安装部署 下面列一下一个简易LEK体验环境的搭建步骤 安装jdk 1.7 oracle java主页 省略安装过程,推荐1.7+版本 java -version 设置java的环境变量,比如 sudo vim ~/.bashrc >> export JAVA_HOME=/usr/lib/jvm/java-7-oracle export JRE_HOME=${JAVA_HOME}/jre export CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib export PATH=${JAVA_HOME}/bin:$PATH >> source ~/.bashrc 安装redis redis主页 cd ~/src wget http://download.redis.io/releases/redis-2.6.16.tar.gz tar -zxf redis-2.6.16.tar.gz cd redis-2.6.16 make sudo make install 可以通过redis源代码里utils/install_server下的脚本简化配置工作 cd utils sudo ./install_server.sh install_server.sh在问你几个问题后会把redis安装为开机启动的服务,可以通过下面的命令行来启动/停止服务 sudo /etc/init.d/redis_ start/end 启动redis客户端来验证安装 redis-cli > keys * 安装Elasticsearch Elasticsearch主页 cd /search sudo mkdir elasticsearch cd elasticsearch sudo wget http://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-0.90.5.zip sudo unzip elasticsearch-0.90.5.zip elasticsearch解压即可使用非常方便,接下来我们看一下效果,首先启动ES服务,切换到elasticsearch目录,运行bin下的elasticsearch cd /search/elasticsearch/elasticsearch-0.90.5 bin/elasticsearch -f 访问默认的9200端口 curl -X GET http://localhost:9200 安装logstash logstash主页 cd /search sudo mkdir logstash cd logstash sudo wget http://download.elasticsearch.org/logstash/logstash/logstash-1.2.1-flatjar.jar logstash下载即可使用,命令行参数可以参考logstash flags,主要有 agent #运行Agent模式 -f CONFIGFILE #指定配置文件 web #自动Web服务 -p PORT #指定端口,默认9292 安装kibana logstash的最新版已经内置kibana,你也可以单独部署kibana。kibana3是纯粹JavaScript+html的客户端,所以可以部署到任意http服务器上。 cd /search sudo mkdir kibana sudo wget http://download.elasticsearch.org/kibana/kibana/kibana-latest.zip sudo unzip kibana-latest.zip sudo cp -r kibana-latest /var/www/html 可以修改config.js来配置elasticsearch的地址和索引。 用浏览器访问试试看 http://127.0.0.1/html/kibana-latest/index.html 集成 把上面的系统集成起来 首先把redis和elasticsearch都启动起来 为logstash新建一个配置文件 cd /search/logstash sudo vi redis.conf 配置文件内容如下 input { redis { host => "127.0.0.1" port => "6379" key => "logstash:demo" data_type => "list" codec => "json" type => "logstash-redis-demo" tags => ["logstashdemo"] } } output { elasticsearch { host => "127.0.0.1" } } 用这个配置文件启动logstash agent java -jar /search/logstash/logstash-1.2.1-flatjar.jar agent -f /search/logstash/redis.conf & 启动logstash内置的web java -jar /search/logstash/logstash-1.2.1-flatjar.jar web & 查看web,应该还没有数据 http://127.0.0.1:9292 在redis 加一条数据 RPUSH logstash:demo "{"time": "2013-01-01T01:23:55", "message": "logstash demo message"}" 看看elasticsearch中的索引现状 curl 127.0.0.1:9200/_search?pretty=true curl -s http://127.0.0.1:9200/_status?pretty=true | grep logstash 再通过logstash web查询一下看看 http://127.0.0.1:9292 通过单独的kibana界面查看 http://127.0.0.1/html/kibana-latest/index.html#/dashboard/file/logstash.json 数据清理 logstash默认按天创建ES索引,这样的好处是删除历史数据时直接删掉整个索引就可以了,方便快速。 elasticsearch也可以设置每个文档的ttl(time to live),相当于设置文档的过期时间,但相比删除整个索引要耗费更多的IO操作。 索引 elasticsearch默认会按照分隔符对字段拆分,日志有些字段不要分词,比如url,可以为这类字段设置not_analyzed属性。 设置multi-field-type属性可以将字段映射到其他类型。multi-field-type。 大量日志导入时用bulk方式。 对于日志查询来说,filter比query更快 过滤器里不会执行评分而且可以被自动缓存。query-dsl。 elasticsearch默认一个索引操作会在所有分片都完成对文档的索引后才返回,你可以把复制设置为异步来加快批量日志的导入。 elasticsearch 优化 优化JVM 优化系统可以打开最大文件描述符的数量 适当增加索引刷新的间隔 最佳实践 首先你的程序要写日志 记录的日志要能帮助你分析问题,只记录"参数错误"这样的日志对解决问题毫无帮助 不要依赖异常,异常只处理你没考虑到的地方 要记录一些关键的参数,比如发生时间、执行时间、日志来源、输入参数、输出参数、错误码、异常堆栈信息等 要记录sessionid、transitionid、userid等帮你快速定位以及能把各个系统的日志串联起来的关键参数 推荐纯文本+json格式 使用队列 其他日志辅助工具 rsyslog syslog-ng graylog fluentd nxlog 资源: 1.ELK整体介绍(Elasticsearch + Logstash + Kibana) (必看) Using elasticsearch, logstash & kibana to create realtime dashboards https://speakerdeck.com/elasticsearch/using-elasticsearch-logstash-and-kibana-to-create-realtime-dashboards Elasticsearch官方的slide (必看) Collect & visualize your logs with Logstash, Elasticsearch & Redis http://michael.bouvy.net/blog/en/2013/11/19/collect-visualize-your-logs-logstash-elasticsearch-redis-kibana/ 对搭建ELK平台的具体操作做了详细介绍。 (必看)2014 SCALE12X-Introduction to Elasticsearch, Logstash and Kibana https://speakerdeck.com/elasticsearch/scale-12x-introduction-to-elasticsearch-logstash-and-kibana Elasticsearch的说明占50%,logstash的说明占40%,Kibana的说明占10% 使用logstash+elasticsearch+kibana快速搭建日志平台 http://www.cnblogs.com/buzzlight/p/logstash_elasticsearch_kibana_log.html Kibana+Logstash+Elasticsearch 日志查询系统 http://enable.blog.51cto.com/747951/1049411 Log Analytics Using Elasticsearch-Logstash-Kibana(Part 1) http://blog.nugrahais.me/blog/2013/12/23/log-analytics-using-elasticsearch-logstash-kibana-part-1/ Using ElasticSearch and Logstash to Serve Billions of Searchable Events for Customers http://www.elasticsearch.org/blog/using-elasticsearch-and-logstash-to-serve-billions-of-searchable-events-for-customers/ 使用ELK的一个介绍 一个很简洁,很简洁的ELK介绍 (2014年9月16日更新) http://slides.com/garyelephant/elk-intro#/ 2.logstash介绍 (必看) Logstash -Nicolas Szalay http://slides.com/aurelienrougemont/logstash/ (必看) Getting started with Logstash - New to Logstash? Start here! http://logstash.net/docs/1.4.0/tutorials/getting-started-with-logstash (必看) Logstash-Jordan Sissel http://semicomplete.com/presentations/logstash-scale11x/#/ Logstash and friends http://www.slideshare.net/roidelapluie/logstash-and-friends?qid=0c61ce8f-1a87-4678-a9c7-61a18ae74993&v=default&b=&from_search=11 Logstash http://www.slideshare.net/startit/logstash-29012201?qid=0c61ce8f-1a87-4678-a9c7-61a18ae74993&v=default&b=&from_search=7 page 11 to page 32:直观的罗列了一些input,filter,output,讲解了一下grok pattern Starting out with grok in Logstash http://antonlindstrom.com/2012/09/24/starting-out-with-grok-in-logstash.html 介绍Logstash Grok Filter (重要) Logstash1.4.0 Grok Filter Docs http://logstash.net/docs/1.4.0/filters/grok (重要) Logstash1.4.0 Grok Filter 的 Predefined Patterns https://github.com/elasticsearch/logstash/tree/v1.4.0/patterns 如BASE10NUM的Predefined Pattern是 (?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:.[0-9]+)?)|(?:.[0-9]+))) (重要) http://grokdebug.herokuapp.com/ 可以用来学习和测试Grok匹配的一个网站 3.Elasticsearch介绍 (必看) Elasticsearch :Search made easy for (web) developers http://spinscale.github.io/elasticsearch/2012-03-jugm.html#/ (必看) Getting Down and dirty with Elasticsearch http://www.slideshare.net/clintongormley/down-and-dirty-with-elasticsearch 200pages+的slide,对Elasticsearch的Rest API介绍的比较多 (必看) Elasticsearch :Pluggable architecture under the hood http://spinscale.github.io/elasticsearch-intro-plugins/#/ (必看) An interactive coder oriented Elasticsearch tutorial [此条目更新于2014-10-10] https://github.com/s1monw/hammertime 作者是Elasticsearch的一个主要开发者。纯代码形式的tutorial,简单过了一下Es的主要功能,可以下载下来执行一下。 (必看) Exploring Elasticsearch http://exploringelasticsearch.com/ 系统的介绍了Elasticsearch, 当然这本书“Elasticsearch Server”比它更全面、细节更多 (重要) Terms of endearment - the ElasticSearch Query DSL explained http://www.slideshare.net/clintongormley/terms-of-endearment-the-elasticsearch-query-dsl-explained Apache Lucene - Query Parser Syntax (1) http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html#query-string-syntax (2) http://lucene.apache.org/core/4_6_0/queryparser/org/apache/lucene/queryparser/classic/package-summary.html#Overview Lucene的Query语法格式 Learning Elasticsearch http://slides.com/garyelephant/learning-elasticsearch 推荐一下我制作的slide, 参考了很多资料集百家之所长、有针对性做的,从各方面介绍Elasticsearch, 内容不断更新中。 (重要) Elasticsearch References: Glossary of terms http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/glossary.html#glossary Elasticsearch的一些核心概念 (重要) What is an ElasticSearch Index? http://euphonious-intuition.com/2013/02/what-is-an-elasticsearch-index/ 详细介绍Index (重要) An introduction to mapping in elasticsearch http://euphonious-intuition.com/2012/07/an-introduction-to-mapping-in-elasticsearch/ inquisitor https://github.com/polyfractal/elasticsearch-inquisitor 这个elasticsearch site pluging 可以帮助你测试和理解Query, 如测试一句话使用各种analyzer分词的结果。 Elasticsearch Facets http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/search-facets.html Elasticsearch Aggregations Overview http://chrissimpson.co.uk/elasticsearch-aggregations-overview.html Elastic Search Training#1 (brief tutorial)-ESCC#1 http://www.slideshare.net/medcl/elastic-search-training1-brief-tutorial Lucene Scoring and elasticsearch’s _all Field http://jontai.me/blog/2012/10/lucene-scoring-and-elasticsearch-_all-field/ Elasticsearch 数据的score计算 Advanced Scoring in elasticsearch http://jontai.me/blog/2013/01/advanced-scoring-in-elasticsearch/ Elasticsearch 数据的score计算 4.Elasticsearch优化 elasticsearch configuration http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/setup-configuration.html#setup-configuration-memory elasticsearch configuration and performance tuning.html http://weiweiwang.github.io/elasticsearch-configuration-and-performance-tuning.html ElasticSearch Training#2 (advanced concepts)-ESCC#1 http://www.slideshare.net/medcl/elastic-search-training2-advanced-concepts Elasticsearch的性能优化,查询优化等技巧 Elasticsearch Java Virtual Machine settings explained http://jprante.github.io/2012/11/28/Elasticsearch-Java-Virtual-Machine-settings-explained.html ElasticSearch and Logstash Tuning http://jablonskis.org/2013/elasticsearch-and-logstash-tuning/ Elasticsearch Plugin: Marvel http://www.elasticsearch.org/overview/marvel/ Elasticsearch.org发布的Elasticsearch集群监控工具 Elasticsearch Plugin: Head https://github.com/mobz/elasticsearch-head Elasticsearch Plugin: Bigdesk - Live charts and statistics for elasticsearch cluster. http://bigdesk.org/ Elasticsearch Plugin: Paramedic https://github.com/karmi/elasticsearch-paramedic Scaling Massive Elasticsearch Clusters http://www.slideshare.net/sematext/scaling-massive-elasticsearch-clusters Elasticsearch集群 5.Kibana介绍 (必看) 10 Minute Walk Through Kibana http://www.elasticsearch.org/guide/en/kibana/current/using-kibana-for-the-first-time.html Elasticsearch.org官方的Guide, 最近刚发布的。 Kibana Overview http://www.elasticsearch.org/overview/kibana/ What’s Cooking in Kibana http://www.elasticsearch.org/blog/whats-cooking-kibana/ Kibana 3: Milestone 4 http://www.elasticsearch.org/blog/kibana-3-milestone-4/ Kibana3.m4的新功能特性 Kibana入門-Yusuke Mito https://speakerdeck.com/y310/kibanaru-men?slide=23 page23 ~ page37 里面有各种panel的截图 6.Elasticsearch的实际应用(updated in 2014-05-05) Building a Recipe Search Site with Angular and Elasticsearch http://www.sitepoint.com/building-recipe-search-site-angular-elasticsearch/ 一个使用Angular和Elasticsearch搭建,食谱搜索应用的简单例子 7.最根本最重要的Resources (1) Elasticsearch团队博客,每周更新 http://www.elasticsearch.org/blog (2) Elasticsearch最新版本的API References http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/index.html (3) logstash 1.4.0 的documents http://logstash.net/docs/1.4.0/ (4) Kibana最新版本的documents http://www.elasticsearch.org/guide/en/kibana/current/index.html 7.推荐2本书籍 "Elasticsearch Server" 推荐初学者看此书,至少应看完Chapter1,Chapter2, 而且目录可以帮助你规划学习路线。 "Mastering Elasticsearch" 本文整理的是2014年4月15日以前的学习资源,如果以后发现更优质资源,将随时更新,也欢迎读者提供资源,请私信或评论。 转载本文请注明作者和出处[Gary的影响力]http://garyelephant.me,请勿用于任何商业用途! Author: Gary Gao( garygaowork[at]gmail.com) 关注互联网、分布式、高性能、NoSQL、自动化、软件团队