使用Logstash收集MongoDB日志并通过Zabbix报警
一 应用场景描述
在有些情况下,仅仅通过Zabbix去监控MongoDB的端口和各种状态还不够,MongoDB的日志监控也是很重要的。例如Mongos连接后端的Shard报SocketException错误等。
二 使用Logstash分析MongoDB日志
要记录慢查询首先需要开启慢查询记录功能
use jd05;db.setProfilingLevel(1,50){ "was" : 1, "slowms" : 50, "ok" : 1 }1表示只记录慢查询,慢于50毫秒的操作会被记录
如果写成2就会记录所有的操作,不建议在生产环境中使用,可以在开发环境中使用
db.setProfilingLevel(2)
在MongoDB的日志文件中会记录如下操作信息:
Mon Apr 27 16:45:01.853 [conn282854698] command jd01.$cmd command: { count: "player", query: { request_time: { $gte: 1430123701 } } } ntoreturn:1 keyUpdates:0 numYields: 7 locks(micros) r:640822 reslen:48 340mslogstash配置文件shipper_mongodb.conf如下
input { file { path => "/data/app_data/mongodb/log/*.log" type => "mongodb" sincedb_path => "/dev/null" } }filter { if [type] == "mongodb" { grok { match => ["message","(?m)%{GREEDYDATA} \[conn%{NUMBER:mongoConnection}\] %{WORD:mongoCommand} %{WORD:mongoDatabase}.%{NOTSPACE:mongoCollection} %{WORD}: \{ %{GREEDYDATA:mongoStatement} \} %{GREEDYDATA} %{NUMBER:mongoElapsedTime:int}ms"] add_tag => "mongodb" } grok { match => ["message"," cursorid:%{NUMBER:mongoCursorId}"] add_tag => "mongo_profiling_data" } grok { match => ["message"," ntoreturn:%{NUMBER:mongoNumberToReturn:int}"] add_tag => "mongo_profiling_data" } grok { match => ["message"," ntoskip:%{NUMBER:mongoNumberToSkip:int}"] add_tag => "mongo_profiling_data" } grok { match => ["message"," nscanned:%{NUMBER:mongoNumberScanned:int}"] add_tag => "mongo_profiling_data" } grok { match => ["message"," scanAndOrder:%{NUMBER:mongoScanAndOrder:int}"] add_tag => "mongo_profiling_data" } grok { match => ["message"," idhack:%{NUMBER:mongoIdHack:int}"] add_tag => "mongo_profiling_data" } grok { match => ["message"," nmoved:%{NUMBER:mongoNumberMoved:int}"] add_tag => "mongo_profiling_data" } grok { match => ["message"," nupdated:%{NUMBER:mongoNumberUpdated:int}"] add_tag => "mongo_profiling_data" } grok { match => ["message"," keyUpdates:%{NUMBER:mongoKeyUpdates:int}"] add_tag => "mongo_profiling_data" } grok { match => ["message"," numYields: %{NUMBER:mongoNumYields:int}"] add_tag => "mongo_profiling_data" } grok { match => ["message"," locks\(micros\) r:%{NUMBER:mongoReadLocks:int}"] add_tag => "mongo_profiling_data" } grok { match => ["message"," locks\(micros\) w:%{NUMBER:mongoWriteLocks:int}"] add_tag => "mongo_profiling_data" } grok { match => ["message"," nreturned:%{NUMBER:mongoNumberReturned:int}"] add_tag => "mongo_profiling_data" } grok { match => ["message"," reslen:%{NUMBER:mongoResultLength:int}"] add_tag => "mongo_profiling_data" } if "mongo_profiling_data" in [tags] { mutate { remove_tag => "_grokparsefailure" } } if "_grokparsefailure" in [tags] { grep { match => ["message","(Failed|error|SOCKET)"] add_tag => ["zabbix-sender"] add_field => [ "zabbix_host","%{host}", "zabbix_item","mongo.error"# "send_field","%{message}" ] } mutate { remove_tag => "_grokparsefailure" } } }}output { stdout { codec => "rubydebug" } zabbix { tags => "zabbix-sender" host => "zabbixserver" port => "10051" zabbix_sender => "/usr/local/zabbix/bin/zabbix_sender" } redis { host => "10.4.29.162" data_type => "list" key => "logstash" } }配置文件分为几步:
使用logstash的file插件从/data/app_data/mongodb/log/目录中读取mongodb的日志文件然后对日志内容进行解析
如果日志文件中有类似cursorid,nreturned等关键字的就截取添加标签mongo_profiling_data用于以后进行数据统计
对于其他日志就过滤关键字看是否含有错误信息,如果有就通过zabbix发送报警。
注意使用zabbix插件发送报警的时候需要先进行过滤关键字,然后要有zabbix_host,zabbix_item,zabbix_field三个字段,zabbix_item的值需要和zabbix监控页面配置的item相对应。zabbix_field如果没有指定,默认就是发送这个message字段
添加zabbix的模板
同理可以通过zabbix对PHP-FPM,Nginx,Redis,MySQL等发送报警
然后要做的就是根据不同的字段定义不同的图表
参考文档:
http://techblog.holidaycheck.com/profiling-mongodb-with-logstash-and-kibana/
http://tech.rhealitycheck.com/visualizing-mongodb-profiling-data-using-logstash-and-kibana/
http://www.logstash.net/docs/1.4.2/outputs/zabbix
