secce posted on 2019-1-29 13:32:38

ELK log analysis and management

No.  IP              Purpose             Notes
1    172.18.146.163  kibana, logstash
2    172.18.146.160  elasticsearch
Elasticsearch configuration
On 172.18.146.160, raise the file-descriptor and process limits for the service account:
vi /etc/security/limits.conf
        hard    nofile    65536
        soft    nofile    65536
        soft    nproc     10240
        hard    nproc     10240
Add a dedicated user (Elasticsearch refuses to start as root) and unpack the package:
useradd es
mkdir -p /workspace/app/elasticsearch-6.4.0/
tar xvfz /tmp/elasticsearch-6.4.0.tar.gz -C /workspace/app/elasticsearch-6.4.0/
elasticsearch.yml:
path.data: /workspace/data/elasticsearch
path.logs: /workspace/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
Kibana configuration
/workspace/app/kibana-6.4.0/config/kibana.yml
server.host: "0.0.0.0"
elasticsearch.url: "http://172.18.146.160:9200"
kibana.index: ".kibana"
Start the service:
nohup kibana &
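Both config fragments above bind to 0.0.0.0, and in this 6.4 setup neither Elasticsearch (no xpack.security.enabled: true) nor Kibana asks for credentials, so anything that can reach the host can read and write the indices. The script below is an added example, not part of the original post: it parses the two flat `key: value` files with a tiny standard-library parser (no YAML dependency), reports wildcard binds and the missing security setting, and rewrites the bind line to the internal address from the host table at the top of the post. The rule set and the host-to-address mapping are assumptions drawn from that table.

```python
"""Audit the elasticsearch.yml / kibana.yml bind settings from the post."""
import re
from typing import Dict, List

# Constructed copies of the two fragments from the post.
ELASTICSEARCH_YML = """\
path.data: /workspace/data/elasticsearch
path.logs: /workspace/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
"""

KIBANA_YML = """\
server.host: "0.0.0.0"
elasticsearch.url: "http://172.18.146.160:9200"
kibana.index: ".kibana"
"""

# Assumed from the host table in the post: the internal address each component should bind to.
INTERNAL_IP = {"elasticsearch": "172.18.146.160", "kibana": "172.18.146.163"}
BIND_KEY = {"elasticsearch": "network.host", "kibana": "server.host"}
WILDCARD_BINDS = {"0.0.0.0", "::", "0"}

# Flat `key: value` line; values containing '#' are not expected in these files.
_KV = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$")


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse flat `key: value` lines; strips `#` comments and surrounding quotes."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        m = _KV.match(raw.split("#", 1)[0])
        if not m:
            continue
        key, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        out[key] = value
    return out


def audit_bind(component: str, text: str) -> List[str]:
    """Return findings for one component's config; an empty list means nothing was flagged."""
    cfg = parse_flat_yaml(text)
    key = BIND_KEY[component]
    bound = cfg.get(key, "")
    findings: List[str] = []
    if bound in WILDCARD_BINDS:
        findings.append(f"{component}: {key} is {bound!r}, reachable on every interface")
    # Assumed rule: without xpack.security.enabled: true the 6.4 HTTP API has no authentication.
    if component == "elasticsearch" and cfg.get("xpack.security.enabled", "false") != "true":
        findings.append("elasticsearch: xpack.security.enabled is not true, the HTTP API on port "
                        f"{cfg.get('http.port', '9200')} takes requests without credentials")
    return findings


def harden_bind(component: str, text: str) -> str:
    """Rewrite only the bind line to the host's internal address; every other line is kept."""
    key = BIND_KEY[component]
    lines = []
    for raw in text.splitlines():
        m = _KV.match(raw.split("#", 1)[0])
        if m and m.group(1) == key:
            lines.append(f"{key}: {INTERNAL_IP[component]}")
        else:
            lines.append(raw)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, text in (("elasticsearch", ELASTICSEARCH_YML), ("kibana", KIBANA_YML)):
        for finding in audit_bind(name, text) or [f"{name}: nothing flagged"]:
            print(finding)
        print(harden_bind(name, text))
```

Binding to the internal address keeps the services off any other interface the host has; Kibana still reaches Elasticsearch through elasticsearch.url, which already points at 172.18.146.160. Anything that must reach Kibana from outside that segment should come through a reverse proxy that authenticates, since Kibana 6.4 itself does not.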
Logstash configuration
Config file directory: /workspace/app/logstash-6.4.0/config/conf.d/
/workspace/app/logstash-6.4.0/config/conf.d/sync.conf
input {
  file {
    path => "/workspace/data/webapps/witc-sync-web/witc-sync-web.log"
    type => "witc-sync-web01"
    start_position => "beginning"
  }
}
filter {
  # Lines that do NOT start with an ISO-8601 timestamp (stack traces, wrapped
  # messages) are appended to the previous event.
  # FIELD_NAME_PLACEHOLDER: the named capture's field name is not shown in the
  # post; replace it with the field the token after the timestamp should land in.
  multiline {
    pattern => "^%{TIMESTAMP_ISO8601:time}\s+(?<FIELD_NAME_PLACEHOLDER>\S+)."
    negate => true
    what => "previous"
  }
  # grok's match takes the source field first, then the pattern.
  grok {
    match => [ "message", "^%{TIMESTAMP_ISO8601:time}\s+(?<FIELD_NAME_PLACEHOLDER>\S+)." ]
  }
}
output {
  elasticsearch {
    hosts => ["172.18.146.160:9200"]
    index => "witc-sync-web01-%{+YYYY.MM.dd}"
  }
}
mkdir /workspace/data/logstash/witc-sync-web
Start the service:
nohup logstash -f /workspace/app/logstash-6.4.0/config/conf.d/sync.conf --path.data=/workspace/data/logstash/witc-sync-web &
Stop the service:
kill the process
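What the multiline and grok blocks above actually do to a log file is easier to see on a few lines than in the filter syntax. The script below is an added example, not part of the original post: it replays the pipeline's two steps in Python over a constructed sample of witc-sync-web.log, so the effect of negate => true / what => "previous" (glue every non-timestamp line onto the event before it) and of the grok match can be checked offline. TIMESTAMP_ISO8601 is approximated by a plain regex, the field name `token` for the capture after the timestamp is a placeholder (the post does not show it), and the `_grokparsefailure` marker is returned as a string rather than Logstash's tag list.

```python
"""Replay the sync.conf multiline + grok steps over a constructed log sample."""
import re
from typing import Dict, List

# Approximation of grok's TIMESTAMP_ISO8601: date, T or space, time, optional fraction and zone.
ISO8601 = (r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2}(?:[.,]\d+)?)?"
           r"(?:Z|[+-]\d{2}(?::?\d{2})?)?")
# Same shape as the pattern in sync.conf; `token` is a placeholder field name.
EVENT_START = re.compile(r"^(?P<time>" + ISO8601 + r")\s+(?P<token>\S+)")

# Constructed sample of witc-sync-web.log: three events, the second carrying a stack trace.
SAMPLE_LOG = [
    "2019-01-29 13:32:38,117 INFO  sync started for batch 42",
    "2019-01-29 13:32:39,004 ERROR sync failed for batch 42",
    "java.lang.IllegalStateException: upstream closed",
    "\tat com.example.sync.Worker.run(Worker.java:88)",
    "2019-01-29 13:32:40,250 INFO  retry scheduled",
]


def multiline_previous(lines: List[str]) -> List[str]:
    """negate => true, what => previous: a line that does not match the start
    pattern is appended to the event before it; a matching line opens a new event."""
    events: List[str] = []
    for line in lines:
        if EVENT_START.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def grok(message: str) -> Dict[str, str]:
    """Extract `time` and `token` like the grok block; an event that does not
    match keeps only `message` and gets the failure marker, as Logstash would tag it."""
    m = EVENT_START.match(message)
    if not m:
        return {"message": message, "tags": "_grokparsefailure"}
    return {"message": message, "time": m.group("time"), "token": m.group("token")}


def run_pipeline(lines: List[str]) -> List[Dict[str, str]]:
    """Multiline first, then grok on each joined event, in the order sync.conf applies them."""
    return [grok(event) for event in multiline_previous(lines)]


if __name__ == "__main__":
    for event in run_pipeline(SAMPLE_LOG):
        print(event)
```

Two things the replay makes visible. The stack trace ends up inside the ERROR event's `message`, which is what the daily index search needs; and the `time` field is only a string, because sync.conf has no `date` filter, so the `%{+YYYY.MM.dd}` in the index name is taken from the event's ingest time (@timestamp), not from the timestamp inside the log line. For a file read with start_position => "beginning" that puts old lines into today's index.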
Using Kibana
Screenshot: http://i2.运维网.com/images/blog/201810/11/39086a342386ca10c7bf0005088061ed.png