簡介
提高安全性
集中存放日志
缺陷:對日志的分析困難
成都創(chuàng)新互聯(lián)專注于施秉網(wǎng)站建設(shè)服務(wù)及定制�,我們擁有豐富的企業(yè)做網(wǎng)站經(jīng)驗����。 熱誠為您提供施秉營銷型網(wǎng)站建設(shè),施秉網(wǎng)站制作、施秉網(wǎng)頁設(shè)計�����、施秉網(wǎng)站官網(wǎng)定制��、小程序定制開發(fā)服務(wù)�,打造施秉網(wǎng)絡(luò)公司原創(chuàng)品牌,更為您提供施秉網(wǎng)站排名全網(wǎng)營銷落地服務(wù)。
.jpg)
ELK日志分析系統(tǒng)
Elasticsearch:存儲���,索引池
Logstash:日志收集器
Kibana:數(shù)據(jù)可視化
日志處理步驟
1���,將日志進(jìn)行集中化管理
2����,將日志格式化(Logstash)并輸出到Elasticsearch
3,對格式化后的數(shù)據(jù)進(jìn)行索引和存儲(Elasticsearch)
4����,前端數(shù)據(jù)的展示(Kibana)
Elasticsearch的概述
提供了一個分布式多用戶能力的全文搜索引擎
Elasticsearch的概念
接近實時
集群
節(jié)點
索引:索引(庫)-->類型(表)-->文檔(記錄)
分片和副本
Logstash介紹
一款強大的數(shù)據(jù)處理工具,可以實現(xiàn)數(shù)據(jù)傳輸、格式處理���、格式化輸出
數(shù)據(jù)輸入���、數(shù)據(jù)加工(如過濾,改寫等)以及數(shù)據(jù)輸出
LogStash主要組件
Shipper
Indexer
Broker
Search and Storage
Web Interface
Kibana介紹
一個針對Elasticsearch的開源分析及可視化平臺
搜索����、查看存儲在Elasticsearch索引中的數(shù)據(jù)
通過各種圖表進(jìn)行高級數(shù)據(jù)分析及展示
Kibana主要功能
Elasticsearch無縫之集成
整合數(shù)據(jù),復(fù)雜數(shù)據(jù)分析
讓更多團(tuán)隊成員受益
接口靈活����,分享更容易
配置簡單,可視化多數(shù)據(jù)源
簡單數(shù)據(jù)導(dǎo)出
實驗環(huán)境
.jpg)
1�����、在node1����,node2上安裝elasticsearch(操作相同����,只演示一臺)
[root@node1 ~]# vim /etc/hosts ##配置解析名
192.168.52.133 node1
192.168.52.134 node2
[root@node1 ~]# systemctl stop firewalld.service ##關(guān)閉防火墻
[root@node1 ~]# setenforce 0 ##關(guān)閉增強型安全功能
[root@node1 ~]# java -version ##查看是否支持Java
[root@node1 ~]# mount.cifs //192.168.100.100/tools /mnt/tools/ ##掛載
Password for root@//192.168.100.100/tools:
[root@node1 ~]# cd /mnt/tools/elk/
[root@node1 elk]# rpm -ivh elasticsearch-5.5.0.rpm ##安裝
警告:elasticsearch-5.5.0.rpm: 頭V4 RSA/SHA512 Signature, 密鑰 ID d88e42b4: NOKEY
準(zhǔn)備中... ################################# [100%]
Creating elasticsearch group... OK
Creating elasticsearch user... OK
正在升級/安裝...
1:elasticsearch-0:5.5.0-1 ################################# [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
sudo systemctl start elasticsearch.service
[root@node1 elk]# systemctl daemon-reload ##重載守護(hù)進(jìn)程
[root@node1 elk]# systemctl enable elasticsearch.service ##開機自啟
Created symlink from /etc/systemd/system/multi-user.target.wants/elasticsearch.service to /usr/lib/systemd/system/elasticsearch.service.
[root@node1 elk]# cd /etc/elasticsearch/
[root@node1 elasticsearch]# cp elasticsearch.yml elasticsearch.yml.bak ##備份
[root@node1 elasticsearch]# vim elasticsearch.yml ##修改配置文件
cluster.name: my-elk-cluster ##集群名
node.name: node1 ##節(jié)點名���,第二個節(jié)點為node2
path.data: /data/elk_data ##數(shù)據(jù)存放位置
path.logs: /var/log/elasticsearch/ ##日志存放位置
bootstrap.memory_lock: false ##不在啟動時鎖定內(nèi)存
network.host: 0.0.0.0 ##提供服務(wù)綁定的IP地址�,為所有地址
http.port: 9200 ##端口號為9200
discovery.zen.ping.unicast.hosts: ["node1", "node2"] ##集群發(fā)現(xiàn)通過單播實現(xiàn)
[root@node1 elasticsearch]# grep -v "^#" /etc/elasticsearch/elasticsearch.yml ##檢查配置是否正確
cluster.name: my-elk-cluster
node.name: node1
path.data: /data/elk_data
path.logs: /var/log/elasticsearch/
bootstrap.memory_lock: false
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: ["node1", "node2"]
[root@node1 elasticsearch]# mkdir -p /data/elk_data ##創(chuàng)建數(shù)據(jù)存放點
[root@node1 elasticsearch]# chown elasticsearch.elasticsearch /data/elk_data/ ##給權(quán)限
[root@node1 elasticsearch]# systemctl start elasticsearch.service ##開啟服務(wù)
[root@node1 elasticsearch]# netstat -ntap | grep 9200 ##查看開啟情況
tcp6 0 0 :::9200 :::* LISTEN 83358/java
[root@node1 elasticsearch]#
查看node1節(jié)點信息
查看node2節(jié)點信息
.jpg)
2����、在瀏覽器上檢查健康和狀態(tài)
node1健康檢查
node2健康檢查
node1狀態(tài)
.jpg)
node2狀態(tài)
.jpg)
3���、在node1����,node2上安裝node組件依賴包(操作相同,只演示一個)
[root@node1 elasticsearch]# yum install gcc gcc-c++ make -y ##安裝編譯工具
[root@node1 elasticsearch]# cd /mnt/tools/elk/
[root@node1 elk]# tar xf node-v8.2.1.tar.gz -C /opt/ ##解壓插件
[root@node1 elk]# cd /opt/node-v8.2.1/
[root@node1 node-v8.2.1]# ./configure ##配置
[root@node1 node-v8.2.1]# make && make install ##編譯安裝
4����、在node1,node2上安裝phantomjs前端框架
[root@node1 node-v8.2.1]# cd /mnt/tools/elk/
[root@node1 elk]# tar xf phantomjs-2.1.1-linux-x86_64.tar.bz2 -C /usr/local/src/
##解壓到/usr/local/src下
[root@node1 elk]# cd /usr/local/src/phantomjs-2.1.1-linux-x86_64/bin/
[root@node1 bin]# cp phantomjs /usr/local/bin/ ##編譯系統(tǒng)識別
5�����、在node1����,node2上安裝elasticsearch-head數(shù)據(jù)可視化
[root@node1 bin]# cd /mnt/tools/elk/
[root@node1 elk]# tar xf elasticsearch-head.tar.gz -C /usr/local/src/ ##解壓
[root@node1 elk]# cd /usr/local/src/elasticsearch-head/
[root@node1 elasticsearch-head]# npm install ##安裝
npm WARN elasticsearch-head@0.0.0 license should be a valid SPDX license expression
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.11 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.11: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
added 71 packages in 7.262s
[root@node1 elasticsearch-head]#
6、修改配置文件
[root@node1 elasticsearch-head]# cd ~
[root@node1 ~]# vim /etc/elasticsearch/elasticsearch.yml
#末行插入
http.cors.enabled: true ##開啟跨域訪問支持����,默認(rèn)為false
http.cors.allow-origin: "*" ##跨域訪問允許的域名地址
[root@node1 ~]# systemctl restart elasticsearch.service ##重啟
[root@node1 ~]# cd /usr/local/src/elasticsearch-head/
[root@node1 elasticsearch-head]# npm run start & ##后臺運行數(shù)據(jù)可視化服務(wù)
[1] 83664
[root@node1 elasticsearch-head]#
> elasticsearch-head@0.0.0 start /usr/local/src/elasticsearch-head
> grunt server
Running "connect:server" (connect) task
Waiting forever...
Started connect web server on http://localhost:9100
[root@node1 elasticsearch-head]#
[root@node1 elasticsearch-head]# netstat -ntap | grep 9200
tcp6 0 0 :::9200 :::* LISTEN 83358/java
[root@node1 elasticsearch-head]# netstat -ntap | grep 9100
tcp 0 0 0.0.0.0:9100 0.0.0.0:* LISTEN 83674/grunt
[root@node1 elasticsearch-head]#
7、在瀏覽器上連接并查看健康值狀態(tài)
node1
.jpg)
.jpg)
node2
.jpg)
.jpg)
8、在node1上創(chuàng)建索引
.jpg)
.jpg)
[root@node2 ~]# curl -XPUT 'localhost:9200/index-demo/test/1?pretty&pretty' -H 'content-Type: application/json' -d '{"user":"zhangsan","mesg":"hello world"}'
##創(chuàng)建索引信息
{
"_index" : "index-demo",
"_type" : "test",
"_id" : "1",
"_version" : 1,
"result" : "created",
"_shards" : {
"total" : 2,
"successful" : 2,
"failed" : 0
},
"created" : true
}
[root@node1 ~]#
.jpg)
9、在Apache服務(wù)器上安裝logstash����,多elasticsearch進(jìn)行對接
[root@apache ~]# systemctl stop firewalld.service
[root@apache ~]# setenforce 0
[root@apache ~]# yum install httpd -y ##安裝服務(wù)
[root@apache ~]# systemctl start httpd.service ##啟動服務(wù)
[root@apache ~]# java -version
[root@apache ~]# mount.cifs //192.168.100.100/tools /mnt/tools/ ##掛載
Password for root@//192.168.100.100/tools:
[root@apache ~]# cd /mnt/tools/elk/
[root@apache elk]# rpm -ivh logstash-5.5.1.rpm ##安裝logstash
警告:logstash-5.5.1.rpm: 頭V4 RSA/SHA512 Signature, 密鑰 ID d88e42b4: NOKEY
準(zhǔn)備中... ################################# [100%]
正在升級/安裝...
1:logstash-1:5.5.1-1 ################################# [100%]
Using provided startup.options file: /etc/logstash/startup.options
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
Successfully created system startup script for Logstash
[root@apache elk]# systemctl start logstash.service ##開啟服務(wù)
[root@apache elk]# systemctl enable logstash.service ##開機自啟
Created symlink from /etc/systemd/system/multi-user.target.wants/logstash.service to /etc/systemd/system/logstash.service.
[root@apache elk]# ln -s /usr/share/logstash/bin/logstash /usr/local/bin/ ##便于系統(tǒng)識別
[root@apache elk]#
10、將系統(tǒng)日志文件輸出到elasticsearch
[root@apache elk]# chmod o+r /var/log/messages ##給其他用戶讀權(quán)限
[root@apache elk]# vim /etc/logstash/conf.d/system.conf ##創(chuàng)建文件
input {
file{
path => "/var/log/messages" ##輸出目錄
type => "system"
start_position => "beginning"
}
}
output {
elasticsearch {
#輸入地址指向node1節(jié)點
hosts => ["192.168.13.129:9200"]
index => "system-%{+YYYY.MM.dd}"
}
}
[root@apache elk]# systemctl restart logstash.service ##重啟服務(wù)
##也可以用數(shù)據(jù)瀏覽查看詳細(xì)信息
11����、在node1服務(wù)器上安裝kibana數(shù)據(jù)可視化
[root@node1 ~]# cd /mnt/tools/elk/
[root@node1 elk]# rpm -ivh kibana-5.5.1-x86_64.rpm ##安裝
警告:kibana-5.5.1-x86_64.rpm: 頭V4 RSA/SHA512 Signature, 密鑰 ID d88e42b4: NOKEY
準(zhǔn)備中... ################################# [100%]
正在升級/安裝...
1:kibana-5.5.1-1 ################################# [100%]
[root@node1 elk]# cd /etc/kibana/
[root@node1 kibana]# cp kibana.yml kibana.yml.bak ##備份
[root@node1 kibana]# vim kibana.yml ##修改配置文件
server.port: 5601 ##端口號
server.host: "0.0.0.0" ##監(jiān)聽任意網(wǎng)段
elasticsearch.url: "http://192.168.13.129:9200" ##本機節(jié)點地址
kibana.index: ".kibana" ##索引名稱
[root@node1 kibana]# systemctl start kibana.service ##開啟服務(wù)
[root@node1 kibana]# systemctl enable kibana.service ##開機自啟
Created symlink from /etc/systemd/system/multi-user.target.wants/kibana.service to /etc/systemd/system/kibana.service.
[root@node1 elk]#
[root@node1 elk]# netstat -ntap | grep 5601 ##查看端口
tcp 0 0 127.0.0.1:5601 0.0.0.0:* LISTEN 84837/node
[root@node1 elk]#
12、瀏覽器訪問kibana
.jpg)
.jpg)
.jpg)
13�����、在apache服務(wù)器中對接apache日志文件����,進(jìn)行統(tǒng)計
[root@apache elk]# vim /etc/logstash/conf.d/apache_log.conf ##創(chuàng)建配置文件
input {
file{
path => "/etc/httpd/logs/access_log" ##輸入信息
type => "access"
start_position => "beginning"
}
file{
path => "/etc/httpd/logs/error_log"
type => "error"
start_position => "beginning"
}
}
output {
if [type] == "access" { ##根據(jù)條件判斷輸出信息
elasticsearch {
hosts => ["192.168.13.129:9200"]
index => "apache_access-%{+YYYY.MM.dd}"
}
}
if [type] == "error" {
elasticsearch {
hosts => ["192.168.13.129:9200"]
index => "apache_error-%{+YYYY.MM.dd}"
}
}
}
[root@apache elk]# logstash -f /etc/logstash/conf.d/apache_log.conf
##根據(jù)配置文件配置logstach
14、訪問網(wǎng)頁信息����,查看kibana統(tǒng)計情況
只有error日志
.jpg)
瀏覽器訪問Apache服務(wù)
.jpg)
生成access日志
.jpg)
##選擇management>Index Patterns>create index patterns
##創(chuàng)建apache兩個日志的信息
在kibana創(chuàng)建access訪問日志
在kibana創(chuàng)建error訪問日志
查看access日志統(tǒng)計情況
.jpg)
查看error日志統(tǒng)計情況
.jpg)
實驗成功?�。�?���!
名稱欄目:ELK日志分析系統(tǒng)(實戰(zhàn)!)
鏈接地址:
http://weahome.cn/article/gijips.html
重慶分公司
重慶分公司
