 等
  • Log date
  • Request ID: 某次请求的 Request ID

以上属性可以通过 Logstash 实现,通过提取日志的关键字段,从而获上述几种属性,并在 Elasticsearch 建立索引。

控制节点的logstash配置

input {

  file {

    path => ['/var/log/nova/nova-api.log']

    tags => ['nova', 'oslofmt']

    type => "nova-api"

  }

  file {

    path => ['/var/log/nova/nova-conductor.log']

    tags => ['nova-conductor', 'oslofmt']

    type => "nova"

  }

  file {

    path => ['/var/log/nova/nova-manage.log']

    tags => ['nova-manage', 'oslofmt']

    type => "nova"

  }

  file {

    path => ['/var/log/nova/nova-scheduler.log']

    tags => ['nova-scheduler', 'oslofmt']

    type => "nova"

  }

  file {

    path => ['/var/log/nova/nova-spicehtml5proxy.log']

    tags => ['nova-spice', 'oslofmt']

    type => "nova"

  }

  file {

    path => ['/var/log/keystone/keystone-all.log']

    tags => ['keystone', 'keystonefmt']

    type => "keystone"

  }

  file {

    path => ['/var/log/keystone/keystone-manage.log']

    tags => ['keystone', 'keystonefmt']

    type => "keystone"

  }

  file {

    path => ['/var/log/glance/api.log']

    tags => ['glance', 'oslofmt']

    type => "glance-api"

  }

  file {

    path => ['/var/log/glance/registry.log']

    tags => ['glance', 'oslofmt']

    type => "glance-registry"

  }

  file {

    path => ['/var/log/glance/scrubber.log']

    tags => ['glance', 'oslofmt']

    type => "glance-scrubber"

  }

  file {

    path => ['/var/log/heat/heat.log']

    tags => ['heat', 'oslofmt']

    type => "heat"

  }

  file {

    path => ['/var/log/neutron/neutron-server.log']

    tags => ['neutron', 'oslofmt']

    type => "neutron-server"

  }

  file {

 	path => ['/var/log/rabbitmq/rabbit@<%= @hostname %>.log']

 	tags => ['rabbitmq', 'oslofmt']

 	type => "rabbitmq"

   }

  file {

    path => ['/var/log/httpd/access_log']

    tags => ['horizon']

    type => "horizon"

  }

  file {

    path => ['/var/log/httpd/error_log']

    tags => ['horizon']

    type => "horizon"

  }

  file {

    path => ['/var/log/httpd/horizon_access_log']

    tags => ['horizon']

    type => "horizon"

  }

  file {

    path => ['/var/log/httpd/horizon_error_log']

    tags => ['horizon']

    type => "horizon"

  }

}

filter {

  if "oslofmt" in [tags] {

    multiline {

      negate => true

      pattern => "^%{TIMESTAMP_ISO8601} "

      what => "previous"

    }

    multiline {

      negate => false

      pattern => "^%{TIMESTAMP_ISO8601}%{SPACE}%{NUMBER}?%{SPACE}?TRACE"

      what => "previous"

    }

    grok {

      #  Do multiline matching as the above mutliline filter may add newlines

      #  to the log messages.

      #  TODO move the LOGLEVELs into a proper grok pattern.

      match => { "message" => "(?m)^%{TIMESTAMP_ISO8601:logdate}%{SPACE}%{NUMBER:pid}?%{SPACE}?(?<loglevel>AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) \[?\b%{NOTSPACE:module}\b\]?%{SPACE}?%{GREEDYDATA:logmessage}?" }

      add_field => { "received_at" => "%{@timestamp}" }

    }

  } else if "keystonefmt" in [tags] {

    grok {

      #  Do multiline matching as the above mutliline filter may add newlines

      #  to the log messages.

      #  TODO move the LOGLEVELs into a proper grok pattern.

      match => { "message" => "(?m)^%{TIMESTAMP_ISO8601:logdate}%{SPACE}%{NUMBER:pid}?%{SPACE}?(?<loglevel>AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) \[?\b%{NOTSPACE:module}\b\]?%{SPACE}?%{GREEDYDATA:logmessage}?" }

      add_field => { "received_at" => "%{@timestamp}" }

    }

    if [module] == "iso8601.iso8601" {

  # log message for each part of the date?  Really?

  drop {}

    }

  } else if "libvirt" in [tags] {

    grok {

       match => { "message" => "(?m)^%{TIMESTAMP_ISO8601:logdate}:%{SPACE}%{NUMBER:code}:?%{SPACE}\[?\b%{NOTSPACE:loglevel}\b\]?%{SPACE}?:?%{SPACE}\[?\b%{NOTSPACE:module}\b\]?%{SPACE}?%{GREEDYDATA:logmessage}?" }

       add_field => { "received_at" => "%{@timestamp}"}

    }

    mutate {

       uppercase => [ "loglevel" ]

    }

  } else if [type] == "syslog" {

     grok {

        match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:logmessage}" }

        add_field => [ "received_at", "%{@timestamp}" ]

     }

     syslog_pri {

        severity_labels => ["ERROR", "ERROR", "ERROR", "ERROR", "WARNING", "INFO", "INFO", "DEBUG" ]

     }

     date {

        match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]

     }

     if !("_grokparsefailure" in [tags]) {

        mutate {

           replace => [ "@source_host", "%{syslog_hostname}" ]

        }

     }

     mutate {

        remove_field => [ "syslog_hostname", "syslog_timestamp" ]

        add_field => [ "loglevel", "%{syslog_severity}" ]

        add_field => [ "module", "%{syslog_program}" ]

     }

  }

}

output {

    elasticsearch { 
        hosts => ["172.26.13.3:9200","172.26.13.4:9200","172.26.13.5:9200"]

        index => "log-conrtoller-%{+YYYY-MM-dd}"

 }

}

计算节点的logstash配置

input {

  file {

    path => ['/var/log/messages']

    tags => ['system_messages']

    type => "system_messages"

  }

  file {

    path => ['/var/log/secure']

    tags => ['system_secure']

    type => "system_secure"

  }

}

output {

  elasticsearch {

    hosts => ["172.26.13.3:9200","172.26.13.4:9200","172.26.13.5:9200"]

    index => "log-cpmpute-%{+YYYY-MM-dd}" }

}

neutron-server节点的logstash配置

input {

  file{

     type => "neutron"

     path=>"/var/log/neutron/server.log"

  }

}

output {

  elasticsearch{
    hosts => ["172.26.13.3:9200","172.26.13.4:9200","172.26.13.5:9200"]

    index => "log-neutron-server-%{+YYYY-MM-dd}" 
  } 
}

网络节点的logstash配置

input {

  file{

     type => "neutron"

     path=>"/var/log/neutron/openvswitch-agent.log"

  }

  file{

     type => "neutron"

     path=>"/var/log/neutron/metadata-agent.log"

  }

  file{

     type => "neutron"

     path=>"/var/log/neutron/metering-agent.log"

  }

  file{

     type => "neutron"

     path=>"/var/log/neutron/dhcp-agent.log"

  }

  file{

     type => "neutron"

     path=>"/var/log/neutron/vpn-agent.log"

  }

  file{

     type => "neutron"

     path=>"/var/log/neutron/lbaas-agent.log"

  }

  file{

     type => "neutron"

     path=>"/var/log/neutron/ha-agent.log"

  }

}

output {

  elasticsearch{

    hosts => ["172.26.13.3:9200","172.26.13.4:9200","172.26.13.5:9200"] 
    index => "log-neutron-%{+YYYY-MM-dd}"
  } 
}

nova-api节点的logstash配置

input {

  file{

     type => "nova"

     path=>"/var/log/nova/nova-scheduler.log"

     path=>"/var/log/nova/nova-novncproxy.log"

     path=>"/var/log/nova/nova-consoleauth.log"

     path=>"/var/log/nova/nova-conductor.log"

     path=>"/var/log/nova/nova-cert.log"

     path=>"/var/log/nova/nova-api.log"

  }

}

output {

  elasticsearch{

    hosts => ["172.26.13.3:9200","172.26.13.4:9200","172.26.13.5:9200"] 
    index => "log-nova-api-%{+YYYY-MM-dd}"
  } 
}

ELK学习笔记之ELK搜集OpenStack节点日志的更多相关文章

  1. ELK学习笔记之ELK架构与介绍

    0x00 为什么用到ELK 一般我们需要进行日志分析场景:直接在日志文件中 grep.awk 就可以获得自己想要的信息.但在规模较大的场景中,此方法效率低下,面临问题包括日志量太大如何归档.文本搜索太 ...

  2. ELK学习笔记之ELK分析nginx日志

    0x00 配置FIlebeat搜集syslog #安装 rpm -ivh filebeat-6.2.3-x86_64.rpm mv /etc/filebeat/filebeat.yml /etc/fi ...

  3. ELK学习笔记之ELK分析syslog日志

    0x00 配置FIlebeat搜集syslog并发送至 #配置 mv /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.bak vim /et ...

  4. ELK学习笔记之filebeat合并多行日志示例

    0x00 概述 本节中的示例包括以下内容: 将Java堆栈跟踪日志组合成一个事件 将C风格的日志组合成一个事件 结合时间戳处理多行事件 同理,你可以把如下的正则应用在容器的yaml文件内. 0x01  ...

  5. ELK学习笔记之CentOS 7下ELK(6.2.4)++LogStash+Filebeat+Log4j日志集成环境搭建

    0x00 简介 现在的公司由于绝大部分项目都采用分布式架构,很早就采用ELK了,只不过最近因为额外的工作需要,仔细的研究了分布式系统中,怎么样的日志规范和架构才是合理和能够有效提高问题排查效率的. 经 ...

  6. ELK学习笔记之Logstash详解

    0x00 Logstash概述 官方介绍:Logstash is an open source data collection engine with real-time pipelining cap ...

  7. ELK学习笔记

    一.elk框架和java1.8环境搭建 1.1: 环境说明 约定: centos6 iptables关闭 如果不关闭的话,需要开放对应的端口访问 selinux关闭 1.2: ELK简介 els:El ...

  8. ELK学习笔记(三)单台服务器多节点部署

    一般情况下单台服务器只会部署一个ElasticSearch node,但是在学习过程中,很多情况下会需要实现ElasticSearch的分布式效果,所以需要启动多个节点,但是学习开发环境(不想开多个虚 ...

  9. ELK学习笔记之ElasticSearch的集群(Cluster),节点(Node),分片(Shard),Indices(索引),replicas(备份)之间关系

    [Cluster]集群,一个ES集群由一个或多个节点(Node)组成,每个集群都有一个cluster name作为标识----------------------------------------- ...

随机推荐

  1. ERP项目实施记录11-产品工艺流程图及单据关联图

    借助百度的Echarts做了2个图表,一个展示产品的生产工艺流程,一个展示产品与订单.工程单的关系 上图为产品工艺流程图,鼠标放上去可以显示部件信息 黄色SO图标代表销售订单,单击打开销售订单 红色M ...

  2. ms17_010_psexec

    一.ms17_010_psexec简介 MS17-010 的psexec是针对Microsoft Windows的两款最受欢迎的漏洞进行攻击. CVE-2017-0146(EternalChampio ...

  3. 如何从日期对象python获取以毫秒(秒后3位小数)为单位的时间值?

    要在python中,要获取具有毫秒(秒后3位小数)的日期字符串,请使用以下命令: %f 显示毫秒 import datetime # 获得当前时间 now=datetime.datetime.now( ...

  4. Gym 101908C - Pizza Cutter - [树状数组]

    题目链接:https://codeforces.com/gym/101908/problem/C 题意: 一块正方形披萨,有 $H$ 刀是横切的,$V$ 刀是竖切的,不存在大于等于三条直线交于一点.求 ...

  5. vs代码模板制作

    VS2008代码模板制作 一,类模板制作: 路径:C:\Program Files (x86)\Microsoft Visual Studio 9.0\Common7\IDE\ItemTemplate ...

  6. NodeJS笔记(六)-Express HTTP服务器启动后如何关闭

    npm start启动网站,提示“3000”端口已经被使用的问题 nodejs WEB服务器并不随着cmd的关闭而终止 查看任务管理器可以看到nodejs的启动进程 可以手动关闭 如果是一直处于cmd ...

  7. 当离开浏览器窗口,提示语title更改

    head里面插入一下代码 <script> document.addEventListener('visibilitychange',function(){if(document.visi ...

  8. ARM-linux与Ubuntu开发工具NFS及流程

    Linux虚拟机的型号是:Ubuntu 12.04 VMware:workstation 14 pro   author: Xianghai Ding Date:2019.01.04  板端:Hi35 ...

  9. H3C交换机引发的奇葩故障

    设备:H3C S5120-28P-SI 故障:某个交换机的接口速率只有100Mbps. 描述:这个故障还是很特别的,因为按普通的测试办法很难第一时间判断是交换机的固件问题,我也是做了几乎所有外围设备和 ...

  10. Ipython使用指南

    一.简介 2001年,Fernando Perez为了得到一个更为高效的交互式Python解释器而启动的一个项目,IPython不仅仅是一个加强版的shell,他可以直接进行绘图操作的GUI控制台,一 ...