ELK——01安装ELK

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了ELK——01安装ELK相关的知识,希望对你有一定的参考价值。

参考技术A Centos 7.7

因为搭建ELK需要Java环境,所以需要知道JAVA_HOME。
我最终在 /usr/lib/jvm/jre-1.8.0-openjdk 中知道了JDK,然后指定此路径为JAVA_HOME。

https://www.elastic.co/cn/downloads/

logstash官网
直接安装logstash官网方式安装。

和logstash一样,采用yum安装方式,直接看官网教程,不再赘述。
https://www.elastic.co/guide/en/kibana/7.9/rpm.html#rpm-repo

ELK也是cs架构,所以会有一个服务器用于接收存储并展示日志,此账号用于客户端。
一般而言,会为ELK专门创建一个账号。这个账号会用于所有ELK的相关连接和通信。

user_name改为用户名,your_pwd改为密码。

这是出于系统安全考虑设置的条件。由于ElasticSearch可以接收用户输入的脚本并且执行,为了系统安全考虑,
建议创建一个单独的用户用来运行ElasticSearch。

用curl 访问 http://localhost:9200 ,看是否能得到返回值。若得到返回值,证明elasticsearch服务启动成功。

测试可用性:打开redis客户端,随便设置一个值,并取出来。

yum 安装软件的原文件一版放置于 /etc/ 目录下,kibana也不例外,放在/etc/kibana
修改 /etc/kibana/kibana.yml 配置文件中的server.host 和 server.port,如下图所示。

然后再通过浏览器访问kibana的地址就可以了。

ELK测试

ELK 日志分析系统

        ELK 日志分析系统
            1.0 ELK 介绍
            1.1 ELK 安装准备工作
            1.2 es 安装
            1.3 es配置
            1.4 es测试
            1.5 Kibana安装
            1.6 logstash安装
            1.7 logstash配置解析rsyslog文件
            1.8 kibana查看日志
            1.9 nginx日志收集
            2.0 beats采集日志

1.0 ELK 介绍

官网https://www.elastic.co/cn/

中文指南https://www.gitbook.com/book/chenryn/elk-stack-guide-cn/details

ELK Stack (5.0版本之后)? Elastic Stack == (ELK Stack + Beats)

ELK Stack包含:ElasticSearch、Logstash、Kibana

ElasticSearch是一个搜索引擎,用来搜索、分析、存储日志。它是分布式的,也就是说可以横向扩容,可以自动发现,索引自动分片,总之很强大。文档https://www.elastic.co/guide/cn/elasticsearch/guide/current/index.html

Logstash用来采集日志,把日志解析为json格式交给ElasticSearch。

Kibana是一个数据可视化组件,把处理后的结果通过web界面展示

Beats在这里是一个轻量级日志采集器,其实Beats家族有5个成员
早期的ELK架构中使用Logstash收集、解析日志,但是Logstash对内存、cpu、io等资源消耗比较高。相比 
Logstash,Beats所占系统的CPU和内存几乎可以忽略不计

x-pack对Elastic Stack提供了安全、警报、监控、报表、图表于一身的扩展包,是收费的

1.1 ELK 安装准备工作

环境准备:192.168.137.30、192.168.137.40、192.168.137.45
// 三台机器均安装Elaelasticsearch(后续简称es)、jdk8,设置hosts 
主节点:
192.168.137.30
数据节点:
192.168.137.40、192.168.137.45
所有节点均安装jdk环境
yum install -y java-1.8.0-openjdk

1.2 es 安装

官方文档 https://www.elastic.co/guide/en/elastic-stack/current/installing-elastic-stack.html
三台机器均都要执行以下操作
[[email protected] ~]# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
[[email protected] ~]# cat /etc/yum.repos.d/elastic.repo

[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

[[email protected] ~]# yum install -y elasticsearch
或者方法安装
[[email protected] ~]# wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.0.0.rpm
[[email protected] ~]# rpm -ivh elasticsearch-6.0.0.rpm

1.3 es配置

elasticsearch配置文件/etc/elasticsearch和/etc/sysconfig/elasticsearch 
参考https://www.elastic.co/guide/en/elasticsearch/reference/6.0/rpm.html 
主节点:192.168.137.30编辑配置文件

[[email protected] ~]# cat /etc/elasticsearch/elasticsearch.yml 
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
#cluster.name: my-application
cluster.name: linux-node3.com
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
node.name: linux-node3.com
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
 node.master: true
 node.data: false

#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/elasticsearch
#
# Path to log files:
#
path.logs: /var/log/elasticsearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 192.168.137.30
#
# Set a custom port for HTTP:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when new node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.zen.ping.unicast.hosts: ["host1", "host2"]
discovery.zen.ping.unicast.hosts: ["192.168.137.30", "192.168.137.40", "192.168.137.45"]
#
# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
#
#discovery.zen.minimum_master_nodes: 
#
# For more information, consult the zen discovery module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
[[email protected] ~]#

同理修改数据节点配置:

[[email protected] ~]# cat /etc/elasticsearch/elasticsearch.yml 
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
#cluster.name: my-application
cluster.name: linux-node3.com
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
node.name: linux-node4.com
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
 node.master: false
 node.data: true

#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/elasticsearch
#
# Path to log files:
#
path.logs: /var/log/elasticsearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 192.168.137.40
#
# Set a custom port for HTTP:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when new node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.zen.ping.unicast.hosts: ["host1", "host2"]
discovery.zen.ping.unicast.hosts: ["192.168.137.30", "192.168.137.40", "192.168.137.45"]
#
# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
#
#discovery.zen.minimum_master_nodes: 
#
# For more information, consult the zen discovery module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
[[email protected] ~]# 

三台均启动服务

[[email protected] ~]# systemctl start elasticsearch
[[email protected] ~]# ps -aux |grep elasticsearch
elastic+   3140 23.7 45.9 1482312 459248 ?      Ssl  14:29   0:00 /bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+AlwaysPreTouch -server -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/elasticsearch -Des.path.home=/usr/share/elasticsearch -Des.path.conf=/etc/elasticsearch -cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch -p /var/run/elasticsearch/elasticsearch.pid --quiet
root       3168  5.0  0.0 112680   716 pts/1    S+   14:29   0:00 grep --color=auto elasticsearch
[[email protected] ~]# 
[[email protected] ~]# netstat -lntnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      966/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1095/master         
tcp        0      0 192.168.137.30:27017    0.0.0.0:*               LISTEN      1006/mongod         
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      1006/mongod         
tcp6       0      0 192.168.137.30:9200     :::*                    LISTEN      1422/java           
tcp6       0      0 :::8080                 :::*                    LISTEN      1185/java           
tcp6       0      0 :::80                   :::*                    LISTEN      961/httpd           
tcp6       0      0 192.168.137.30:9300     :::*                    LISTEN      1422/java           
tcp6       0      0 :::22                   :::*                    LISTEN      966/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      1095/master         
[[email protected] ~]# 
// 依次启动数据节点。端口分别为9200,9300
[[email protected] ~]# ss -ltnp |grep -E ‘9200|9300‘
LISTEN     0      128      ::ffff:192.168.137.45:9200                    :::*                   users:(("java",pid=2758,fd=118))
LISTEN     0      128      ::ffff:192.168.137.45:9300                    :::*                   users:(("java",pid=2758,fd=108))
[[email protected] ~]#
[[email protected] ~]# ss -ltnp |grep -E ‘9200|9300‘
LISTEN     0      128      ::ffff:192.168.137.40:9200                    :::*                   users:(("java",pid=3257,fd=119))
LISTEN     0      128      ::ffff:192.168.137.40:9300                    :::*                   users:(("java",pid=3257,fd=110))

1.4 es测试

健康检查

[[email protected] ~]# curl ‘192.168.137.30:9200/_cluster/health?pretty‘
{
  "cluster_name" : "linux-node3.com",
  "status" : "green",   //健康状态
  "timed_out" : false,
  "number_of_nodes" : 3,     //3个节点
  "number_of_data_nodes" : 2,  //2个数据节点
  "active_primary_shards" : 0,
  "active_shards" : 0,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
[[email protected] ~]#

集群详细信息

[[email protected] ~]# curl ‘192.168.137.30:9200/_cluster/state?pretty‘ 
{
  "cluster_name" : "linux-node3.com",
  "compressed_size_in_bytes" : 355,
  "version" : 5,
  "state_uuid" : "RBH5dvstTyqgHVVSdfNi_Q",
  "master_node" : "d1yLa9f9RfSPwUXPvm_lqQ",
  "blocks" : { },
  "nodes" : {
    "d1yLa9f9RfSPwUXPvm_lqQ" : {
      "name" : "linux-node3.com",
      "ephemeral_id" : "DGs6lBiaQvaJlmyasez-TA",
      "transport_address" : "192.168.137.30:9300",
      "attributes" : { }
    },
    "pyOddTkYRN6fRjWjb-ehBw" : {
      "name" : "linux-05.com",
      "ephemeral_id" : "X8oa-yozSxqVmb6Dp2fhAQ",
      "transport_address" : "192.168.137.45:9300",
      "attributes" : { }
    },
    "mf7rEM3oScqEOqNFniEJfA" : {
      "name" : "linux-node4.com",
      "ephemeral_id" : "eZ4jATDJRDyv3rmnup3zfg",
      "transport_address" : "192.168.137.40:9300",
      "attributes" : { }
    }
  },
  "metadata" : {
    "cluster_uuid" : "3_2FFY-XTPexeDEZ6MXR1Q",
    "templates" : { },
    "indices" : { },
    "index-graveyard" : {
      "tombstones" : [ ]
    }
  },
  "routing_table" : {
    "indices" : { }
  },
  "routing_nodes" : {
    "unassigned" : [ ],
    "nodes" : {
      "mf7rEM3oScqEOqNFniEJfA" : [ ],
      "pyOddTkYRN6fRjWjb-ehBw" : [ ]
    }
  },
  "restore" : {
    "snapshots" : [ ]
  },
  "snapshots" : {
    "snapshots" : [ ]
  },
  "snapshot_deletions" : {
    "snapshot_deletions" : [ ]
  }
}
[[email protected] ~]#

1.5 Kibana安装

主节点安装:kibana
[[email protected] ~]#  yum install -y kibana //会很慢
[[email protected] ~]# wget https://artifacts.elastic.co/downloads/kibana/kibana-6.0.0-x86_64.rpm
[[email protected] ~]# rpm -ivh kibana-6.0.0-x86_64.rpm 
准备中...                          ################################# [100%]
正在升级/安装...
1:kibana-6.0.0-1                   ################################# [100%]
[[email protected] ~]# 
[[email protected] ~]# grep -v "^#" /etc/kibana/kibana.yml 
server.port: 5601  //监听端口
server.host: "192.168.137.30"

elasticsearch.url: "http://192.168.137.30:9200" //es访问地址

logging.dest: /var/log/kibana.log

[[email protected] ~]#
[[email protected] log]# touch kibana.log
[[email protected] log]# chmod 777 kibana.log 
[[email protected] log]# systemctl restart kibana
[[email protected] log]# ps aux | grep kibana
kibana     1626 39.5 11.6 1121852 116968 ?      Ssl  17:09   0:04 /usr/share/kibana/bin/../node/bin/node --no-warnings /usr/share/kibana/bin/../src/cli -c /etc/kibana/kibana.yml
root       1638  0.0  0.0 112680   980 pts/0    R+   17:10   0:00 grep --color=auto kibana
[[email protected] log]# netstat -lntnp | grep nod
tcp        0      0 192.168.137.30:5601     0.0.0.0:*               LISTEN      1626/node           
[[email protected] log]#
浏览器里访问 http://192.168.137.30:5601

1.6 logstash安装

数据节点安装: logstash
[[email protected] ~]# yum install -y  logstash 或者使用
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.0.0.rpm
rpm -ivh logstash-6.0.0.rpm 
[[email protected] ~]# rpm -ivh logstash-6.0.0.rpm 
准备中...                          ################################# [100%]
正在升级/安装...
1:logstash-1:6.0.0-1               ################################# [100%]
Using provided startup.options file: /etc/logstash/startup.options
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
Successfully created system startup script for Logstash

1.7 logstash配置解析rsyslog文件

[[email protected] ~]# cat /etc/logstash/conf.d/syslog.conf

 input {
  syslog {
    type => "system-syslog"
    port => 10514  
  }
}
output {
  stdout {
    codec => rubydebug
  }
}

[[email protected] ~]# 
检测配置文件是否有错
[[email protected] ~]# cd /usr/share/logstash/bin
[[email protected] bin]# ./logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/syslog.conf --config.test_and_exit
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
Sending Logstash‘s logs to /var/log/logstash which is now configured via log4j2.properties
Configuration OK
启动logstash
vim /etc/rsyslog.conf//在#### RULES下面增加一行
*.* @@192.168.137.40:10514
[[email protected] ~]# systemctl restart rsyslog
[[email protected] ~]# netstat -lnp |grep 10514
tcp6       0      0 :::10514                :::*                    LISTEN      3708/java           
udp        0      0 0.0.0.0:10514           0.0.0.0:*                           3708/java
[[email protected] bin]#  ./logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/syslog.conf

OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
Sending Logstash‘s logs to /var/log/logstash which is now configured via log4j2.properties
{
          "severity" => 6,
           "program" => "rsyslogd",
           "message" => "[origin software="rsyslogd" swVersion="7.4.7" x-pid="3768" x-info="http://www.rsyslog.com"] start
",
              "type" => "system-syslog",
          "priority" => 46,
         "logsource" => "linux-node4",
        "@timestamp" => 2017-12-14T10:07:03.000Z,
          "@version" => "1",
              "host" => "192.168.137.40",
          "facility" => 5,
    "severity_label" => "Informational",
         "timestamp" => "Dec 14 18:07:03",
    "facility_label" => "syslogd"
}
{
          "severity" => 6,
           "program" => "systemd",
           "message" => "Stopping System Logging Service...
",
              "type" => "system-syslog",
          "priority" => 30,
         "logsource" => "linux-node4",
        "@timestamp" => 2017-12-14T10:07:03.000Z,
          "@version" => "1",
              "host" => "192.168.137.40",
          "facility" => 3,
    "severity_label" => "Informational",
         "timestamp" => "Dec 14 18:07:03",
    "facility_label" => "system"
}
{
          "severity" => 6,
           "program" => "systemd",
           "message" => "Starting System Logging Service...
",
              "type" => "system-syslog",
          "priority" => 30,
         "logsource" => "linux-node4",
        "@timestamp" => 2017-12-14T10:07:03.000Z,
          "@version" => "1",
              "host" => "192.168.137.40",
          "facility" => 3,
    "severity_label" => "Informational",
         "timestamp" => "Dec 14 18:07:03",
    "facility_label" => "system"
}
{
          "severity" => 6,
           "program" => "systemd",
           "message" => "Started System Logging Service.
",
              "type" => "system-syslog",
          "priority" => 30,
         "logsource" => "linux-node4",
        "@timestamp" => 2017-12-14T10:07:03.000Z,
          "@version" => "1",
              "host" => "192.168.137.40",
          "facility" => 3,
    "severity_label" => "Informational",
         "timestamp" => "Dec 14 18:07:03",
    "facility_label" => "system"
}
{
          "severity" => 5,
               "pid" => "654",
           "program" => "polkitd",
           "message" => "Unregistered Authentication Agent for unix-process:3761:2437779 (system bus name :1.47, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) (disconnected from bus)
",
              "type" => "system-syslog",
          "priority" => 85,
         "logsource" => "linux-node4",
        "@timestamp" => 2017-12-14T10:07:03.000Z,
          "@version" => "1",
              "host" => "192.168.137.40",
          "facility" => 10,
    "severity_label" => "Notice",
         "timestamp" => "Dec 14 18:07:03",
    "facility_label" => "security/authorization"
}

// 注:启动后不能敲命令,屏幕上查看到日志输出

1.8 kibana查看日志

数据节点配置日志收集:
启动logstash
[[email protected] ~]# cat /etc/logstash/conf.d/syslog.conf

input {
  syslog {
    type => "system-syslog"
    port => 10514  
  }
}
output {
  elasticsearch {
  hosts => ["192.168.137.30:9200"]
  index => "system-syslog-%{+YYYY.MM}" 
  }
}

[[email protected] ~]# chown -R logstash /var/lib/logstash
[[email protected] ~]# systemctl start logstash
[[email protected] ~]#
[[email protected] ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      963/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1238/master         
tcp6       0      0 192.168.137.40:9200     :::*                    LISTEN      13890/java          
tcp6       0      0 :::10514                :::*                    LISTEN      14164/java          
tcp6       0      0 192.168.137.40:9300     :::*                    LISTEN      13890/java          
tcp6       0      0 :::22                   :::*                    LISTEN      963/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      1238/master         
tcp6       0      0 127.0.0.1:9600          :::*                    LISTEN      14164/java 
// 默认是127.0.0.1:9600,修改
[[email protected] ~]# grep -v "^#" /etc/logstash/logstash.yml 
path.data: /var/lib/logstash
path.config: /etc/logstash/conf.d/*.conf


http.host: "192.168.137.40"
path.logs: /var/log/logstash

[[email protected] ~]#
[[email protected] ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      965/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1224/master         
tcp6       0      0 192.168.137.40:9200     :::*                    LISTEN      2215/java           
tcp6       0      0 :::10514                :::*                    LISTEN      5450/java           
tcp6       0      0 192.168.137.40:9300     :::*                    LISTEN      2215/java           
tcp6       0      0 :::22                   :::*                    LISTEN      965/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      1224/master         
tcp6       0      0 192.168.137.40:9600     :::*                    LISTEN      5450/java
主节点查看索引信息
[[email protected] ~]# curl ‘192.168.137.30:9200/_cat/indices?v‘ //可以获取索引信息
health status index                 uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana               Z7JVUVlLSRSu5xqySplQ5w   1   1          1            0      6.9kb          3.4kb
green  open   system-syslog-2017.12 c9ZmYijTTYSMLMIESb3N4Q   5   1          1            0     24.5kb         12.2kb
[[email protected] ~]#

    [[email protected] ~]# curl -XGET ‘192.168.137.30:9200/indexname?pretty‘ 
{  // 获指定索引详细信息
  "error" : {
    "root_cause" : [
      {
        "type" : "index_not_found_exception",
        "reason" : "no such index",
        "resource.type" : "index_or_alias",
        "resource.id" : "indexname",
        "index_uuid" : "_na_",
        "index" : "indexname"
      }
    ],
    "type" : "index_not_found_exception",
    "reason" : "no such index",
    "resource.type" : "index_or_alias",
    "resource.id" : "indexname",
    "index_uuid" : "_na_",
    "index" : "indexname"
  },
  "status" : 404
}

[[email protected] ~]#
curl -XDELETE ‘localhost:9200/logstash-xxx-*‘ 可以删除指定索引
浏览器访问192.168.137.40:5601,到kibana配置索引
左侧点击“Managerment”-> “Index Patterns”-> “Create Index Pattern”
Index pattern这里需要根据前面curl查询到的索引名字来写,否则下面的按钮是无法点击
输入:system-syslog-2017.12 或者system-syslog-*

1.9 nginx日志收集

[[email protected] ~]# cat /etc/logstash/conf.d/nginx.conf

input {
  file {
    path => "/tmp/elk_access.log"
    start_position => "beginning"
    type => "nginx"
  }
}
filter {
    grok {
        match => { "message" => "%{IPORHOST:http_host} %{IPORHOST:clientip} - %{USERNAME:remote_user} [%{HTTPDATE:timestamp}] "(?:%{WORD:http_verb} %{NOTSPACE:http_request}(?: HTTP/%{NUMBER:http_version})?|%{DATA:raw_http_request})" %{NUMBER:response} (?:%{NUMBER:bytes_read}|-) %{QS:referrer} %{QS:agent} %{QS:xforwardedfor} %{NUMBER:request_time:float}"}
    }
    geoip {
        source => "clientip"
    }
}
output {
    stdout { codec => rubydebug }
    elasticsearch {
        hosts => ["192.168.137.40:9200"]
	index => "nginx-test-%{+YYYY.MM.dd}"
  }
}

[[email protected] ~]# cd /usr/share/logstash/bin
[[email protected] bin]# ./logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/nginx.conf --config.test_and_exit
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
Sending Logstash‘s logs to /var/log/logstash which is now configured via log4j2.properties
Configuration OK 
//没有nginx的需要安装nginx
[[email protected] ~]# yum -y install nginx
[[email protected] ~]# cat /etc/nginx/conf.d/elk.conf

server {
            listen 80;
            server_name elk.linux.com;

            location / {
                proxy_pass      http://192.168.137.30:5601;
                proxy_set_header Host   $host;
                proxy_set_header X-Real-IP      $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }
            access_log  /tmp/elk_access.log main2;
        }

[[email protected] ~]#
配置日志
vim /etc/nginx/nginx.conf//增加如下内容

log_format main2 ‘$http_host $remote_addr - $remote_user [$time_local] "$request" ‘
                      ‘$status $body_bytes_sent "$http_referer" ‘
                      ‘"$http_user_agent" "$upstream_addr" $request_time‘;

[[email protected] ~]# systemctl start nginx
[[email protected] ~]# ps -ef | grep nginx
root       2916      1  0 14:48 ?        00:00:00 nginx: master process /usr/sbin/nginx
nginx      2917   2916  0 14:48 ?        00:00:00 nginx: worker process
root       2919   2732  0 14:48 pts/4    00:00:00 grep --color=auto nginx
[[email protected] ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2916/nginx: master  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      972/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1247/master         
tcp6       0      0 :::80                   :::*                    LISTEN      2916/nginx: master  
tcp6       0      0 192.168.137.40:9200     :::*                    LISTEN      2214/java           
tcp6       0      0 :::10514                :::*                    LISTEN      2304/java           
tcp6       0      0 192.168.137.40:9300     :::*                    LISTEN      2214/java           
tcp6       0      0 :::22                   :::*                    LISTEN      972/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      1247/master         
tcp6       0      0 192.168.137.40:9600     :::*                    LISTEN      2304/java           
[[email protected] ~]#
绑定hosts 192.168.137.40 elk.linux.com
浏览器访问,检查是否有日志产生
[[email protected] ~]# systemctl restart logstash  

主节点查看获取的索引
[[email protected] ~]# curl ‘192.168.137.30:9200/_cat/indices?v‘ 
health status index                 uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana               Z7JVUVlLSRSu5xqySplQ5w   1   1          2            0     20.4kb         10.2kb
green  open   system-syslog-2017.12 c9ZmYijTTYSMLMIESb3N4Q   5   1        127            0    723.8kb        317.6kb
green  open   nginx-test-2017.12.18 w3j3J-wXT6eXzaVf6ycmBg   5   1         20            0     42.7kb           466b
[[email protected] ~]#
// 检查是否有nginx-test开头的索引生成 
如果有,才能到kibana里去配置该索引
左侧点击“Managerment”-> “Index Patterns”-> “Create Index Pattern”
Index pattern这里写nginx-test-*
之后点击左侧的Discover

2.0 beats采集日志

官网:https://www.elastic.co/cn/products/beats
优点:可扩展,支持自定义构建
数据节点:linux-05.com
[[email protected] ~]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.0.0-x86_64.rpm
[[email protected] ~]# rpm -ivh filebeat-6.0.0-x86_64.rpm 
Preparing...                          ################################# [100%]
Updating / installing...
1:filebeat-6.0.0-1                 ################################# [100%]
[[email protected] ~]#
编辑配置文件
[[email protected] ~]# grep  -v "^#" /etc/filebeat/filebeat.yml  | grep -v "#" |grep -v "^$"

filebeat.prospectors:
- type: log
  paths:
    - /var/log/messages
output.console:
  enable: true

/usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml //可以在屏幕上看到对应的日志信息

[[email protected] ~]# /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml 
^C[[email protected] ~]# /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml 
{"@timestamp":"2017-12-18T07:32:01.785Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.0.0"},"prospector":{"type":"log"},"beat":{"name":"linux-05.com","hostname":"linux-05.com","version":"6.0.0"},"message":"Dec 18 12:30:01 linux-05 systemd: Started Session 6 of user root.","source":"/var/log/messages","offset":66}
{"@timestamp":"2017-12-18T07:32:01.785Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.0.0"},"offset":133,"message":"Dec 18 12:30:01 linux-05 systemd: Starting Session 6 of user root.","prospector":{"type":"log"},"beat":{"version":"6.0.0","name":"linux-05.com","hostname":"linux-05.com"},"source":"/var/log/messages"}...........

再编辑配置文件
vim /etc/filebeat/filebeat.yml //增加或者更改

filebeat.prospectors:
- input_type: log 
  paths:
    - /var/log/messages
output.elasticsearch:
  hosts: ["192.168.137.30:9200"]

[[email protected] ~]# systemctl start  filebeat
[[email protected] ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd           
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      933/sshd            
tcp        0      0 192.168.137.45:27017    0.0.0.0:*               LISTEN      1061/mongod         
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      1061/mongod         
tcp6       0      0 :::3306                 :::*                    LISTEN      1454/mysqld         
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd           
tcp6       0      0 192.168.137.45:9200     :::*                    LISTEN      888/java            
tcp6       0      0 192.168.137.45:9300     :::*                    LISTEN      888/java            
tcp6       0      0 :::22                   :::*                    LISTEN      933/sshd            
[[email protected] ~]# ps aux |grep filebeat
root       5123  0.0  1.2 277436 12324 ?        Ssl  15:45   0:00 /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebea
root       5140  0.0  0.0 112652   964 pts/3    R+   15:46   0:00 grep --color=auto filebeat
[[email protected] ~]#


拓展
x-pack 收费,免费  http://www.jianshu.com/p/a49d93212eca
https://www.elastic.co/subscriptions
Elastic stack演进  http://70data.net/1505.html
基于kafka和elasticsearch,linkedin构建实时日志分析系统 http://t.cn/RYffDoE  
使用redis http://blog.lishiming.net/?p=463
ELK+Filebeat+Kafka+ZooKeeper 构建海量日志分析平台  https://www.cnblogs.com/delgyd/p/elk.html
http://www.jianshu.com/p/d65aed756587

  

以上是关于ELK——01安装ELK的主要内容,如果未能解决你的问题,请参考以下文章

Centos6搭建ELK - 01 安装Elasticsearch7.13

2021年大数据ELK:安装Elasticsearch

2021年大数据ELK:安装Elasticsearch

ELK实战,Linux版docker安装ElasticSearchES-headLogstashKiabana入门,无坑详细图解

2021年大数据ELK:安装Elasticsearch-head插件

filebeat+kafka+ELK5.4安装与部署