  • ELKStack入门篇(五)之实用架构解析

    (1)用户通过nginx或haproxy访问ELK日志统计平台,IP地址为keepalived的vip地址。 
    (2)nginx将请求转发到kibana 
    (3)kibana到elasticsearch获取数据,elasticsearch是两台做的集群,数据会随机保存在任意一台elasticsearch服务器。 
    (4)logstash①从redis中取出数据并发送到elasticsearch中。 
    (5)redis服务器负责数据的临时保存,避免web服务器日志量过大时,因数据收集与保存不一致而导致日志丢失;redis可以做集群,再由logstash服务器在非高峰时期从redis中持续地取出数据。 
    (6)logstash②对filebeat发送过来的日志信息进行过滤,并放入redis中进行保存。 
    (7)filebeat进行收集web的日志 
    注:其中为什么要在redis前面增加一台logstash呢?是因为在大量的日志数据写入时,容易导致数据的丢失和混乱,为了解决这一问题,增加一台logstash可以通过类型进行过滤,降低数据传输的臃肿。

    1、ELK架构实用演示

    (1)修改filebeat输出到logstash

    [root@linux-node2 ~]# vim /etc/filebeat/filebeat.yml
    # Ship events to the Logstash Beats listener at 192.168.56.11:5044.
    # NOTE(review): no TLS options are set here, so events are sent unencrypted;
    # acceptable only on a trusted lab network.
    output.logstash:
      hosts: ["192.168.56.11:5044"]
      enabled: true
      # Number of workers per configured host that publish events.
      worker: 2
      # gzip compression level applied to the data sent to Logstash.
      compression_level: 3
    [root@linux-node2 ~]# systemctl restart filebeat

    (2)配置linux-node1上的logstash并测试标准输出

    [root@linux-node1 conf.d]# cat beats.conf 
    # Test pipeline: accept events from Filebeat and print them to the console.
    input {
        # Beats listener; Filebeat's output.logstash setting points at this port.
        beats {
            port => "5044"
        }
    }
    output {
        # rubydebug pretty-prints every event so the received fields can be inspected.
        stdout {
            codec => rubydebug
        }
    }
    #写入日志测试
    [root@linux-node2 ~]# echo "5044" >> /var/log/messages
    #查看是否有标准输出(注意:前面创建的配置文件名为beats.conf,-f指定的路径需与实际文件名保持一致)
    [root@linux-node1 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/beat.conf
    OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
    WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
    Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
    [INFO ] 2018-01-02 14:25:04.358 [[main]<beats] Server - Starting server on port: 5044
    {
        "@timestamp" => 2018-01-02T06:25:00.731Z,
            "offset" => 3170283,
          "@version" => "1",
              "beat" => {
                "name" => "linux-node2",
            "hostname" => "linux-node2",
             "version" => "6.0.1"
        },
              "host" => "linux-node2",
        "prospector" => {
            "type" => "log"
        },
            "source" => "/var/log/messages",
           "message" => "5044",
              "tags" => [
            [0] "beats_input_codec_plain_applied"
        ]
    }

    (3)配置linux-node1的logstash输出到redis

    [root@linux-node1 conf.d]# vim beats.conf 
    # Pipeline on linux-node1: receive events from Filebeat and buffer them in Redis.
    input {
        beats {
            port => "5044"
        }
    }
    output {
                   # Each event is pushed onto a Redis list (db 4) under the key below;
                   # the Logstash instance that feeds Elasticsearch reads the same db and key.
                   # NOTE(review): the password is a demo value stored in plain text; use a
                   # strong secret and keep this file unreadable to other local users.
                   redis {
                           data_type => "list"
                           host => "192.168.56.12"
                           db => "4"
                           port => "6379"
                           password => "123456"
                           key => "filebeat-systemlog-5612"
            }
    }
    [root@linux-node1 conf.d]# systemctl restart logstash
    #写入日志
    [root@linux-node2 conf.d]# echo "999999999999" >> /var/log/messages
    [root@linux-node2 conf.d]# echo "999999999999" >> /var/log/messages
    [root@linux-node2 conf.d]# echo "999999999999" >> /var/log/messages
    #查看redis的记录(123456仅为演示用的弱口令;用-a在命令行传入口令会把口令留在shell历史和进程列表中,也可以连接后再用AUTH命令认证)
    [root@linux-node2 ~]# redis-cli -h 192.168.56.12 -a 123456
    192.168.56.12:6379> select 4
    OK
    192.168.56.12:6379[4]> keys *
    1) "filebeat-systemlog-5612"
    192.168.56.12:6379[4]> keys *
    1) "filebeat-systemlog-5612"

    (4)配置linux-node2上的logstash从redis中取出数据

    [root@linux-node2 conf.d]# vim redis-es.conf 
    # Pipeline on linux-node2: drain the Redis buffer and index the events in Elasticsearch.
    input {
        # Reads from the same list (db 4, key filebeat-systemlog-5612) that the
        # Beats-facing Logstash writes to.
        # NOTE(review): demo password in plain text; restrict read access to this file.
        redis {
            data_type => "list"
            host => "192.168.56.12"
            db => "4"
            port => "6379"
            key => "filebeat-systemlog-5612"
            password => "123456"
        }
    }
    
    output {
        # The %{+YYYY.MM.dd} suffix produces one index per day.
        # NOTE(review): no user/password or TLS options are set, so this relies on
        # port 9200 accepting unauthenticated writes; confirm it is reachable only
        # from the lab network.
        elasticsearch {
            hosts => ["192.168.56.11:9200"]
            index => "redis22-systemlog-%{+YYYY.MM.dd}"
        }
    }
    [root@linux-node2 conf.d]# systemctl restart logstash

    (5)head插件查看并添加Kibana索引

    #写入日志测试,并在Kibana查看
    [root@linux-node2 conf.d]# echo "999999999999" >> /var/log/messages
    [root@linux-node2 conf.d]# echo "999999999999" >> /var/log/messages
    [root@linux-node2 conf.d]# echo "999999999999" >> /var/log/messages
    [root@linux-node2 conf.d]# date
    2018年 01月 02日 星期二 15:49:33 CST

    2、filebeat收集多类型日志

    #使用filebeat 6.0写入document_type作为类型判断,无法输出到redis,暂时未找到原因,这里将filebeat换成了5.4版本。
    #补充:document_type选项在filebeat 6.0中已被移除,6.x中可改用fields添加自定义字段来区分日志类型。
    [root@linux-node2 conf.d]# grep -v "#" /etc/filebeat/filebeat.yml |grep -v "^$"
    # Two prospectors, each tagging its events with a distinct document_type so
    # that Logstash can route them by the resulting type field.
    filebeat.prospectors:
    - input_type: log
      paths:
        - /var/log/*.log
        - /var/log/messages
      # Drop lines starting with DBG and empty lines before shipping.
      exclude_lines: ["^DBG","^$"]
      document_type: filebeat2-systemlog-5612
    - input_type : log      # add a second prospector with its own type and log path
      paths:
        - /usr/local/tomcat/logs/tomcat_access_log.*.log
      document_type: tomcat-accesslog-5612
    # NOTE(review): no TLS options are set, so events reach Logstash unencrypted.
    output.logstash:
      hosts: ["192.168.56.11:5044"]
      worker: 2
      compression_level: 3
    [root@linux-node2 conf.d]# systemctl restart filebeat
    
    #修改linux-node1上的logstash配置
    [root@linux-node1 conf.d]# cat beats.conf 
    # Pipeline on linux-node1: route events to different Redis lists by their type field.
    input {
        beats {
            port => "5044"
        }
    }
    output {
        # The type values match the document_type settings in filebeat.yml.
        # Events whose type matches neither condition are not written by this output section.
        # System logs go to db 4.
        if [type] == "filebeat2-systemlog-5612" {
               redis {
                           data_type => "list"
                           host => "192.168.56.12"
                           db => "4"
                           port => "6379"
                           password => "123456"
                           key => "filebeat-systemlog-5612"
            }}
        # Tomcat access logs go to db 6 under their own key.
        # NOTE(review): both outputs reuse the same plain-text demo password.
        if [type] == "tomcat-accesslog-5612" {
            redis {
                data_type => "list"
                host => "192.168.56.12"
                db => "6"
                port => "6379"
                password => "123456"
                key => "tomcat-accesslog-5612"
            }
        }
    }
    #访问tomcat并查看日志
    [root@linux-node2 conf.d]# tailf /usr/local/tomcat/logs/tomcat_access_log.2018-01-03.log 
    {"clientip":"192.168.56.1","ClientUser":"-","authenticated":"-","AccessTime":"[03/Jan/2018:09:35:12 +0800]","method":"GET /webdir/index.html HTTP/1.1","status":"200","SendBytes":"31","Query?string":"","partner":"-","AgentVersion":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"}
    {"clientip":"192.168.56.1","ClientUser":"-","authenticated":"-","AccessTime":"[03/Jan/2018:09:35:12 +0800]","method":"GET /favicon.ico HTTP/1.1","status":"200","SendBytes":"21630","Query?string":"","partner":"http://192.168.56.12:8080/webdir/index.html","AgentVersion":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"}
    {"clientip":"192.168.56.1","ClientUser":"-","authenticated":"-","AccessTime":"[03/Jan/2018:09:35:12 +0800]","method":"GET /webdir/index.html HTTP/1.1","status":"200","SendBytes":"31","Query?string":"","partner":"-","AgentVersion":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"}
    {"clientip":"192.168.56.1","ClientUser":"-","authenticated":"-","AccessTime":"[03/Jan/2018:09:35:12 +0800]","method":"GET /favicon.ico HTTP/1.1","status":"200","SendBytes":"21630","Query?string":"","partner":"http://192.168.56.12:8080/webdir/index.html","AgentVersion":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"}
    {"clientip":"192.168.56.1","ClientUser":"-","authenticated":"-","AccessTime":"[03/Jan/2018:09:35:12 +0800]","method":"GET /webdir/index.html HTTP/1.1","status":"200","SendBytes":"31","Query?string":"","partner":"-","AgentVersion":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"}
    {"clientip":"192.168.56.1","ClientUser":"-","authenticated":"-","AccessTime":"[03/Jan/2018:09:35:12 +0800]","method":"GET /favicon.ico HTTP/1.1","status":"200","SendBytes":"21630","Query?string":"","partner":"http://192.168.56.12:8080/webdir/index.html","AgentVersion":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"}
    {"clientip":"192.168.56.1","ClientUser":"-","authenticated":"-","AccessTime":"[03/Jan/2018:09:35:13 +0800]","method":"GET /webdir/index.html HTTP/1.1","status":"200","SendBytes":"31","Query?string":"","partner":"-","AgentVersion":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"}
    
    #查看redis是否有数据
    [root@linux-node2 ~]# redis-cli -h 192.168.56.12 -a 123456
    192.168.56.12:6379[4]> select 6
    OK
    192.168.56.12:6379[6]> keys *
    1) "tomcat-accesslog-5612"
    192.168.56.12:6379[6]> keys *
    1) "tomcat-accesslog-5612"
    192.168.56.12:6379[6]> llen tomcat-accesslog-5612
    (integer) 54

    3、通过nginx代理kibana并实现登录验证

    (1)配置nginx

    [root@linux-node1 ~]# yum install -y nginx
    [root@linux-node1 ~]# vim /etc/nginx/nginx.conf
    #增加
    include /etc/nginx/conf.d/*.conf;
    [root@linux-node1 conf.d]# vim /etc/nginx/conf.d/kibana.conf 
    # Kibana backend on the loopback interface, port 5601.
    # With a single server in the group, nginx ignores max_fails and fail_timeout.
    upstream kibana_server {
            server 127.0.0.1:5601 weight=1 max_fails=3 fail_timeout=60;
    }
    # Virtual host that forwards every request for www.kibana5611.com to Kibana.
    # No access control is configured in this block.
    server {
            listen 80;
            server_name www.kibana5611.com;
            location / {
                    proxy_pass http://kibana_server;
                    proxy_http_version 1.1;
            }
    }
    [root@linux-node1 conf.d]# nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    [root@linux-node1 conf.d]# systemctl reload nginx

    (2)配置kibana.yml

    [root@linux-node1 ~]# vim /etc/kibana/kibana.yml 
    #修改server.host,让kibana只监听本机回环地址,外部只能通过nginx代理访问,不能直接连接5601端口绕过nginx
    server.host: "127.0.0.1"
    [root@linux-node1 conf.d]# systemctl restart kibana

    (3)浏览器访问

    windows做hosts解析:192.168.56.11 www.kibana5611.com 
    浏览器访问:www.kibana5611.com

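    (4)配置密码验证登录

    说明:htpasswd的-b参数会把密码直接写在命令行上(会留在shell历史中),去掉-b则改为交互式输入;123456仅作演示。下面ll的输出显示密码文件权限为644,chown之后可再收紧为仅nginx用户可读。另外,此前upstream和server配置写在/etc/nginx/conf.d/kibana.conf中,下面vim打开的是nginx.conf,实际修改时应确认是同一份配置。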

    [root@linux-node1 ~]# yum install -y httpd-tools
    [root@linux-node1 ~]# htpasswd -bc /etc/nginx/conf.d/htpasswd.users zhangshan 123456
    [root@linux-node1 ~]# ll /etc/nginx/conf.d/htpasswd.users 
    -rw-r--r-- 1 root root 48 1月   3 10:33 /etc/nginx/conf.d/htpasswd.users
    [root@linux-node1 ~]# chown nginx.nginx /etc/nginx/conf.d/htpasswd.users 
    [root@linux-node1 ~]# vim /etc/nginx/nginx.conf
    # Kibana backend; Kibana itself is bound to 127.0.0.1 via server.host in kibana.yml.
    upstream kibana_server {
            server 127.0.0.1:5601 weight=1 max_fails=3 fail_timeout=60;
    }
    server {
            # NOTE(review): only plain HTTP is configured, so the Basic-auth credentials
            # are base64-encoded but not encrypted in transit; serve this over TLS
            # outside a lab.
            listen 80;
            server_name www.kibana5611.com;
            # Set at server level, so the location below requires a valid user
            # from the password file.
            auth_basic "Restricted Access";
            auth_basic_user_file /etc/nginx/conf.d/htpasswd.users;
            location / {
                    proxy_pass http://kibana_server;
                    proxy_http_version 1.1;
            }
    }
    [root@linux-node1 ~]# nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    [root@linux-node1 ~]# systemctl reload nginx
    浏览器访问www.kibana5611.com时,会弹出用户名和密码输入框进行登录验证。
  • 原文地址:https://www.cnblogs.com/linuxk/p/9273249.html