现在为了拉入我拥有的 ELK 服务器。我的主要网络应用剧本是这样的
---
- hosts: elk
gather_facts: true
tags: ['apps']
- hosts: apps
become: true
roles:
- common
- app
tags:
- apps
这很好,但如果我做类似的事情
ansible-playbook ./runs/app.yml --limit app-01.domain.com
它跳过了麋鹿服务器。
所以filebeat被设置为通用角色。无论如何,common/roles/filebeat.yml如果我想将 ansible 运行限制在单个应用程序服务器上,我可以清理它而不跳过它们吗?
我对ansible很陌生,所以我可能设置错误。我的想法是我有某些类别的服务器。(例如监视器、网络、数据库)
我想在它们上运行本地 ansible 运行,所以我的显示器播放看起来像
---
# plays/monitor.yaml
- hosts: mongo
connection: local
hosts: localhost
become: yes
become_user: root
roles:
- ../roles/users
- ../roles/monitor
vars:
sensu_install_client: true
sensu_install_server: true
我的roles/monitor/tasks/main.yml样子
---
# roles/monitor/tasks/main.yaml
- include: common.yml
- include: server.yml
when: sensu_install_server
- include: client.yml
when: sensu_install_client
我希望能够传入 vars,以便角色中发生包含。所以当我设置我的 api 实例时,我可以做类似的事情
vars:
sensu_install_client: true
在剧中,它将只包含来自监视器角色的 client.yml。
我将 nginx 日志放入 logstash,不幸的是,api 信息是通过 get 发送的。
因此,logstash 中有 2 个部分用于存储 API creditianals。以下是示例
message: 10.120.40.105 - - [29/Jul/2015:16:41:09 +0000] "PUT /v1/resources/scenes/455IrIBcRsa0kkIs6mv9lQ?api_key=11111111111111111&api_secret=2222222222222222222222222 HTTP/1.1" 200 689 "-" "python-requests/2.6.0 CPython/2.7.9 Linux/2.6.32-504.30.3.el6.x86_64" "10.120.40.105" 0.180 0.180
request: /v1/resources/scenes/455IrIBcRsa0kkIs6mv9lQ?api_key=11111111111111111&api_secret=2222222222222222222222222
我正在通过
NGUSERNAME [a-zA-Z\.\@\-\+_%]+
NGUSER %{NGUSERNAME}
NGINXACCESS %{IPORHOST:clientip} %{NGUSER:ident} %{NGUSER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:"(?:%{URI:referrer}|-)"|%{QS:referrer}) %{QS:agent} %{QS:xforwardedfor} %{NUMBER:request_time} %{NUMBER:upstream_time}
NGINXACCESS %{IPORHOST:clientip} %{NGUSER:ident} %{NGUSER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:"(?:%{URI:referrer}|-)"|%{QS:referrer}) %{QS:agent} %{QS:xforwardedfor} %{NUMBER:request_time}
我的输入看起来像
grok {
match => { "message" => "%{NGINXACCESS}" }
patterns_dir => ["/etc/logstash/patterns"]
}
date {
match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
}
geoip {
source => "clientip"
target => "geoip"
database => "/usr/share/GeoIP/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float"]
convert => [ "request_time", "float"]
convert => [ "upstream_time", "float"]
}
是否有任何变异方法可以将 api_secret= 之后的任何内容替换为“xxxxxxxxxxxx”
谢谢!
我对 ansible 还是很陌生,从阅读内容来看,我正在做的事情应该可以工作。我有以下文件称为aws.yml
---
- hosts: localhost
connection: local
gather_facts: no
vars:
aws_region: us-east-1
tasks:
- name: Main VPC
ec2_vpc:
state: present
cidr_block: 10.5.0.0/16
resource_tags: {"environment": "prod"}
region: "{{ aws_region }}"
dns_hostnames: no
dns_support: yes
instance_tenancy: default
internet_gateway: yes
subnets:
- cidr: 10.5.151.96/27
az: "{{ aws_region }}a"
resource_tags: {"Name": "private"}
- cidr: 10.5.151.128/27
az: "{{ aws_region }}b"
resource_tags: {"Name": "private"}
- cidr: 10.5.151.160/27
az: "{{ aws_region }}c"
resource_tags: {"Name": "private"}
当我在它上面运行 ansible-playbook 时,我得到以下信息
$ ansible-playbook aws.yml
ERROR: Unable to find an inventory file, specify one with -i ?
据我了解是主机: localhost 应该代替使用 -i 并且由于我试图在这里创建一个 VPC,所以我不想通过 ssh 进入机器来构建它。
谢谢
我希望将 mysql-proxy lua 脚本中的日志推送到 lostash 中。一个示例日志可能是
[2015-03-09 11:13:47] USER:username IP:10.102.51.134:41420 DB:dbName Query: -- One Pager Trends
-- params:
SELECT
date,
SUM(t.rev) revenue,
SUM(t.rev - t.cost) profit
FROM
am.s_d t
INNER JOIN am.event e
ON t.`event_id` = e.`event_id`
WHERE 1=1 AND DATE BETWEEN '2014-12-08' AND '2015-03-08'
AND t.source_id = 25
GROUP BY date
[2015-03-09 11:17:28] USER:mzupan IP:10.102.22.216:49843 DB: Query: show databases
新的日志条目将始终以[
所以我正在使用 logstash-forwarder 发送日志并进行如下处理
filter {
if [type] == "mysql-proxy" {
grok {
match => { "message" => "\[%{TIMESTAMP_ISO8601}\] USER:%{WORD:user} IP:%{IP:ip}:%{INT} DB:%{DATA:db} Query: (?<query>(.|\r|\n)*)" }
}
multiline {
pattern => "^\["
what => "previous"
negate=> true
}
date {
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss" ]
}
}
}
我的问题是在 kibana 我看到类似以下 json 的查询
{
"_index": "logstash-2015.03.09",
"_type": "mysql-proxy",
"_id": "AUv_vj3u0BuDzneUoKKc",
"_score": null,
"_source": {
"message": "[2015-03-09 11:13:47] USER:username IP:10.102.51.134:41420 DB:dbName Query: -- One Pager Trends \n-- params:\n\nSELECT \n date,\n SUM(t.rev) revenue,\n SUM(t.rev - t.cost) profit \nFROM\n am.s_d t\n INNER JOIN am.event e \n ON t.`event_id` = e.`event_id`\nWHERE 1=1 AND DATE BETWEEN '2014-12-08' AND '2015-03-08'\n AND t.source_id = 25\nGROUP BY date",
"@version": "1",
"@timestamp": "2015-03-09T18:13:52.287Z",
"type": "mysql-proxy",
"file": "/var/log/mysql-queries.log",
"host": "an01.domain.com",
"offset": [
"11855847",
"11855943",
"11855954",
"11855955",
"11855963",
"11855971",
"11855993",
"11856023",
"11856028",
"11856039",
"11856064",
"11856099",
"11856156",
"11856179",
"11856193",
"11856194"
],
"user": "username",
"ip": "10.102.51.134",
"db": "dbname",
"query": "-- One Pager Trends ",
"tags": [
"_grokparsefailure",
"multiline"
]
},
"fields": {
"@timestamp": [
1425924832287
]
},
"sort": [
1425924832287
]
}
即使logstash 似乎正确设置了消息,我也只看到了第一部分。
我在 java 进程和 nrpe 检查方面遇到了一些问题。我们有一些进程有时在 32 核系统上使用 1000% cpu。系统反应灵敏,直到您执行
ps aux
或尝试在 /proc/pid# 中执行任何操作,例如
[[email protected] /proc/18679]# ls
hangs..
一点ps aux
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0
stat("/dev/pts1", 0x7fffb8526f00) = -1 ENOENT (No such file or directory)
stat("/dev/pts", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
readlink("/proc/15693/fd/2", "/dev/pts/1", 127) = 10
stat("/dev/pts/1", {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
write(1, "root 15693 15692 0 06:25 pt"..., 55root 15693 15692 0 06:25 pts/1 00:00:00 ps -Af
) = 55
stat("/proc/18679", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
open("/proc/18679/stat", O_RDONLY) = 5
read(5, "18679 (java) S 1 18662 3738 3481"..., 1023) = 264
close(5) = 0
open("/proc/18679/status", O_RDONLY) = 5
read(5, "Name:\tjava\nState:\tS (sleeping)\nT"..., 1023) = 889
close(5) = 0
open("/proc/18679/cmdline", O_RDONLY) = 5
read(5,
java 进程正在工作并且会很好地完成,但问题是它使我们的监控发疯,认为进程已关闭,因为它超时等待 ps aux 完成。
我试过做类似的事情
nice -19 ionice -c1 /usr/lib64/nagios/plugins/check_procs -w 1:1 -c 1:1 -a 'diamond' -u root -t 30
没有运气
编辑
系统规格
发生这种情况时的负载约为 90-160ish 1 分钟。
奇怪的是我可以进入任何其他 /proc/pid# 并且它工作得很好。当我 ssh 进入时,系统会响应。就像当我们收到高负载警报时,我可以很好地 ssh。
另一个编辑
我一直在为调度程序使用截止日期
[[email protected] ~]# for i in {a..m}; do cat /sys/block/sd${i}/queue/scheduler; done
noop anticipatory [deadline] cfq
noop anticipatory [deadline] cfq
noop anticipatory [deadline] cfq
noop anticipatory [deadline] cfq
noop anticipatory [deadline] cfq
noop anticipatory [deadline] cfq
noop anticipatory [deadline] cfq
noop anticipatory [deadline] cfq
noop anticipatory [deadline] cfq
noop anticipatory [deadline] cfq
noop anticipatory [deadline] cfq
noop anticipatory [deadline] cfq
noop anticipatory [deadline] cfq
坐骑看起来像
[[email protected] ~]# mount
/dev/sda3 on / type ext4 (rw,noatime,barrier=0)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
/dev/sda1 on /boot type ext2 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
/dev/sdb1 on /disk1 type xfs (rw,nobarrier)
/dev/sdc1 on /disk2 type xfs (rw,nobarrier)
/dev/sdd1 on /disk3 type xfs (rw,nobarrier)
/dev/sde1 on /disk4 type xfs (rw,nobarrier)
/dev/sdf1 on /disk5 type xfs (rw,nobarrier)
/dev/sdg1 on /disk6 type xfs (rw,nobarrier)
/dev/sdh1 on /disk7 type xfs (rw,nobarrier)
/dev/sdi1 on /disk8 type xfs (rw,nobarrier)
/dev/sdj1 on /disk9 type xfs (rw,nobarrier)
/dev/sdk1 on /disk10 type xfs (rw,nobarrier)
/dev/sdl1 on /disk11 type xfs (rw,nobarrier)
/dev/sdm1 on /disk12 type xfs (rw,nobarrier)
好的,我尝试安装调整并将其设置为吞吐量性能。
[[email protected] ~]# tuned-adm profile throughput-performance
Switching to profile 'throughput-performance'
Applying deadline elevator: sda sdb sdc sdd sde sdf sdg sdh[ OK ] sdk sdl sdm
Applying ktune sysctl settings:
/etc/ktune.d/tunedadm.conf: [ OK ]
Calling '/etc/ktune.d/tunedadm.sh start': [ OK ]
Applying sysctl settings from /etc/sysctl.d/99-chef-attributes.conf
Applying sysctl settings from /etc/sysctl.conf
Starting tuned: [ OK ]
我创建了一个测试检查,现在我想删除它。它似乎并没有远离客户。我使用 uchima 作为前端,支票不再列在
/检查
但是,如果我查看客户,它仍然有支票。
我发现删除检查的唯一方法是删除节点并让它重新添加自己。我有 300 个客户,我不想那样做。
我在网络方面遇到了一个问题,我无法解决这个问题,因为我不是一个强大的网络人来解决这个问题。从我们的供应商那里,我们通过 HSRP 有 2 个分线进入我们堆叠的 cisco 2960 交换机。所以每个开关都有一个下降。从那里我们在交换机后面有两个 Astaro 设备,用于处理所有防火墙和 VLAN 路由。然后这些反馈到 Cisco 2960 上,所有 VM 主机都在同一个 2960 上所以它看起来像
-------------- --------------
|------ | Cisco 1 2960 | <--------> |Astaro 1 / VMS|
| ______________ --------------
----------- --------
| Uplink |
|---------- --------
| -------------- --------------
|-------| Cisco 2 2960 | <--------> |Astaro 2 / VMS|
-------------- --------------
所以在任何时候,思科都是堆栈的主人,而阿斯塔罗也是主人。
说我有以下场景
Master Astaro 排名第一 Master Switch in the stack 排名第二
如果我重新加载 switch #2,当 switch 1 接管并且事情重新协商时,我会得到大约 2 分钟的停机时间。
我的一些思科配置看起来像
spanning-tree mode rapid-pvst
spanning-tree extend system-id
no spanning-tree vlan 1,100
interface GigabitEthernet1/0/1
switchport access vlan 100
switchport mode access
switchport nonegotiate
duplex full
!
interface GigabitEthernet1/0/2
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/3
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet1/0/4
switchport access vlan 100
switchport mode access
switchport nonegotiate
!
端口 1 是我的提供商,2-4 是到 astaro 的交换机,用于管理端口/vlan 端口和 wan 端口。
如果我重新启动交换机,我不知道为什么我不能比 2 分钟的故障转移更好。
编辑
下面是我们“堆栈”的配置
sw1a>show switch
Switch/Stack Mac Address : 64d8.1431.6a80
H/W Current
Switch# Role Mac Address Priority Version State
----------------------------------------------------------
1 Member 0cd9.960b.5b00 15 1 Ready
*2 Master 64d8.1431.6a80 10 1 Ready
astaro 几乎是一个 linux 设备,它为所有 iptables 和 linux 为网络提供的此类工具提供了一个 gui。
我们正在寻找将从开发箱发出的电子邮件发送到基于发件人地址的电子邮件地址。
如果他们有以下来自
[email protected]
[email protected]
[email protected]
我们想将地址切换为类似
[email protected]