Deploying ELK with a multi-node Elasticsearch cluster
ELK overview: ELK is the acronym of three open-source tools: Elasticsearch, Logstash and Kibana. A fourth component, Filebeat, was added later. It is a lightweight log collection agent that uses few resources and is suited to gathering logs on each server and shipping them to Logstash; Elastic also recommends it for this role.
[*]Elasticsearch is an open-source distributed search engine that collects, analyses and stores data. Its features include: distributed operation, zero configuration, automatic discovery, automatic index sharding, index replicas, a RESTful interface, multiple data sources and automatic search load balancing.
[*]Logstash is a tool for collecting, parsing and filtering logs and supports a large number of input methods. It usually runs in a client/server layout: the client is installed on each host whose logs are to be collected, and the server filters and modifies the logs received from the nodes and then forwards them to Elasticsearch.
[*]Kibana is also an open-source, free tool that gives Logstash and Elasticsearch a friendly web interface for log analysis, helping to aggregate, analyse and search important log data.
Filebeat belongs to the Beats family.
[*]Beats currently includes four tools:
[*]Packetbeat (collects network traffic data)
[*]Topbeat (collects system-, process- and filesystem-level CPU and memory usage data)
[*]Filebeat (collects file data)
[*]Winlogbeat (collects Windows event log data)
Lab environment
192.168.10.157 linux-node1
192.168.10.161 linux-node2
Steps
1. Install elasticsearch and the JDK on linux-node1
rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch   # import the package signing key
vim /etc/yum.repos.d/elasticsearch.repo   # configure the yum repository
# yum requires a section header; the name below is assumed, the original post does not show one
[elasticsearch-2.x]
name=Elasticsearch repository for 2.x packages
baseurl=http://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
yum install elasticsearch -y
yum install java -y   # installs OpenJDK 1.8
java -version   # check the java version
2. Configure elasticsearch
cd /etc/elasticsearch/
vim elasticsearch.yml
cluster.name: xxy               # line 17, cluster name
node.name: linux-node1          # line 23, node name
path.data: /data/es-data        # line 33, data directory
path.logs: /var/log/elasticsearch/
bootstrap.memory_lock: true     # line 43, lock the heap in memory so it is never swapped out
network.host: 0.0.0.0           # line 54, listen on all interfaces
http.port: 9200                 # line 58, HTTP port
3. Create the data directory and start the elasticsearch service
mkdir -p /data/es-data
chown -R elasticsearch:elasticsearch /data/es-data/   # owner and group must be elasticsearch
systemctl start elasticsearch.service
netstat -ntap | grep 9200
Test
http://192.168.10.157:9200
4. RESTful API (requests and responses are JSON)
curl -i -XGET 'http://192.168.175.132:9200/_count?pretty' -d '{"query": {"match_all": {}}}'
# output
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 95
{
  "count" : 0,
  "_shards" : {
    "total" : 0,
    "successful" : 0,
    "failed" : 0
  }
}
5. Install the elasticsearch-head plugin
/usr/share/elasticsearch/bin/plugin install mobz/elasticsearch-head   # installs into /usr/share/elasticsearch/plugins/head
Test
http://192.168.10.157:9200/_plugin/head/
Compound query
/index-demo/test POST
{
  "user":"xxy",
  "mesg":"hello world"
}
Submit the request
/index-demo/test/AWVDUuVUPJxKK7V6Dj8E GET
{}
/index-demo/test/AWVDUuVUPJxKK7V6Dj8E DELETE
{}
ES cluster deployment
1. Install the ES service on linux-node2 the same way as above
Edit the configuration file
cd /etc/elasticsearch/
vim elasticsearch.yml
cluster.name: xxy                                                   # line 17, cluster name (must match node1)
node.name: linux-node2                                              # line 23, node name
discovery.zen.ping.unicast.hosts: ["127.0.0.1", "192.168.10.157"]   # line 69, unicast discovery
Start elasticsearch
Make the matching change on linux-node1:
discovery.zen.ping.unicast.hosts: ["127.0.0.1", "192.168.10.161"]   # line 69, unicast host list used for discovery
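Before starting both nodes it is worth checking that the two elasticsearch.yml files really describe one cluster. The following Python script is an added example, not part of the original post and not Elastic's code. It parses the flat key: value subset of elasticsearch.yml used above, verifies that cluster.name matches, that node.name is unique and that each node lists its peer in discovery.zen.ping.unicast.hosts, and flags network.host: 0.0.0.0, because Elasticsearch 2.x has no built-in authentication and an all-interfaces bind on port 9200 needs a firewall rule or an internal address in front of it. The two configuration texts are constructed from the tutorial's values; the function names are my own.

```python
import ast
import re

# Constructed copies of the two elasticsearch.yml files from the tutorial (sample input, not real files).
NODE1_YML = """
cluster.name: xxy
node.name: linux-node1
path.data: /data/es-data
path.logs: /var/log/elasticsearch/
bootstrap.memory_lock: true
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: ["127.0.0.1", "192.168.10.161"]
"""
NODE2_YML = NODE1_YML.replace("linux-node1", "linux-node2").replace("192.168.10.161", "192.168.10.157")
TUTORIAL_NODES = {"192.168.10.157": NODE1_YML, "192.168.10.161": NODE2_YML}

KEY_RE = re.compile(r"^([\w.]+)\s*:\s*(.*)$")


def parse_es_yml(text):
    """Parse the flat `key: value` lines of elasticsearch.yml.
    JSON-style lists become Python lists, true/false become bools,
    everything else stays a string. Text after # is ignored."""
    conf = {}
    for raw_line in text.splitlines():
        line = raw_line.split("#", 1)[0].strip()
        m = KEY_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value.startswith("["):
            conf[key] = [str(v) for v in ast.literal_eval(value)]
        elif value.lower() in ("true", "false"):
            conf[key] = value.lower() == "true"
        else:
            conf[key] = value.strip('"')
    return conf


def check_cluster(nodes):
    """nodes maps each node's IP to its elasticsearch.yml text.
    Returns a list of findings; an empty list means the configs agree."""
    parsed = {ip: parse_es_yml(text) for ip, text in nodes.items()}
    findings = []
    cluster_names = sorted({str(c.get("cluster.name")) for c in parsed.values()})
    if len(cluster_names) != 1:
        findings.append("cluster.name differs across nodes: %s" % cluster_names)
    node_names = [c.get("node.name") for c in parsed.values()]
    if len(set(node_names)) != len(node_names):
        findings.append("node.name is not unique: %s" % node_names)
    for ip, conf in parsed.items():
        peers = set(nodes) - {ip}
        hosts = set(conf.get("discovery.zen.ping.unicast.hosts", []))
        missing = sorted(peers - hosts)
        if missing:
            findings.append("%s: unicast host list is missing peer(s) %s" % (ip, missing))
        if conf.get("bootstrap.memory_lock") is not True:
            findings.append("%s: bootstrap.memory_lock is not true, heap may be swapped out" % ip)
        if conf.get("network.host") == "0.0.0.0":
            findings.append("%s: network.host binds every interface; ES 2.x has no built-in "
                            "authentication, so restrict port 9200 with a firewall or bind an "
                            "internal address" % ip)
    return findings


if __name__ == "__main__":
    for finding in check_cluster(TUTORIAL_NODES) or ["configs are consistent"]:
        print(finding)
```

Run against the tutorial's two files the script reports only the network.host warning for each node; swap the peer address or misspell the cluster name on one node and it tells you which node will fail to join and why, which is quicker than reading the discovery errors out of the cluster log.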
2. Test
http://192.168.10.161:9200/_plugin/head/
You will now see both primary shards and replica shards.
Install the elasticsearch-kopf plugin
/usr/share/elasticsearch/bin/plugin install lmenezes/elasticsearch-kopf
Open in the browser: http://192.168.175.132:9200/_plugin/kopf/#!/cluster
Logstash deployment
Logstash is a tool that receives, processes and forwards logs. It supports system logs, web server logs, error logs, application logs: in short, every kind of log that can be emitted. In the typical ELK scenario, Elasticsearch is the backend data store and Kibana the front-end reporting view; Logstash is the carrier in between, building a powerful pipeline for data storage, report queries and log parsing. Logstash ships a wide variety of input, filter, codec and output components, so users can build powerful processing with little effort.
1. Install logstash
rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
cd /etc/yum.repos.d/
vim logstash.repo
# yum requires a section header; the name below is assumed, the original post does not show one
[logstash-2.1]
name=Logstash repository for 2.1.x packages
baseurl=http://packages.elastic.co/logstash/2.1/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
yum install logstash -y
2. Define an input and an output stream, like a pipe
cd /opt/logstash/
./bin/logstash -e 'input { stdin{} } output { stdout{} }'
3. Show events in detailed format
cd /opt/logstash/
./bin/logstash -e 'input { stdin{} } output { stdout{ codec => rubydebug } }'
4. Write to elasticsearch
/opt/logstash/bin/logstash -e 'input { stdin{} } output { elasticsearch { hosts => ["192.168.10.157:9200"] } }'
Enter some events:
abc123
tom456
123jerry
In the elasticsearch web UI (head) click Connect, then open the data browser tab to see the events.
5. Write to ES and print to the terminal at the same time
/opt/logstash/bin/logstash -e 'input { stdin{} } output { elasticsearch { hosts => ["192.168.10.157:9200"] } stdout { codec => rubydebug } }'
6. Write to ES from a logstash configuration file
vim /etc/logstash/conf.d/01-logstash.conf
input { stdin { } }
output {
  elasticsearch { hosts => ["192.168.10.157:9200"] }
  stdout { codec => rubydebug }
}
/opt/logstash/bin/logstash -f /etc/logstash/conf.d/01-logstash.conf
7. Collect system logs with logstash
ln -s /opt/logstash/bin/logstash /usr/bin/
# vim /root/file.conf
input {
  file {
    path => "/var/log/messages"
    type => "system"
    start_position => "beginning"   # read the file from the start, not only new lines
  }
}
output {
  elasticsearch {
    hosts => ["192.168.10.157:9200"]
    index => "system-%{+YYYY.MM.dd}"   # one index per day, named from the event timestamp
  }
}
logstash -f /root/file.conf
8. Collect Java exception logs
# vim /root/file.conf
input {
  file {
    path => "/var/log/messages"
    type => "system"
    start_position => "beginning"
  }
  file {
    path => "/var/log/elasticsearch/xxy.log"   # the ES log file is named after cluster.name
    type => "es-error"
    start_position => "beginning"
  }
}
output {
  if [type] == "system" {                      # route on the type field set by each input
    elasticsearch {
      hosts => ["192.168.10.157:9200"]
      index => "system-%{+YYYY.MM.dd}"
    }
  }
  if [type] == "es-error" {
    elasticsearch {
      hosts => ["192.168.10.157:9200"]
      index => "es-error-%{+YYYY.MM.dd}"
    }
  }
}
logstash -f /root/file.conf
9. Event processing optimization
Use the multiline codec to merge stack traces into a single event
# the pattern is a regular expression
vim /root/multiline.conf
input {
  stdin {
    codec => multiline {
      pattern => "^\["        # a line starting with "[" begins a new event
      negate => true          # act on lines that do NOT match the pattern ...
      what => "previous"      # ... and append them to the previous event
    }
  }
}
output {
  stdout {
    codec => "rubydebug"
  }
}
logstash -f /root/multiline.conf
Type some test input; the three lines are recognized as one event:
[abcd
efghi
jklmn]
# redefine file.conf
input {
  file {
    path => "/var/log/messages"
    type => "system"
    start_position => "beginning"
  }
  file {
    path => "/var/log/elasticsearch/xxy.log"   # the ES log file is named after cluster.name
    type => "es-error"
    start_position => "beginning"
    codec => multiline {
      pattern => "^\["
      negate => true
      what => "previous"
    }
  }
}
output {
  if [type] == "system" {
    elasticsearch {
      hosts => ["192.168.10.157:9200"]
      index => "system-%{+YYYY.MM.dd}"
    }
  }
  if [type] == "es-error" {
    elasticsearch {
      hosts => ["192.168.10.157:9200"]
      index => "es-error-%{+YYYY.MM.dd}"
    }
  }
}
# append some multi-line log content to the ES log to verify
logstash -f /root/file.conf
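To make the behaviour of steps 8 and 9 concrete without a running Logstash, here is an added Python example (not part of the original post and not Logstash's own code). multiline_codec re-implements the join rule of the multiline codec for the pattern/negate/what options used above (and also supports what => "next", which the post does not use), index_for mirrors the `if [type] == ...` routing to the system-%{+YYYY.MM.dd} and es-error-%{+YYYY.MM.dd} indices, and run_pipeline feeds constructed syslog and Elasticsearch log lines through both. The log lines, the function names and the timestamp are constructed for the example.

```python
import re
from datetime import datetime, timezone


def multiline_codec(lines, pattern=r"^\[", negate=True, what="previous"):
    """Re-implement the join rule of Logstash's multiline codec.
    pattern: regex tested against each line; negate=True flips the match so the
    rule acts on lines that do NOT match; what='previous' glues such lines onto
    the event before them, what='next' glues them onto the event after them."""
    regex = re.compile(pattern)
    events, buf = [], []
    for line in lines:
        hit = bool(regex.search(line))
        joins = (not hit) if negate else hit   # is this line merged with a neighbour?
        if what == "previous":
            if joins and buf:
                buf.append(line)
            else:
                if buf:
                    events.append("\n".join(buf))
                buf = [line]
        elif what == "next":
            buf.append(line)
            if not joins:
                events.append("\n".join(buf))
                buf = []
        else:
            raise ValueError("what must be 'previous' or 'next'")
    if buf:
        events.append("\n".join(buf))
    return events


def index_for(event_type, timestamp):
    """Mirror of the output block: `if [type] == "system"` / `"es-error"` choose
    the index; %{+YYYY.MM.dd} is expanded from the event's @timestamp in UTC."""
    routes = {"system": "system-", "es-error": "es-error-"}
    if event_type not in routes:
        return None    # no conditional matched, so this output block drops the event
    return routes[event_type] + timestamp.astimezone(timezone.utc).strftime("%Y.%m.%d")


def run_pipeline(sources, timestamp):
    """sources: list of (type, lines, use_multiline), one entry per file {} input.
    Returns the documents the elasticsearch output would index."""
    docs = []
    for event_type, lines, use_multiline in sources:
        messages = multiline_codec(lines) if use_multiline else list(lines)
        for msg in messages:
            idx = index_for(event_type, timestamp)
            if idx is not None:
                docs.append({"type": event_type, "index": idx, "message": msg})
    return docs


# Constructed sample log lines (not real logs).
SYSLOG_LINES = [
    "Aug 29 10:00:01 linux-node1 systemd: Started Elasticsearch.",
    "Aug 29 10:00:02 linux-node1 sshd[1234]: Accepted publickey for root",
]
ES_LOG_LINES = [
    "[2018-08-29 10:00:01,123][INFO ][node   ] [linux-node1] started",
    "[2018-08-29 10:00:05,456][WARN ][index  ] [linux-node1] failed to refresh",
    "java.lang.IllegalStateException: constructed example",
    "\tat org.example.Foo.bar(Foo.java:42)",
    "\tat org.example.Main.main(Main.java:7)",
    "[2018-08-29 10:00:09,000][INFO ][node   ] [linux-node1] recovered",
]
NOW = datetime(2018, 8, 29, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for doc in run_pipeline([("system", SYSLOG_LINES, False), ("es-error", ES_LOG_LINES, True)], NOW):
        first = doc["message"].splitlines()[0]
        print(doc["index"], "<-", first, "(%d lines)" % len(doc["message"].splitlines()))
```

The six Elasticsearch log lines become three events, with the exception and its two stack frames folded into the WARN line they belong to; without the codec each frame would be indexed as its own event and a Kibana search for the exception would never show the stack. Note also that an event whose type matches neither conditional is silently dropped by this output block, which is why every file input in the post sets a type.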
Cluster overview (screenshot)
Kibana deployment
Kibana is also an open-source, free tool that gives Logstash and Elasticsearch a friendly web interface for log analysis, helping to aggregate, analyse and search important log data.
wget https://download.elastic.co/kibana/kibana/kibana-4.3.1-linux-x64.tar.gz   # download the package
tar zxvf kibana-4.3.1-linux-x64.tar.gz -C /opt/
mv /opt/kibana-4.3.1-linux-x64/ /usr/local/
mv /usr/local/kibana-4.3.1-linux-x64/ /usr/local/kibana   # rename
vim /usr/local/kibana/config/kibana.yml   # edit the configuration file
server.port: 5601                                  # line 2
server.host: "0.0.0.0"                             # line 5
elasticsearch.url: "http://192.168.10.157:9200"    # line 12, ES address
kibana.index: ".kibana"                            # line 20
Screen is free software from the GNU project for switching between command-line terminals. A user can open several local or remote command-line sessions at once and switch freely between them; GNU Screen can be thought of as the command-line counterpart of a window manager, offering a uniform interface and the matching features for managing multiple sessions.
yum install screen -y
screen                          # open a screen session so kibana keeps running after you detach
/usr/local/kibana/bin/kibana    # start kibana and listen
# press ctrl+a then d to detach and leave it running in the background
Browse to
http://192.168.10.157:5601/