1 ELK简介
ELK是Elasticsearch+Logstash+Kibana的简称
-
ElasticSearch是一个基于Lucene的分布式全文搜索引擎,提供 RESTful API进行数据读写
-
Logstash是一个收集,处理和转发事件和日志消息的工具
- Kibana是Elasticsearch的开源数据可视化插件,为查看存储在ElasticSearch提供了友好的Web界面,并提供了条形图,线条和散点图,饼图和地图等分析工具
总的来说,ElasticSearch负责存储数据,Logstash负责收集日志,并将日志格式化后写入ElasticSearch,Kibana提供可视化访问ElasticSearch数据的功能。
1.1 环境准备
10.0.0.7 elasticsearch 10.0.0.8 logstash 10.0.0.9 kibana 环境准备: [root@es-node1 ~]# cat /etc/redhat-release CentOS Linux release 7.2.1511 (Core) [root@logstash ~]# cat /etc/redhat-release CentOS Linux release 7.2.1511 (Core) [root@kibana ~]# cat /etc/redhat-release CentOS Linux release 7.2.1511 (Core) #官网下载地址 https://www.elastic.co/downloads
- 每台机器需要优化操作系统否则报错
[root@es-node1 ~]# cat /etc/security/limits.conf|tail -5 * soft nofile 65536 * hard nofile 65536 * soft nproc 65536 * hard nproc 65536 [root@es-node1 ~]# cat /etc/security/limits.d/20-nproc.conf|tail -2 * soft nproc 65536 root soft nproc unlimited [root@es-node1 ~]# cat /etc/sysctl.conf |tail -2 vm.max_map_count=655360 fs.file-max=655360 [root@es-node1 ~]# sysctl -p vm.max_map_count = 655360 fs.file-max = 655360
1.2 搭建单机6.0版本elasticsearch
[root@es-node1 ~]# ll
total 197448
-rw-r--r-- 1 root root 28017602 Sep 12 23:02 elasticsearch-6.0.0.tar.gz
-rw-r--r-- 1 root root 174163338 Sep 12 23:02 jdk-8u151-linux-x64.rpm
[root@es-node1 ~]# useradd elasticsearch
[root@es-node1 ~]# mv elasticsearch-6.0.0.tar.gz /usr/local/src/
[root@es-node1 ~]# rpm -ivh jdk-8u151-linux-x64.rpm
Preparing... ################################# [100%]
Updating / installing...
1:jdk1.8-2000:1.8.0_151-fcs ################################# [100%]
Unpacking JAR files...
tools.jar...
plugin.jar...
javaws.jar...
deploy.jar...
rt.jar...
jsse.jar...
charsets.jar...
localedata.jar...
[root@es-node1 ~]# cd /usr/local/src/
[root@es-node1 src]# ll
total 27364
-rw-r--r-- 1 root root 28017602 Sep 12 23:02 elasticsearch-6.0.0.tar.gz
[root@es-node1 src]# tar xf elasticsearch-6.0.0.tar.gz -C ../
[root@es-node1 src]# cd ..
[root@es-node1 local]# mv elasticsearch-6.0.0/ elasticsearch
[root@es-node1 local]# cd elasticsearch/
[root@es-node1 elasticsearch]# chown -R elasticsearch.elasticsearch .
[root@es-node1 elasticsearch]# mkdir -p /data/es/logs /data/es/data
[root@es-node1 elasticsearch]# chown -R elasticsearch.elasticsearch /data/es/logs /data/es/data
[root@es-node1 elasticsearch]# su - elasticsearch
[elasticsearch@es-node1 ~]$ cd /usr/local/elasticsearch/
[elasticsearch@es-node1 elasticsearch]$ cd config/
[elasticsearch@es-node1 config]$ cp elasticsearch.yml{,.bak}
[elasticsearch@es-node1 config]$ cat elasticsearch.yml
cluster.name: es
node.name: es1
path.data: /data/es/data
path.logs: /data/es/logs
network.host: 10.0.0.7
http.port: 9200
transport.tcp.port: 9300
node.master: true
node.data: true
discovery.zen.ping.unicast.hosts: ["10.0.0.7:9300"]
discovery.zen.minimum_master_nodes: 1
http.cors.enabled: true
http.cors.allow-origin: "*"
#增加端口
[root@es-node1 ~]# firewall-cmd --add-port=9200/tcp --permanent
[root@es-node1 ~]# firewall-cmd --add-port=9300/tcp --permanent
#重新加载防火墙规则
[root@es-node1 ~]# firewall-cmd --reload
#后台启动
[elasticsearch@es-node1 ~]$ /usr/local/elasticsearch/bin/elasticsearch -d
[root@es-node1 ~]# curl http://10.0.0.7:9200/_cluster/health #显示green为正常
- green 最健康得状态,说明所有的分片包括备份都可用
- yellow 基本的分片可用,但是备份不可用(或者是没有备份)
- red 部分的分片可用,表明分片有一部分损坏。此时执行查询部分数据仍然可以查到,遇到这种情况,还是赶快解决比较好
1.3 安装elasticsearch-head
#安装node步骤略 [elasticsearch@es-node1 ~]$ cd /usr/local/src/ [elasticsearch@es-node1 ~]$ git clone https://github.com/mobz/elasticsearch-head.git [elasticsearch@es-node1 ~]$ cd /usr/local/src/elasticsearch-head/ [elasticsearch@es-node1 ~]$ npm install [elasticsearch@es-node1 ~]$ npm run start &
1.4 安装logstash
[root@logstash ~]# ll total 279772 -rw-r--r-- 1 root root 174163338 Sep 13 03:08 jdk-8u151-linux-x64.rpm -rw-r--r-- 1 root root 112316625 Sep 13 03:08 logstash-6.0.0.tar.gz [root@logstash ~]# rpm -ivh jdk-8u151-linux-x64.rpm [root@logstash ~]# tar xf logstash-6.0.0.tar.gz -C /usr/local/ [root@logstash ~]# cd /usr/local/ [root@logstash ~]# mv logstash-6.0.0/ logstash
- 修改配置文件
[root@logstash config]# mkdir -p /data/logstash/{data,logs}
[root@logstash config]# cat logstash.yml
path.data: /data/logstash/data
path.logs: /data/logstash/logs
- 编写收集日志的conf文件
[root@logstash logstash]# mkdir -p /usr/local/logstash/conf.d
[root@logstash logstash]# cd /usr/local/logstash/conf.d
[root@logstash logstash]# cat conf.d/system-log.conf
input {
file {
path => "/var/log/messages"
type => "systemlog"
start_position => "beginning"
stat_interval => "3"
}
file {
path => "/var/log/secure"
type => "securelog"
start_position => "beginning"
stat_interval => "3"
}
}
output {
if [type] == "systemlog" {
elasticsearch {
hosts => ["10.0.0.7:9200"]
index => "system-log-%{+YYYY.MM.dd}"
}
}
if [type] == "securelog" {
elasticsearch {
hosts => ["10.0.0.7:9200"]
index => "secury-log-%{+YYYY.MM.dd}"
}
}
}
#检查文件ogstash
[root@logstash logstash]# ./bin/logstash -f ./conf.d/system-log.conf -t
#启动logstash
[root@logstash logstash]# ./bin/logstash -f ./conf.d/system-log.conf
此时elasticsearch的状态
1.5 安装kibana
[root@kibana src]# ll /usr/local/src/ total 61216 -rw-r--r-- 1 root root 62681537 Sep 11 10:27 kibana-6.0.0-linux-x86_64.tar.gz [root@kibana src]# tar xf kibana-6.0.0-linux-x86_64.tar.gz [root@kibana src]# mv kibana-6.0.0-linux-x86_64 ../kibana #更改配置文件 [root@kibana config]# cat kibana.yml server.port: 5601 server.host: "10.0.0.9" elasticsearch.url: "http://10.0.0.7:9200" #启动kibana [root@kibana kibana]# ./bin/kibana
- 添加索引
- 这样我们最基本的收集日志就完成了,当然了这只是开始还差很多优化以及dashboard图形等展示