|
|
一、Elasticsearch 集群相关介绍
Elasticsearch用于构建高可用和可扩展的系统。扩展的方式可以是购买更好的服务器(纵向扩展)或者购买更多的服务器(横向扩展),Elasticsearch能从更强大的硬件中获得更好的性能,但是纵向扩展也有一定的局限性。真正的扩展应该是横向的,它通过增加节点来传播负载和增加可靠性。对于大多数数据库而言,横向扩展意味着你的程序将做非常大的改动来利用这些新添加的设备。对比来说,Elasticsearch天生是分布式的:它知道如何管理节点来提供高扩展和高可用,这意味着你的程序不需要关心这些。
对于Elasticsearch集群搭建,可以把索引进行分片存储,一个索引可以分成若干个片,分别存储到集群里面,而对于集群里面的负载均衡,副本分配,索引动态均衡(根据节点的增加或者减少)都是elasticsearch自己内部完成的,一有情况就会重新进行分配。
以下先是介绍几个关于elasticsearch 的几个名词:
cluster:代表一个集群,集群中有多个节点,其中有一个为主节点,这个主节点是可以通过选举产生的,主从节点是对于集群内部来说的。es的一个概念就是去中心化,字面上理解就是无中心节点,这是对于集群外部来说的,因为从外部来看es集群,在逻辑上是个整体,你与任何一个节点的通信和与整个es集群通信是等价的。
shards:代表索引分片,es可以把一个完整的索引分成多个分片,这样的好处是可以把一个大的索引拆分成多个,分布到不同的节点上,构成分布式搜索。分片的数量只能在索引创建前指定,并且索引创建后不能更改。
replicas:代表索引副本,es可以设置多个索引的副本,副本的作用一是提高系统的容错性,当某个节点某个分片损坏或丢失时可以从副本中恢复。二是提高es的查询效率,es会自动对搜索请求进行负载均衡。
recovery:代表数据恢复或叫数据重新分布,es在有节点加入或退出时会根据机器的负载对索引分片进行重新分配,挂掉的节点重新启动时也会进行数据恢复。
river:代表es的一个数据源,也是其它存储方式(如:数据库)同步数据到es的一个方法。它是以插件方式存在的一个es服务,通过读取river中的数据并把它索引到es中,官方的river有couchDB的,RabbitMQ的,Twitter的,Wikipedia的等。
gateway:代表es索引的持久化存储方式,es默认是先把索引存放到内存中,当内存满了时再持久化到硬盘。当这个es集群关闭再重新启动时就会从gateway中读取索引数据。es支持多种类型的gateway,有本地文件系统(默认),分布式文件系统,Hadoop的HDFS和amazon的s3云存储服务。
discovery.zen:代表es的自动发现节点机制,es是一个基于p2p的系统,它先通过广播寻找存在的节点,再通过多播协议来进行节点之间的通信,同时也支持点对点的交互。
Transport:代表es内部节点或集群与客户端的交互方式,默认内部是使用tcp协议进行交互,同时它支持http协议(json格式)、thrift、servlet、memcached、zeroMQ等的传输协议(通过插件方式集成)
集群和节点:节点(node)是你运行的Elasticsearch实例。一个集群(cluster)是一组具有相同cluster.name的节点集合,他们协同工作,共享数据并提供故障转移和扩展功能,当有新的节点加入或者删除节点,集群就会感知到并平衡数据。集群中一个节点会被选举为主节点(master),它用来管理集群中的一些变更,例如新建或删除索引、增加或移除节点等;当然一个节点也可以组成一个集群。
节点通信:我们能够与集群中的任何节点通信,包括主节点。任何一个节点互相知道文档存在于哪个节点上,它们可以转发请求到我们需要数据所在的节点上。我们通信的节点负责收集各节点返回的数据,最后一起返回给客户端。这一切都由Elasticsearch透明的管理。
分片与副本分片:分片用于Elasticsearch在你的集群中分配数据。想象把分片当作数据的容器。文档存储在分片中,然后分片分配给你集群中的节点上。 当你的集群扩容或缩小,Elasticsearch将会自动在你的节点间迁移分片,以使集群保持平衡。一个分片(shard)是一个最小级别的“工作单元(worker unit)”,它只是保存索引中所有数据的一小片.我们的文档存储和被索引在分片中,但是我们的程序不知道如何直接与它们通信。取而代之的是,他们直接与索引通信。Elasticsearch中的分片分为主分片和副本分片,复制分片只是主分片的一个副本,它用于提供数据的冗余副本,在硬件故障之后提供数据保护,同时服务于像搜索和检索等只读请求,主分片的数量和复制分片的数量都可以通过配置文件配置。但是主切片的数量只能在创建索引时定义且不能修改.相同的分片不会放在同一个节点上。
分片算法: shard = hash(routing) % number_of_primary_shards
routing值是一个任意字符串,它默认是_id,但也可以自定义,这个routing字符串通过哈希函数生成一个数字,然后除以主切片的数量得到一个余数(remainder),余数的范围永远是0到number_of_primary_shards - 1,这个数字就是特定文档所在的分片。这也解释了为什么主切片的数量只能在创建索引时定义且不能修改:如果主切片的数量在未来改变了,所有先前的路由值就失效了,文档也就永远找不到了。所有的文档API(get、index、delete、bulk、update、mget)都接收一个routing参数,它用来自定义文档到分片的映射。自定义路由值可以确保所有相关文档.比如用户的文章,按照用户账号路由,就可以实现属于同一用户的文档被保存在同一分片上。
分片和副本交互:新建、索引和删除请求都是写(write)操作,它们必须在主分片上成功完成才能复制到相关的复制分片上,下面我们罗列在主分片和复制分片上成功新建、索引或删除一个文档必要的顺序步骤:
1、客户端给Node 1发送新建、索引或删除请求。
2、节点使用文档的_id确定文档属于分片0。它转发请求到Node 3,分片0位于这个节点上。
3、Node 3在主分片上执行请求,如果成功,它转发请求到相应的位于Node 1和Node 2的复制节点上。当所有的复制节点报告成功,Node 3报告成功到请求的节点,请求的节点再报告给客户端。
客户端接收到成功响应的时候,文档的修改已经被应用于主分片和所有的复制分片。你的修改生效了。
副本分片复制时的相关的参数说明: (replication)复制默认的值是sync。这将导致主分片得到复制分片的成功响应后才返回,如果你设置replication为async,请求在主分片上被执行后就会返回给客户端。它依旧会转发请求给复制节点,但你将不知道复制节点成功与否。默认的sync复制允许Elasticsearch强制反馈传输。async复制可能会因为在不等待其它分片就绪的情况下发送过多的请求而使Elasticsearch过载。
consistency: 默认主分片在尝试写入时需要规定一定数量(quorum)或过半的分片(可以是主节点或复制节点)可用。这是防止数据被写入到错的网络分区。规定的数量计算公式如下:
int( (primary + number_of_replicas) / 2 ) + 1
consistency允许的值为one(只有一个主分片),all(所有主分片和复制分片)或者默认的quorum或过半分片。注意number_of_replicas是在索引中的设置,用来定义复制分片的数量,而不是现在活动的复制节点的数量。如果你定义了索引有3个复制节点,那规定数量是:int( (primary + 3 replicas) / 2 ) + 1 = 3但如果你只有2个节点,那你的活动分片不够规定数量,也就不能索引或删除任何文档。
注意: 新索引默认有1个复制分片,这意味着为了满足quorum的要求需要两个活动的分片。当然,这个默认设置将阻止我们在单一节点集群中进行操作。为了避开这个问题,规定数量只有在number_of_replicas大于一时才生效。
timeout:当分片副本不足时Elasticsearch会等待更多的分片出现。默认等待一分钟。如果需要,你可以设置timeout参数让它终止的更早:100表示100毫秒,30s表示30秒。
参考链接:http://my.oschina.net/davehe/blog/549189
二、Elasticsearch 集群架构图(草图)
服务器配置:Centos6.6 x86_64 CPU:1核心 MEM:2G (做实验,配置比较低一些)
注:这里配置elasticsearch集群用了3台服务器,可以根据自己的实际情况进行调整。
三、开始安装配置nginx和logstash
注:这里使用yum安装,如果需要较高版本的,可以使用编译安装。
在10.0.18.144上操作,10.0.18.145配置方式和144是一样的。
1、安装nginx
配置yum源并安装nginx
#vim /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1
安装
#yum install nginx -y
查看版本
#rpm -qa nginx
nginx-1.10.1-1.el6.ngx.x86_64 修改nginx配置文件,修改为如下:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log notice; #默认是warn
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" $http_x_forwarded_for $request_length $msec $connection_requests $request_time';
##添加了$request_length $msec $connection_requests $request_time
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name localhost;
access_log /var/log/nginx/access.log main;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
}
修改nginx默认页面
#vi /usr/share/nginx/html/index.html
Welcome to nginx!
改为
Welcome to nginx! 144 启动nginx,并访问测试:
#service nginx start
#chkconfig --add nginx
#chkconfig nginx on
查看启动情况
#netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1023/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1101/master
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1353/nginx
tcp 0 0 :::22 :::* LISTEN 1023/sshd
tcp 0 0 ::1:25 :::* LISTEN 1101/master 在浏览器访问测试,如下:
2、安装配置java环境
直接使用rpm包安装,比较方便
#rpm -ivh jdk-8u92-linux-x64.rpm
Preparing... ########################################### [100%]
1:jdk1.8.0_92 ########################################### [100%]
Unpacking JAR files...
tools.jar...
plugin.jar...
javaws.jar...
deploy.jar...
rt.jar...
jsse.jar...
charsets.jar...
localedata.jar...
#java -version
java version "1.8.0_92"
Java(TM) SE Runtime Environment (build 1.8.0_92-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.92-b14, mixed mode) 3、安装配置logstash
配置logstash的yum源,如下:
#vim /etc/yum.repos.d/logstash.repo
[logstash-2.3]
name=Logstash repository for 2.3.x packages
baseurl=https://packages.elastic.co/logstash/2.3/centos
gpgcheck=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
安装logstash
#yum install logstash -y
查看版本
#rpm -qa logstash
logstash-2.3.4-1.noarch 配置logstash的配置文件
#cd /etc/logstash/conf.d
#vim logstash.conf
input {
file {
path => ["/var/log/nginx/access.log"]
type => "nginx_log"
start_position => "beginning"
}
}
output {
stdout {
codec => rubydebug
}
}
检测语法是否有错
#/opt/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --configtest
Configuration OK #语法OK 启动并查看收集nginx日志情况:
#列出一部分
#/opt/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf
Settings: Default pipeline workers: 1
Pipeline main started
{
"message" => "10.0.90.8 - - [26/Aug/2016:15:30:18 +0800] \"GET / HTTP/1.1\" 304 0 \"-\" \"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)\" \"-\" 415 1472196618.085 1 0.000",
"@version" => "1",
"@timestamp" => "2016-08-26T07:30:32.699Z",
"path" => "/var/log/nginx/access.log",
"host" => "0.0.0.0",
"type" => "nginx_log"
}
{
"message" => "10.0.90.8 - - [26/Aug/2016:15:30:18 +0800] \"GET / HTTP/1.1\" 304 0 \"-\" \"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)\" \"-\" 415 1472196618.374 2 0.000",
"@version" => "1",
"@timestamp" => "2016-08-26T07:30:32.848Z",
"path" => "/var/log/nginx/access.log",
"host" => "0.0.0.0",
"type" => "nginx_log"
}
………………
PS:在网上看到其他版本logstash的pipeline workers是默认为4,但我安装的2.3.4版本这个默认值为1
这是因为这个默认值和服务器本身的cpu核数有关,我这里的服务器cpu都是1核,故默认值为1。
可以通过 /opt/logstash/bin/logstash -h 命令查看一些参数 修改logstash的配置文件,将日志数据输出到redis
#cat /etc/logstash/conf.d/logstash.conf
input {
file {
path => ["/var/log/nginx/access.log"]
type => "nginx_log"
start_position => "beginning"
}
}
output {
redis {
host => "10.0.18.146"
key => 'logstash-redis'
data_type => 'list'
}
} 检查语法并启动服务
#/opt/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --configtest
Configuration OK
#service logstash start
logstash started.
查看启动进程
#ps -ef | grep logstash
logstash 2029 1 72 15:37 pts/0 00:00:18 /usr/bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -Djava.io.tmpdir=/var/lib/logstash -Xmx1g -Xss2048k -Djffi.boot.library.path=/opt/logstash/vendor/jruby/lib/jni -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -Djava.io.tmpdir=/var/lib/logstash -XX:HeapDumpPath=/opt/logstash/heapdump.hprof -Xbootclasspath/a:/opt/logstash/vendor/jruby/lib/jruby.jar -classpath : -Djruby.home=/opt/logstash/vendor/jruby -Djruby.lib=/opt/logstash/vendor/jruby/lib -Djruby.script=jruby -Djruby.shell=/bin/sh org.jruby.Main --1.9 /opt/logstash/lib/bootstrap/environment.rb logstash/runner.rb agent -f /etc/logstash/conf.d -l /var/log/logstash/logstash.log
root 2076 1145 0 15:37 pts/0 00:00:00 grep logstash 四、安装配置redis
下载并安装redis
#yum install wget gcc gcc-c++ -y #安装过的,就不需要再安装了
#wget http://download.redis.io/releases/redis-3.0.7.tar.gz
#tar xf redis-3.0.7.tar.gz
#cd redis-3.0.7
#make
make没问题之后,创建目录
#mkdir -p /usr/local/redis/{conf,bin}
#cp ./*.conf /usr/local/redis/conf/
#cp runtest* /usr/local/redis/
#cd utils/
#cp mkrelease.sh /usr/local/redis/bin/
#cd ../src
#cp redis-benchmark redis-check-aof redis-check-dump redis-cli redis-sentinel redis-server redis-trib.rb /usr/local/redis/bin/
创建redis数据存储目录
#mkdir -pv /data/redis/db
#mkdir -pv /data/log/redis 修改redis配置文件
#cd /usr/local/redis/conf
#vi redis.conf
dir ./ 修改为dir /data/redis/db/
保存退出
启动redis
#nohup /usr/local/redis/bin/redis-server /usr/local/redis/conf/redis.conf &
查看redis进程
#ps -ef | grep redis
root 4425 1149 0 16:21 pts/0 00:00:00 /usr/local/redis/bin/redis-server *:6379
root 4435 1149 0 16:22 pts/0 00:00:00 grep redis
#netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1402/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1103/master
tcp 0 0 0.0.0.0:6379 0.0.0.0:* LISTEN 4425/redis-server *
tcp 0 0 :::22 :::* LISTEN 1402/sshd
tcp 0 0 ::1:25 :::* LISTEN 1103/master
tcp 0 0 :::6379 :::* LISTEN 4425/redis-server * 五、安装配置logstash server
1、安装jdk
#rpm -ivh jdk-8u92-linux-x64.rpm
Preparing... ########################################### [100%]
1:jdk1.8.0_92 ########################################### [100%]
Unpacking JAR files...
tools.jar...
plugin.jar...
javaws.jar...
deploy.jar...
rt.jar...
jsse.jar...
charsets.jar...
localedata.jar... 2、安装logstash
配置yum源
#vim /etc/yum.repos.d/logstash.repo
[logstash-2.3]
name=Logstash repository for 2.3.x packages
baseurl=https://packages.elastic.co/logstash/2.3/centos
gpgcheck=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
安装logstash
#yum install logstash -y 配置logstash server
配置文件如下:
#cd /etc/logstash/conf.d
#vim logstash_server.conf
input {
redis {
port => "6379"
host => "10.0.18.146"
data_type => "list"
key => "logstash-redis"
type => "redis-input"
}
}
output {
stdout {
codec => rubydebug
}
}
检查语法
#/opt/logstash/bin/logstash -f /etc/logstash/conf.d/logstash_server.conf --configtest
Configuration OK 语法没问题之后,测试查看收集nginx日志的情况,如下:
#/opt/logstash/bin/logstash -f /etc/logstash/conf.d/logstash_server.conf
Settings: Default pipeline workers: 1
Pipeline main started
{
"message" => "10.0.90.8 - - [26/Aug/2016:15:42:01 +0800] \"GET /favicon.ico HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36\" \"-\" 263 1472197321.350 1 0.000",
"@version" => "1",
"@timestamp" => "2016-08-26T08:45:25.214Z",
"path" => "/var/log/nginx/access.log",
"host" => "0.0.0.0",
"type" => "nginx_log"
}
{
"message" => "10.0.90.8 - - [26/Aug/2016:16:40:53 +0800] \"GET / HTTP/1.1\" 200 616 \"-\" \"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36\" \"-\" 374 1472200853.324 1 0.000",
"@version" => "1",
"@timestamp" => "2016-08-26T08:45:25.331Z",
"path" => "/var/log/nginx/access.log",
"host" => "0.0.0.0",
"type" => "nginx_log"
}
{
"message" => "10.0.90.8 - - [26/Aug/2016:16:40:53 +0800] \"GET /favicon.ico HTTP/1.1\" 404 571 \"http://10.0.18.144/\" \"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36\" \"-\" 314 1472200853.486 2 0.000",
"@version" => "1",
"@timestamp" => "2016-08-26T08:45:25.332Z",
"path" => "/var/log/nginx/access.log",
"host" => "0.0.0.0",
"type" => "nginx_log"
}
{
"message" => "10.0.90.8 - - [26/Aug/2016:16:42:05 +0800] \"GET / HTTP/1.1\" 304 0 \"-\" \"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36\" \"-\" 481 1472200925.259 1 0.000",
"@version" => "1",
"@timestamp" => "2016-08-26T08:45:25.332Z",
"path" => "/var/log/nginx/access.log",
"host" => "0.0.0.0",
"type" => "nginx_log"
}
{
"message" => "10.0.90.9 - - [26/Aug/2016:16:47:35 +0800] \"GET / HTTP/1.1\" 200 616 \"-\" \"Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\" \"-\" 298 1472201255.813 1 0.000",
"@version" => "1",
"@timestamp" => "2016-08-26T08:47:36.623Z",
"path" => "/var/log/nginx/access.log",
"host" => "0.0.0.0",
"type" => "nginx_log"
}
{
"message" => "10.0.90.9 - - [26/Aug/2016:16:47:42 +0800] \"GET /favicon.ico HTTP/1.1\" 404 169 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko\" \"-\" 220 1472201262.653 1 0.000",
"@version" => "1",
"@timestamp" => "2016-08-26T08:47:43.649Z",
"path" => "/var/log/nginx/access.log",
"host" => "0.0.0.0",
"type" => "nginx_log"
}
{
"message" => "10.0.90.8 - - [26/Aug/2016:16:48:09 +0800] \"GET / HTTP/1.1\" 200 616 \"-\" \"Mozilla/5.0 (Windows; U; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; BIDUBrowser 8.4)\" \"-\" 237 1472201289.662 1 0.000",
"@version" => "1",
"@timestamp" => "2016-08-26T08:48:09.684Z",
"path" => "/var/log/nginx/access.log",
"host" => "0.0.0.0",
"type" => "nginx_log"
}
………………………… 注:执行此命令之后不会立即有信息显示,需要等一会,也可以在浏览器刷新144和145的nginx页面或者同一网段的其他机器访问144、145,就会由如上信息出现。
3、修改logstash配置文件,将搜集到的数据输出到ES集群中
#vim /etc/logstash/conf.d/logstash_server.conf
input {
redis {
port => "6379"
host => "10.0.18.146"
data_type => "list"
key => "logstash-redis"
type => "redis-input"
}
}
output {
elasticsearch {
hosts => "10.0.18.149" #其中一台ES 服务器
index => "nginx-log-%{+YYYY.MM.dd}" #定义的索引名称,后面会用到
}
}
启动logstash
#service logstash start
logstash started.
查看logstash server 进程
#ps -ef | grep logstash
logstash 1740 1 24 17:24 pts/0 00:00:25 /usr/bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -Djava.io.tmpdir=/var/lib/logstash -Xmx1g -Xss2048k -Djffi.boot.library.path=/opt/logstash/vendor/jruby/lib/jni -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -Djava.io.tmpdir=/var/lib/logstash -XX:HeapDumpPath=/opt/logstash/heapdump.hprof -Xbootclasspath/a:/opt/logstash/vendor/jruby/lib/jruby.jar -classpath : -Djruby.home=/opt/logstash/vendor/jruby -Djruby.lib=/opt/logstash/vendor/jruby/lib -Djruby.script=jruby -Djruby.shell=/bin/sh org.jruby.Main --1.9 /opt/logstash/lib/bootstrap/environment.rb logstash/runner.rb agent -f /etc/logstash/conf.d -l /var/log/logstash/logstash.log
root 1783 1147 0 17:25 pts/0 00:00:00 grep logstash 六、安装配置Elasticsearch
在10.0.18.148、10.0.18.149、10.0.18.150三台ES上安装jdk和Elasticsearch!jdk的安装都是一样的,这里不做赘述。
1、添加elasticsearch用户,因为Elasticsearch服务器启动的时候,需要在普通用户权限下来启动。
#adduser elasticsearch
#passwd elasticsearch #为用户设置密码
#su - elasticsearch
下载Elasticsearch包
$wget https://download.elastic.co/elasticsearch/release/org/elasticsearch/distribution/tar/elasticsearch/2.3.4/elasticsearch-2.3.4.tar.gz
$tar xf elasticsearch-2.3.4.tar.gz
$cd elasticsearch-2.3.4 将elasticsearch的配置文件末尾添加如下:
#vim conf/elasticsearch.yml
cluster.name: serverlog #集群名称,可以自定义
node.name: node-1 #节点名称,也可以自定义
path.data: /home/elasticsearch/elasticsearch-2.3.4/data #data存储路径
path.logs: /home/elasticsearch/elasticsearch-2.3.4/logs #log存储路径
network.host: 10.0.18.148 #节点ip
http.port: 9200 #节点端口
discovery.zen.ping.unicast.hosts: ["10.0.18.149","10.0.18.150"] #集群ip列表
discovery.zen.minimum_master_nodes: 3 #集群几点数 启动服务
$cd elasticsearch-2.3.4
$./bin/elasticsearch -d
查看进程
$ps -ef | grep elasticsearch
root 1550 1147 0 17:44 pts/0 00:00:00 su - elasticsearch
500 1592 1 4 17:56 pts/0 00:00:13 /usr/bin/java -Xms256m -Xmx1g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:+DisableExplicitGC -Dfile.encoding=UTF-8 -Djna.nosys=true -Des.path.home=/home/elasticsearch/elasticsearch-2.3.4 -cp /home/elasticsearch/elasticsearch-2.3.4/lib/elasticsearch-2.3.4.jar:/home/elasticsearch/elasticsearch-2.3.4/lib/* org.elasticsearch.bootstrap.Elasticsearch start -d
500 1649 1551 0 18:00 pts/0 00:00:00 grep elasticsearch
查看端口
$netstat -tunlp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 ::ffff:10.0.18.148:9300 :::* LISTEN 1592/java
tcp 0 0 :::22 :::* LISTEN -
tcp 0 0 ::1:25 :::* LISTEN -
tcp 0 0 ::ffff:10.0.18.148:9200 :::* LISTEN 1592/java 启动连个端口:9200集群之间事务通信,9300集群之间选举通信。
启动之后,查看三台Elasticsearch的日志,会看到“选举”产生的master节点
第一台:10.0.18.148
$tail -f logs/serverlog.log
…………………………
[2016-08-26 17:56:05,771][INFO ][env ] [node-1] heap size [1015.6mb], compressed ordinary object pointers [true]
[2016-08-26 17:56:05,774][WARN ][env ] [node-1] max file descriptors [4096] for elasticsearch process likely too low, consider increasing to at least [65536]
[2016-08-26 17:56:09,416][INFO ][node ] [node-1] initialized
[2016-08-26 17:56:09,416][INFO ][node ] [node-1] starting ...
[2016-08-26 17:56:09,594][INFO ][transport ] [node-1] publish_address {10.0.18.148:9300}, bound_addresses {10.0.18.148:9300}
[2016-08-26 17:56:09,611][INFO ][discovery ] [node-1] serverlog/py6UOr4rRCCuK3KjA-Aj-Q
[2016-08-26 17:56:39,622][WARN ][discovery ] [node-1] waited for 30s and no initial state was set by the discovery
[2016-08-26 17:56:39,633][INFO ][http ] [node-1] publish_address {10.0.18.148:9200}, bound_addresses {10.0.18.148:9200}
[2016-08-26 17:56:39,633][INFO ][node ] [node-1] started
[2016-08-26 17:59:33,303][INFO ][cluster.service ] [node-1] detected_master {node-2}{k0vpt0khTOG0Kmen8EepAg}{10.0.18.149}{10.0.18.149:9300}, added {{node-3}{lRKjIPpFSd-_NVn7-0-JeA}{10.0.18.150}{10.0.18.150:9300},{node-2}{k0vpt0khTOG0Kmen8EepAg}{10.0.18.149}{10.0.18.149:9300},}, reason: zen-disco-receive(from master [{node-2}{k0vpt0khTOG0Kmen8EepAg}{10.0.18.149}{10.0.18.149:9300}]) 可以看到自动“选举”node-2,即10.0.18.149为master节点
第二台:10.0.18.149
$tail -f logs/serverlog.log
……………………
[2016-08-26 17:58:20,854][WARN ][bootstrap ] unable to install syscall filter: seccomp unavailable: requires kernel 3.5+ with CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER compiled in
[2016-08-26 17:58:21,480][INFO ][node ] [node-2] version[2.3.4], pid[1552], build[e455fd0/2016-06-30T11:24:31Z]
[2016-08-26 17:58:21,491][INFO ][node ] [node-2] initializing ...
[2016-08-26 17:58:22,537][INFO ][plugins ] [node-2] modules [reindex, lang-expression, lang-groovy], plugins [], sites []
[2016-08-26 17:58:22,574][INFO ][env ] [node-2] using [1] data paths, mounts [[/ (/dev/mapper/vg_template-lv_root)]], net usable_space [14.9gb], net total_space [17.1gb], spins? [possibly], types [ext4]
[2016-08-26 17:58:22,575][INFO ][env ] [node-2] heap size [1015.6mb], compressed ordinary object pointers [true]
[2016-08-26 17:58:22,578][WARN ][env ] [node-2] max file descriptors [4096] for elasticsearch process likely too low, consider increasing to at least [65536]
[2016-08-26 17:58:26,437][INFO ][node ] [node-2] initialized
[2016-08-26 17:58:26,440][INFO ][node ] [node-2] starting ...
[2016-08-26 17:58:26,783][INFO ][transport ] [node-2] publish_address {10.0.18.149:9300}, bound_addresses {10.0.18.149:9300}
[2016-08-26 17:58:26,815][INFO ][discovery ] [node-2] serverlog/k0vpt0khTOG0Kmen8EepAg
[2016-08-26 17:58:56,838][WARN ][discovery ] [node-2] waited for 30s and no initial state was set by the discovery
[2016-08-26 17:58:56,853][INFO ][http ] [node-2] publish_address {10.0.18.149:9200}, bound_addresses {10.0.18.149:9200}
[2016-08-26 17:58:56,854][INFO ][node ] [node-2] started
[2016-08-26 17:59:33,130][INFO ][cluster.service ] [node-2] new_master {node-2}{k0vpt0khTOG0Kmen8EepAg}{10.0.18.149}{10.0.18.149:9300}, added {{node-1}{py6UOr4rRCCuK3KjA-Aj-Q}{10.0.18.148}{10.0.18.148:9300},{node-3}{lRKjIPpFSd-_NVn7-0-JeA}{10.0.18.150}{10.0.18.150:9300},}, reason: zen-disco-join(elected_as_master, [2] joins received)
[2016-08-26 17:59:33,686][INFO ][gateway ] [node-2] recovered [0] indices into cluster_state 也可以看到自动“选举”node-2,即10.0.18.149为master节点
第三台:10.0.18.150
$tail -f logs/serverlog.log
…………………………
[2016-08-26 17:59:25,644][INFO ][node ] [node-3] initializing ...
[2016-08-26 17:59:26,652][INFO ][plugins ] [node-3] modules [reindex, lang-expression, lang-groovy], plugins [], sites []
[2016-08-26 17:59:26,689][INFO ][env ] [node-3] using [1] data paths, mounts [[/ (/dev/mapper/vg_template-lv_root)]], net usable_space [14.9gb], net total_space [17.1gb], spins? [possibly], types [ext4]
[2016-08-26 17:59:26,689][INFO ][env ] [node-3] heap size [1015.6mb], compressed ordinary object pointers [true]
[2016-08-26 17:59:26,693][WARN ][env ] [node-3] max file descriptors [4096] for elasticsearch process likely too low, consider increasing to at least [65536]
[2016-08-26 17:59:30,398][INFO ][node ] [node-3] initialized
[2016-08-26 17:59:30,398][INFO ][node ] [node-3] starting ...
[2016-08-26 17:59:30,549][INFO ][transport ] [node-3] publish_address {10.0.18.150:9300}, bound_addresses {10.0.18.150:9300}
[2016-08-26 17:59:30,564][INFO ][discovery ] [node-3] serverlog/lRKjIPpFSd-_NVn7-0-JeA
[2016-08-26 17:59:33,924][INFO ][cluster.service ] [node-3] detected_master {node-2}{k0vpt0khTOG0Kmen8EepAg}{10.0.18.149}{10.0.18.149:9300}, added {{node-1}{py6UOr4rRCCuK3KjA-Aj-Q}{10.0.18.148}{10.0.18.148:9300},{node-2}{k0vpt0khTOG0Kmen8EepAg}{10.0.18.149}{10.0.18.149:9300},}, reason: zen-disco-receive(from master [{node-2}{k0vpt0khTOG0Kmen8EepAg}{10.0.18.149}{10.0.18.149:9300}])
[2016-08-26 17:59:33,999][INFO ][http ] [node-3] publish_address {10.0.18.150:9200}, bound_addresses {10.0.18.150:9200}
[2016-08-26 17:59:34,000][INFO ][node ] [node-3] started 也是可以看到自动“选举”node-2,即10.0.18.149为master节点!
2、其他信息查看
查看健康信息:
#curl -XGET 'http://10.0.18.148:9200/_cluster/health?pretty'
{
"cluster_name" : "serverlog",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 3,
"number_of_data_nodes" : 3,
"active_primary_shards" : 0,
"active_shards" : 0,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
} 3、查看节点数
#curl -XGET 'http://10.0.18.148:9200/_cat/nodes?v'
host ip heap.percent ram.percent load node.role master name
10.0.18.148 10.0.18.148 7 51 0.00 d m node-1
10.0.18.150 10.0.18.150 5 50 0.00 d m node-3
10.0.18.149 10.0.18.149 7 51 0.00 d * node-2 注意:*表示当前master节点
4、查看节点分片的信息
#curl -XGET 'http://10.0.18.148:9200/_cat/indices?v'
health status index pri rep docs.count docs.deleted store.size pri.store.size 还没有看到分片的信息,后面会介绍原因。
5、在三台Elasticsearch节点上安装插件,如下:
#su - elasticsearch
$cd elasticsearch-2.3.4
$./bin/plugin install license #license插件
-> Installing license...
Trying https://download.elastic.co/elasticsearch/release/org/elasticsearch/plugin/license/2.3.4/license-2.3.4.zip ...
Downloading .......DONE
Verifying https://download.elastic.co/elasticsearch/release/org/elasticsearch/plugin/license/2.3.4/license-2.3.4.zip checksums if available ...
Downloading .DONE
Installed license into /home/elasticsearch/elasticsearch-2.3.4/plugins/license
$ ./bin/plugin install marvel-agent #marvel-agent插件
-> Installing marvel-agent...
Trying https://download.elastic.co/elasticsearch/release/org/elasticsearch/plugin/marvel-agent/2.3.4/marvel-agent-2.3.4.zip ...
Downloading ..........DONE
Verifying https://download.elastic.co/elasticsearch/release/org/elasticsearch/plugin/marvel-agent/2.3.4/marvel-agent-2.3.4.zip checksums if available ...
Downloading .DONE
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: plugin requires additional permissions @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.lang.RuntimePermission setFactory
* javax.net.ssl.SSLPermission setHostnameVerifier
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.
Continue with installation? [y/N]y #输入y,表示同意安装此插件
Installed marvel-agent into /home/elasticsearch/elasticsearch-2.3.4/plugins/marvel-agent
$ ./bin/plugin install mobz/elasticsearch-head #安装head插件
-> Installing mobz/elasticsearch-head...
Trying https://github.com/mobz/elasticsearch-head/archive/master.zip ...
Downloading ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................DONE
Verifying https://github.com/mobz/elasticsearch-head/archive/master.zip checksums if available ...
NOTE: Unable to verify checksum for downloaded plugin (unable to find .sha1 or .md5 file to verify)
Installed head into /home/elasticsearch/elasticsearch-2.3.4/plugins/head
安装bigdesk插件
$cd plugins/
$mkdir bigdesk
$cd bigdesk
$git clone https://github.com/lukas-vlcek/bigdesk _site
Initialized empty Git repository in /home/elasticsearch/elasticsearch-2.3.4/plugins/bigdesk/_site/.git/
remote: Counting objects: 5016, done.
remote: Total 5016 (delta 0), reused 0 (delta 0), pack-reused 5016
Receiving objects: 100% (5016/5016), 17.80 MiB | 1.39 MiB/s, done.
Resolving deltas: 100% (1860/1860), done.
修改_site/js/store/BigdeskStore.js文件,大致在142行,如下:
return (major == 1 && minor >= 0 && maintenance >= 0 && (build != 'Beta1' || build != 'Beta2'));
修改为:
return (major >= 1 && minor >= 0 && maintenance >= 0 && (build != 'Beta1' || build != 'Beta2'));
添加插件的properties文件:
$cat >plugin-descriptor.properties"2016-08-26T20:33:28.404000+0800", :message=>"failed to open /var/log/nginx/access.log: Permission denied - /var/log/nginx/access.log", :level=>:warn}
{:timestamp=>"2016-08-26T20:38:29.110000+0800", :message=>"failed to open /var/log/nginx/access.log: Permission denied - /var/log/nginx/access.log", :level=>:warn}
{:timestamp=>"2016-08-26T20:43:30.834000+0800", :message=>"failed to open /var/log/nginx/access.log: Permission denied - /var/log/nginx/access.log", :level=>:warn}
{:timestamp=>"2016-08-26T20:48:31.559000+0800", :message=>"failed to open /var/log/nginx/access.log: Permission denied - /var/log/nginx/access.log", :level=>:warn}
{:timestamp=>"2016-08-26T20:53:32.298000+0800", :message=>"failed to open /var/log/nginx/access.log: Permission denied - /var/log/nginx/access.log", :level=>:warn}
{:timestamp=>"2016-08-26T20:58:33.028000+0800", :message=>"failed to open /var/log/nginx/access.log: Permission denied - /var/log/nginx/access.log", :level=>:warn}在两台nginx服务器操作
#chmod 755 /var/log/nginx/access.log 重新刷新kibana页面,并创建index名为nginx-log-*的索引,这次就可以了,如下:
点击绿色按钮“Create”,就可以创建成功了!然后查看kibana界面的“Discovery”,就会看到搜集的nginx日志了,如下:
可以看到已经搜集到日志数据了!
5、访问head,查看集群是否一致,如下图:
6、访问bigdesk,查看信息,如下图:
上图中也标记了node-2为master节点(有星星标记),上图显示的数据是不断刷新的!
7、访问kopf,查看信息,如下图:
上面提到了查看节点分片的信息,结果是没有数据(因为刚配置好,还没有创建索引,所以分片信息还没有),现在再测试一次,就可以看到数据了,如下图:
#curl -XGET '10.0.18.148:9200/_cat/indices?v'
health status index pri rep docs.count docs.deleted store.size pri.store.size
green open .kibana 1 1 3 0 45.2kb 23.9kb
green open nginx-log-2016.08.26 5 1 222 0 549.7kb 272.4kb 8、在kibana界面可以查看到nginx-log-*这个index搜集到的nginx日志数据,也可以看到Elasticsearch集群的index--marvel-es-1-*关于集群的一些信息,如下图:
八、ELK遇到的一些问题
1、关于kibana端口
配置过kibana的都知道kibana的默认端口是5601,我想修改为80,结果启动kibana报错,如下:
#cat /var/log/kibana/kibana.stderr
FATAL { [Error: listen EACCES 0.0.0.0:80]
cause:
{ [Error: listen EACCES 0.0.0.0:80]
code: 'EACCES',
errno: 'EACCES',
syscall: 'listen',
address: '0.0.0.0',
port: 80 },
isOperational: true,
code: 'EACCES',
errno: 'EACCES',
syscall: 'listen',
address: '0.0.0.0',
port: 80 }
FATAL { [Error: listen EACCES 10.0.18.150:80]
cause:
{ [Error: listen EACCES 10.0.18.150:80]
code: 'EACCES',
errno: 'EACCES',
syscall: 'listen',
address: '10.0.18.150',
port: 80 },
isOperational: true,
code: 'EACCES',
errno: 'EACCES',
syscall: 'listen',
address: '10.0.18.150',
port: 80 }
#tail /var/log/kibana/kibana.stdout
{"type":"log","@timestamp":"2016-08-29T02:54:21+00:00","tags":["fatal"],"pid":3217,"level":"fatal","message":"listen EACCES 10.0.18.150:80","error":{"message":"listen EACCES 10.0.18.150:80","name":"Error","stack":"Error: listen EACCES 10.0.18.150:80\n at Object.exports._errnoException (util.js:873:11)\n at exports._exceptionWithHostPort (util.js:896:20)\n at Server._listen2 (net.js:1237:19)\n at listen (net.js:1286:10)\n at net.js:1395:9\n at nextTickCallbackWith3Args (node.js:453:9)\n at process._tickDomainCallback (node.js:400:17)","code":"EACCES"}} 没有找到解决方法,只能将端口改为默认的5601了。
2、关于nginx日志问题
本次实验是使用yum安装的nginx,版本是1.10.1,开始是因为nginx日志权限,导致无法读取nginx日志,后来将日志文件权限修改为了755,就可以了。但是,nginx日志是每天进行logrotate的,新生成的日志依然是640的权限,所以依然获取不到日志数据。所以只能修改nginx的默认logrotate文件了:
#cd /etc/logrotate.d
#cat nginx #默认如下
/var/log/nginx/*.log {
daily
missingok
rotate 52
compress
delaycompress
notifempty
create 640 nginx adm #可以看到默认权限是640,属主和属组分别是nginx和adm
sharedscripts
postrotate
[ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid`
endscript
}
修改后如下:
/var/log/nginx/*.log {
daily
missingok
rotate 52
compress
delaycompress
notifempty
create 755 nginx nginx #修改为755,属主和属组都是nginx
sharedscripts
postrotate
[ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid`
endscript
}
然后重启nginx,以后在logrotage的日志权限就是755了。 3、关于Marvel的问题
说明:Marvel是Elasticsearch集群的monitor ,英文解释如下:
Marvel is the best way to monitor your Elasticsearch cluster and provide actionable insights to help you get the most out of your cluster. It is free to use in both development and production.
Marvel是监控你的Elasticsearch集群,并提供可操作的见解,以帮助您充分利用集群的最佳方式,它是免费的在开发和生产中使用。
问题:Elasticsearch集群都搭建好之后,在浏览器访问Marvel,查看监控信息的时候页面报错,无法显示监控的信息大致意识是no-data之类的,后来通过排查三台Elasticsearch的log,有一些错误,具体没有搞清楚是什么错,于是重启了三台Elasticsearch的elasticsearch服务,再访问Marvel的监控页面,就OK了,如下图:
可以看到serverlog是我配置的集群名称,点进去继续查看,如下图:
4、节点分片信息相关的问题
在本次实验的过程中,第一次查看分片信息是没有的,因为没有创建索引,后面等创建过索引之后,就可以看到创建的索引信息了,但是还有集群的信息没有显示出来,问题应该和第2个一样,Elasticsearch有问题,重启之后,就查看到了如下:
查看节点分片信息:
#curl -XGET '10.0.18.148:9200/_cat/indices?v'
health status index pri rep docs.count docs.deleted store.size pri.store.size
green open nginx-log-2016.08.29 5 1 2374 0 1.7mb 902.9kb
green open nginx-log-2016.08.27 5 1 2323 0 1mb 528.6kb
green open .marvel-es-data-1 1 1 5 3 17.6kb 8.8kb
green open .kibana 1 1 3 0 45.2kb 21.3kb
green open .marvel-es-1-2016.08.29 1 1 16666 108 12.1mb 6.1mb
green open nginx-log-2016.08.26 5 1 1430 0 800.4kb 397.8kb 5、关于创建多个index索引名称,存储不同类型日志的情况
也许我们不止nginx这一种日志需要搜集分析,还有httpd、tomcat、mysql等日志,但是如果都搜集在nginx-log-*这个索引下面,会很乱,不易于排查问题,如果每一种类型的日志都创建一个索引,这样分类创建索引,会比较直观,实现是在logstash server 服务器上创建多个conf文件,然后逐个启动,如下:
#cd /etc/logstash/conf.d/
#cat logstash_server.conf
input {
redis {
port => "6379"
host => "10.0.18.146"
data_type => "list"
key => "logstash-redis"
type => "redis-input"
}
}
output {
elasticsearch {
hosts => "10.0.18.149"
index => "nginx-log-%{+YYYY.MM.dd}"
}
}
#cat logstash_server1.conf
input {
redis {
port => "6379"
host => "10.0.18.146"
data_type => "list"
key => "logstash-redisa"
type => "redis-input"
}
}
output {
elasticsearch {
hosts => "10.0.18.149"
index => "httpd-log-%{+YYYY.MM.dd}"
}
}
如果还有其他日志,仿照上面的conf文件即可,不同的是index名称和key
然后逐个启动
#nohup /opt/logstash/bin/logstash -f /etc/logstash/conf.d/logstash_server.conf &
#nohup /opt/logstash/bin/logstash -f /etc/logstash/conf.d/logstash_server1.conf &
再对应的日志服务器(称为客户端)本身配置conf文件,如下:
#cat /etc/logstash/conf.d/logstash-web.conf
input {
file {
path => ["/var/log/httpd/access_log"]
type => "httpd_log" #type
start_position => "beginning"
}
}
output {
redis {
host => "10.0.18.146"
key => 'logstash-redisa' #key
data_type => 'list'
}
}
然后启动logstash服务,再到kibana界面创建新的索引httpd-log-*,就可以在这个索引下面查看到搜集到的httpd日志了! 6、elasticsearch启动之后,提示最大文件数太小的问题
ELK集群搭建好之后,开启elasticsearch,提示下面的warn:
[WARN ][env ] [node-1] max file descriptors [65535] for elasticsearch process likely too low, consider increasing to at least [65536]
于是修改文件/etc/security/limits.conf ,添加如下:
* soft nofile 65536
* hard nofile 65536 参考链接:http://ckl893.blog.运维网.com/8827818/1772287
不足之处,请多多指出!
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2019-1-28 11:19:04
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡