This article is based mainly on: https://www.cnblogs.com/hukey/p/11518966.html
Introduction
ELK is shorthand for three open-source tools: elasticsearch, logstash and kibana.
elasticsearch: an open-source distributed search engine. Its characteristics: distributed, simple to configure, automatic node discovery, automatic index sharding, index replicas, a RESTful interface, multiple data sources, automatic search load balancing, and so on.
logstash: collects and filters logs and stores them in elasticsearch.
kibana: provides a friendly user interface for elasticsearch; through kibana users can analyse and search the data, and even chart it.
Topology diagram
ELK has many use cases. The data fed into ES does not have to be logs produced by servers; it can also come from databases or message queues. The most important part of ELK is logstash, which cleans the data into the shape we want. ES stores the data, indexes it and serves queries. ES data can in fact be displayed directly in grafana too, but kibana offers a wide variety of rich charts. This stack is worth spending time on.
Note: when installing ELK the three versions must be compatible with each other, otherwise you will run into all kinds of bugs (this example uses version 6.8.2 for ELK and filebeat alike).
Hosts and services in the lab environment:
Hostname | Services |
---|---|
elk01 | ES, kibana |
elk | logstash, nginx, filebeat |
My resources are limited, so this is the split I used; with three servers, logstash could be put on a server of its own.
Initialization
- disable selinux and firewalld
- set the hostname (for a single ES node this does not matter much)
- raise the maximum number of open files
- set up the Java environment
The initialization steps must be done on every server.
Raising the maximum number of open files
https://www.xp.cn/jishu-php-3045.html
[root@elk01 ~] cat /etc/security/limits.conf
* soft nproc 655350
* hard nproc 655350
* soft nofile 655350
* hard nofile 655350
[root@elk01 ~] ulimit -SHn 655350
Two caveats here. ulimit only changes the current shell, and limits.conf is applied by pam_limits at login, so neither of them affects a service started by systemd; the elasticsearch rpm's unit file carries its own LimitNOFILE setting for the service, and the limits above matter for things you run from a shell, such as the logstash test runs later on. And disabling the firewall is acceptable only on an isolated lab network: every component in this guide listens on 0.0.0.0 without authentication.
Setting up the Java environment
[root@elk01 ~] tar zxf jdk-8u77-linux-x64.tar.gz -C /usr/local/
#append to /etc/profile
[root@elk01 ~] cat /etc/profile
JAVA_HOME=/usr/local/jdk1.8.0_77
JAVA_BIN=$JAVA_HOME/bin
PATH=$PATH:$JAVA_BIN
CLASSPATH=$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
export JAVA_HOME JAVA_BIN PATH CLASSPATH
[root@elk01 ~] source /etc/profile
[root@elk01 ~] ln -vs /usr/local/jdk1.8.0_77/bin/java /usr/bin/
[root@elk01 ~] java -version
java version "1.8.0_77"
Java(TM) SE Runtime Environment (build 1.8.0_77-b03)
Java HotSpot(TM) 64-Bit Server VM (build 25.77-b03, mixed mode)
Installing Elasticsearch
All components are installed from rpm packages. I found a domestic mirror with plenty of packages and good speed, the Huawei open-source mirror site. When you pull packages from a third-party mirror rather than from elastic.co, verify them before installing: import Elastic's signing key (https://artifacts.elastic.co/GPG-KEY-elasticsearch) with rpm --import and check each package with rpm -K, so that a tampered mirror cannot hand you a modified Elasticsearch.
Official download page: https://www.elastic.co/cn/downloads/past-releases#elasticsearch
Install:
[root@elk01 ~] wget https://mirrors.huaweicloud.com/elasticsearch/6.8.2/elasticsearch-6.8.2.rpm
[root@elk01 ~] yum localinstall elasticsearch-6.8.2.rpm
Edit the configuration:
[root@elk01 ~] egrep ^[a-z] /etc/elasticsearch/elasticsearch.yml
cluster.name: super-cluster #cluster name; to form a cluster, just start another node with the same cluster name
node.name: node1 #name of this node in the cluster, ideally the same as the hostname
path.data: /var/lib/elasticsearch #where data is stored, default location kept
path.logs: /var/log/elasticsearch #log path
bootstrap.memory_lock: true #lock the heap in memory so it is never swapped out
network.host: 0.0.0.0 #listen address
http.port: 9200 #listen port
discovery.zen.ping.unicast.hosts: ["192.168.118.14"] #cluster discovery: seed hosts used to find the other nodes
A word of caution about network.host: 0.0.0.0. The default rpm flavour installed here ships X-Pack, and from 6.8 onward the free basic licence includes authentication and TLS, but they stay off unless you set xpack.security.enabled: true and create the built-in users with elasticsearch-setup-passwords. Without that, anyone who can reach port 9200 (or 9300) can read, modify and delete every index. Either enable security, or bind to the internal address only and firewall both ports (this guide disables firewalld, so nothing else is protecting them). Also put your own ES node's address in the discovery list; the value shown does not match the ES address used later in this article (10.190.17.26).
Start it
systemctl enable elasticsearch
systemctl start elasticsearch
The first start may fail; check the log:
[root@elk01 ~] tail /var/log/elasticsearch/super-cluster.log
…
[1]: memory locking requested for elasticsearch process but memory is not locked
…
For the error above, edit the unit file:
[root@elk01 ~] vim /lib/systemd/system/elasticsearch.service
#add in the [Service] section:
LimitMEMLOCK=infinity
#restart es
systemctl daemon-reload
systemctl start elasticsearch
Editing the packaged unit file works, but the next rpm upgrade will overwrite it; the durable way is a drop-in override created with systemctl edit elasticsearch, which places the same [Service] line under /etc/systemd/system/elasticsearch.service.d/. Then check the listening ports: if 9200 and 9300 are listening, elasticsearch started successfully (9200 is the REST API, 9300 the transport port used between nodes).
One more thing to watch: on a server with little memory ES will not start, and the heap settings below have to be lowered. Keep -Xms and -Xmx equal, as here (the packaged default of 1g is commented out and replaced with 512m):
[root@elk01 elasticsearch] cat /etc/elasticsearch/jvm.options
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
#-Xms1g
#-Xmx1g
-Xms512m
-Xmx512m
Verify:
[root@elk01 ~] curl http://127.0.0.1:9200
{
"name" : "elk01",
"cluster_name" : "my-application",
"cluster_uuid" : "iOsPRptOQ8mlf-XeFa9pzw",
"version" : {
"number" : "6.8.2",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "b506955",
"build_date" : "2019-07-24T15:24:41.545295Z",
"build_snapshot" : false,
"lucene_version" : "7.7.0",
"minimum_wire_compatibility_version" : "5.6.0",
"minimum_index_compatibility_version" : "5.0.0"
},
"tagline" : "You Know, for Search"
}
With that, elasticsearch is installed. One inconsistency is worth noticing: the response reports name elk01 and cluster_name my-application, which are the defaults (node.name falls back to the hostname), not the node1 / super-cluster values set in elasticsearch.yml above. After editing the configuration, confirm that the running node actually reports the configured names.
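Added example (not code from the original article): a Python script that turns the verification above into the checks a practitioner actually wants after this setup. It calls GET / and GET /_nodes?filter_path=**.mlockall, the documented way to confirm that bootstrap.memory_lock really took effect after the LimitMEMLOCK fix, and reports whether the node answers without credentials, which with network.host: 0.0.0.0 means anyone who can reach port 9200 can read and delete indices. The ES address is an assumption; the canned responses at the bottom are constructed to match the curl output above so the assessment logic can be exercised offline.

```python
"""Post-install check for the Elasticsearch node configured above.

Added example, not part of the original article. Assumes the node is reachable
at ES_URL (adjust it) and uses only documented Elasticsearch 6.x endpoints:
  GET /                                 -> cluster / version banner
  GET /_nodes?filter_path=**.mlockall   -> per-node process.mlockall flag
"""
import json
import sys
import urllib.error
import urllib.request

ES_URL = "http://127.0.0.1:9200"  # assumption: run on elk01 itself


def fetch_json(url, timeout=5):
    """Return (http_status, parsed body or None). A 401 here is good news:
    it means xpack.security is on and anonymous access is refused."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        return exc.code, None


def assess(root_status, root_body, nodes_body, expected_version="6.8.2"):
    """Turn the two responses into findings. Pure function, so it can be
    tested against canned responses without a running cluster."""
    findings = []
    if root_status == 200 and root_body and "cluster_uuid" in root_body:
        findings.append(
            "anonymous access: cluster '%s' answers without credentials "
            "(enable xpack.security or restrict network.host / firewall 9200)"
            % root_body.get("cluster_name")
        )
        version = root_body.get("version", {}).get("number")
        if version != expected_version:
            findings.append("version mismatch: node runs %s, stack expects %s"
                            % (version, expected_version))
    elif root_status == 401:
        findings.append("ok: authentication required on the REST port")
    else:
        findings.append("unexpected response from /: HTTP %s" % root_status)

    # bootstrap.memory_lock: true only helps if the kernel actually granted
    # the lock; the node API reports the real state.
    for node_id, node in (nodes_body or {}).get("nodes", {}).items():
        if not node.get("process", {}).get("mlockall"):
            findings.append("node %s: memory lock requested but not effective "
                            "(mlockall=false; check LimitMEMLOCK=infinity)" % node_id)
    return findings


def run(es_url=ES_URL):
    root_status, root_body = fetch_json(es_url + "/")
    _, nodes_body = fetch_json(es_url + "/_nodes?filter_path=**.mlockall")
    return assess(root_status, root_body, nodes_body)


# Constructed responses, shaped like the curl output above, for offline use.
SAMPLE_ROOT = {"name": "elk01", "cluster_name": "my-application",
               "cluster_uuid": "iOsPRptOQ8mlf-XeFa9pzw",
               "version": {"number": "6.8.2"}}
SAMPLE_NODES_LOCKED = {"nodes": {"abc123": {"process": {"mlockall": True}}}}
SAMPLE_NODES_UNLOCKED = {"nodes": {"abc123": {"process": {"mlockall": False}}}}

if __name__ == "__main__":
    for finding in run(sys.argv[1] if len(sys.argv) > 1 else ES_URL):
        print(finding)
```

Run it on elk01 with python3, or pass another URL as the first argument. A 401 from / is the desired outcome once xpack.security.enabled is on; anything that prints the cluster name anonymously is a finding to act on before the box is reachable from anywhere but the lab.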
Installing kibana
[root@elk01 ~] wget https://mirrors.huaweicloud.com/kibana/6.8.2/kibana-6.8.2-x86_64.rpm
[root@elk01 ~] yum localinstall kibana-6.8.2-x86_64.rpm -y
[root@elk01 ~] egrep ^[a-z] /etc/kibana/kibana.yml
server.port: 8000 #listen port, default 5601
server.host: "0.0.0.0" #listen address
elasticsearch.hosts: ["http://localhost:9200"] #es address
i18n.locale: "zh-CN" #switch the UI language to Chinese
Note: if you change the kibana port to 80, you also have to change the user kibana runs as to root, because an unprivileged user cannot bind ports below 1024.
On a real deployment that is a bad trade. Kibana is a Node.js application exposed on every interface here, and without X-Pack security it has no login at all, so running it as root turns any bug in it into a root compromise of the host. Keep it on an unprivileged port as an unprivileged user and put a reverse proxy (nginx, for instance) on 80/443 in front of it, which is also where TLS and access control belong; or, if you must bind port 80 directly, grant only the cap_net_bind_service capability to the node binary Kibana runs with instead of switching the whole service to root.
Edit the unit file:
[root@elk01 ~] cat /etc/systemd/system/kibana.service
User=root
Group=root
# start the service again
[root@elk01 ~] systemctl daemon-reload
[root@elk01 ~] systemctl restart kibana
Installing logstash
logstash plugin installation is not used here; have a look at it if you are interested.
[root@elk ~] wget https://mirrors.huaweicloud.com/logstash/6.8.2/logstash-6.8.2.rpm
[root@elk ~] yum localinstall logstash-6.8.2.rpm -y
# add the logstash command to the PATH environment variable
[root@elk ~] cat /etc/profile.d/logstash.sh
export PATH=/usr/share/logstash/bin:$PATH
[root@elk ~] source /etc/profile
Verify:
# logstash -e 'input { stdin {} } output { stdout{} }'
# once "Successfully started Logstash API endpoint {:port=>9600}" appears it has started; press Enter to send an empty line on stdin and logstash echoes it back as an event like the one below
{
"@version" => "1",
"@timestamp" => 2020-09-08T12:26:46.867Z,
"host" => "elk",
"message" => ""
}
The test passes; logstash works.
Installing nginx
#configure the yum repo (gpgcheck=1 with nginx's signing key, so the packages are verified on install)
[root@elk conf.d] cat /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
[root@elk conf.d] yum clean all
[root@elk conf.d] yum install nginx -y
[root@elk conf.d] nginx #start nginx (this runs the binary directly; to have it start on boot and be supervised, enable and start the nginx systemd unit instead)
Installing filebeat
[root@elk ~] wget https://mirrors.huaweicloud.com/filebeat/6.8.2/filebeat-6.8.2-x86_64.rpm
[root@elk ~] yum localinstall filebeat-6.8.2-x86_64.rpm -y
#enable the nginx module
[root@elk ~] cd /etc/filebeat/
[root@elk filebeat] filebeat modules enable nginx
Enabled nginx
Edit the main filebeat configuration:
[root@elk ~] vim /etc/filebeat/filebeat.yml
#comment out the elasticsearch output
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
#enable the logstash output
output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]
Note that hosts must be the logstash host's IP; my logstash and filebeat are on the same server, so the default is fine. Once they are on different hosts, remember that the beats protocol is plaintext by default: enable ssl on the logstash beats input and point the ssl settings of output.logstash in filebeat at that certificate, otherwise the logs cross the network readable and spoofable by anything that can reach port 5044.
Edit the nginx module configuration:
[root@elk ~] cat /etc/filebeat/modules.d/nginx.yml
- module: nginx
  # Access logs
  access:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
    var.paths: ["/var/log/nginx/access.log"]

    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
    #var.convert_timezone: true

  # Error logs
  error:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
    var.paths: ["/var/log/nginx/error.log"]

    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
    #var.convert_timezone: true
Start the filebeat service
[root@elk ~] systemctl start filebeat
#Filebeat does not listen on any port; if the status is running it started successfully. Check the filebeat log:
[root@elk ~] tail -f /var/log/filebeat/filebeat
At this point ELK + filebeat is deployed. What comes next is adjusting and collecting data according to your needs, and that work is concentrated in logstash, so writing the logstash configuration is the hard part of ELK. For the Logstash configuration syntax I strongly recommend the official documentation, which is very complete.
Write a configuration file that prints the data to the screen:
[root@elk conf.d] pwd
/etc/logstash/conf.d
[root@elk conf.d] cat test.conf
input {
    beats {
        port => "5044"
    }
}
output {
    stdout {
        codec => "rubydebug"
    }
}
Logstash can be started from a configuration file as follows. The two warnings about logstash.yml and log4j2.properties appear because the binary is run straight from /usr/share/logstash/bin, so it ignores the packaged settings in /etc/logstash; pass --path.settings /etc/logstash to use them, or run the pipeline under the logstash systemd unit once it is final. Note also that the beats listener binds 0.0.0.0:5044, so the same exposure consideration as for ES and Kibana applies:
[root@elk conf.d] logstash -f test.conf
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[WARN ] 2020-09-09 14:40:53.395 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2020-09-09 14:40:53.429 [LogStash::Runner] runner - Starting Logstash {"logstash.version"=>"6.8.2"}
[INFO ] 2020-09-09 14:41:09.121 [Converge PipelineAction::Create<main>] pipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>1, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[INFO ] 2020-09-09 14:41:10.236 [[main]-pipeline-manager] beats - Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"}
[INFO ] 2020-09-09 14:41:10.333 [Converge PipelineAction::Create<main>] pipeline - Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0xe9521f6 run>"}
[INFO ] 2020-09-09 14:41:10.447 [Ruby-0-Thread-1: /usr/share/logstash/lib/bootstrap/environment.rb:6] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[INFO ] 2020-09-09 14:41:10.736 [[main]<beats] Server - Starting server on port: 5044
[INFO ] 2020-09-09 14:41:11.148 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
{
    "message" => "183.136.225.46 - - [08/Sep/2020:20:31:40 +0800] \"\\x00\\x00\\x00TZ\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x04\\x010I\\x00\\x00\\x00\\x00\\x80\\x0B\\xA8\\xC0\\x00\\x0C)t F\\x07\\x00tsXrcsXYs9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00bbXcsXctst\\x00\\x00\\x00\\x00\\x00\\x00\" 400 157 \"-\" \"-\" \"-\"",
    "prospector" => {
        "type" => "log"
    },
    "beat" => {
        "hostname" => "elk",
        "name" => "elk",
        "version" => "6.8.2"
    },
    "log" => {
        "file" => {
            "path" => "/var/log/nginx/access.log"
        }
    },
    "source" => "/var/log/nginx/access.log",
    "host" => {
        "id" => "84b74849e10a371795facb58dd032244",
        "containerized" => false,
        "name" => "elk",
        "os" => {
            "family" => "redhat",
            "platform" => "centos",
            "name" => "CentOS Linux",
            "codename" => "Core",
            "version" => "7 (Core)"
        },
        "architecture" => "x86_64"
    },
    "input" => {
        "type" => "log"
    },
    "event" => {
        "dataset" => "nginx.access"
    },
    "@timestamp" => 2020-09-08T12:31:48.380Z,
    "fileset" => {
        "module" => "nginx",
        "name" => "access"
    },
    "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
    "offset" => 8602,
    "@version" => "1"
}
The log lines are coming through. Look at what the very first event is, though: not a page hit but a non-HTTP binary probe from 183.136.225.46 (nginx escapes the raw bytes as \x00, \x0B and so on) that nginx rejected with status 400. An nginx reachable from the internet gets scanned like this continuously, and seeing such events in one place is a good part of why this pipeline is worth building. Note also that message still holds the entire raw log line; the nginx module's field parsing has not happened at this point. Next, write the data into elasticsearch.
Edit the configuration file again. hosts is the ES node (port 9200 is the default); if you enable X-Pack security on ES, this output also needs the user and password options:
[root@elk conf.d] cat test.conf
input {
    beats {
        port => "5044"
    }
}
#output {
#    stdout {
#        codec => "rubydebug"
#    }
#}
output {
    elasticsearch {
        hosts => ["10.190.17.26"]
        index => "nginx-%{+YYYY.MM.dd}"
    }
}
Start logstash with the configuration file
[root@elk conf.d] logstash -f test.conf
The log data is now being written into elasticsearch; the last step is displaying it in kibana. Open the kibana installed above in a browser.
After the setup in kibana is complete, click Discover, access nginx a few more times and check that the log entries appear.
That completes collecting nginx logs with ELK + filebeat. The logs are displayed, but data this messy is painful to work with and needs to be structured further. It helps to know why it arrives unparsed: the filebeat nginx module does its parsing in an Elasticsearch ingest pipeline, which filebeat applies automatically only when it writes to Elasticsearch directly. With logstash in between you either load the module pipelines into ES yourself (filebeat setup --pipelines --modules nginx) and have the logstash elasticsearch output pass pipeline => "%{[@metadata][pipeline]}", or you parse the line in logstash with a grok filter.
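Added example, not code from the original article: the parsing that the pipeline above leaves undone, written in Python so it can be run over sample lines offline. It turns a raw nginx access line into the fields a grok filter would produce, converts the +0800 time_local into the UTC @timestamp logstash would use, derives the daily index name that index => "nginx-%{+YYYY.MM.dd}" selects (logstash evaluates that pattern against @timestamp in UTC, so a late-evening local request lands in the previous day's index), keeps the non-HTTP probe captured above as a tagged event instead of losing it, and counts rejected requests per source address. Assumptions: nginx's default main log_format from the nginx.org package; the tag names are my choice; the sample lines are constructed, the probe line being a truncated copy of the one captured above.

```python
"""Structure raw nginx access-log events like the ones logstash printed above.

Added example, not part of the original article. Assumes nginx's default
`main` log_format (remote_addr, remote_user, time_local, request, status,
body_bytes_sent, referer, user_agent, x_forwarded_for) and logstash's rule
that %{+YYYY.MM.dd} is evaluated against @timestamp in UTC.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# One regex for the whole `main` format. The request is matched loosely
# ([^"]*) on purpose: junk requests still have to produce an event.
ACCESS_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'"(?P<http_x_forwarded_for>[^"]*)"$'
)
# Only a well-formed request line is split into method / path / protocol.
REQUEST_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<path>\S+) (?P<protocol>HTTP/\d\.\d)$')


def parse_access_line(line):
    """Return a structured event. On a total mismatch keep the raw message and
    tag it, which is what logstash's grok filter does (_grokparsefailure)."""
    m = ACCESS_RE.match(line)
    if m is None:
        return {"message": line, "tags": ["_grokparsefailure"]}
    event = m.groupdict()
    event["status"] = int(event["status"])
    event["body_bytes_sent"] = int(event["body_bytes_sent"])
    # "08/Sep/2020:20:31:40 +0800" -> aware datetime -> UTC @timestamp
    local_ts = datetime.strptime(event.pop("time_local"), "%d/%b/%Y:%H:%M:%S %z")
    event["@timestamp"] = local_ts.astimezone(timezone.utc).isoformat()
    rm = REQUEST_RE.match(event["request"])
    if rm:
        event.update(rm.groupdict())
        event["tags"] = []
    else:
        # Binary / TLS / port-scan probes: nginx answers 400 and logs the bytes
        # escaped as \xHH. Keep them searchable instead of dropping the event.
        # (tag name is this example's choice, not a filebeat/logstash one)
        event["tags"] = ["nginx_bad_request_line"]
    return event


def index_name(event, prefix="nginx"):
    """Daily index exactly as logstash's %{+YYYY.MM.dd} picks it: from
    @timestamp in UTC, so a 02:00 +0800 request lands in the previous day."""
    ts = datetime.fromisoformat(event["@timestamp"])
    return "%s-%s" % (prefix, ts.strftime("%Y.%m.%d"))


def bad_request_sources(events):
    """Per client address, count events nginx rejected (status 400) or whose
    request line was not HTTP: a first cut at spotting scanners."""
    counts = Counter()
    for ev in events:
        if "remote_addr" not in ev:
            continue  # unparsed line, no address to attribute it to
        if ev["status"] == 400 or "nginx_bad_request_line" in ev["tags"]:
            counts[ev["remote_addr"]] += 1
    return dict(counts)


# Constructed sample lines. The second is a truncated copy of the probe shown
# in the logstash output above; raw strings keep the \x00 escapes as the
# literal characters nginx writes to the log file.
SAMPLE_LINES = [
    r'192.0.2.10 - - [09/Sep/2020:02:15:07 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.29.0" "-"',
    r'183.136.225.46 - - [08/Sep/2020:20:31:40 +0800] "\x00\x00\x00TZ\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x04\x010I" 400 157 "-" "-" "-"',
    "not an nginx access line at all",
]


def run(lines=SAMPLE_LINES):
    """Parse every line and summarise rejected requests by source."""
    events = [parse_access_line(line) for line in lines]
    return events, bad_request_sources(events)


if __name__ == "__main__":
    parsed, sources = run()
    for ev in parsed:
        target = index_name(ev) if "@timestamp" in ev else "(unparsed)"
        print(target, ev["tags"], ev.get("request", ev.get("message")))
    print("rejected requests by source:", sources)
```

The UTC point is the one that bites in practice: the request logged at 02:15 local time on 9 September is indexed into nginx-2020.09.08, so anyone searching "yesterday's" index by local date has to allow for the offset, and the probe from the logstash output above, logged at 20:31 +0800, sits in the same index. The loose request match is what keeps the probe as an event at all; a strict pattern that insists on METHOD PATH HTTP/x.y would tag it _grokparsefailure and the scanner's address would never reach a dashboard.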