1. Concepts and usage environment
- The ELK platform is a complete solution for centralised log processing
- It combines three open-source tools: Elasticsearch, Logstash and Kibana
- Together they are a powerful toolset for querying, sorting and aggregating logs
- Usually found in large enterprises; small and medium-sized ones tend to choose rsyslog plus a log server, or shell/Python scripts that collect the logs
2. Components in detail
2.1 elasticsearch
- Stores log files of all kinds
- Built on a full-text search engine architecture
- Distributed storage and retrieval engine
- Real-time, distributed, scalable search engine
2.2 kibana
- Provides a web UI that visualises the data held in ES
- Aggregates, analyses and searches the important data
2.3 logstash
- Data collection engine (this role is usually taken over by Filebeat)
- Filters, parses, enriches and normalises the data format
- Handles data transport, formatting and formatted output
- Stores the data at the configured destination, usually by sending it to ES
- Has adaptive buffering
2.4 filebeat
- Lightweight open-source log shipper
- Usually used in place of Logstash for the log collection role
2.5 Benefits of ELFK
- Adaptive buffering
- Pulls data from other data sources
- Sends data to multiple destinations
- Builds more complex processing pipelines with conditional data-flow logic
2.6 fluentd (extra)
- Mostly used in cloud-native environments, written in Go
- Functionally similar to Logstash and often used in its place
3. Cluster setup
3.1 elasticsearch
- Set up two Elasticsearch servers (node01 and node02 below; run the same steps on both, changing node.name on the second)
```bash
systemctl stop firewalld
setenforce 0
hostnamectl set-hostname node01
su                      # re-login so the new hostname takes effect
vim /etc/hosts
# 192.168.13.10 node01
# 192.168.13.20 node02

# Java environment
cd /opt
tar zxvf jdk-8u91-linux-x64.tar.gz -C /usr/local/
# the delimiter is quoted so ${JAVA_HOME} is written literally instead of being
# expanded (to an empty string) while the heredoc is written
cat >> /etc/profile <<'EOF'
export JAVA_HOME=/usr/local/jdk1.8.0_91
export JRE_HOME=${JAVA_HOME}/jre
export CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib
export PATH=${JAVA_HOME}/bin:${JRE_HOME}/bin:$PATH
EOF
source /etc/profile
scp -r /usr/local/jdk1.8.0_91/ node02:/usr/local
scp -r /usr/local/jdk1.8.0_91/ 192.168.13.30:/usr/local   # the Apache/Logstash/Kibana host

# Elasticsearch
cd /opt
rpm -ivh elasticsearch-6.7.2.rpm
cd /etc/elasticsearch/
cp elasticsearch.yml elasticsearch.yml.bak
vim elasticsearch.yml
```

Settings to change in elasticsearch.yml (line numbers refer to the stock 6.7.2 file; "insert" marks a line that is not in the stock file):

```yaml
cluster.name: my-elk-cluster        # line 17
node.name: node01                   # line 23 (node02 on the second server)
node.master: true                   # line 24, insert
node.data: true                     # line 25, insert
path.data: /var/lib/elasticsearch   # line 35
path.logs: /var/log/elasticsearch   # line 39
bootstrap.memory_lock: false        # line 45
network.host: 0.0.0.0               # line 57, listens on every interface
http.port: 9200                     # line 61
transport.tcp.port: 9300            # line 62, insert
discovery.zen.ping.unicast.hosts: ["node01:9300", "node02:9300"]   # line 71
```

```bash
vim /etc/security/limits.conf
# * soft nofile 65536
# * hard nofile 131072
# * soft memlock unlimited
# * hard memlock unlimited
ulimit -n 131072
vim /etc/sysctl.conf
# vm.max_map_count=262144
sysctl -p

systemctl start elasticsearch.service
systemctl enable elasticsearch.service
# wait about ten seconds for startup
netstat -antp | grep 9200

# install the Elasticsearch-head plugin
yum install gcc gcc-c++ make -y
cd /opt
tar zxvf node-v8.2.1.tar.gz
cd node-v8.2.1/
./configure
make -j 2 && make install
cd /opt
tar jxvf phantomjs-2.1.1-linux-x86_64.tar.bz2 -C /usr/local/src/
cd /usr/local/src/phantomjs-2.1.1-linux-x86_64/bin
cp phantomjs /usr/local/bin
cd /opt
unzip elasticsearch-head-master.zip -d /usr/local/src/
cd /usr/local/src/elasticsearch-head-master/
npm install
vim /etc/elasticsearch/elasticsearch.yml
# append at the end of the file; "*" lets a browser page from any origin call the
# REST API, which is acceptable only on an isolated lab network
# http.cors.enabled: true
# http.cors.allow-origin: "*"
systemctl restart elasticsearch
cd /usr/local/src/elasticsearch-head-master/   # must be in this directory to start the head service
npm run start &
# create a test index to confirm the setup; open 192.168.13.10:9100 and the index
# should show 5 shards by default (that means it worked)
curl -X PUT 'localhost:9200/index-demo/test/1?pretty&pretty' \
     -H 'content-Type: application/json' \
     -d '{"user":"zhangsan","mesg":"hello world"}'
```
3.2 Apache/Logstash/Kibana
- Limited by the machine's resources, so all three services are installed on one server

Apache node (ELK Logstash deployment):

```bash
systemctl stop firewalld
setenforce 0
hostnamectl set-hostname apache
su
yum -y install httpd
systemctl start httpd
vim /etc/profile
# export JAVA_HOME=/usr/local/jdk1.8.0_91
# export JRE_HOME=${JAVA_HOME}/jre
# export CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib
# export PATH=${JAVA_HOME}/bin:${JRE_HOME}/bin:$PATH
source /etc/profile
cd /opt
rpm -ivh logstash-6.7.2.rpm
systemctl start logstash.service
systemctl enable logstash.service
ln -s /usr/share/logstash/bin/logstash /usr/local/bin/
# test that Logstash works: type a line such as www.baidu.com on stdin and it is echoed back
logstash -e 'input { stdin{} } output { stdout{} }'
chmod +r /var/log/messages
vim /etc/logstash/conf.d/system.conf
```

Contents of /etc/logstash/conf.d/system.conf:

```conf
input {
    file {
        path => "/var/log/messages"
        type => "system"
        start_position => "beginning"
    }
}
output {
    elasticsearch {
        hosts => ["192.168.13.10:9200","192.168.13.20:9200"]
        index => "system-%{+YYYY.MM.dd}"
    }
}
```

```bash
systemctl restart logstash
```

Apache node (ELK Kibana deployment):

```bash
cd /opt
rpm -ihv kibana-6.7.2-x86_64.rpm
vim /etc/kibana/kibana.yml
```

Settings to change in kibana.yml (line numbers refer to the stock file):

```yaml
server.port: 5601                  # line 2
server.host: "0.0.0.0"             # line 7
elasticsearch.url: ["http://192.168.13.10:9200","http://192.168.13.20:9200"]   # line 28
kibana.index: ".kibana"            # line 37
logging.dest: /var/log/kibana.log  # line 96
```

```bash
touch /var/log/kibana.log
chown kibana:kibana /var/log/kibana.log
systemctl start kibana.service
systemctl enable kibana.service
netstat -natp | grep 5601
# open 192.168.13.30:5601 in a browser to verify that Kibana is up
# create the Apache log config: send the Apache server's logs to Elasticsearch and view them in Kibana
vim /etc/logstash/conf.d/apache_log.conf
```

Contents of /etc/logstash/conf.d/apache_log.conf (a Logstash conditional closes with `}` alone; there is no `fi`):

```conf
input {
    file {
        path => "/etc/httpd/logs/access_log"
        type => "access"
        start_position => "beginning"
    }
    file {
        path => "/etc/httpd/logs/error_log"
        type => "error"
        start_position => "beginning"
    }
}
output {
    if [type] == "access" {
        elasticsearch {
            hosts => ["192.168.13.10:9200","192.168.13.20:9200"]
            index => "apache_access-%{+YYYY.MM.dd}"
        }
    }
    if [type] == "error" {
        elasticsearch {
            hosts => ["192.168.13.10:9200","192.168.13.20:9200"]
            index => "apache_error-%{+YYYY.MM.dd}"
        }
    }
}
```

```bash
cd /etc/logstash/conf.d/
/usr/share/logstash/bin/logstash -f apache_log.conf   # start collecting logs
```
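To make the routing in apache_log.conf concrete, here is an added Python model of what that pipeline does (example code written for this page, not from the original post or from Logstash itself): each line is tagged with its type, sent to a daily `apache_<type>-YYYY.MM.dd` index, and, going one step beyond the page's filter-less config, the access-log line is split into the fields a grok COMBINEDAPACHELOG filter would produce so Kibana can search on client IP or status code. The sample log lines and the ingestion time are constructed; the `_type: doc` value is the ES 6.x default mapping type that Logstash 6 uses.

```python
import json
import re
from datetime import datetime, timezone

# Apache common/combined access-log line -> searchable fields (the job a grok
# COMBINEDAPACHELOG filter would do; the page's config ships the raw line only)
ACCESS_RE = re.compile(
    r'(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+) (?P<httpversion>[^"]+)" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines standing in for /etc/httpd/logs/access_log and error_log
SAMPLE_ACCESS = [
    '192.168.13.1 - - [05/Mar/2024:13:55:36 +0800] "GET /index.html HTTP/1.1" 200 2326',
    'not an apache access line at all',
]
SAMPLE_ERROR = ['[Tue Mar 05 13:55:40 2024] [core:error] [pid 1234] File does not exist: /var/www/html/favicon.ico']
SAMPLE_TIME = datetime(2024, 3, 5, 14, 0, tzinfo=timezone.utc)  # constructed stand-in for ingestion time

def index_name(log_type, when):
    """Same naming as index => "apache_access-%{+YYYY.MM.dd}"; with no date filter Logstash uses ingestion time."""
    return f"apache_{log_type}-{when.strftime('%Y.%m.%d')}"

def parse_access(line):
    """Split one access-log line into fields; on failure keep the raw line and tag it like grok does."""
    m = ACCESS_RE.match(line)
    if not m:
        return {"message": line, "tags": ["_grokparsefailure"]}
    doc = m.groupdict()
    doc["response"] = int(doc["response"])
    doc["bytes"] = 0 if doc["bytes"] == "-" else int(doc["bytes"])  # "-" means no body sent
    doc["message"] = line
    return doc

def route(lines, log_type, when):
    """Mirror the output { if [type] == ... } blocks: return (index, document) pairs."""
    out = []
    for line in lines:
        doc = parse_access(line) if log_type == "access" else {"message": line}
        doc["type"] = log_type
        out.append((index_name(log_type, when), doc))
    return out

def to_bulk_ndjson(pairs):
    """Action/document line pairs of an ES 6.x _bulk request (_type is the ES 6 mapping type)."""
    lines = [json.dumps(x) for i, d in pairs for x in ({"index": {"_index": i, "_type": "doc"}}, d)]
    return "\n".join(lines) + "\n"
```

Running `to_bulk_ndjson(route(SAMPLE_ACCESS, "access", SAMPLE_TIME))` yields the body you could POST to `http://192.168.13.10:9200/_bulk` with `Content-Type: application/x-ndjson`.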
4. Mind map
5. Closing remarks
- Give the nodes enough memory; otherwise disable the memory-lock option: bootstrap.memory_lock: false
- Install a recent Java version to avoid unsupported-version problems
- Watch the details, for example changing the hostname