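A Complete Guide to Custom Tomcat Log Formats and EFK Integration
I. Customizing the Tomcat Log Format in Depth
1. Optimizing the AccessLogValve configuration
Configure a more complete JSON log format in server.xml: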
    <!-- %B writes 0 for an empty response body; %b would write "-", which is not a valid unquoted JSON value -->
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="logs"
           prefix="tomcat.oldboyedu.com_access_log"
           suffix=".json"
           fileDateFormat="yyyy-MM-dd"
           pattern='{
           "timestamp":"%{yyyy-MM-dd HH:mm:ss Z}t",
           "clientip":"%h",
           "method":"%m",
           "uri":"%U",
           "query":"%q",
           "protocol":"%H",
           "status":%s,
           "bytes":%B,
           "response_time":%D,
           "referer":"%{Referer}i",
           "useragent":"%{User-Agent}i",
           "sessionid":"%S",
           "host":"%{Host}i",
           "x_forwarded_for":"%{X-Forwarded-For}i"
           }'/>
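Key improvements:
- Adds an explicit timestamp format with a time zone offset (the pattern as written is precise to the second)
- Removes the quotes around numeric fields (status, bytes, response_time)
- Captures additional important HTTP headers
- Adds a response time field (in microseconds)
2. Optimizing the log rotation policy
Add the following to conf/logging.properties: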
    # Handlers (asynchronous file handler for the catalina log)
    handlers = 1catalina.org.apache.juli.AsyncFileHandler
    # Log file retention policy (rotate the file, keep 7 days)
    1catalina.org.apache.juli.AsyncFileHandler.level = FINE
    1catalina.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
    1catalina.org.apache.juli.AsyncFileHandler.prefix = catalina.
    1catalina.org.apache.juli.AsyncFileHandler.rotatable = true
    1catalina.org.apache.juli.AsyncFileHandler.maxDays = 7
II. Advanced Filebeat Configuration
1. Enhanced Filebeat configuration
08-tomcat-to-es.yaml:
    filebeat.inputs:
    - type: log
      paths:
        - /oldboyedu/softwares/apache-tomcat-10.1.25/logs/tomcat.oldboyedu.com_access_log*.json
      json.keys_under_root: true
      json.overwrite_keys: true
      json.add_error_key: true
      fields:
        log_source: "tomcat_access"
        environment: "production"
        service: "webapp"
    processors:
      - decode_json_fields:
          fields: ["message"]
          target: ""
      - drop_fields:
          fields: ["message"]
          # "message" is absent when the input-level json.* options have already decoded the line
          ignore_missing: true
      - timestamp:
          field: "timestamp"
          layouts:
            - "2006-01-02 15:04:05 -0700"
          test:
            - "2023-07-15 14:30:45 +0800"
    output.elasticsearch:
      hosts:
        - "http://10.0.0.91:9200"
        - "http://10.0.0.92:9200"
        - "http://10.0.0.93:9200"
      index: "oldboyedu-tomcat-access-%{+yyyy.MM.dd}"
      pipeline: "tomcat_logs_pipeline"
    setup.ilm.enabled: false
    setup.template:
      name: "oldboyedu-tomcat"
      pattern: "oldboyedu-tomcat-*"
      overwrite: false
      settings:
        index.number_of_shards: 3
        index.number_of_replicas: 1
        index.refresh_interval: "30s"
2. Elasticsearch ingest pipeline
Create tomcat_logs_pipeline:
    PUT _ingest/pipeline/tomcat_logs_pipeline
    {
      "description": "Process Tomcat JSON logs",
      "processors": [
        {
          "date": {
            "field": "timestamp",
            "formats": ["yyyy-MM-dd HH:mm:ss XX"],
            "timezone": "Asia/Shanghai"
          }
        },
        {
          "user_agent": {
            "field": "useragent"
          }
        },
        {
          "geoip": {
            "field": "clientip",
            "target_field": "geo",
            "properties": ["city_name", "country_name", "location"]
          }
        },
        {
          "convert": {
            "field": "response_time",
            "type": "float",
            "target_field": "response_time_ms"
          }
        },
        {
          "script": {
            "description": "Tomcat 10.1 %D is in microseconds; convert to milliseconds",
            "source": "ctx.response_time_ms = ctx.response_time_ms / 1000.0"
          }
        }
      ]
    }
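III. Advanced Analysis in Kibana
1. Index pattern optimization
- Create the oldboyedu-tomcat-access-* index pattern
- Set @timestamp as the time field
- Set appropriate formats for key fields:
  - clientip: IP type
  - geo.location: GeoPoint type
  - response_time_ms: numeric type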
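2. Suggested visualization dashboards
Access analysis panel:
- Traffic overview: time series of request volume and error rate
- Geographic distribution: map of client IP locations
- Performance analysis: response time percentiles
- User analysis: client device statistics
Error analysis panel:
- Status code distribution pie chart
- List of requests with 5xx errors
- Slow request analysis (>500ms)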
3. Example alert rules
- Error rate alert: 5xx error rate > 1% within a 5-minute window
    {
      "query": {
        "bool": {
          "filter": [
            { "range": { "@timestamp": { "gte": "now-5m" } } },
            { "terms": { "status": ["500", "502", "503", "504"] } }
          ]
        }
      }
    }
- Performance alert: average response time > 300ms sustained for 5 minutes
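IV. Production Best Practices
1. Security hardening
    output.elasticsearch:
      protocol: "https"
      ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
      ssl.certificate: "/etc/filebeat/certs/client.crt"
      ssl.key: "/etc/filebeat/certs/client.key"
      # Custom request header with a placeholder value; Elasticsearch's own
      # API key authentication is configured with output.elasticsearch.api_key
      headers:
        X-API-KEY: "your_api_key"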
2. Performance tuning
    queue.mem:
      events: 4096
      flush.min_events: 1024
      flush.timeout: "5s"
    output.elasticsearch:
      bulk_max_size: 500
      worker: 4
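3. Multiline log handling (Catalina log)
    - type: log
      paths:
        - /oldboyedu/softwares/apache-tomcat-10.1.25/logs/catalina.out
      multiline.pattern: '^[[:space:]]+|^java\.|^at |^Caused by:'
      # negate: false with match: after appends lines that match the pattern
      # (stack trace continuations) to the preceding line
      multiline.negate: false
      multiline.match: after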
V. Troubleshooting Guide
1. Log collection problems
Symptom: Filebeat is not collecting logs
    # Check file permissions
    ls -la /oldboyedu/softwares/apache-tomcat-10.1.25/logs/
    # Inspect the Filebeat registry
    cat /var/lib/filebeat/registry/filebeat/data.json
    # Run in debug mode
    filebeat -e -c config/08-tomcat-to-es.yaml -d "*"
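2. Data parsing problems
Symptom: parsing errors appear in Elasticsearch
    # Validate the JSON format (-q suppresses the per-file headers that tail prints for multiple files)
    tail -q -n 1 /oldboyedu/softwares/apache-tomcat-10.1.25/logs/*.json | jq .
    # Test the pipeline (sample document; useragent and response_time are included because the pipeline requires them)
    POST _ingest/pipeline/tomcat_logs_pipeline/_simulate
    {
      "docs": [
        {
          "_source": {
            "timestamp": "2023-07-15 14:30:45 +0800",
            "clientip": "192.168.1.1",
            "status": "200",
            "useragent": "curl/8.0.1",
            "response_time": 1834
          }
        }
      ]
    }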
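The JSON check above, extended into a per-line validator (an added example, not part of the original guide): it reports lines that are not valid JSON, numeric fields that are not integers, and timestamps that do not match the layout used in the access-log pattern. The function names and the sample lines are constructed for illustration.

```python
import json
from datetime import datetime

# Field names and timestamp layout follow the access-log pattern on this page.
NUMERIC_FIELDS = ("status", "bytes", "response_time")
TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S %z"

def check_line(line):
    """Return a list of problems found in one access-log line (empty list = OK)."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at column {exc.colno}: {exc.msg}"]
    if not isinstance(event, dict):
        return ["line is not a JSON object"]
    problems = []
    for name in NUMERIC_FIELDS:
        value = event.get(name)
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            problems.append(f"{name} is not an integer: {value!r}")
    try:
        datetime.strptime(event.get("timestamp", ""), TIMESTAMP_FORMAT)
    except (TypeError, ValueError):
        problems.append(f"timestamp does not match layout: {event.get('timestamp')!r}")
    return problems

def check_lines(lines):
    """Map 1-based line numbers to their problems, skipping clean lines."""
    report = {}
    for number, line in enumerate(lines, start=1):
        problems = check_line(line)
        if problems:
            report[number] = problems
    return report

# Constructed sample lines (not real traffic).
SAMPLE = [
    '{"timestamp":"2023-07-15 14:30:45 +0800","clientip":"192.168.1.1","status":200,"bytes":512,"response_time":1834}',
    # An unquoted "-" (what %b writes for an empty body) is not valid JSON.
    '{"timestamp":"2023-07-15 14:30:46 +0800","clientip":"192.168.1.1","status":304,"bytes":-,"response_time":950}',
    # Quoted numbers are valid JSON but arrive as strings.
    '{"timestamp":"2023-07-15 14:30:47 +0800","clientip":"192.168.1.1","status":"500","bytes":0,"response_time":120}',
    '{"timestamp":"15/Jul/2023:14:30:48 +0800","clientip":"192.168.1.1","status":200,"bytes":10,"response_time":77}',
]

if __name__ == "__main__":
    for number, problems in check_lines(SAMPLE).items():
        print(number, problems)
```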
VI. Extensions
1. Collecting logs from multiple Tomcat instances
    filebeat.inputs:
    - type: log
      paths:
        - /app/tomcat-*/logs/*_access_log*.json
      tags: ["tomcat-access"]
    - type: log
      paths:
        - /app/tomcat-*/logs/catalina.out
      tags: ["tomcat-catalina"]
2. Integration with Prometheus
    metricbeat.modules:
    - module: tomcat
      metricsets: ["jvm", "status"]
      period: 10s
      hosts: ["http://localhost:8080"]
      metrics_path: /manager/status
      username: "monitor"
      password: "password"
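Summary
With this setup you have:
- A highly customized Tomcat JSON log format
- A complete EFK log collection pipeline
- Rich visual analysis in Kibana
- Production-grade monitoring and alerting
Suggested next steps:
- Review the index lifecycle policy regularly
- Set up a log archiving mechanism
- Put the configuration under version control
- Develop custom analysis plugins to meet business needs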