Complete Guide to Collecting Tomcat Logs with the EFK Stack
I. Tomcat Deployment and Configuration
1. Download and install Tomcat
# Download Tomcat (from an official mirror or an internal source)
wget https://dlcdn.apache.org/tomcat/tomcat-10/v10.1.25/bin/apache-tomcat-10.1.25.tar.gz
# Or use an internal source (e.g. SVIP)
wget http://192.168.16.253/Linux92/ElasticStack/day03-/softwares/apache-tomcat-10.1.25.tar.gz
# Create the installation directory
mkdir -p /oldboyedu/softwares
# Extract Tomcat
tar xf apache-tomcat-10.1.25.tar.gz -C /oldboyedu/softwares/
2. Configure environment variables
# Create the environment variable file
cat > /etc/profile.d/tomcat.sh <<'EOF'
#!/bin/bash
export JAVA_HOME=/usr/share/elasticsearch/jdk
export CATALINA_HOME=/oldboyedu/softwares/apache-tomcat-10.1.25
export PATH=$PATH:$JAVA_HOME/bin:$CATALINA_HOME/bin
EOF
# Load the environment variables into the current shell
source /etc/profile.d/tomcat.sh
Note: make sure JAVA_HOME points to the JDK installation directory.
3. Start the Tomcat service
# Start Tomcat
catalina.sh start
# Verify that the port is listening
ss -ntl | grep 8080
4. Access test
Open http://<server-IP>:8080/ in a browser.
II. Tomcat Logging Configuration
1. Tomcat log types
- catalina.out: main console output
- localhost_access_log: access log
- localhost.log: application log
- manager/host-manager: logs of the management interfaces
2. Configure a JSON-format access log
Edit $CATALINA_HOME/conf/server.xml:
<Valve className="org.apache.catalina.valves.AccessLogValve"
       directory="logs"
       prefix="localhost_access_log"
       suffix=".json"
       fileDateFormat="yyyy-MM-dd"
       pattern='{"@timestamp":"%{yyyy-MM-dd HH:mm:ss Z}t",
       "clientip":"%a",
       "method":"%m",
       "uri":"%U",
       "query":"%q",
       "status":"%s",
       "bytes":"%b",
       "referer":"%{Referer}i",
       "useragent":"%{User-Agent}i",
       "responsetime":"%D"}'
       rotatable="true"/>
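3. Log rotation configuration
Add the following to $CATALINA_HOME/conf/logging.properties:
# Keep the dated catalina.<date>.log files written by this handler for 7 days
1catalina.org.apache.juli.AsyncFileHandler.maxDays = 7
# catalina.out is the stdout redirect created by catalina.sh, not a file managed by JULI,
# and the JULI handlers rotate by date only; to cap catalina.out at 104857600 bytes (100 MB)
# use an external tool such as logrotate.
# Access log rotation is set on the AccessLogValve in server.xml, not in logging.properties:
# keep rotatable="true" and add maxDays="30" to the <Valve> element shown above.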
III. Filebeat Configuration for Collecting Tomcat Logs
1. Create the Filebeat configuration file
/etc/filebeat/config/08-tomcat-to-es.yaml:
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /oldboyedu/softwares/apache-tomcat-10.1.25/logs/localhost_access_log.*.json
    json.keys_under_root: true
    json.add_error_key: true
    fields:
      log_type: "tomcat_access"
      environment: "production"
  - type: log
    enabled: true
    paths:
      - /oldboyedu/softwares/apache-tomcat-10.1.25/logs/catalina.out
    multiline.pattern: '^[[:space:]]+(at|\.{3})[[:space:]]+\b|^Caused by:'
    multiline.negate: false
    multiline.match: after
    fields:
      log_type: "tomcat_catalina"
      environment: "production"
output.elasticsearch:
  hosts: ["http://10.0.0.91:9200", "http://10.0.0.92:9200", "http://10.0.0.93:9200"]
  indices:
    - index: "tomcat-access-%{+yyyy.MM.dd}"
      when.equals:
        fields.log_type: "tomcat_access"
    - index: "tomcat-catalina-%{+yyyy.MM.dd}"
      when.equals:
        fields.log_type: "tomcat_catalina"
setup.ilm.enabled: false
setup.template:
  name: "tomcat"
  pattern: "tomcat-*"
  overwrite: false
  settings:
    index.number_of_shards: 3
    index.number_of_replicas: 1
2. Start Filebeat
filebeat -e -c config/08-tomcat-to-es.yaml
IV. Elasticsearch Index Template Configuration
1. Create the index lifecycle management (ILM) policy
PUT _ilm/policy/tomcat_logs_policy
{
  "policy": {
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {
          "rollover": {
            "max_size": "50GB",
            "max_age": "30d"
          },
          "set_priority": {
            "priority": 100
          }
        }
      },
      "delete": {
        "min_age": "90d",
        "actions": {
          "delete": {}
        }
      }
    }
  }
}
2. Create the index template
PUT _index_template/tomcat_logs_template
{
  "index_patterns": ["tomcat-*"],
  "template": {
    "settings": {
      "number_of_shards": 3,
      "number_of_replicas": 1,
      "index.lifecycle.name": "tomcat_logs_policy",
      "index.codec": "best_compression"
    },
    "mappings": {
      "properties": {
        "@timestamp": {"type": "date"},
        "clientip": {"type": "ip"},
        "method": {"type": "keyword"},
        "uri": {
          "type": "text",
          "fields": {"keyword": {"type": "keyword"}}
        },
        "status": {"type": "keyword"},
        "responsetime": {"type": "long"}
      }
    }
  }
}
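V. Kibana Visualization
1. Create index patterns
- Go to Stack Management > Index Patterns
- Create the patterns tomcat-access-* and tomcat-catalina-*
2. Create visualization dashboards
Access log analysis
- Request volume trend: time series chart
- Status code distribution: pie chart
- Top URIs: data table
- Client IP map: coordinate map
Catalina log analysis
- Error log statistics: bar chart
- Exception type word cloud: tag cloud
- Stack trace analysis: Markdown panel
3. Create alert rules
- 5xx error alert: fires when the number of 5xx status codes exceeds a threshold
- Response time alert: fires when the average response time exceeds 500 ms
- Exception log alert: fires when "OutOfMemoryError" appears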
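The three alert rules above, written out as detection logic over constructed log lines. This is an added example, not part of the original article; the one-minute window and the 5xx threshold of 2 are assumptions, and %D is assumed to be microseconds as the Tomcat 10.1 valve documentation describes (pass d_units_per_ms=1 where %D is milliseconds).

```python
import json
from collections import defaultdict
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M:%S %z"  # strptime form of the pattern's timestamp
MAX_5XX = 2        # assumed per-minute threshold; the article does not give one
MAX_AVG_MS = 500   # from the alert rule above

def _line(clock, status, responsetime):
    """Build a constructed access-log line, trimmed to the fields the rules use."""
    return json.dumps({"@timestamp": f"2023-07-15 {clock} +0800",
                       "status": status, "responsetime": str(responsetime)})

SAMPLE_ACCESS = [  # constructed; responsetime values are in microseconds
    _line("10:00:01", "200", 12000), _line("10:00:20", "500", 30000),
    _line("10:00:30", "503", 20000), _line("10:00:40", "500", 10000),
    _line("10:01:05", "200", 900000), _line("10:01:30", "200", 300000),
    "not json",
]
SAMPLE_CATALINA = [  # constructed events, as they look after multiline joining
    "15-Jul-2023 10:00:00.123 INFO [main] Server startup in [812] milliseconds",
    "15-Jul-2023 10:02:00.001 SEVERE [exec-1] Servlet.service() threw exception\n"
    "java.lang.OutOfMemoryError: Java heap space\n\tat com.example.Demo.doGet(Demo.java:10)",
]

def access_alerts(lines, d_units_per_ms=1000):
    """Evaluate the 5xx and response-time rules per one-minute window."""
    windows = defaultdict(list)
    for line in lines:
        try:
            ev = json.loads(line)
            datetime.strptime(ev["@timestamp"], TS_FORMAT)  # reject odd timestamps
            rec = (str(ev["status"]), int(ev["responsetime"]) / d_units_per_ms)
        except (ValueError, KeyError, TypeError):
            continue  # unparsable line: skipped here, worth counting in production
        windows[ev["@timestamp"][:16]].append(rec)  # key = timestamp cut to the minute
    alerts = []
    for minute, recs in sorted(windows.items()):
        if sum(status.startswith("5") for status, _ in recs) > MAX_5XX:
            alerts.append((minute, "5xx"))
        if sum(ms for _, ms in recs) / len(recs) > MAX_AVG_MS:
            alerts.append((minute, "slow"))
    return alerts

def oom_events(events):
    """Return the indexes of catalina events that mention OutOfMemoryError."""
    return [i for i, text in enumerate(events) if "OutOfMemoryError" in text]
```

Comparing the raw responsetime value to 500 without the unit conversion makes the response-time rule fire on both sample windows.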
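VI. Production Optimization Recommendations
- Log buffering: in high-load environments, consider using Redis/Kafka as a buffer
  output.redis:
    hosts: ["10.0.0.94:6379"]
    key: "tomcat_logs"
    db: 0
    timeout: 5
- Performance tuning:
  queue.mem:
    events: 4096
    flush.min_events: 512
    flush.timeout: "5s"
- Security configuration:
  output.elasticsearch:
    protocol: "https"
    ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
    ssl.certificate: "/etc/filebeat/certs/client.crt"
    ssl.key: "/etc/filebeat/certs/client.key"
- Multiline log handling: improve the collection of Java stack traces
  multiline.pattern: '^[[:space:]]+|^Caused by:|^java\.|^javax\.|^org\.|^com\.'
  # The pattern matches continuation lines, so negate must be false:
  # matching lines are appended to the line that precedes them.
  multiline.negate: false
  multiline.match: after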
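A simplified model of Filebeat's multiline.match: after, run over a constructed catalina.out excerpt with both multiline patterns from this page and with negate set to false and to true. This is an added example, not Filebeat's code or the article's; the names INPUT_PATTERN, TUNED_PATTERN and group are illustrative, and Filebeat's max_lines and timeout limits are not modelled.

```python
import re

# The two multiline patterns from this page, with POSIX [[:space:]] written as \s
# because Python's re module has no POSIX character classes.
INPUT_PATTERN = re.compile(r"^\s+(at|\.{3})\s+\b|^Caused by:")  # Filebeat input config
TUNED_PATTERN = re.compile(r"^\s+|^Caused by:|^java\.|^javax\.|^org\.|^com\.")

SAMPLE = [  # constructed catalina.out excerpt
    "15-Jul-2023 10:00:00.123 INFO [main] Server startup in [812] milliseconds",
    "15-Jul-2023 10:02:00.001 SEVERE [exec-1] Servlet.service() threw exception",
    "java.lang.IllegalStateException: boom",
    "\tat com.example.Demo.doGet(Demo.java:10)",
    "Caused by: java.lang.NullPointerException",
    "\t... 12 more",
    "15-Jul-2023 10:03:00.000 INFO [main] Pausing ProtocolHandler",
]


def group(lines, pattern, negate):
    """Model multiline.match: after. A line continues the open event when
    (pattern matches it) differs from negate; otherwise it starts a new event."""
    events = []
    for line in lines:
        continues = bool(pattern.search(line)) != negate
        if continues and events:
            events[-1].append(line)
        else:
            events.append([line])
    return events


def sizes(pattern, negate):
    """Number of physical lines in each event produced from SAMPLE."""
    return [len(event) for event in group(SAMPLE, pattern, negate)]
```

sizes(TUNED_PATTERN, False) keeps the SEVERE line and its whole stack trace in one event; INPUT_PATTERN splits the exception header from its log line, and negate set to true breaks the trace into single-line events.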
VII. Troubleshooting Guide
1. Logs are not being collected
- Check the Filebeat process:
  ps aux | grep filebeat
- Verify file permissions:
  ls -l /oldboyedu/softwares/apache-tomcat-10.1.25/logs/
- View the Filebeat logs:
  journalctl -u filebeat -f
2. Data does not reach Elasticsearch
- Test the ES connection:
  curl -XGET "http://10.0.0.91:9200/_cluster/health?pretty"
- Check whether the indices exist:
  curl -XGET "http://10.0.0.91:9200/_cat/indices/tomcat*?v"
3. Log format errors
- Validate the JSON format with jq:
  jq . /oldboyedu/softwares/apache-tomcat-10.1.25/logs/localhost_access_log.2023-07-15.json
- Adjust the pattern setting of Tomcat's AccessLogValve
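The AccessLogValve pattern above builds each JSON line by text substitution, so a check stricter than jq's syntax test helps when lines are rejected. The following added example (not from the original article) validates lines against the pattern's field set and the ip and long mappings of the index template, and also rejects repeated keys, which jq and json.loads accept silently; the sample lines are constructed.

```python
import ipaddress
import json
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M:%S %z"  # strptime form of yyyy-MM-dd HH:mm:ss Z
# Constructed sample lines (not real traffic) in the layout of this page's pattern.
GOOD = ('{"@timestamp":"2023-07-15 10:00:00 +0800","clientip":"10.0.0.5",'
        '"method":"GET","uri":"/","query":"","status":"200","bytes":"-",'
        '"referer":"-","useragent":"curl/8.0","responsetime":"12"}')
SAMPLE = [
    GOOD,
    GOOD.replace("curl/8.0", 'x"y'),                        # unescaped quote
    GOOD.replace('"referer"', '"status":"500","referer"'),  # repeated key
    GOOD.replace("10.0.0.5", "unknown"),                    # not an IP
]
FIELDS = frozenset(json.loads(GOOD))  # the ten field names of the pattern

def _no_duplicates(pairs):
    """Reject repeated keys; json.loads alone silently keeps the last one."""
    keys = [k for k, _ in pairs]
    dupes = sorted({k for k in keys if keys.count(k) > 1})
    if dupes:
        raise ValueError(f"duplicate keys {dupes}")
    return dict(pairs)

def check_line(line):
    """Return the problems found in one access-log line (empty list = clean)."""
    try:
        event = json.loads(line, object_pairs_hook=_no_duplicates)
    except ValueError as exc:  # JSONDecodeError is a ValueError subclass
        return [f"bad JSON: {exc}"]
    if (not isinstance(event, dict) or set(event) != FIELDS
            or not all(isinstance(v, str) for v in event.values())):
        return ["fields differ from the configured pattern"]
    problems = []
    for name, parse in (("@timestamp", lambda v: datetime.strptime(v, TS_FORMAT)),
                        ("clientip", ipaddress.ip_address)):
        try:
            parse(event[name])
        except ValueError:
            problems.append(f"{name} is not valid")
    for name in ("status", "responsetime"):
        if not event[name].isdigit():
            problems.append(f"{name} is not numeric")
    return problems

def scan(lines):  # 1-based line number -> problems, clean lines omitted
    found = ((n, check_line(text)) for n, text in enumerate(lines, 1) if text.strip())
    return {n: p for n, p in found if p}
```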
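Summary
With this setup you have implemented:
- Standardized deployment of the Tomcat service
- Structured JSON log output
- Centralized collection of multiple log types
- Efficient log storage and analysis
- A visual monitoring and alerting system
This architecture extends easily to more Tomcat instances and provides comprehensive application performance monitoring through the EFK stack. Review the log retention policy and index configuration regularly to keep the system stable over the long term.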