1,首先mysql開啓慢查詢日誌
vim /etc/mysql/mysql.conf.d/mysqld.cnf
#添加配置,這塊目錄可以自定義
slow_query_log = ON
slow_query_log_file = /var/lib/mysql/slow_query.log
long_query_time = 2
#然後重啓mysql服務
service mysqld restart
2,然後配置filebeat
vim /etc/filebeat/filebeat.yml
#在filebeat.prospectors:下添加如下配置
- input_type: log
paths:
#我mysql是docker部署,容器內的/var/lib/mysql/slow_query.log路徑對應宿主機的/data/vip/mysql/mysqldb/slow_query.log目錄
- /data/vip/mysql/mysqldb/slow_query.log
document_type: slowQuery
#多行合併配置
multiline.pattern: ^(# Time)
multiline.negate: true
multiline.match: after
#合併超時時間
multiline.timeout: 5s
fields:
log_type: slow_query_log
fields_under_root: true
elk配置可以參考我之前博文https://blog.csdn.net/u011870280/article/details/84579164
這裏只重點介紹mysql慢查詢配置
3.logstash配置
vim /etc/logstash/conf.d/11-nginx.conf
#添加
if [log_type] == "slow_query_log" {
grok {
match => [ "message", "(?m)^#\s+User@Host:\s+%{USER:user}\[[^\]]+\]\s+@\s+%{WORD}?\s+\[%{IP:ip}\]\s+Id:\s+%{NUMBER:id}\n#\s+Query_time:\s+%{NUMBER:query_time:float}\s+Lock_time:\s+%{NUMBER:lock_time:float}\s+Rows_sent:\s+%{NUMBER:rows_sent:int}\s+Rows_examined:\s+%{NUMBER:rows_examined:int}\nSET\s+timestamp=%{NUMBER:timestamp};\n%{GREEDYDATA:sql}" ]
}
date {
match => [ "unixtime", "UNIX" ]
target => "@timestamp"
remove_field => "unixtime"
}
}
4,完成