ELK log collection
Environment preparation: firewall and SELinux: the tutorial turns both off. Keep in mind that Elasticsearch 2.x has no authentication and Kibana 4 has no login, so with the firewall down anyone on the network can read, write and delete the indices; outside a throwaway lab keep firewalld running and open 9200, 9300 and 5601 only to the hosts that need them, and leave SELinux enforcing unless the audit log shows an actual denial.
Hostnames: elk-node1, elk-node2
Hostname resolution (add to /etc/hosts on both nodes):
192.168.227.128 elk-node1
192.168.227.129 elk-node2
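The preparation step above turns the firewall off. As an added example (not part of the original tutorial), the POSIX shell script below does what a practitioner would do instead: leave firewalld running and open 9200 and 9300 only to the peer node, and 5601 only to an administrative network. The two node addresses come from the host table above; the admin network 192.168.227.0/24, the DRY_RUN switch and the function names are assumptions made for this example. By default it only prints the firewall-cmd invocations; run it with DRY_RUN=0 on each node (with the other node's address as the peer on elk-node2) to apply them.

```shell
#!/bin/sh
# Added example, not part of the tutorial: keep firewalld running and open only
# the ELK ports, each to the one source that needs it. DRY_RUN=1 (the default)
# prints the firewall-cmd invocations instead of running them; DRY_RUN=0 applies
# them. Layout assumed from the host table above: Elasticsearch on both nodes,
# Kibana on elk-node1. The admin network allowed to reach Kibana is invented here.

# run CMD... : print the command (quoted so it can be pasted) or execute it
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        for a in "$@"; do
            case $a in
                *' '*) printf "'%s' " "$a" ;;
                *)     printf '%s ' "$a" ;;
            esac
        done
        echo
    else
        "$@"
    fi
}

# rich_rule SOURCE PORT -> a firewalld rich rule accepting tcp/PORT only from SOURCE
rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' "$1" "$2"
}

# elk_firewall PEER_IP ADMIN_NET
#   PEER_IP   the other node: 9300 for cluster transport, 9200 for its Logstash
#   ADMIN_NET the only network allowed to open Kibana on 5601
# Elasticsearch 2.x has no authentication and Kibana 4 no login, so who can
# reach these ports is the entire access control.
elk_firewall() {
    peer="$1"; admin="$2"
    for port in 9200 9300; do
        run firewall-cmd --permanent --add-rich-rule="$(rich_rule "$peer" "$port")"
    done
    run firewall-cmd --permanent --add-rich-rule="$(rich_rule "$admin" 5601)"
    run firewall-cmd --reload
}

# rule_count PEER_IP ADMIN_NET -> how many rich rules elk_firewall adds (always a dry run)
rule_count() {
    ( DRY_RUN=1; elk_firewall "$1" "$2" ) | grep -c -- '--add-rich-rule'
}

# On elk-node1: the peer is elk-node2, admins sit on 192.168.227.0/24 (assumed).
elk_firewall 192.168.227.129 192.168.227.0/24
```

Everything else stays closed; Kibana on elk-node1 talks to its local Elasticsearch over the loopback interface, which firewalld does not filter. SELinux needs no change for any of this: the RPM services run fine with it enforcing.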
"master-slave" mode (what the two-node cluster actually does):
Elasticsearch does not copy whole logs from a master to a slave. Every index is split into shards and the primary shards are spread over both nodes; whichever node receives a document from Logstash forwards it to the node holding the shard it belongs to, so each node ends up with part of the data.
Every primary shard also has a replica, and a replica is never placed on the same node as its primary, so a copy of each shard sits on the other machine and the loss of one node loses no data.
If the node the clients point at goes down, change the Elasticsearch host in the log-collection configuration (and elasticsearch.url in kibana.yml) to the surviving node and collection and the web display continue. Note that with only two nodes there is no safe discovery.zen.minimum_master_nodes value (1 allows a split brain, 2 stops writes as soon as one node is down), so real fault tolerance needs a third master-eligible node.
Elasticsearch installation
1. Download and import the GPG key
# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
2. Prepare the yum repository (the bracketed section line is required; yum rejects a repo file without one)
# cd /etc/yum.repos.d
# vim elasticsearch.repo
[elasticsearch-2.x]
name=Elasticsearch repository for 2.x packages
baseurl=http://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
gpgcheck=1 makes yum verify every package signature against the key imported over HTTPS in step 1, which is what protects the install even though baseurl is plain http.
3. Install Elasticsearch
# yum -y install elasticsearch
4. Install the Java environment (Elasticsearch 2.x runs on Java 8 and will not start until it is present, so do this before starting the service)
# yum -y install java
# java -version
openjdk version "1.8.0_102"
OpenJDK Runtime Environment (build 1.8.0_102-b14)
OpenJDK 64-Bit Server VM (build 25.102-b14, mixed mode)
elk-node1 configuration:
1. Edit the configuration file
# mkdir -p /data/es-data
# vim /etc/elasticsearch/elasticsearch.yml
cluster.name: wingcluster               # cluster name; every node of one cluster must use the same (self-chosen) name
node.name: elk-node1                    # node name, recommended to match the hostname
path.data: /data/es-data                # data directory
path.logs: /var/log/elasticsearch/      # log directory
bootstrap.mlockall: true                # lock the JVM heap in RAM so it is never swapped out
network.host: 0.0.0.0                   # listen on all interfaces (see the note below)
http.port: 9200                         # REST port
Mind the space after each colon and before each #: YAML does not read path.data:/data/es-data as a setting (the whole line is one scalar), so the data directory stays at the default or the file fails to load, and in path.logs: /var/log/elasticsearch/#comment a # with no space before it is part of the value, so the log path literally ends in "#comment".
bootstrap.mlockall only takes effect if the service is allowed to lock memory: with the RPM on systemd set MAX_LOCKED_MEMORY=unlimited in /etc/sysconfig/elasticsearch and LimitMEMLOCK=infinity in the unit, otherwise the log shows "Unable to lock JVM Memory" and the heap can still be swapped.
network.host: 0.0.0.0 publishes the unauthenticated REST API (9200) and transport port (9300) on every interface; on anything but a lab, bind to the node's own address (network.host: 192.168.227.128) and restrict both ports with the firewall.
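Because the two spacing slips in the configuration above are easy to miss and produce confusing failures, here is an added example (not from the tutorial) of a shell lint that reports them, plus a warning for the all-interfaces listener. Both sample files are constructed inside the script: bad.yml is the file exactly as typed above, good.yml a corrected version that binds to elk-node1's own address from the host table and already carries the unicast discovery list that the elk-node2 section introduces. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the tutorial: a lint for elasticsearch.yml that
# catches the two formatting slips that make Elasticsearch misread the file and
# flags the open listener. Both sample files are constructed here: bad.yml is the
# configuration exactly as typed above, good.yml the corrected one, bound to
# elk-node1's own address and with the unicast host list both nodes need.

# lint_es_yml FILE -> one line per finding; exit status = number of ERROR findings
lint_es_yml() {
    awk '
        /^[ \t]*#/ { next }                          # comment line
        /^[ \t]*$/ { next }                          # blank line
        /^[A-Za-z_.]+:[^ \t]/ {                      # key:value with no space: YAML reads the whole line as one scalar
            printf "ERROR line %d: missing space after colon: %s\n", NR, $0; err++ }
        /[^ \t]#/ {                                  # value#comment: the # is part of the value, not a comment
            printf "ERROR line %d: no space before #, the comment becomes part of the value: %s\n", NR, $0; err++ }
        /^network\.host:[ \t]*0\.0\.0\.0/ {          # ES 2.x has no authentication: 0.0.0.0 exposes 9200/9300 on every interface
            printf "WARN  line %d: listens on every interface; bind to the node address and firewall 9200/9300\n", NR }
        END { exit err + 0 }
    ' "$1"
}

# error_count FILE -> number of ERROR findings only
error_count() {
    lint_es_yml "$1" | grep -c '^ERROR'
}

workdir=$(mktemp -d)

cat > "$workdir/bad.yml" <<'EOF'
cluster.name: wingcluster
node.name: elk-node1
path.data:/data/es-data
path.logs: /var/log/elasticsearch/#log location
bootstrap.mlockall:true
network.host: 0.0.0.0
http.port: 9200
EOF

cat > "$workdir/good.yml" <<'EOF'
cluster.name: wingcluster
node.name: elk-node1
path.data: /data/es-data
path.logs: /var/log/elasticsearch/   # log location
bootstrap.mlockall: true
network.host: 192.168.227.128
http.port: 9200
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ["192.168.227.128", "192.168.227.129"]
EOF

echo "== bad.yml";  lint_es_yml "$workdir/bad.yml"  || echo "$? error(s)"
echo "== good.yml"; lint_es_yml "$workdir/good.yml" && echo "no errors"
```

Run it as `sh lint.sh` to see both reports, or call lint_es_yml /etc/elasticsearch/elasticsearch.yml on a node before restarting the service; a non-zero exit means the file will not do what its comments say.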
2. Start the service and check it
# chown -R elasticsearch:elasticsearch /data/
# systemctl start elasticsearch
# systemctl status elasticsearch
CGroup: /system.slice/elasticsearch.service
└─3005 /bin/java -Xms256m -Xmx1g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSI...
Note: the command line shows the heap Elasticsearch was started with, minimum 256 MB and maximum 1 GB (changed through ES_HEAP_SIZE in /etc/sysconfig/elasticsearch; keep it at half the machine's RAM or less so the page cache gets the rest)
# netstat -antlp | egrep "9200|9300"
tcp6 0 0 :::9200 :::* LISTEN 3005/java
tcp6 0 0 :::9300 :::* LISTEN 3005/java
Test through a web browser (no credentials are asked for; anyone who can reach port 9200 sees the same)
http://192.168.227.128:9200/
Test from the command line
# curl -i -XGET 'http://192.168.227.128:9200/_count?pretty' -d '{"query":{"match_all":{}}}'
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 95
{
"count" : 0,
"_shards" : {
"total" : 0,
"successful" : 0,
"failed" : 0
}
}
count and the shard totals are 0 because no index exists yet; they rise as soon as Logstash starts writing.
elk-node2 configuration: the same steps as elk-node1, with a slightly different configuration file
# vim /etc/elasticsearch/elasticsearch.yml
cluster.name: wingcluster
node.name: elk-node2
path.data: /data/es-data
path.logs: /var/log/elasticsearch/
bootstrap.mlockall: true
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ["192.168.227.128", "192.168.227.129"]
Multicast discovery is no longer built into Elasticsearch 2.x, so the unicast list is what lets the nodes find each other; put the same two discovery lines into elk-node1's file as well, restart both services, and check that one cluster has formed:
# curl 'http://192.168.227.128:9200/_cluster/health?pretty'
number_of_nodes must be 2. If each node reports 1, they are running as two separate one-node clusters: the cluster.name or the unicast list differs between them, or port 9300 is blocked between the hosts.
Installing plugins
Example: the head plugin
a) Method one
# /usr/share/elasticsearch/bin/plugin install mobz/elasticsearch-head
# chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/plugins
# systemctl restart elasticsearch
b) Method two: create a head directory under /usr/share/elasticsearch/plugins
Download the head plugin into /usr/local/src/ (from https://github.com/mobz/elasticsearch-head), unpack it, move everything from the unpacked elasticsearch-head-master directory into /usr/share/elasticsearch/plugins/head, and restart the elasticsearch service (detailed steps omitted).
Other plugins are installed the same way.
head is then served by Elasticsearch itself at http://192.168.227.128:9200/_plugin/head/. It is a full cluster-management UI (create and delete indices, run any query) with no login of its own, so it inherits whatever network exposure port 9200 has.
Logstash installation
Logstash is normally installed on the client machines (the hosts whose logs are being collected).
Here it is installed on both elk-node1 and elk-node2, using the servers themselves as clients.
Logstash on a client collects the log data and writes it into Elasticsearch; from there it can be viewed in the Kibana web interface.
1. Download and import the GPG key
# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
2. Configure the yum repository (the bracketed section line is required)
# cd /etc/yum.repos.d/
# vim logstash.repo
[logstash-2.1]
name=Logstash repository for 2.1.x packages
baseurl=http://packages.elastic.co/logstash/2.1/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
3. Install and start Logstash
# yum -y install logstash
# systemctl start logstash
The service only does useful work once a pipeline file exists in /etc/logstash/conf.d/; the quick test below runs Logstash by hand instead.
Testing
1) Basic input and output
# /opt/logstash/bin/logstash -e 'input { stdin{} } output { stdout{} }'
Settings: Default filter workers: 1
Logstash startup completed
hello                                          # typed in
2016-11-11T06:41:07.690Z elk-node1 hello       # printed out
wangshibo                                      # typed in
2016-11-11T06:41:10.608Z elk-node1 wangshibo   # printed out
The same command on a second run:
# /opt/logstash/bin/logstash -e 'input { stdin{} } output { stdout{} }'
Settings: Default filter workers: 2
Logstash startup completed
wing
2018-07-09T07:13:50.851Z elk-node1 wing
Whatever is typed on standard input is printed on standard output
2018-07-09T07:14:16.819Z elk-node1 Whatever is typed on standard input is printed on standard output
Each event comes back with its @timestamp and the host name prepended; that event, with those fields, is what the elasticsearch output would index.
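The test above only proves that Logstash starts; the step the tutorial leaves out is a pipeline that reads a real log file and writes it to Elasticsearch. The following added example (not code from the tutorial or from the Logstash project) generates such a pipeline for /var/log/messages and checks it, with logstash --configtest when the binary from the RPM is present and with a brace-balance check otherwise. It assumes the RPM paths (/opt/logstash/bin/logstash, /etc/logstash/conf.d), the elk-node1 address from the host table, and a sincedb location under the logstash user's home; the index name and the function names are choices made here.

```shell
#!/bin/sh
# Added example, not part of the tutorial: the Logstash pipeline the stdin/stdout
# test stops short of, as a file for /etc/logstash/conf.d/ that tails
# /var/log/messages and writes it to the cluster. Assumptions: Logstash 2.1 from
# the RPM (binary /opt/logstash/bin/logstash), Elasticsearch reachable at the
# elk-node1 address from the host table; the sincedb path and the index name are
# choices made here.

# write_syslog_pipeline CONFDIR ES_HOST -> writes CONFDIR/10-syslog.conf, prints its path
write_syslog_pipeline() {
    out="$1/10-syslog.conf"
    cat > "$out" <<EOF
input {
  file {
    path => "/var/log/messages"
    type => "syslog"
    start_position => "beginning"                        # first run: read the existing file, not only new lines
    sincedb_path => "/var/lib/logstash/sincedb-messages" # remembers how far it has read (logstash user's home, assumed)
  }
}
filter {
  grok {
    match => { "message" => "%{SYSLOGLINE}" }            # splits timestamp, logsource, program, pid, message
  }
  date {
    match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]   # use the syslog time as @timestamp
  }
}
output {
  elasticsearch {
    hosts => ["$2:9200"]                                 # Logstash 2.x option is "hosts", not "host"
    index => "syslog-%{+YYYY.MM.dd}"                     # one index per day, easy to expire
  }
}
EOF
    echo "$out"
}

# check_pipeline FILE -> 0 if the config is acceptable.
# Uses logstash --configtest when Logstash is installed; otherwise (previewing
# the file on another machine) at least verifies that the braces balance.
check_pipeline() {
    if [ -x /opt/logstash/bin/logstash ]; then
        /opt/logstash/bin/logstash --configtest -f "$1"
    else
        awk '{
                 for (i = 1; i <= length($0); i++) {
                     c = substr($0, i, 1)
                     if (c == "{") { depth++ } else if (c == "}") { depth-- }
                     if (depth < 0) exit 1
                 }
             }
             END { exit (depth != 0) }' "$1"
    fi
}

# Preview into a scratch directory; on the real host use /etc/logstash/conf.d.
conf=$(write_syslog_pipeline "$(mktemp -d)" 192.168.227.128)
cat "$conf"
check_pipeline "$conf" && echo "pipeline OK: $conf"
```

On each client copy the file into /etc/logstash/conf.d/ and restart the service. /var/log/messages is typically readable only by root, so give the logstash service user read access (for example setfacl -m u:logstash:r /var/log/messages, repeated in logrotate's postrotate) rather than running Logstash as root; then curl 'http://192.168.227.128:9200/_cat/indices?v' shows the first syslog-YYYY.MM.dd index appear.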
Kibana installation
1) Install Kibana:
# cd /usr/local/src
# wget https://download.elastic.co/kibana/kibana/kibana-4.3.1-linux-x64.tar.gz
# tar zxf kibana-4.3.1-linux-x64.tar.gz
# mv kibana-4.3.1-linux-x64 /usr/local/
# ln -s /usr/local/kibana-4.3.1-linux-x64/ /usr/local/kibana
2) Edit the configuration file:
# pwd
/usr/local/kibana/config
# cp kibana.yml kibana.yml.bak
# vim kibana.yml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: "http://192.168.227.128:9200"
kibana.index: ".kibana"
Kibana 4 has no user login, so server.host: "0.0.0.0" makes the whole dashboard (and, through it, queries against every index) available to anyone who can reach port 5601; restrict 5601 with the firewall or put Kibana behind a reverse proxy that authenticates.
Because Kibana runs in the foreground, either open another terminal or use screen.
Install and use screen
# yum -y install screen
# screen              # opens a new terminal session
# /usr/local/kibana/bin/kibana
log Status changed from uninitialized to green - Ready
log Status changed from uninitialized to yellow - Waiting for Elasticsearch
log Status changed from uninitialized to green - Ready
log Status changed from uninitialized to green - Ready
log Status changed from uninitialized to green - Ready
log Status changed from uninitialized to green - Ready
log Status changed from uninitialized to green - Ready
log Status changed from uninitialized to green - Ready
Then press Ctrl+a followed by d to detach from the screen session.
Kibana, started inside that screen session, keeps running in the foreground there.
# screen -ls
There is a screen on:
15041.pts-0.elk-node1 (Detached)
1 Socket in /var/run/screen/S-root.
Note: reconnecting to a screen session
The example below shows two detached screen sessions; reconnect to one with screen -r:
# screen -ls
There are screens on:
8736.pts-1.tivf18 (Detached)
8462.pts-0.tivf18 (Detached)
2 Sockets in /root/.screen.
# screen -r 8736
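Running Kibana in a root shell inside screen works for a demo, but it leaves Kibana running as root and gone after a reboot. As an added example (not part of the tutorial), this script writes a systemd unit that runs Kibana as an unprivileged user and prints the commands needed to install it; the kibana user and group and the unit file name are assumptions, the paths are the ones created by the installation steps above.

```shell
#!/bin/sh
# Added example, not part of the tutorial: run Kibana 4 as a systemd service under
# an unprivileged user instead of leaving it in a root shell inside screen.
# Assumes the tarball layout above (/usr/local/kibana -> /usr/local/kibana-4.3.1-linux-x64);
# the "kibana" user/group and the unit name are choices made here.

# write_kibana_unit UNITDIR -> writes UNITDIR/kibana.service, prints its path
write_kibana_unit() {
    out="$1/kibana.service"
    cat > "$out" <<'EOF'
[Unit]
Description=Kibana 4
After=network.target elasticsearch.service

[Service]
User=kibana
Group=kibana
ExecStart=/usr/local/kibana/bin/kibana
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
    echo "$out"
}

# unit_runs_as FILE -> the User= value, so a reviewer can confirm it is not root
unit_runs_as() {
    sed -n 's/^User=//p' "$1"
}

# install_kibana_service: the commands for the real host (printed here, not run)
install_kibana_service() {
    cat <<'EOF'
useradd -r -s /sbin/nologin kibana
chown -R kibana:kibana /usr/local/kibana-4.3.1-linux-x64   # Kibana 4 writes its optimize/ bundles on first start
cp kibana.service /etc/systemd/system/kibana.service
systemctl daemon-reload
systemctl enable kibana
systemctl start kibana
journalctl -u kibana -f   # the "Status changed ... green" lines now land in the journal
EOF
}

unit=$(write_kibana_unit "$(mktemp -d)")
cat "$unit"
echo "runs as: $(unit_runs_as "$unit")"
install_kibana_service
```

With the unit in place, screen is no longer needed and systemctl status kibana replaces screen -ls as the way to see whether Kibana is up.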
3) Test Kibana in a browser: http://192.168.227.128:5601