710661809 posted on 2019-1-28 13:51:20

Building a log analysis and monitoring platform on CentOS 7 with the ELK stack

1 Overview
  The ELK stack is the trio of Elasticsearch, Logstash and Kibana. Together they form a log collection, search and monitoring tool: Logstash reads and parses logs, Elasticsearch indexes and searches them, and Kibana is the browser front end.
  Each project has many releases and not every combination works together, so use the matching versions recommended on the Elasticsearch site: http://www.elasticsearch.org/overview/elkdownloads/
2 Environment
2.1 Software
  This article deploys the whole ELK stack on a single CentOS machine.
  Despite the title, every command below is for CentOS 6 (SysV `service`, iptables); on CentOS 7 the equivalents are `systemctl` and firewalld. The versions used:

[*]  Operating system: CentOS 6.4
[*]  JDK: 1.7.0
[*]  Logstash: 1.4.2
[*]  Elasticsearch: 1.4.2
[*]  Kibana: 3.1.2
  All of these are end-of-life releases. Elasticsearch 1.4.2 in particular predates 1.4.3, which fixed the Groovy scripting sandbox escape (CVE-2015-1427) that gives remote code execution on an unauthenticated node, so do not expose its port 9200 to untrusted networks.
2.2 Firewall
  The HTTP service and the Elasticsearch API have to be reachable through the firewall. The quick way is to stop it:

    # service iptables stop

  That leaves an Elasticsearch node with no authentication of its own open to everything that can reach the host, so prefer leaving iptables on and opening only the ports that are needed in /etc/sysconfig/iptables:

    # vim /etc/sysconfig/iptables
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 9200 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 9292 -j ACCEPT
    # service iptables restart

  Port 80 is Apache (Kibana), 9200 is the Elasticsearch REST API, which Kibana 3 queries straight from the user's browser, and 9292 is only needed if you run the Kibana UI bundled with Logstash (`logstash web`), which this setup does not. Restarting the service reloads the rules from /etc/sysconfig/iptables; the `-A INPUT` lines must be placed above the chain's final REJECT rule or they never match.
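The three rules above admit anyone on the network. As an added example (not part of the original post), the script below generates an INPUT chain for the same single-host setup that opens each port only to the clients that need it: 80 and 9200 to the network Kibana is used from (Kibana 3 runs in the browser, so that network must reach 9200 directly), 9300 to nobody (Logstash on the same host uses loopback), and 9292 not at all. The admin network 10.111.121.0/24 is an assumption standing in for your own.

```shell
#!/bin/sh
# Added example, not from the original post: generate the INPUT chain for a
# single-host ELK box that opens each port only to the clients that need it.
#   22   SSH                       : admin network
#   80   Apache / Kibana 3         : admin network (the people who use Kibana)
#   9200 Elasticsearch REST        : admin network only; Kibana 3 runs in the
#                                    browser and queries 9200 directly, so it must
#                                    be reachable from where Kibana is used, but
#                                    nowhere else (ES 1.x has no authentication)
#   9300 Elasticsearch transport   : not opened; on one host Logstash reaches it
#                                    over loopback
#   9292 Kibana bundled with Logstash ('logstash web'): not started here, so not
#                                    opened either
# The CIDR 10.111.121.0/24 in the usage line is an assumption, not a value from
# the original post.

elk_iptables_rules() {
    admin_net="$1"
    if [ -z "$admin_net" ]; then
        echo "usage: elk_iptables_rules <admin-network-cidr>" >&2
        return 1
    fi
    cat <<EOF
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s $admin_net --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s $admin_net --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s $admin_net --dport 9200 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

# How many ACCEPT rules admit new connections to a port; 0 means not exposed.
exposed_rule_count() {
    elk_iptables_rules "$1" | grep -c -- "--dport $2 -j ACCEPT" || true
}

# Which source may reach a port (the -s value of its ACCEPT rule); empty if none.
allowed_source() {
    elk_iptables_rules "$1" | sed -n "s/.* -s \([^ ]*\) --dport $2 -j ACCEPT.*/\1/p"
}

# To apply on the box (as root): put these lines between the '*filter' header
# and 'COMMIT' in /etc/sysconfig/iptables in place of the existing INPUT rules,
# then: service iptables restart
# Dry-run view of the generated chain:
elk_iptables_rules 10.111.121.0/24
```

The REJECT rule is emitted last so that the order inside /etc/sysconfig/iptables cannot silently shadow the ACCEPT lines; `exposed_rule_count` and `allowed_source` are there to check the generated chain before loading it.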
3 Install the JDK
  Elasticsearch and Logstash run on the JVM, so install a JDK and confirm that it is on the path:

    # yum -y install java-1.7.0-openjdk*
    # java -version
4 Install Elasticsearch
  By default Elasticsearch serves its HTTP API on port 9200 and talks to other nodes (and to Logstash's node-protocol output) on TCP port 9300.
  Download Elasticsearch:

    # mkdir -p /opt/software && cd /opt/software
    # wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.4.2.tar.gz
    # tar -zxvf elasticsearch-1.4.2.tar.gz -C /usr/local/
    # ln -s /usr/local/elasticsearch-1.4.2 /usr/local/elasticsearch

  Install elasticsearch-servicewrapper and start the Elasticsearch service. The archive wget saves is named master.tar.gz and extracts to elasticsearch-servicewrapper-master/:

    # wget https://github.com/elasticsearch/elasticsearch-servicewrapper/archive/master.tar.gz
    # tar -zxvf master.tar.gz
    # mv /opt/software/elasticsearch-servicewrapper-master/service /usr/local/elasticsearch/bin/
    # /usr/local/elasticsearch/bin/service/elasticsearch start

  Started this way the node runs as root; for anything beyond a test, run it as a dedicated unprivileged user (the wrapper's shell script has a RUN_AS_USER setting for this).
  Check that the service is up. A plain GET returns the node's JSON banner; a bare `curl -X GET` does not show the status code, so ask curl to print it after the body, expecting 200:

    # curl -s -w '\n%{http_code}\n' http://localhost:9200
5 Install Logstash
  Logstash itself listens on no port in this setup. The port 9292 opened in the firewall rules belongs to the Kibana UI bundled with Logstash 1.4 (`bin/logstash web`), which is not started here.
  Download Logstash:

    # wget https://download.elasticsearch.org/logstash/logstash/logstash-1.4.2.tar.gz
    # tar -zxvf logstash-1.4.2.tar.gz -C /usr/local/
    # ln -s /usr/local/logstash-1.4.2 /usr/local/logstash

  A quick check that Logstash works: anything typed on stdin should be echoed back as a one-line log event:

    # /usr/local/logstash/bin/logstash -e 'input { stdin { } } output { stdout {} }'

  Now create a configuration file and test again. This time every input line is printed as a structured event (the rubydebug codec) and also sent to Elasticsearch. The host is this machine's own address, and 9300 is Elasticsearch's transport port, which the 1.4 elasticsearch output uses by default: it joins the cluster as a client node, so the cluster name must match on both sides (the default, "elasticsearch", does):

    # mkdir -p /usr/local/logstash/etc
    # vim /usr/local/logstash/etc/hello_search.conf
    input {
      stdin {
        type => "human"
      }
    }

    output {
      stdout {
        codec => rubydebug
      }

      elasticsearch {
        host => "10.111.121.22"
        port => 9300
      }
    }
    # /usr/local/logstash/bin/logstash -f /usr/local/logstash/etc/hello_search.conf
6 Install Kibana
  Kibana 3 is a pure browser application, just a set of static files, so it only needs a web server to serve it. The post assumes Apache (httpd) is already installed; if it is missing, install it with yum first. Then copy Kibana under the document root:

    # wget https://download.elasticsearch.org/kibana/kibana/kibana-3.1.2.tar.gz
    # tar -zxvf kibana-3.1.2.tar.gz
    # mv kibana-3.1.2 /var/www/html/kibana

  Edit Kibana's configuration and replace the `elasticsearch:` line with the address the browser will use to reach Elasticsearch (it is the user's browser, not Apache, that makes these requests):

    # vim /var/www/html/kibana/config.js
    elasticsearch: "http://10.111.121.22:9200",

  Start the HTTP service (and enable it at boot with chkconfig):

    # service httpd start

  Because Kibana is served from port 80 and queries port 9200, the browser sees two different origins, so Elasticsearch must allow cross-origin requests. Append the following line to the Elasticsearch configuration and restart the service:

    # vim /usr/local/elasticsearch/config/elasticsearch.yml
    http.cors.enabled: true
    # /usr/local/elasticsearch/bin/service/elasticsearch restart

  In Elasticsearch 1.x, once CORS is enabled `http.cors.allow-origin` defaults to `*`, so any web page open in a browser that can reach the host may read, write or delete indices through that browser, with no authentication in the way. At minimum, set `http.cors.allow-origin` to Kibana's own origin (a value wrapped in slashes is treated as a regular expression) instead of leaving the default.
  Then open Kibana in a browser:

    http://10.111.121.22/kibana

  Type anything into the Logstash session started earlier and it shows up in Kibana.
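A stronger alternative to enabling CORS at all, as an added example that is not part of the original post: bind Elasticsearch to loopback so ports 9200 and 9300 never leave the host, publish the API through Apache at /es/ behind HTTP basic authentication (httpd 2.2 syntax as shipped with CentOS 6), and point Kibana at that same-origin URL. The paths and the host 10.111.121.22 are taken from the post; the htpasswd file /etc/httpd/elk.htpasswd, the user name kibana and the $PREFIX dry-run directory are assumptions. Once Elasticsearch listens on loopback only, the `host` in the Logstash outputs of sections 5 and 7 must become 127.0.0.1.

```shell
#!/bin/sh
# Added example, not part of the original post. A hardened alternative to
# 'http.cors.enabled: true': Elasticsearch 1.x has no authentication of its own,
# so instead of letting every browser talk to port 9200 directly we
#   1. bind Elasticsearch to 127.0.0.1, so 9200/9300 are unreachable from the LAN;
#   2. proxy the API through Apache at /es/ behind HTTP basic auth;
#   3. rewrite Kibana's config.js to use that same-origin URL, so CORS stays off.
# Assumptions: paths as in the post, httpd 2.2 (CentOS 6), the htpasswd file
# /etc/httpd/elk.htpasswd. Every file is written below $PREFIX (empty for a real
# install) so the generator can be dry-run in a scratch directory first.

PREFIX="${PREFIX:-}"

# Append loopback binding, CORS off and dynamic-script lockdown to elasticsearch.yml.
write_es_config() {
    f="$PREFIX/usr/local/elasticsearch/config/elasticsearch.yml"
    mkdir -p "$(dirname "$f")"
    cat >>"$f" <<'EOF'
# only Apache on this host may talk to Elasticsearch; browsers go through /es/
network.host: 127.0.0.1
http.cors.enabled: false
# 1.x evaluates Groovy scripts sent in queries by default; Kibana 3 needs none
script.disable_dynamic: true
EOF
}

# Apache: proxy /es/ to 127.0.0.1:9200 and protect both /es/ and /kibana/.
write_httpd_config() {
    f="$PREFIX/etc/httpd/conf.d/kibana-es.conf"
    mkdir -p "$(dirname "$f")"
    cat >"$f" <<'EOF'
ProxyRequests Off
ProxyPass        /es/ http://127.0.0.1:9200/
ProxyPassReverse /es/ http://127.0.0.1:9200/

<Location /es/>
    AuthType Basic
    AuthName "ELK"
    AuthUserFile /etc/httpd/elk.htpasswd
    Require valid-user
</Location>

<Location /kibana/>
    AuthType Basic
    AuthName "ELK"
    AuthUserFile /etc/httpd/elk.htpasswd
    Require valid-user
</Location>
EOF
}

# Rewrite the 'elasticsearch:' line of Kibana's config.js so the browser uses the
# proxied, same-origin URL (config.js is JavaScript, so an expression is fine).
patch_kibana_config() {
    f="${1:-$PREFIX/var/www/html/kibana/config.js}"
    sed -i 's|^\( *\)elasticsearch: .*|\1elasticsearch: window.location.protocol+"//"+window.location.host+"/es",|' "$f"
}

# Read back the value Kibana will use, to confirm the edit took.
kibana_es_setting() {
    sed -n 's|^ *elasticsearch: \(.*\),$|\1|p' "$1"
}

# Real install (as root):
#   PREFIX= ; write_es_config; write_httpd_config; patch_kibana_config
#   htpasswd -c /etc/httpd/elk.htpasswd kibana
#   /usr/local/elasticsearch/bin/service/elasticsearch restart && service httpd restart
```

Basic authentication over plain HTTP sends the password in the clear, so put mod_ssl in front of this in practice. Kibana 3 stores dashboards with PUT requests to its kibana-int index, which the proxy passes through unchanged, so nothing else in Kibana needs to be configured.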
7 Configure Logstash
  Create a second Logstash configuration. This one takes the Apache logs and the system log as inputs and sends events straight to Elasticsearch without printing them:

    # vim /usr/local/logstash/etc/logstash_agent.conf
    input {
      file {
        type => "http.access"
        path => ["/var/log/httpd/access_log"]
      }

      file {
        type => "http.error"
        path => ["/var/log/httpd/error_log"]
      }

      file {
        type => "messages"
        path => ["/var/log/messages"]
      }
    }

    output {
      elasticsearch {
        host => "10.111.121.22"
        port => 9300
      }
    }
    # nohup /usr/local/logstash/bin/logstash -f /usr/local/logstash/etc/logstash_agent.conf &

  The file input records how far it has read each file in a sincedb file, so restarting the agent does not ship old lines again. Started with nohup the agent runs as root (which it needs in order to read /var/log/messages) and does not survive a reboot; for anything beyond a test, wrap it in an init script. With this, a basic log analysis and monitoring platform is up and Kibana can be used to browse the logs.
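As shipped above, every event reaches Kibana as one opaque `message` string, so you cannot, for example, chart response codes or group by client address. The script below is an added example, not part of the original post: it writes the same agent configuration extended with the two filters a practitioner adds first, a grok filter that splits Apache access lines into fields (clientip, verb, request, response, bytes, agent) using the stock COMBINEDAPACHELOG pattern, and a date filter that takes @timestamp from the log line rather than the time of ingestion, plus a grok for the syslog format of /var/log/messages. The Elasticsearch host 127.0.0.1 (same machine) and the output path argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the section 7 agent config with
# grok and date filters so Kibana gets fields instead of one raw message.
#   grok  %{COMBINEDAPACHELOG} yields clientip, verb, request, response, bytes,
#         referrer, agent and a 'timestamp' string
#   date  turns that 'timestamp' into @timestamp, so events shipped after a
#         restart keep their real time instead of the ingest time
#   grok  %{SYSLOGBASE} yields timestamp, logsource, program and pid for
#         /var/log/messages
# Assumptions: Elasticsearch on the same host (127.0.0.1), output path below.

write_logstash_agent_config() {
    out="${1:-/usr/local/logstash/etc/logstash_agent.conf}"
    mkdir -p "$(dirname "$out")"
    cat >"$out" <<'EOF'
input {
  file { type => "http.access" path => ["/var/log/httpd/access_log"] }
  file { type => "http.error"  path => ["/var/log/httpd/error_log"] }
  file { type => "messages"    path => ["/var/log/messages"] }
}

filter {
  if [type] == "http.access" {
    grok {
      match => [ "message", "%{COMBINEDAPACHELOG}" ]
    }
    date {
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
  }
  if [type] == "messages" {
    grok {
      match => [ "message", "%{SYSLOGBASE} %{GREEDYDATA:syslog_message}" ]
    }
  }
}

output {
  elasticsearch {
    host => "127.0.0.1"
    port => 9300
  }
}
EOF
    echo "$out"
}

# Cheap sanity check before starting the agent: every '{' needs a '}'. Grok
# references like %{COMBINEDAPACHELOG} are balanced too, so they do not skew it.
# Logstash 1.4 can do the full check itself: bin/logstash -f FILE --configtest
config_braces_balanced() {
    opens=$(tr -cd '{' <"$1" | wc -c)
    closes=$(tr -cd '}' <"$1" | wc -c)
    [ "$opens" -eq "$closes" ]
}

# Usage (as root): write the file, check it, then start the agent as in section 7.
#   f=$(write_logstash_agent_config) && config_braces_balanced "$f" && \
#     nohup /usr/local/logstash/bin/logstash -f "$f" &
```

A line such as `10.0.0.5 - - [28/Jan/2019:13:51:20 +0800] "GET /kibana/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"` (constructed here for illustration) then arrives in Elasticsearch with `clientip` 10.0.0.5, `response` 200 and `@timestamp` 2019-01-28T05:51:20Z, which is what makes the Kibana histograms and terms panels useful; lines the pattern does not match are still indexed, tagged `_grokparsefailure`.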
8 References
  1. "Installing the logstash, elasticsearch, kibana trio" (安装logstash,elasticsearch,kibana三件套), http://www.cnblogs.com/yjf512/p/4194012.html