Today we look at ELK, an open-source real-time log analysis stack. ELK is made up of three open-source tools: Elasticsearch, Logstash and Kibana. Official site: https://www.elastic.co
The three pieces of software are:
Elasticsearch is an open-source distributed search engine. Its features include: distributed operation, zero configuration, automatic discovery, automatic index sharding, index replicas, a RESTful interface, multiple data sources, and automatic search load balancing.
Logstash is a fully open-source tool that collects and parses your logs and stores them for later use (for example, searching).
Kibana is also an open-source, free tool. It provides a friendly web interface for the log analysis that Logstash and Elasticsearch deliver, helping you summarize, analyze and search important log data.
| System | Software to install | IP | Role |
|---|---|---|---|
| centos6.5 | Elasticsearch/test5 | 192.168.253.210 | Search and store logs |
| centos6.5 | Elasticsearch/test4 | 192.168.253.200 | Search and store logs |
| centos6.5 | Logstash/nginx/test1 | 192.168.253.150 | Collect logs and send them to the nodes above |
| centos6.5 | Kibana/nginx/test2 | 192.168.253.100 | Back-end display |
Architecture diagram:
1. First install the Elasticsearch cluster and test it before installing the other software.
Install elasticsearch-2.3.3.rpm on test5 and test4. Java 1.8 must be installed first. The steps are as follows:
yum remove java-1.7.0-openjdk
rpm -ivh jdk-8u51-linux-x64.rpm
java -version
yum localinstall elasticsearch-2.3.3.rpm -y
service elasticsearch start
cd /etc/elasticsearch/
vim elasticsearch.yml
Change the following settings
cluster.name: myelk #name of the cluster; every node in the cluster must use the same name
node.name: test5 #name of this node; every node must have a different name
path.data: /path/to/data #where the data is stored; on production machines put this on its own large partition
path.logs: /path/to/logs #log directory
bootstrap.mlockall: true #lock the heap in memory at startup; with enough memory allocated up front performance is much better, I did not enable it for this test
network.host: 0.0.0.0 #IP address to listen on; this means all addresses
http.port: 9200 #port to listen on
discovery.zen.ping.unicast.hosts: ["hostip", "hostip"] #IPs of the other cluster members; without this the node runs on its own
mkdir -pv /path/to/{data,logs}
chown elasticsearch.elasticsearch /path -R
Start the service with service elasticsearch start and check that the listening ports are up
[root@test4 ~]# ss -tln
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 :::54411 :::*
LISTEN 0 128 :::111 :::*
LISTEN 0 128 *:111 *:*
LISTEN 0 50 :::9200 :::*
LISTEN 0 50 :::9300 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 *:51574 *:*
LISTEN 0 128 127.0.0.1:631 *:*
LISTEN 0 128 ::1:631 :::*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 100 127.0.0.1:25 *:*
The two machines use the same configuration; only the IP and node name above need to differ
[root@test5 ~]# ss -tln
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:45822 *:*
LISTEN 0 128 :::39620 :::*
LISTEN 0 128 :::111 :::*
LISTEN 0 128 *:111 *:*
LISTEN 0 50 :::9200 :::*
LISTEN 0 50 :::9300 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 127.0.0.1:631 *:*
LISTEN 0 128 ::1:631 :::*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 100 127.0.0.1:25 *:*
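As an added check that is not part of the original post: a small POSIX shell script that compares the two elasticsearch.yml files before the nodes are started. It verifies what the post says must match and differ (same cluster.name, distinct node.name, both IPs in the unicast host list) and reports network.host: 0.0.0.0, since Elasticsearch 2.x ships without authentication. The file names and the temp-dir demo are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: check the two elasticsearch.yml
# files described above before starting the nodes. Same cluster.name, distinct
# node.name and a unicast host list naming both nodes are what lets the two
# nodes form one cluster. network.host 0.0.0.0 is reported too: ES 2.x has no
# built-in authentication, so anything that reaches 9200 can read or delete
# every index. IPs are the post's test4/test5; file names are assumed.

# es_get FILE KEY -> value of "KEY: value" with a trailing "# comment" removed
es_get() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*#.*$//'
}

# es_pair_ok FILE_A FILE_B IP_A IP_B -> 0 if the pair can form the cluster,
# 1 otherwise; findings are written to stderr.
es_pair_ok() {
    a=$1 b=$2 ip_a=$3 ip_b=$4 rc=0
    [ "$(es_get "$a" cluster.name)" = "$(es_get "$b" cluster.name)" ] ||
        { echo "cluster.name differs, the nodes will not join" >&2; rc=1; }
    [ "$(es_get "$a" node.name)" != "$(es_get "$b" node.name)" ] ||
        { echo "node.name must be unique per node" >&2; rc=1; }
    for f in "$a" "$b"; do
        case $(es_get "$f" discovery.zen.ping.unicast.hosts) in
            *"$ip_a"*"$ip_b"*|*"$ip_b"*"$ip_a"*) ;;
            *) echo "$f: unicast hosts must list $ip_a and $ip_b" >&2; rc=1 ;;
        esac
        [ "$(es_get "$f" network.host)" = 0.0.0.0 ] &&
            echo "$f: listens on every interface, firewall 9200/9300" >&2
    done
    return $rc
}

# Constructed sample: write the post's two node configs to a temp dir and
# check them. Passing the same name twice shows a duplicate node.name rejected.
demo_es_pair() {
    d=$(mktemp -d)
    for n in "$1" "$2"; do
        printf 'cluster.name: myelk\nnode.name: %s\n' "$n" > "$d/$n.yml"
        printf 'network.host: 0.0.0.0 # all interfaces\nhttp.port: 9200\n' >> "$d/$n.yml"
        printf 'discovery.zen.ping.unicast.hosts: ["192.168.253.200", "192.168.253.210"]\n' >> "$d/$n.yml"
    done
    es_pair_ok "$d/$1.yml" "$d/$2.yml" 192.168.253.200 192.168.253.210
}

demo_es_pair test5 test4
```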
Install the head and kopf plugins, then open ip:9200/_plugin/head and ip:9200/_plugin/kopf (the plugins give a graphical view of Elasticsearch's state and let you create and delete indices)
/usr/share/elasticsearch/bin/plugin install lmenezes/elasticsearch-kopf
/usr/share/elasticsearch/bin/plugin install mobz/elasticsearch-head
[root@test5]# /usr/share/elasticsearch/bin/plugin install lmenezes/elasticsearch-kopf
-> Installing lmenezes/elasticsearch-kopf...
Trying https://github.com/lmenezes/elasticsearch-kopf/archive/master.zip ...
Downloading ..........................................DONE
Verifying https://github.com/lmenezes/elasticsearch-kopf/archive/master.zip checksums if available ...
NOTE: Unable to verify checksum for downloaded plugin (unable to find .sha1 or .md5 file to verify)
Installed kopf into /usr/share/elasticsearch/plugins/kopf
[root@test5 ]# /usr/share/elasticsearch/bin/plugin install mobz/elasticsearch-head
-> Installing mobz/elasticsearch-head...
Trying https://github.com/mobz/elasticsearch-head/archive/master.zip ...
Downloading ..........................................DONE
Verifying https://github.com/mobz/elasticsearch-head/archive/master.zip checksums if available ...
NOTE: Unable to verify checksum for downloaded plugin (unable to find .sha1 or .md5 file to verify)
Installed head into /usr/share/elasticsearch/plugins/head
2. Install nginx and Logstash
yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel
nginx-1.8.1-1.el6.ngx.x86_64.rpm
logstash-2.3.3-1.noarch.rpm
jdk-8u51-linux-x64.rpm
Install the nginx service on test1; it is the one whose logs we collect
The log is at /var/log/nginx/access.log
Then install logstash-2.3.3-1.noarch.rpm on test1
yum remove java-1.7.0-openjdk
rpm -ivh jdk-8u91-linux-x64.rpm
rpm -ivh logstash-2.3.3-1.noarch.rpm
/etc/init.d/logstash start #start the service
/opt/logstash/bin/logstash -e 'input {stdin{}} output{stdout{ codec=>"rubydebug"}}' #test the environment: run this, and once the pipeline has started, whatever you type is echoed back as an event
Settings: Default pipeline workers: 1
Pipeline main started
hello world
{
"message" => "hello world",
"@version" => "1",
"@timestamp" => "2017-05-24T08:04:46.993Z",
"host" => "0.0.0.0"
}
Next run /opt/logstash/bin/logstash -e 'input {stdin{}} output{ elasticsearch { hosts => ["192.168.253.200:9200"] index => "test"}}'
This sends whatever you type to the Elasticsearch on 253.200, which creates an index directory named test under /path/to/data/myelk/nodes/0/indices. Type a few lines, then check that directory on 253.200; if the files are there it is working.
[root@test4 ~]# ls /path/to/data/myelk/nodes/0/indices/
test
Then create a configuration file ending in .conf under /etc/logstash/conf.d on test1. Since I am collecting nginx logs I call it nginx.conf; its content is as follows
[root@test1 nginx]# cd /etc/logstash/conf.d/
[root@test1 conf.d]# ls
nginx.conf
[root@test1 conf.d]# cat nginx.conf
input {
  file {
    type => "accesslog"
    path => "/var/log/nginx/access.log"
    start_position => "beginning"
  }
}
output {
  if [type] == "accesslog" {
    elasticsearch {
      hosts => ["192.168.253.200"]
      index => "nginx-access-%{+YYYY.MM.dd}"
    }
  }
}
/etc/init.d/logstash configtest
ps -ef |grep java
/opt/logstash/bin/logstash -f nginx.conf
Then check in Elasticsearch whether the index was created. Hit the nginx service a few more times.
If there is no index, edit this file
vi /etc/init.d/logstash
LS_USER=root ###change this to root, or give the access log permissions that let logstash read it; restart the service and the index will be created
LS_GROUP=root
LS_HOME=/var/lib/logstash
LS_HEAP_SIZE="1g"
LS_LOG_DIR=/var/log/logstash
LS_LOG_FILE="${LS_LOG_DIR}/$name.log"
LS_CONF_DIR=/etc/logstash/conf.d
LS_OPEN_FILES=16384
LS_NICE=19
KILL_ON_STOP_TIMEOUT=${KILL_ON_STOP_TIMEOUT-0} #default value is zero to this variable but could be updated by user request
LS_OPTS=""
On test4:
[root@test4 ~]# ls /path/to/data/myelk/nodes/0/indices/
nginx-access-2017.05.23 test
[root@test1 logstash]# cat logstash.log
{:timestamp=>"2017-05-24T16:05:19.659000+0800", :message=>"Pipeline main started"}
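An added example, not from the original post: the nginx.conf pipeline above indexes each access.log line as a single message field, so Kibana cannot yet aggregate on client, status or URL (in Logstash that takes a grok filter with %{COMBINEDAPACHELOG} between the input and output blocks). This awk script performs the same split offline on constructed sample lines and then flags clients with many 4xx/5xx responses, the kind of query the index is being built for. Function names and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the nginx.conf pipeline above
# stores each access.log line as one "message" field. Aggregating in Kibana on
# client, status or URL needs those as separate fields (in Logstash a grok
# filter with %{COMBINEDAPACHELOG} between input and output). This awk does
# the same split offline, then flags clients with many 4xx/5xx responses.
# The log lines below are constructed samples in nginx's default "combined" format.

# nginx_fields < access.log  ->  one "client status bytes request" line per entry
nginx_fields() {
    # combined: client - user [time] "request" status bytes "referer" "agent";
    # splitting on the double quote keeps the request intact even with spaces
    awk -F'"' '{
        split($1, pre, " "); split($3, post, " ")
        print pre[1], post[1], post[2], $2
    }'
}

# suspicious_clients THRESHOLD < access.log
#   -> "client count" for every client with more than THRESHOLD 4xx/5xx hits
suspicious_clients() {
    nginx_fields | awk -v t="$1" '
        $2 ~ /^[45][0-9][0-9]$/ { n[$1]++ }
        END { for (c in n) if (n[c] > t) print c, n[c] }' | sort
}

SAMPLE_LOG='192.168.253.1 - - [24/May/2017:16:05:19 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.19.7"
192.168.253.1 - - [24/May/2017:16:05:20 +0800] "GET /page1 HTTP/1.1" 404 169 "-" "curl/7.19.7"
192.168.253.1 - - [24/May/2017:16:05:21 +0800] "GET /page2 HTTP/1.1" 404 169 "-" "curl/7.19.7"
192.168.253.1 - - [24/May/2017:16:05:22 +0800] "GET /page3 HTTP/1.1" 404 169 "-" "curl/7.19.7"
192.168.253.20 - - [24/May/2017:16:06:00 +0800] "POST /api/login HTTP/1.1" 401 0 "http://test1/" "Mozilla/5.0"
192.168.253.20 - - [24/May/2017:16:06:30 +0800] "GET /index.html HTTP/1.1" 200 612 "http://test1/" "Mozilla/5.0"'

# helpers over the sample so the parsing and the detection can be checked
count_parsed() { printf '%s\n' "$SAMPLE_LOG" | nginx_fields | wc -l | tr -d ' '; }
flagged() { printf '%s\n' "$SAMPLE_LOG" | suspicious_clients "$1"; }

flagged 2
```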
3. Install Kibana
Once everything above is installed, install Kibana on test2
rpm -ivh kibana-4.5.1-1.x86_64.rpm
Edit the configuration file /opt/kibana/config/kibana.yml; only the following items need changing
server.port: 5601 #port
server.host: "0.0.0.0" #listen address
elasticsearch.url: "http://192.168.48.200:9200" #Elasticsearch address
/etc/init.d/kibana start #start the service
Visit Kibana at http://ip:5601
Add the index to display, i.e. the one defined above: nginx-access-2016.07.03
Configuring a Logstash on the Kibana host to collect its nginx logs
Install Logstash on the Kibana server (following the steps above)
Then write a configuration file under Logstash's /etc/logstash/conf.d/:
[root@test2 conf.d]# vim nginx.conf
input {
  file {
    type => "accesslog"
    path => "/var/log/nginx/access.log"
    start_position => "beginning"
  }
}
output {
  if [type] == "accesslog" {
    elasticsearch {
      hosts => ["192.168.253.200"]
      index => "nginx-access-%{+MM.dd.YYYY}"
    }
  }
}
/opt/logstash/bin/logstash -f nginx.conf
Check that Elasticsearch now has an additional nginx access log index named month.day.year
[root@test4 ~]# ls /path/to/data/myelk/nodes/0/indices/
nginx-access-05.23.2017 nginx-access-2017.05.23 test
Then add it in Kibana in the browser the same way as before, so the new log index appears
4. Some other configuration.
Exposing Kibana directly is not very secure; we put nginx in front as a reverse proxy and require a username and password
First install nginx on the Kibana server (not covered here)
Configure the following in nginx
#############################################################################
server
{
    listen 80;
    server_name localhost;
    auth_basic "Restricted Access";
    auth_basic_user_file /usr/local/nginx/conf/htpasswd.users; #user and password file
    location / {
        proxy_pass http://localhost:5601; #proxy Kibana's 5601 so it can be reached directly on port 80
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
#############################################################################
Create the user and password file htpasswd.users
This needs the httpd-tools package, so install it first
htpasswd -bc /usr/local/nginx/conf/htpasswd.users admin paswdadmin #username first, then the password
After that, access requires a username and password and goes through port 80
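An added example, not from the original post: the same htpasswd.users file created without the password on the command line (htpasswd -b leaves it in shell history and visible in ps while it runs), using openssl's apr1 hash, which nginx auth_basic accepts, plus a check function that verifies a password against the stored entry. The function names and the temp file in the demo are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): maintain the htpasswd.users
# file read by the nginx proxy above without passing the password as a
# command-line argument. Hashes use openssl's apr1 format ($apr1$salt$hash),
# which nginx auth_basic_user_file accepts.

# htpasswd_add FILE USER   (password is read as one line from stdin)
htpasswd_add() {
    file=$1 user=$2
    IFS= read -r pw || return 1
    hash=$(printf '%s\n' "$pw" | openssl passwd -apr1 -stdin) || return 1
    ( umask 077                     # keep the file private to its owner
      # drop any earlier entry for USER, then append the new one
      { [ -f "$file" ] && grep -v "^$user:" "$file" || :; } > "$file.tmp"
      printf '%s:%s\n' "$user" "$hash" >> "$file.tmp"
      mv "$file.tmp" "$file" )
}

# htpasswd_check FILE USER   (password from stdin) -> 0 if it matches
htpasswd_check() {
    file=$1 user=$2
    IFS= read -r pw || return 1
    stored=$(grep "^$user:" "$file" | head -n 1 | cut -d: -f2-)
    [ -n "$stored" ] || return 1
    # re-hash with the salt stored in field 3 of $apr1$SALT$HASH and compare
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    calc=$(printf '%s\n' "$pw" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$calc" = "$stored" ]
}

# demo with a temp file and a constructed password; prints the resulting file
demo_htpasswd() {
    f=$(mktemp -d)/htpasswd.users
    printf '%s\n' 'constructed-demo-password' | htpasswd_add "$f" admin
    printf '%s\n' 'constructed-demo-password' | htpasswd_check "$f" admin || return 1
    # a wrong password must be rejected
    if printf '%s\n' 'not-the-password' | htpasswd_check "$f" admin; then return 1; fi
    cat "$f"
}

demo_htpasswd
```

Basic auth on a plain port 80 listener sends the username and password in cleartext on every request, so the server block should also listen on 443 with TLS and redirect port 80 to it.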