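  • Installing ELK, Kafka and ZooKeeper

    1. What ELK is

    ELK is an acronym for three open-source frameworks: Elasticsearch, Logstash and Kibana.

    Elasticsearch    An open-source distributed search engine that provides storage, analysis and search. Features: distributed, RESTful, near-real-time search over massive data sets at high concurrency, stable, reliable, fast and easy to use. Role: receives the large volume of collected structured log data and makes it available to Kibana for querying and analysis.

    Logstash    An open-source framework for collecting, parsing and filtering logs, with support for many input and output types. Role: collects logs, filters them into structured data and forwards the result to Elasticsearch.

    Kibana    An open-source log reporting system with good web UI support for Elasticsearch and Logstash. Role: analyzes and displays the data provided by Elasticsearch.


    Classic ELK architecture

    Logstash is deployed on the service hosts, where it collects, filters and pushes the logs of each service.

    Elasticsearch stores the structured data sent by Logstash and provides it to Kibana.

    Kibana provides the web UI in which users view and analyze the data and build charts.


    "logs" refers to log files and log messages of all kinds: Windows, nginx, Tomcat, web servers and so on.


    Because Logstash consumes a lot of resources and server resources are precious, a second, lightweight log-collection framework, Beats, was introduced. It includes the following 6 shippers:

    Packetbeat    collects network traffic data

    Heartbeat     uptime monitoring

    Filebeat      collects file data

    Winlogbeat    collects Windows event data

    Metricbeat    collects metrics

    Auditbeat     collects audit data


    High-concurrency scenarios

    Because Logstash is resource-hungry, high-concurrency scenarios easily hit a throughput bottleneck, and this holds even with a Logstash cluster, so a middleware layer can be added to buffer the logs. Since Logstash supports many kinds of input source, there are many middleware options; Kafka and Redis are the common ones.

    Business data produced through logback can be written to a middleware such as Redis or Kafka for buffering and then fed to Logstash for filtering under a sensible rate limit.

    With Beats, if Filebeat is used and the logs have no real-time requirement, the log traffic Beats sends can be limited by controlling how fast the log files are updated.


    2. Setting up ELK (non-clustered)

    2.1 Download ELK (keep the versions identical)

    Elasticsearch    elasticsearch-6.3.0.tar from the official site

    Kibana           kibana-6.3.0 from the official site, Linux 64-bit

    Logstash         logstash-6.3.0.tar from the official site

    Filebeat         filebeat-6.3.0 from the official site, Linux 64-bit


    Environment: CentOS 7.5

    IP address: 192.168.0.91


    Upload the packages to the /home directory of the CentOS 7 virtual machine with the rz command.


    Extract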
    
    cd /home
    
    tar -zxvf elasticsearch-6.3.0.tar.gz          
    tar -zxvf kibana-6.3.0-linux-x86_64.tar.gz
    tar -zxvf filebeat-6.3.0-linux-x86_64.tar.gz  
    tar -zxvf logstash-6.3.0.tar.gz
    
    
    
    
    2.2 Set up the Java environment

    See: https://www.cnblogs.com/effortsing/p/10012211.html

    JDK 1.8 is recommended for the JDK environment setup.


    2.3 Install Elasticsearch

    Edit the configuration file
    
    vi /home/elasticsearch-6.3.0/config/elasticsearch.yml
    
    
    # ---------------------------------- Network -----------------------------------
    #
    # Set the bind address to a specific IP (IPv4 or IPv6):
    #
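    network.host: 192.168.0.91           ## Server IP address. It must be the IP: the default, localhost, only accepts connections from the local machine, so a browser on another host cannot reach it
    #
    # Set a custom port for HTTP:
    #
    http.port: 9200                 ## Service port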
    #
    # For more information, consult the network module documentation.
    #
    
    
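    Create the elsearch user

    groupadd elsearch
    # useradd -p expects an already-hashed password, not plaintext, so no password is set here;
    # root can still switch to the account with su
    useradd -g elsearch elsearch
    chown -R elsearch:elsearch /home/elasticsearch-6.3.0


    Raise the kernel limit in the system configuration file

    sed -i '$avm.max_map_count = 655360' /etc/sysctl.conf


    Edit the security limits configuration file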
    
    cat> /etc/security/limits.conf<<EOF
    
    # End of file
    elsearch       hard        nofile        65536 
    elsearch       soft        nofile        65536
    *              soft       nproc         4096
    *              hard       nproc         4096 
    EOF
    
    
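    Reboot the Linux system, otherwise the changes do not take effect

    reboot



    Start Elasticsearch

    su elsearch

    /home/elasticsearch-6.3.0/bin/elasticsearch   # run in the foreground

    /home/elasticsearch-6.3.0/bin/elasticsearch  -d  # run in the background as a daemon

    For startup errors, see: https://www.cnblogs.com/effortsing/p/10363107.html


    Notes:

    Wait a few minutes; startup is fairly slow.

    When started in the background there is nothing more to do: wait a while, and once the elsearch ports show up you can press Ctrl+C; the ports stay open.



    Stop Elasticsearch

    ctrl+c                                   # when running in the foreground

    ps -ef | grep elastic                    # when running in the background

    kill -9 4442                             ## 4442 is the PID found by the ps command above



    Check the Elasticsearch ports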
    
    [root@bogon ~]# netstat -tnlp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      942/sshd            
    tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1179/master         
    tcp6       0      0 192.168.0.91:9200       :::*                    LISTEN      1401/java           
    tcp6       0      0 192.168.0.91:9300       :::*                    LISTEN      1401/java           
    tcp6       0      0 :::22                   :::*                    LISTEN      942/sshd            
    tcp6       0      0 ::1:25                  :::*                    LISTEN      1179/master       
    
    
    
    Verify that Elasticsearch has started
    
    http://192.168.0.91:9200/
    
    {
      "name" : "lKlZCZf",
      "cluster_name" : "elasticsearch",
      "cluster_uuid" : "Cz7ma1ZBQxmLlEqSn0to1A",
      "version" : {
        "number" : "6.3.0",
        "build_flavor" : "default",
        "build_type" : "tar",
        "build_hash" : "424e937",
        "build_date" : "2018-06-11T23:38:03.357887Z",
        "build_snapshot" : false,
        "lucene_version" : "7.3.1",
        "minimum_wire_compatibility_version" : "5.6.0",
        "minimum_index_compatibility_version" : "5.0.0"
      },
      "tagline" : "You Know, for Search"
    }
    
    
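    Seeing only the response above is normal, because the ES management plugin has not been installed yet. ES provides a plugin for managing ES that shows the state of the cluster clearly and lets you operate and manage the cluster.



    Now install the ES management plugin


    First, install npm

    Download from: https://nodejs.org/dist/latest-v8.x/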
    
    rz node-v8.15.0-linux-x86.tar.xz
    
    
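    Extract the package

    tar -xf /root/node-v8.15.0-linux-x86.tar.xz -C /usr/local/


    Rename the directory to node

    cd /usr/local/

    mv node-v8.15.0-linux-x86 node


    Add the environment variables

    # 'EOF' is quoted so that $NODE_HOME and $PATH are written literally instead of being expanded now
    cat>> /etc/profile<<'EOF'
    #set for nodejs
    export NODE_HOME=/usr/local/node
    export PATH=$NODE_HOME/bin:$PATH
    EOF
    source /etc/profile


    A reboot is required

    reboot


    Check the versions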
    
    node -v
    
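    If node reports a missing libstdc++.so.6 library, see: https://www.cnblogs.com/effortsing/p/10363921.html

    npm -v


    Install the ES management plugin


    Download elasticsearch-head

    mv elasticsearch-head /home/


    All of the following steps are run from inside the elasticsearch-head directory

    cd /home/elasticsearch-head/

    Install the grunt command-line tool, grunt-cli

    npm install -g grunt-cli


    Install grunt and its plugins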
    
    npm install grunt --save-dev
    
    npm install grunt@latest
    npm install grunt-cli@latest
    npm install grunt-contrib-copy@latest
    npm install grunt-contrib-concat@latest
    npm install grunt-contrib-uglify@latest
    npm install grunt-contrib-clean@latest
    npm install grunt-contrib-watch@latest
    npm install grunt-contrib-connect@latest
    npm install grunt-contrib-jasmine@latest
    
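    Installing the last plugin hangs. At that point elasticsearch-head can already be started, so ignore it and press Ctrl+C to stop.

    This takes quite a while, so be patient.


    Check the installed version

    grunt --version


    Change the address head connects to

    Change http://localhost:9200 to http://192.168.0.91:9200, which is the Elasticsearch address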
    
    vi /home/elasticsearch-head/_site/app.js
    
    (function( app, i18n ) {
    
            var ui = app.ns("ui");
            var services = app.ns("services");
    
            app.App = ui.AbstractWidget.extend({
                    defaults: {
                            base_uri: null
                    },
                    init: function(parent) {
                            this._super();
                            this.prefs = services.Preferences.instance();
                            this.base_uri = this.config.base_uri || this.prefs.get("app-base_uri") || "http://192.168.0.91:9200";
    
    
    Change the server's listen address


    Add hostname: '192.168.0.91', the address grunt runs on (the value must be a quoted string)

    cp /home/elasticsearch-head/Gruntfile.js /home/elasticsearch-head/Gruntfile.js.bak

    vi /home/elasticsearch-head/Gruntfile.js

                    connect: {
                            server: {
                                    options: {
                                            hostname: '192.168.0.91',
                                            port: 9100,
                                            base: '.',
                                            keepalive: true
                                    }
                            }
                    }
    
            });
    
    
    
    Edit the Elasticsearch configuration file elasticsearch.yml: set the IP and the cross-origin (CORS) settings by adding:
    
    http.cors.enabled: true
    http.cors.allow-origin: "*"
    
    cat>> /home/elasticsearch-6.3.0/config/elasticsearch.yml<<EOF
    http.cors.enabled: true
    http.cors.allow-origin: "*"
    EOF
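
Added example (not from the original article): with `http.cors.allow-origin: "*"`, any web page loaded in a browser that can reach 192.168.0.91:9200 is allowed to read this node's responses, while elasticsearch-head only needs its own origin, http://192.168.0.91:9100. The shell functions below, whose names are hypothetical, flag the wildcard in an elasticsearch.yml and print a copy restricted to that origin.

```shell
#!/bin/sh
# Added example; the function names are hypothetical, not part of Elasticsearch.

# yaml_value FILE KEY: print the last uncommented value of a flat "key: value" line.
yaml_value() {
    awk -v key="$2" -v sq="'" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/[ \t]+#.*$/, "", line)                  # drop a trailing comment
            i = index(line, ":")
            if (i == 0) next
            k = substr(line, 1, i - 1); v = substr(line, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub("^[\"" sq "]|[\"" sq "]$", "", v)       # strip surrounding quotes
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# audit_cors FILE HEAD_ORIGIN: print one finding; return 1 when every origin is allowed.
audit_cors() {
    enabled=$(yaml_value "$1" http.cors.enabled)
    origin=$(yaml_value "$1" http.cors.allow-origin)
    if [ "$enabled" != "true" ]; then
        echo "OK cors disabled"
    elif [ "$origin" = "*" ]; then
        echo "WEAK every origin allowed; use: http.cors.allow-origin: \"$2\""
        return 1
    else
        echo "OK cors limited to $origin"
    fi
}

# restrict_cors FILE ORIGIN: print FILE with the allow-origin value replaced by ORIGIN.
restrict_cors() {
    sed "s|^\([[:space:]]*http\.cors\.allow-origin:\).*|\1 \"$2\"|" "$1"
}

# Constructed sample: the settings this walkthrough puts into elasticsearch.yml.
sample=$(mktemp); fixed=$(mktemp)
printf '%s\n' 'network.host: 192.168.0.91' 'http.cors.enabled: true' 'http.cors.allow-origin: "*"' > "$sample"
audit_cors "$sample" "http://192.168.0.91:9100" || true
restrict_cors "$sample" "http://192.168.0.91:9100" > "$fixed"
audit_cors "$fixed" "http://192.168.0.91:9100"
rm -f "$sample" "$fixed"
```
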
    
    
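    Restart ES

    kill -9 6104        # 6104 is the PID of the running Elasticsearch process (find it with ps -ef | grep elastic)

    su elsearch
    /home/elasticsearch-6.3.0/bin/elasticsearch  -d 



    Start head

    cd /home/elasticsearch-head/

    grunt server


    Test

    Open http://192.168.0.91:9100 in a browser



    Connect to Elasticsearch

    Click Connect in the bar at the top of the page; if a lot of text appears below, the connection succeeded.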
    
    
    
    
    
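    2.4 Install Kibana


    Edit the configuration file

    vi /home/kibana-6.3.0-linux-x86_64/config/kibana.yml

    server.port: 5601            ## Service port
    server.host: "192.168.0.91"     ## Server IP, this machine's address

    elasticsearch.url: "http://192.168.0.91:9200"    ## Elasticsearch address; must match the Elasticsearch configuration



    Start Kibana

    su elsearch

    /home/kibana-6.3.0-linux-x86_64/bin/kibana       # start in the foreground

    nohup /home/kibana-6.3.0-linux-x86_64/bin/kibana &   # start in the background

    Notes:

    Kibana must be started as the same user that started Elasticsearch, otherwise startup fails.

    Startup is a little slow; allow about a minute.




    Check the Kibana port: 5601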
    
    [root@bogon home]# netstat -tnlp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
    tcp        0      0 192.168.0.91:5601       0.0.0.0:*               LISTEN      15053/node          
    tcp        0      0 192.168.0.91:9100       0.0.0.0:*               LISTEN      14232/grunt         
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      943/sshd            
    tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1173/master         
    tcp6       0      0 192.168.0.91:9200       :::*                    LISTEN      14105/java          
    tcp6       0      0 192.168.0.91:9300       :::*                    LISTEN      14105/java          
    tcp6       0      0 :::22                   :::*                    LISTEN      943/sshd            
    tcp6       0      0 ::1:25                  :::*                    LISTEN      1173/master     
    
    Check the Kibana process
    
    [elsearch@bogon root]$ ps -ef | grep kibana
    elsearch   1603   1586  8 08:16 pts/1    00:00:21 /home/kibana-6.3.0-linux-x86_64/bin/../node/bin/node --no-warnings /home/kibana-6.3.0-linux-x86_64/bin/../src/cli
    elsearch   1638   1586  0 08:21 pts/1    00:00:00 grep --color=auto kibana
    
    
    
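    Stop Kibana

    ctrl+c                                   # when running in the foreground

    ps -ef | grep kibana                     # when running in the background

    kill -9 1603                             ## 1603 is the Kibana PID from the ps output above (1586 is its parent shell)



    Verify that Kibana has started

    http://192.168.0.91:5601

    If the graphical interface appears, it works.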
    
    
    
    
    2.5 Install Logstash

    Create the logback-es.conf configuration file
    
    cat> /home/logstash-6.3.0/config/logback-es.conf<<EOF
    input {
        tcp {
            port => 9601
            codec => json_lines      
        }
    }
    output {
            elasticsearch {
                    hosts => "192.168.0.91:9200"
            }
            stdout { codec => rubydebug }
    }
    EOF
    
    
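    Note:

    Remove any extra whitespace when copying the file above so that the configuration file stays well-formed.


    Explanation of the file above:


    input {                                    ## input: input source configuration
        tcp {                                  ## use the tcp input; the official site has detailed documentation
            port => 9601                       ## port the server listens on for logs (9601); with no host set it binds to all interfaces (0.0.0.0)
            codec => json_lines                ## parse the logs as JSON lines; requires the json_lines codec plugin
        }
    }
    filter {                                  ## data processing
    }
    output {                                   ## output: data output configuration
            elasticsearch {                    ## send to Elasticsearch
                hosts => "192.168.0.91:9200"   ## cluster addresses, comma-separated if there are several; localhost cannot be used here or startup fails
            }
            stdout { codec => rubydebug}       ## print to the console
    }



    Check the configuration file for syntax errors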
    
    /home/logstash-6.3.0/bin/logstash -f /home/logstash-6.3.0/config/logback-es.conf --config.test_and_exit
    
    Output of a successful run:
    
    [root@bogon ~]# /home/logstash-6.3.0/bin/logstash -f /home/logstash-6.3.0/config/logback-es.conf --config.test_and_exit
    Sending Logstash's logs to /home/logstash-6.3.0/logs which is now configured via log4j2.properties
    [2019-02-12T01:14:22,237][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
    Configuration OK
    [2019-02-12T01:14:29,129][INFO ][logstash.runner          ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash
    
    
    
    
    Install the Logstash json_lines codec plugin
    
    /home/logstash-6.3.0/bin/logstash-plugin install logstash-codec-json_lines
    
    [root@bogon ~]# /home/logstash-6.3.0/bin/logstash-plugin install logstash-codec-json_lines
    Validating logstash-codec-json_lines
    Installing logstash-codec-json_lines
    Installation successful
    
    
    
    Start Logstash

    su root

    /home/logstash-6.3.0/bin/logstash -f /home/logstash-6.3.0/config/logback-es.conf          # run in the foreground

    nohup /home/logstash-6.3.0/bin/logstash -f /home/logstash-6.3.0/config/logback-es.conf &  # start in the background

    Note: Logstash has to be started as root; the elsearch user cannot start it. I tried many times and it never worked.



    Check the Logstash port: 9601
    
    [root@bogon ~]# netstat -tnlp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
    tcp        0      0 192.168.0.91:5601       0.0.0.0:*               LISTEN      1684/node           
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      942/sshd            
    tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1179/master         
    tcp6       0      0 127.0.0.1:9600          :::*                    LISTEN      1930/java           
    tcp6       0      0 :::9601                 :::*                    LISTEN      1930/java           
    tcp6       0      0 192.168.0.91:9200       :::*                    LISTEN      1401/java           
    tcp6       0      0 192.168.0.91:9300       :::*                    LISTEN      1401/java           
    tcp6       0      0 :::22                   :::*                    LISTEN      942/sshd            
    tcp6       0      0 ::1:25                  :::*                    LISTEN      1179/master      
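
Added example (not from the original article): the listing above shows which of these services other hosts can reach. Port 9601 is bound to `:::`, meaning every interface, and nothing configured in this walkthrough puts authentication or TLS in front of 9200, 5601 or 9601. The function below, with hypothetical names and service labels, reads `netstat -tnlp` output and lists the ELK ports that listen on a non-loopback address, as input for host firewall rules.

```shell
#!/bin/sh
# Added example; function names and service labels are assumptions of this sketch.

# exposed_elk_listeners: read `netstat -tnlp` output on stdin and print
# "PORT ADDRESS SERVICE" for every ELK port listening on a non-loopback address.
exposed_elk_listeners() {
    awk '
        BEGIN {
            svc["9200"] = "elasticsearch-http"; svc["9300"] = "elasticsearch-transport"
            svc["5601"] = "kibana";             svc["9100"] = "elasticsearch-head"
            svc["9600"] = "logstash-api";       svc["9601"] = "logstash-tcp-input"
        }
        $6 == "LISTEN" {
            n = split($4, part, ":")        # the port is the last piece, also for ":::9601"
            port = part[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (!(port in svc)) next
            if (addr == "127.0.0.1" || addr == "::1") next
            print port, addr, svc[port]
        }
    '
}

# Sample input: listener lines copied from the netstat output shown above.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.0.91:5601       0.0.0.0:*               LISTEN      1684/node
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      942/sshd
tcp6       0      0 127.0.0.1:9600          :::*                    LISTEN      1930/java
tcp6       0      0 :::9601                 :::*                    LISTEN      1930/java
tcp6       0      0 192.168.0.91:9200       :::*                    LISTEN      1401/java
tcp6       0      0 192.168.0.91:9300       :::*                    LISTEN      1401/java
tcp6       0      0 ::1:25                  :::*                    LISTEN      1179/master
EOF
}

sample_netstat | exposed_elk_listeners
```

On a live host, run it as `netstat -tnlp | exposed_elk_listeners`; the Logstash API on 9600 is left out of the result because it is bound to 127.0.0.1.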
    
    
    Check the Logstash process
    
    [root@bogon ~]# ps -ef | grep logstash
    root       1930   1554 34 08:56 pts/2    00:03:22 /usr/bin/java -Xms1g -Xmx1g -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djruby.compile.invokedynamic=true -Djruby.jit.threshold=0 -XX:+HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -cp /home/logstash-6.3.0/logstash-core/lib/jars/commons-compiler-3.0.8.jar:/home/logstash-6.3.0/logstash-core/lib/jars/google-java-format-1.1.jar:/home/logstash-6.3.0/logstash-core/lib/jars/guava-19.0.jar:/home/logstash-6.3.0/logstash-core/lib/jars/jackson-annotations-2.9.5.jar:/home/logstash-6.3.0/logstash-core/lib/jars/jackson-core-2.9.5.jar:/home/logstash-6.3.0/logstash-core/lib/jars/jackson-databind-2.9.5.jar:/home/logstash-6.3.0/logstash-core/lib/jars/jackson-dataformat-cbor-2.9.5.jar:/home/logstash-6.3.0/logstash-core/lib/jars/janino-3.0.8.jar:/home/logstash-6.3.0/logstash-core/lib/jars/jruby-complete-9.1.13.0.jar:/home/logstash-6.3.0/logstash-core/lib/jars/log4j-api-2.9.1.jar:/home/logstash-6.3.0/logstash-core/lib/jars/log4j-core-2.9.1.jar:/home/logstash-6.3.0/logstash-core/lib/jars/log4j-slf4j-impl-2.9.1.jar:/home/logstash-6.3.0/logstash-core/lib/jars/logstash-core.jar:/home/logstash-6.3.0/logstash-core/lib/jars/org.eclipse.core.commands-3.6.0.jar:/home/logstash-6.3.0/logstash-core/lib/jars/org.eclipse.core.contenttype-3.4.100.jar:/home/logstash-6.3.0/logstash-core/lib/jars/org.eclipse.core.expressions-3.4.300.jar:/home/logstash-6.3.0/logstash-core/lib/jars/org.eclipse.core.filesystem-1.3.100.jar:/home/logstash-6.3.0/logstash-core/lib/jars/org.eclipse.core.jobs-3.5.100.jar:/home/logstash-6.3.0/logstash-core/lib/jars/org.eclipse.core.resources-3.7.100.jar:/home/logstash-6.3.0/logstash-core/lib/jars/org.eclipse.core.runtime-3.7.0.jar:/home/logstash-6.3.0/logstash-core/lib/jars/org.eclipse.equinox.app-1.3.100.jar:/home/logstash-6.3.0/logstash-core/lib/jars/org.eclipse.equinox.common-3.6.0.jar:/ho
me/logstash-6.3.0/logstash-core/lib/jars/org.eclipse.equinox.preferences-3.4.1.jar:/home/logstash-6.3.0/logstash-core/lib/jars/org.eclipse.equinox.registry-3.5.101.jar:/home/logstash-6.3.0/logstash-core/lib/jars/org.eclipse.jdt.core-3.10.0.jar:/home/logstash-6.3.0/logstash-core/lib/jars/org.eclipse.osgi-3.7.1.jar:/home/logstash-6.3.0/logstash-core/lib/jars/org.eclipse.text-3.5.101.jar:/home/logstash-6.3.0/logstash-core/lib/jars/slf4j-api-1.7.25.jar org.logstash.Logstash -f /home/logstash-6.3.0/config/logback-es.conf
    root       2027   1983  0 09:06 pts/3    00:00:00 grep logstash
    
    
    
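    Stop Logstash

    ctrl+c                                    # when running in the foreground

    ps -ef | grep logstash                    # when running in the background
    kill -9 4617                              ## 4617 is the PID found by the ps command above



    2.6 For collecting Tomcat logs with ELK, see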

    https://www.cnblogs.com/kakarott/p/8118906.html
    Reference documents:
    https://blog.sctux.com/2015/11/14/elkkafka-e4-bc-81-e4-b8-9a-e6-97-a5-e5-bf-97-e6-94-b6-e9-9b-86-e5-b9-b3-e5-8f-b0-e4-b8-80/
    https://blog.sctux.com/2015/11/14/elkkafka-e4-bc-81-e4-b8-9a-e6-97-a5-e5-bf-97-e6-94-b6-e9-9b-86-e5-b9-b3-e5-8f-b0-e4-ba-8c/
    https://blog.csdn.net/qq_22211217/article/details/80764568

    ZooKeeper and Kafka, see:
    http://blog.51cto.com/qiangsh/2112675

    head plugin installation, see:
    https://blog.csdn.net/u014516601/article/details/82687895
    https://www.cnblogs.com/--1024/p/9306661.html
    https://www.cnblogs.com/shanhm1991/p/9903866.html
    https://blog.csdn.net/weixin_40271036/article/details/79597083
  • Original article: https://www.cnblogs.com/effortsing/p/10016277.html