web服务器安装jdk,安装Tomcat还有logstash
安装jdk
[root@es-web1 ~]# apt install openjdk-8-jdk -y
使用dpkg安装logstash(需要修改启动文件,使其以root身份启动)。注意:以root运行logstash会扩大其权限范围;如果只是为了读取日志,更稳妥的做法是保留logstash用户,只授予它对相关日志文件的读权限。
[root@es-web1 src]# dpkg -i logstash-7.12.1-amd64.deb
创建目录
[root@es-web1 ~]# mkdir /apps
解压
[root@es-web1 apps]# tar xf apache-tomcat-8.5.54.tar.gz
制作软链接
[root@es-web1 apps]# ln -sv /apps/apache-tomcat-8.5.54 /apps/tomcat
'/apps/tomcat' -> '/apps/apache-tomcat-8.5.54'
创建目录
[root@es-web1 webapps]# pwd
/apps/tomcat/webapps
[root@es-web1 webapps]# mkdir myapp
添加数据
[root@es-web1 webapps]# vim myapp/index.jsp
myapp for 172.31.2.107
启动(此处以root直接启动Tomcat;生产环境建议使用专用的低权限用户运行)
[root@es-web1 tomcat]# ./bin/catalina.sh start
测试:
http://172.31.2.107:8080/myapp/
改Tomcat 配置
[root@es-web1 tomcat]# vim conf/server.xml
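<!-- Access log written as one JSON object per line, so Logstash can decode it.
     Inside the XML attribute the JSON quotes are written as &quot;; with bare
     double quotes the attribute ends early and server.xml is not well-formed.
     NOTE(review): %r, %q, Referer and User-Agent are client-supplied. Confirm
     that this Tomcat version escapes double quotes in them; otherwise a crafted
     request can produce a line that is not valid JSON or that carries extra
     keys. %q can also contain tokens passed in the query string, which end up
     stored in the log index. -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="tomcat_access_log" suffix=".log"
       pattern="{&quot;clientip&quot;:&quot;%h&quot;,&quot;ClientUser&quot;:&quot;%l&quot;,&quot;authenticated&quot;:&quot;%u&quot;,&quot;AccessTime&quot;:&quot;%t&quot;,&quot;metod&quot;:&quot;%r&quot;,&quot;status&quot;:&quot;%s&quot;,&quot;SendBytes&quot;:&quot;%b&quot;,&quot;Query?string&quot;:&quot;%q&quot;,&quot;partner&quot;:&quot;%{Referer}i&quot;,&quot;AgentVersion&quot;:&quot;%{User-Agent}i&quot;}"/>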
停止
[root@es-web1 tomcat]# ./bin/catalina.sh stop
启动
[root@es-web1 tomcat]# ./bin/catalina.sh start
查看日志
[root@es-web1 tomcat]# tail -f logs/tomcat_access_log.2021-08-25.log
在原来的基础上写logstash配置
root@long:/usr/local/src# vim /etc/logstash/conf.d/system-log-es.conf
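# Pipeline: ship /var/log/bootstrap.log and the Tomcat JSON access logs to
# Elasticsearch, one daily index per log type.
input {
  file {
    path => "/var/log/bootstrap.log"
    start_position => "beginning"   # read existing content the first time the file is seen
    stat_interval => 3              # check the file for changes every 3 seconds
    type => "bootstrap"
  }
  file {
    path => "/apps/tomcat/logs/tomcat_access_log.*.log"
    start_position => "beginning"
    stat_interval => 3
    type => "tomcat-accesslog"
    # Decode each JSON access-log line into event fields here, on the input.
    # A codec set on the elasticsearch output does not parse the message, so
    # the fields (clientip, status, ...) would otherwise stay inside one string.
    codec => "json"
  }
}
output {
  # NOTE(review): both outputs send to 172.31.2.101:9200 with no TLS and no
  # credentials configured in this file. Confirm the cluster is reachable only
  # from trusted hosts, or enable Elasticsearch security and set
  # user/password/ssl/cacert on these outputs.
  if [type] == "bootstrap" {
    elasticsearch {
      hosts => ["172.31.2.101:9200"]
      index => "long-bootstrap-log-%{+YYYY.MM.dd}"
    }
  }
  if [type] == "tomcat-accesslog" {
    elasticsearch {
      hosts => ["172.31.2.101:9200"]
      index => "long-tomcat-accesslog-%{+YYYY.MM.dd}"
    }
  }
}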
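改权限(让logstash用户能够读取Tomcat访问日志。注意:644会让本机所有用户都能读取访问日志,其中包含客户端IP和查询字符串;该命令只对已存在的文件生效,之后按天新生成的日志文件仍按Tomcat进程的umask创建。更稳妥的做法是只给logstash用户授予读权限,例如通过属组或ACL)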
[root@es-web1 conf.d]# chmod 644 /apps/tomcat/logs/tomcat_access_log.*.log
重启
root@long:/usr/local/src# systemctl restart logstash
添加到kibana
略
收集java日志并合并日志
[root@linux-host1 ~]# vim /etc/logstash/conf.d/java.conf
# Debug pipeline: read catalina.out, fold multi-line Java log entries into
# single events, and print them so the multiline rule can be checked.
input {
  file {
    type => "javalog"
    path => "/apps/tomcat/logs/catalina.out"
    stat_interval => 3
    start_position => "beginning"
    codec => multiline {
      # negate + previous: a line that does NOT start with "[" is appended
      # to the event before it.
      what => "previous"
      negate => true
      pattern => "^\["
    }
  }
}
output {
  if [type] == "javalog" {
    stdout {
      codec => "rubydebug"
    }
    # NOTE(review): /tmp/m.txt is a fixed name in a shared, world-writable
    # directory, and stack traces written there may be readable by other
    # local users. Acceptable for a quick check; for anything longer-lived,
    # write to a directory owned by the Logstash service account.
    file {
      path => "/tmp/m.txt"
    }
  }
}
检查语法:
[root@linux-host1 ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/java.conf -t
将输出改为elasticsearch:
更改后的内容如下:(注意:后面正则不能使用模糊匹配,不然会一直匹配下去)
[root@es-web1 ~]# cat /etc/logstash/conf.d/java-to-es.conf
# Pipeline: read catalina.out, fold multi-line Java log entries into single
# events, and index them in Elasticsearch under a daily javalog index.
input {
  file {
    type => "javalog"
    path => "/apps/tomcat/logs/catalina.out"
    stat_interval => 3
    start_position => "beginning"
    codec => multiline {
      # A new event starts only on a line beginning with digits-word-4 digits
      # (for example a date like 25-Aug-2021, constructed sample). Every
      # other line is appended to the event before it.
      what => "previous"
      negate => true
      pattern => "^\d+\-\w+\-[0-9]{4}"
    }
  }
}
output {
  if [type] == "javalog" {
    # NOTE(review): no TLS or credentials are configured for this output, and
    # Java stack traces can carry internal paths and request data. Confirm
    # that 172.31.2.101:9200 is reachable only from trusted hosts, or enable
    # Elasticsearch security and set user/password/ssl/cacert here.
    elasticsearch {
      hosts => ["172.31.2.101:9200"]
      index => "long-javalog-%{+YYYY.MM.dd}"
    }
  }
}
重启
[root@linux-host1 ~]# systemctl restart logstash
添加到kibana
略