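A Complete Guide to Custom Tomcat Log Formats and EFK Integration

I. Customizing the Tomcat Log Format in Depth

1. Optimizing the AccessLogValve configuration

Configure a more complete JSON log format in server.xml: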

<Valve className="org.apache.catalina.valves.AccessLogValve" 
       directory="logs"
       prefix="tomcat.oldboyedu.com_access_log" 
       suffix=".json"
       fileDateFormat="yyyy-MM-dd"
       pattern='{ 
         "timestamp":"%{yyyy-MM-dd HH:mm:ss Z}t",
         "clientip":"%h",
         "method":"%m",
         "uri":"%U",
         "query":"%q",
         "protocol":"%H",
         "status":%s,
         "bytes":%B,
         "response_time":%D,
         "referer":"%{Referer}i",
         "useragent":"%{User-Agent}i",
         "sessionid":"%S",
         "host":"%{Host}i",
         "x_forwarded_for":"%{X-Forwarded-For}i"
       }'/>

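Key improvements

  • Added a timestamp format precise to the millisecond
  • Removed the quotes around numeric fields (status, bytes, response_time)
  • Added collection of important HTTP headers
  • Added a response-time field (microsecond precision)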
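
The check below is an added example, not code from the original post: it validates each access-log line against the field types of the pattern above before the line reaches Filebeat. It also shows the failure an unquoted bytes field hits with %b, which writes - when the response has no body (%B writes 0); the sample lines are constructed.

```python
import json

# Expected JSON type for each field of the access-log pattern shown above.
SCHEMA = {
    "timestamp": str, "clientip": str, "method": str, "uri": str,
    "query": str, "protocol": str, "status": int, "bytes": int,
    "response_time": int, "referer": str, "useragent": str,
    "sessionid": str, "host": str, "x_forwarded_for": str,
}

def check_line(line):
    """Return a list of problems found in one access-log line (empty if clean)."""
    try:
        doc = json.loads(line)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at column {exc.colno}: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top-level value is not an object"]
    problems = []
    for field, expected in SCHEMA.items():
        if field not in doc:
            problems.append(f"missing field {field}")
        # bool is a subclass of int in Python, so reject it explicitly
        elif not isinstance(doc[field], expected) or isinstance(doc[field], bool):
            problems.append(f"{field} is {type(doc[field]).__name__}, expected {expected.__name__}")
    problems += [f"unexpected field {f}" for f in doc if f not in SCHEMA]
    return problems

def audit(lines):
    """Map 1-based line numbers to their problems, skipping clean lines."""
    checked = ((n, check_line(line)) for n, line in enumerate(lines, start=1))
    return {n: found for n, found in checked if found}

# Constructed sample lines (not taken from a real server).
GOOD = ('{ "timestamp":"2023-07-15 14:30:45 +0800", "clientip":"10.0.0.5", "method":"GET", '
        '"uri":"/index.jsp", "query":"", "protocol":"HTTP/1.1", "status":200, "bytes":1532, '
        '"response_time":4210, "referer":"-", "useragent":"curl/8.0.1", "sessionid":"-", '
        '"host":"tomcat.oldboyedu.com", "x_forwarded_for":"-" }')
# A 304 with no body: %b writes "-" where %B would write 0, which breaks the JSON.
EMPTY_BODY = GOOD.replace('"status":200, "bytes":1532', '"status":304, "bytes":-')
# A quoted status is valid JSON but is indexed as a string instead of a number.
QUOTED_STATUS = GOOD.replace('"status":200', '"status":"200"')

if __name__ == "__main__":
    for number, found in audit([GOOD, EMPTY_BODY, QUOTED_STATUS]).items():
        print(number, found)
```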

2. Optimizing the log rotation policy

Add to conf/logging.properties:

# Handler declaration (asynchronous file handler)
handlers = 1catalina.org.apache.juli.AsyncFileHandler

# Log file retention policy
1catalina.org.apache.juli.AsyncFileHandler.level = FINE
1catalina.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
1catalina.org.apache.juli.AsyncFileHandler.prefix = catalina.
1catalina.org.apache.juli.AsyncFileHandler.rotatable = true
1catalina.org.apache.juli.AsyncFileHandler.maxDays = 7

II. Advanced Filebeat Configuration

1. Enhanced Filebeat configuration

08-tomcat-to-es.yaml

filebeat.inputs:
- type: log
  paths:
    - /oldboyedu/softwares/apache-tomcat-10.1.25/logs/tomcat.oldboyedu.com_access_log*.json
  json.keys_under_root: true
  json.overwrite_keys: true
  json.add_error_key: true
  fields:
    log_source: "tomcat_access"
    environment: "production"
    service: "webapp"
  processors:
    - decode_json_fields:
        fields: ["message"]
        target: ""
    - drop_fields:
        fields: ["message"]
    - timestamp:
        field: "timestamp"
        layouts:
          - "2006-01-02 15:04:05 -0700"
        test:
          - "2023-07-15 14:30:45 +0800"

output.elasticsearch:
  hosts: 
    - "http://10.0.0.91:9200"
    - "http://10.0.0.92:9200"
    - "http://10.0.0.93:9200"
  index: "oldboyedu-tomcat-access-%{+yyyy.MM.dd}"
  pipeline: "tomcat_logs_pipeline"

setup.ilm.enabled: false
setup.template:
  name: "oldboyedu-tomcat"
  pattern: "oldboyedu-tomcat-*"
  overwrite: false
  settings:
    index.number_of_shards: 3
    index.number_of_replicas: 1
    index.refresh_interval: "30s"

2. Elasticsearch ingest pipeline

Create tomcat_logs_pipeline

PUT _ingest/pipeline/tomcat_logs_pipeline
{
  "description": "Process Tomcat JSON logs",
  "processors": [
    {
      "date": {
        "field": "timestamp",
        "formats": ["yyyy-MM-dd HH:mm:ss XX"],
        "timezone": "Asia/Shanghai"
      }
    },
    {
      "user_agent": {
        "field": "useragent"
      }
    },
    {
      "geoip": {
        "field": "clientip",
        "target_field": "geo",
        "properties": ["city_name", "country_name", "location"]
      }
    },
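    {
      "convert": {
        "field": "response_time",
        "type": "float",
        "target_field": "response_time_ms"
      }
    },
    {
      "script": {
        "description": "%D is logged in microseconds; divide to get milliseconds",
        "source": "ctx.response_time_ms = ctx.response_time_ms / 1000.0"
      }
    }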
  ]
}

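III. Advanced Analysis Configuration in Kibana

1. Index pattern optimization

  1. Create the oldboyedu-tomcat-access-* index pattern
  2. Set @timestamp as the time field
  3. Set an appropriate format for the key fields:
    • clientip - IP type
    • geo.location - GeoPoint type
    • response_time_ms - numeric type

2. Suggested visualization dashboards

Access analysis dashboard

  1. Traffic overview: request volume / error rate as a time series
  2. Geographic distribution: client IP distribution on a map
  3. Performance analysis: response-time percentiles
  4. User analysis: statistics on client devices

Error analysis dashboard

  1. Pie chart of the status code distribution
  2. List of requests with 5xx errors
  3. Slow request analysis (>500ms)

3. Example alert rules

  1. Error-rate alert: 5xx error rate >1% within a 5-minute window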

    {
      "query": {
        "bool": {
          "filter": [
            { "range": { "@timestamp": { "gte": "now-5m" } } },
            { "terms": { "status": ["500", "502", "503", "504"] } }
          ]
        }
      }
    }
    
  2. Performance alert: average response time >300ms sustained for 5 minutes
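
An added example (not from the original post) that evaluates both rules offline over parsed access-log entries. The error rate needs the total request count as well as the 5xx count that the query above returns, and "sustained for 5 minutes" is read here as every one-minute slot of the window exceeding the threshold, which is an assumption; the sample traffic is constructed.

```python
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M:%S %z"   # the pattern's "yyyy-MM-dd HH:mm:ss Z"
WINDOW_SECONDS = 300

def recent(events, now):
    """(age_in_seconds, event) pairs for events in the 5 minutes ending at now."""
    pairs = []
    for event in events:
        age = (now - datetime.strptime(event["timestamp"], TS_FORMAT)).total_seconds()
        if 0 <= age <= WINDOW_SECONDS:
            pairs.append((age, event))
    return pairs

def error_rate_alert(events, now, threshold=0.01):
    """Rule 1: 5xx share of all requests in the window is above 1%."""
    window = recent(events, now)
    if not window:
        return False, 0.0                     # no traffic, nothing to divide by
    errors = sum(1 for _, e in window if 500 <= e["status"] <= 599)
    rate = errors / len(window)
    return rate > threshold, rate

def latency_alert(events, now, threshold_ms=300.0):
    """Rule 2: mean response time above 300 ms in each one-minute slot of the window."""
    slots = [[] for _ in range(5)]
    for age, e in recent(events, now):
        slot = min(int(age // 60), 4)         # age 300 s belongs to the oldest slot
        slots[slot].append(e["response_time"] / 1000.0)   # %D logs microseconds
    return all(bool(s) and sum(s) / len(s) > threshold_ms for s in slots)

def sample(status_5xx, micros):
    """Constructed traffic: 40 requests per minute plus optional 503s at 14:33:10."""
    events = [{"timestamp": f"2023-07-15 14:3{m}:30 +0800", "status": 200,
               "response_time": micros} for m in range(5) for _ in range(40)]
    events += [{"timestamp": "2023-07-15 14:33:10 +0800", "status": 503,
                "response_time": micros}] * status_5xx
    return events

NOW = datetime.strptime("2023-07-15 14:35:00 +0800", TS_FORMAT)

if __name__ == "__main__":
    print(error_rate_alert(sample(3, 350_000), NOW), latency_alert(sample(3, 350_000), NOW))
    print(error_rate_alert(sample(0, 120_000), NOW), latency_alert(sample(0, 120_000), NOW))
```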

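IV. Production Best Practices

1. Security hardening

output.elasticsearch:
  # The hosts entries must use the https:// scheme as well: a scheme written
  # in a host URL overrides the protocol setting.
  protocol: "https"
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
  ssl.certificate: "/etc/filebeat/certs/client.crt"
  ssl.key: "/etc/filebeat/certs/client.key"
  # Elasticsearch API keys are passed with the api_key setting, in the form "id:api_key"
  api_key: "your_key_id:your_api_key"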

2. Performance tuning

queue.mem:
  events: 4096
  flush.min_events: 1024
  flush.timeout: "5s"

output.elasticsearch:
  bulk_max_size: 500
  worker: 4

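3. Multiline log handling (Catalina log)

- type: log
  paths:
    - /oldboyedu/softwares/apache-tomcat-10.1.25/logs/catalina.out
  # Lines that match the pattern (stack-trace continuations) are appended
  # to the preceding line that does not match it.
  multiline.pattern: '^[[:space:]]+|^java\.|^at |^Caused by:'
  multiline.negate: false
  multiline.match: after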

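V. Troubleshooting Handbook

1. Log collection problems

Symptom: Filebeat is not collecting logs

# Check file permissions
ls -la /oldboyedu/softwares/apache-tomcat-10.1.25/logs/

# Check the Filebeat registry
cat /var/lib/filebeat/registry/filebeat/data.json

# Run in debug mode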
filebeat -e -c config/08-tomcat-to-es.yaml -d "*"

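2. Data parsing problems

Symptom: parsing errors appear in Elasticsearch

# Validate the JSON format (-q suppresses the per-file headers that tail prints for multiple files)
tail -q -n 1 /oldboyedu/softwares/apache-tomcat-10.1.25/logs/*.json | jq .

# Test the pipeline (the sample document carries every field the processors read; the values are made up)
POST _ingest/pipeline/tomcat_logs_pipeline/_simulate
{
  "docs": [
    {
      "_source": {
        "timestamp": "2023-07-15 14:30:45 +0800",
        "clientip": "192.168.1.1",
        "status": "200",
        "useragent": "curl/8.0.1",
        "response_time": 4210
      }
    }
  ]
}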

VI. Extensions

1. Collecting logs from multiple Tomcat instances

filebeat.inputs:
- type: log
  paths:
    - /app/tomcat-*/logs/*_access_log*.json
  tags: ["tomcat-access"]
  
- type: log
  paths:
    - /app/tomcat-*/logs/catalina.out
  tags: ["tomcat-catalina"]

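2. Integration with Prometheus

metricbeat.modules:
# The Metricbeat tomcat module reads JMX data through a Jolokia agent deployed in Tomcat;
# its metricsets are cache, memory, requests and threading.
- module: tomcat
  metricsets: ["threading", "cache", "memory", "requests"]
  period: 10s
  hosts: ["localhost:8080"]
  path: "/jolokia/?ignoreErrors=true&canonicalNaming=false"
  username: "monitor"
  password: "password"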

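Summary

With this setup you now have:

  1. A highly customized Tomcat JSON log format
  2. A complete EFK log collection pipeline
  3. Rich visualization and analysis capabilities in Kibana
  4. A production-grade monitoring and alerting system

Suggested next steps:

  • Review the index lifecycle policy regularly
  • Set up a log archiving mechanism
  • Put the configuration under version control
  • Develop custom analysis plugins to meet business needs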
posted on 2025-03-27 14:50  Leo-Yide