
Configuration ELK + log4j

I installed ELK on an Ubuntu 14.04 server. And now I want to send all my JBoss server logs to it (using log4j).

logstash configuration: input conf file:

input {
    # log4j input: receives events sent by a log4j SocketAppender over TCP
    log4j {
        type => "log4j"
        port => 5000
    }
}

filter conf file:

filter {
    if [type] == "log4j" {
        grok {
            match => {"message" => MY_GROK_PARSE}
        }
    }
}

and the output file:

output {
    elasticsearch {
        # run an Elasticsearch node embedded in the logstash process (logstash 1.x)
        embedded => true
    }
}

And finally the log4j appender:

<appender name="LOGSTASH" class="org.apache.log4j.net.SocketAppender">
    <param name="Port" value="5000"/>
    <param name="RemoteHost" value="XXX.XXX.XXX.XXX"/> <!-- There is a real address here ;-) -->
    <param name="ReconnectionDelay" value="50000"/>
    <param name="LocationInfo" value="true"/>
    <layout class="org.apache.log4j.PatternLayout">
        <param name="ConversionPattern" value="%d %-5p [%c{1}] %m%n" />
    </layout>
</appender>

But nothing happens with this configuration. So I don't know what I misunderstand. My other appenders (console and local file) work fine. The elasticsearch log shows any information/activity.

Edit: More about my jboss-log4j.xml:

<appender name="Async" class="org.apache.log4j.AsyncAppender">
    <appender-ref ref="FILE" />
    <appender-ref ref="CONSOLE" />
    <appender-ref ref="LOGSTASH" />
</appender>

<root>
    <priority value="INFO" />
    <appender-ref ref="Async" />
</root>

I know it's an old post, but someone may find it useful: log4j SocketAppender can't use a layout; see the docs for SocketAppender:

SocketAppenders do not use a layout. They ship a serialized LoggingEvent object to the server side.

You also don't need an additional filter in the logstash configuration. The Logstash log4j plugin's minimal configuration is sufficient:

input {
   log4j {
      data_timeout => 5
      host => "0.0.0.0"
      mode => "server"
      port => 4560
      debug => true
      type => "log4j"
   }
   ... 
}
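The point of this answer, shown end to end as an added example (this is not code from the question, the answer, log4j or logstash): a log4j 1.x SocketAppender writes a Java-serialized LoggingEvent to the socket, the PatternLayout it was given is never applied, and whatever listens on the port (logstash's log4j input, or log4j's own SocketNode) has to deserialize Java objects from the network. The receiver below therefore installs an ObjectInputFilter before reading; the class list in that filter is my reading of LoggingEvent's serial form and is an assumption, as are the port (any free loopback port), the logger name and the message. It assumes log4j 1.2.17 on the classpath and Java 9 or later.

```java
// Added example, not code from the question or the answers. It shows what a log4j 1.x
// SocketAppender really sends (a serialized LoggingEvent; the PatternLayout is ignored)
// and how a receiver must read it. Assumes log4j 1.2.17 on the classpath and Java 9+.
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.apache.log4j.PatternLayout;
import org.apache.log4j.net.SocketAppender;
import org.apache.log4j.spi.LoggingEvent;

public class SocketAppenderWireDemo {

    // Deserialization filter: allow only the classes a LoggingEvent's serial form contains
    // (my reading of log4j 1.2.17, an assumption) and reject everything else before it is
    // instantiated. Depth and array limits bound the cost of a hostile stream.
    static final ObjectInputFilter LOGGING_EVENT_ONLY = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=1000;"
            + "org.apache.log4j.spi.LoggingEvent;"
            + "org.apache.log4j.spi.LocationInfo;"
            + "org.apache.log4j.spi.ThrowableInformation;"
            + "java.util.Hashtable;java.lang.String;!*");

    /** Receiver side: the work logstash's log4j input (or log4j's SocketNode) does per event. */
    static LoggingEvent receiveOne(ServerSocket server) throws Exception {
        try (Socket client = server.accept();
             ObjectInputStream in = new ObjectInputStream(client.getInputStream())) {
            in.setObjectInputFilter(LOGGING_EVENT_ONLY);
            // The wire carries a Java object graph, not a formatted text line.
            return (LoggingEvent) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Listen on loopback only: this port accepts Java serialized objects.
        try (ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            int port = server.getLocalPort();

            // Sender side, the programmatic twin of the question's <appender ... SocketAppender>.
            SocketAppender appender = new SocketAppender("127.0.0.1", port); // connects now
            appender.setLocationInfo(true);
            appender.setLayout(new PatternLayout("%d %-5p [%c{1}] %m%n")); // accepted, never applied
            Logger log = Logger.getLogger(SocketAppenderWireDemo.class);
            log.setAdditivity(false);
            log.setLevel(Level.INFO);
            log.addAppender(appender);
            log.info("hello from jboss"); // constructed sample message
            appender.close();

            // What arrives is the event object itself, with its fields intact.
            LoggingEvent ev = receiveOne(server);
            System.out.println("level=" + ev.getLevel()
                    + " logger=" + ev.getLoggerName()
                    + " thread=" + ev.getThreadName()
                    + " message=" + ev.getRenderedMessage()
                    + " at=" + ev.getLocationInformation().getClassName()
                    + ":" + ev.getLocationInformation().getLineNumber());
        }
    }
}
```

Two practical consequences. First, the fix to the question's XML is simply to delete the `<layout>` element from the LOGSTASH appender; the logstash side then renders the fields (logger, level, thread, message, location) itself, which is why no grok filter is needed. Second, a port that accepts serialized Java objects must never be reachable from untrusted networks: log4j 1.2's own SocketServer deserializes them without any filter (CVE-2019-17571), and the logstash log4j input is the same kind of listener, so bind it to a trusted interface or tunnel it, and put a filter like the one above in front of any receiver you write yourself.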

You can send it directly to Elastic in this case. No reason to go through LogStash first. You can easily use a filter to filter out messages you're not interested in.

I've written this appender here, Log4J2 Elastic REST Appender, if you want to use it. It has the ability to buffer log events based on time and/or number of events before sending them to Elastic (using the _bulk API so that it sends them all in one go). It has been published to Maven Central so it's pretty straightforward.
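The buffering behaviour this answer describes, as an added example (my own code, not the appender published by the answer's author): events are batched and flushed as a single NDJSON `_bulk` request either when the batch reaches a size or when its oldest event reaches an age. The index name, thresholds, the `Consumer<String>` sender hook and the `_bulk` URL are assumptions, and the document layout targets Elasticsearch 7 or later (no `_type` in the action line). It needs Java 11 or later for `java.net.http`.

```java
// Added example, not the answer's appender: a minimal buffer that batches log events and
// flushes them as one _bulk request by count or by age. Index name, URL, thresholds and the
// Consumer<String> sender hook are assumptions. Targets Elasticsearch 7+, Java 11+.
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Consumer;

public class BulkLogBuffer {
    private final String index;
    private final int maxEvents;
    private final Duration maxAge;
    private final Consumer<String> sender;              // receives one complete _bulk body
    private final List<String> pending = new ArrayList<>();
    private Instant oldest;                             // arrival time of the first pending event

    BulkLogBuffer(String index, int maxEvents, Duration maxAge, Consumer<String> sender) {
        this.index = index;
        this.maxEvents = maxEvents;
        this.maxAge = maxAge;
        this.sender = sender;
    }

    /** JSON string literal, quotes included. Escaping matters: _bulk is newline-delimited, so
     *  an unescaped '\n' in a user-controlled log message would forge an extra action line. */
    static String jsonString(String s) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : s.toCharArray()) {
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                default:
                    if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
                    else sb.append(c);
            }
        }
        return sb.append('"').toString();
    }

    /** One NDJSON _bulk body: an action line then a source line per event, each newline-terminated. */
    static String bulkBody(String index, List<String> docs) {
        StringBuilder sb = new StringBuilder();
        for (String doc : docs) {
            sb.append("{\"index\":{\"_index\":").append(jsonString(index)).append("}}\n");
            sb.append(doc).append('\n');
        }
        return sb.toString();
    }

    synchronized void add(String level, String logger, String message) {
        if (pending.isEmpty()) oldest = Instant.now();
        pending.add("{\"@timestamp\":" + jsonString(Instant.now().toString())
                + ",\"level\":" + jsonString(level)
                + ",\"logger\":" + jsonString(logger)
                + ",\"message\":" + jsonString(message) + "}");
        if (pending.size() >= maxEvents) flush();       // size-based flush
    }

    /** Age-based flush; an appender would call this from a timer thread so a quiet logger
     *  does not hold a lone event forever. */
    synchronized void flushIfStale() {
        if (oldest != null && Duration.between(oldest, Instant.now()).compareTo(maxAge) >= 0) flush();
    }

    synchronized void flush() {
        if (pending.isEmpty()) return;
        String body = bulkBody(index, pending);
        pending.clear();
        oldest = null;
        sender.accept(body);
    }

    /** Real sender for an Elasticsearch _bulk endpoint at the assumed URL. */
    static Consumer<String> httpSender(URI bulkUri) {
        HttpClient http = HttpClient.newHttpClient();
        return body -> {
            try {
                HttpRequest req = HttpRequest.newBuilder(bulkUri)
                        .header("Content-Type", "application/x-ndjson")
                        .POST(HttpRequest.BodyPublishers.ofString(body)).build();
                HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
                // _bulk answers 200 even when individual items fail; the top-level "errors"
                // flag is the signal to check (a real appender would parse the JSON properly).
                if (resp.statusCode() != 200 || resp.body().contains("\"errors\":true"))
                    System.err.println("bulk flush failed: " + resp.statusCode() + " " + resp.body());
            } catch (Exception e) {
                System.err.println("bulk flush failed: " + e);
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // Offline demo with constructed events: print each body instead of POSTing it.
        // For a live cluster use httpSender(URI.create("http://localhost:9200/_bulk")).
        BulkLogBuffer buf = new BulkLogBuffer("jboss-logs", 3, Duration.ofSeconds(2), System.out::print);
        buf.add("INFO", "org.example.App", "started");
        buf.add("WARN", "org.example.App", "line1\nline2 \"quoted\"");  // stays one document
        buf.add("ERROR", "org.example.App", "boom");                     // count reaches 3: flush
        buf.add("INFO", "org.example.App", "straggler");
        Thread.sleep(2500);
        buf.flushIfStale();                                              // age reaches 2 s: flush
    }
}
```

The escaping in `jsonString` is not cosmetic: because `_bulk` frames requests on newlines, any field that can carry attacker-influenced text (a logged request parameter, a username) must be escaped, or one log call can smuggle an arbitrary extra `index` or `delete` action into the batch. The same applies to any appender or logstash output that builds `_bulk` bodies by string concatenation.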
