ELK architecture: building a log collection system

Posted lummg-DAY


Editor's note: this article was compiled by the cha138.com editors and walks through building a log collection system on the ELK architecture (nginx + Filebeat + Logstash + Redis + Elasticsearch + Kibana).

I. Log collection side

1. nginx: nginx-1.16.1.tar.gz

So that Kibana can pick individual fields out of the nginx access log, the log is first written as JSON. One detail matters for anyone who will search these logs later: the escape=json parameter on log_format (available since nginx 1.11.8). nginx's default escaping writes '"', '\' and control characters as \xXX, which is not a legal JSON escape, so a single double quote in a User-Agent, Referer or URI turns that line into something no JSON parser accepts; Logstash's json codec then tags the event _jsonparsefailure and the request never shows up in the structured fields. With escape=json the same characters are escaped the way JSON requires and the request stays inside its own field. The xff field comes from the X-Forwarded-For header and is set by the client, so only trust it for requests that arrive through your own proxy. The format looks like this:

log_format access_json escape=json '{"@timestamp":"$time_iso8601",'
    '"host":"$server_addr",'
    '"clientip":"$remote_addr",'
    '"size":$body_bytes_sent,'
    '"responsetime":$request_time,'
    '"upstreamtime":"$upstream_response_time",'
    '"upstreamhost":"$upstream_addr",'
    '"http_host":"$host",'
    '"uri":"$uri",'
    '"domain":"$host",'
    '"xff":"$http_x_forwarded_for",'
    '"referer":"$http_referer",'
    '"tcp_xff":"$proxy_protocol_addr",'
    '"http_user_agent":"$http_user_agent",'
    '"status":"$status"}';
access_log /apps/nginx/logs/access_json.log access_json;
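Why the escaping mode matters, shown as an added example that is not part of the original post: the script below imitates nginx's default, json and none escaping on a constructed request whose User-Agent tries to close the JSON string and add its own keys, renders a cut-down version of the log_format above, and parses the result the way Logstash's json codec would. The format string, the sample request values and the three escaping helpers are approximations written for this example, not nginx code.

```python
import json
import re

# Added example, not from the original page. A cut-down version of the page's
# access_json log_format; every $variable is substituted with the escaping
# mode applied, which is what nginx does when it writes a line.
FORMAT = ('{"@timestamp":"$time_iso8601","clientip":"$remote_addr",'
          '"size":$body_bytes_sent,"status":"$status",'
          '"uri":"$uri","http_user_agent":"$http_user_agent"}')


def escape_default(value):
    """Approximation of nginx's default log escaping: '"', '\\' and bytes below
    0x20 or above 0x7e are written as \\xXX, which is not a legal JSON escape."""
    out = []
    for b in value.encode("utf-8"):
        if b in (0x22, 0x5C) or b < 0x20 or b > 0x7E:
            out.append("\\x%02X" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def escape_json(value):
    """Approximation of nginx escape=json: '"' and '\\' get a backslash, control
    characters become \\n \\r \\t \\b \\f or \\u00XX, everything else is literal."""
    short = {'"': '\\"', "\\": "\\\\", "\n": "\\n", "\r": "\\r",
             "\t": "\\t", "\b": "\\b", "\f": "\\f"}
    out = []
    for ch in value:
        if ch in short:
            out.append(short[ch])
        elif ord(ch) < 0x20:
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_none(value):
    """nginx escape=none: the value is written verbatim."""
    return value


def render(values, escape):
    """Render FORMAT for one request the way nginx writes an access log line."""
    return re.sub(r"\$(\w+)", lambda m: escape(str(values[m.group(1)])), FORMAT)


def parse_like_logstash(line):
    """json.loads with the failure mode of Logstash's json codec: a line that
    does not parse is not split into fields (it is tagged _jsonparsefailure).
    Returns the event dict, or None on failure."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


# Constructed request: the User-Agent is crafted to close the string and
# append a second "status" key plus a key of its own.
SAMPLE = {
    "time_iso8601": "2020-03-10T20:34:00+08:00",
    "remote_addr": "10.0.0.7",
    "body_bytes_sent": 612,
    "status": 200,
    "uri": "/index.html",
    "http_user_agent": 'Mozilla/5.0", "status":"500", "injected":"1',
}

if __name__ == "__main__":
    for name, esc in (("default", escape_default), ("json", escape_json),
                      ("none", escape_none)):
        line = render(SAMPLE, esc)
        print("escape=%s -> %s" % (name, line))
        print("   parsed: %r" % parse_like_logstash(line))
```

With the default mode the line does not parse at all, so the crafted request silently drops out of the structured fields, which is exactly the kind of log evasion an attacker wants. With escape=none the line parses, the duplicate status key wins in parsers that keep the last value (Python's json does) and a bogus injected field appears in the event. Only escape=json keeps the whole payload inside http_user_agent with status still "200".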

2. Install Filebeat (package: filebeat-7.6.1-amd64.deb) and edit its configuration; the changed part is shown below. The paths must point at the file nginx actually writes: the nginx.conf above uses /apps/nginx/logs/ while this file uses /usr/local/nginx/logs/, so make the two agree. The fields block attaches fields.type and fields.host to every event, and Logstash later routes on [fields][type].

vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /usr/local/nginx/logs/access_json.log
  fields:
    type: nginx-access-log         # added field (fields.type), used for routing
    host: 192.168.134.191
- type: log
  enabled: true
  fields:
    type: nginx-error-log
    host: 192.168.134.191
  paths:
    - /usr/local/nginx/logs/error.log
- type: log
  enabled: true
  fields:
    type: nginx-syslog
    host: 192.168.134.191
  paths:
    - /var/log/syslog

II. Log forwarding side

1. Configure Logstash to forward the nginx logs collected by Filebeat

Package: logstash-7.6.1.deb. Logstash needs a Java runtime.

Install the JDK and Logstash:

apt-get update
apt-get install openjdk-8-jdk -y
dpkg -i logstash-7.6.1.deb

The original setup switches Logstash to run as root so that it can read log files (the alternative is to make the log files readable by the logstash user). On this node Logstash only receives events from Filebeat through the Beats input and never opens a log file itself, so root is not actually needed here; keeping the default logstash user is the safer choice.

vim /etc/logstash/startup.options
LS_USER=root
LS_GROUP=root

Regenerate the systemd unit from startup.options and restart:

/usr/share/logstash/bin/system-install
systemctl restart logstash
root@logstash-1:/etc/logstash# ps -ef | grep logstash
root      10431      1 99 20:34 ?        00:00:06 /usr/bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC

2. Connecting Logstash with Filebeat

https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html

https://www.elastic.co/guide/en/beats/filebeat/current/logstash-output.html

Filebeat configuration (the complete file). As configured here Filebeat talks to the Beats input in clear text; outside a lab, enable TLS on both ends (ssl => true with ssl_certificate and ssl_key on the beats input, and output.logstash.ssl.certificate_authorities in filebeat) so the log lines cannot be read or altered in transit.

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /usr/local/nginx/logs/access_json.log   # log file to collect
  fields:                                      # fields that tell the streams apart in Logstash and Kibana
    type: nginx-access-log
    host: 192.168.134.191
- type: log
  enabled: true
  fields:
    type: nginx-error-log
    host: 192.168.134.191
  paths:
    - /usr/local/nginx/logs/error.log
- type: log
  enabled: true
  fields:
    type: nginx-syslog
    host: 192.168.134.191
  paths:
    - /var/log/syslog
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
output.logstash:                               # send the collected logs to Logstash
  hosts: ["192.168.134.193:5044", "192.168.134.194:5045"]   # several Logstash nodes are supported
  loadbalance: true
  worker: 5

Logstash configuration

root@logstash-2:~# vim /etc/logstash/conf.d/log-redis.conf

The extract of this file in the original begins part-way through the first output block. The beats input and the opening lines of the nginx-access-log block below are reconstructed from the two parallel blocks that follow; the beats port is an assumption and must match this node's entry in filebeat's output.logstash.hosts (5044 for 192.168.134.193, 5045 for 192.168.134.194).

input {
  beats {
    port => 5044        # assumed; must match filebeat's hosts entry for this node
  }
}

output {
  if [fields][type] == "nginx-access-log" {
    redis {
      host => "192.168.134.194"
      port => "6379"
      db => "1"
      password => "123456"
      data_type => "list"
      key => "nginx-access-log-192"
      codec => "json"
    }
  }
  if [fields][type] == "nginx-error-log" {
    redis {
      host => "192.168.134.194"
      port => "6379"
      db => "1"
      password => "123456"
      data_type => "list"
      key => "nginx-error-log-192"
    }
  }
  if [fields][type] == "nginx-syslog" {
    redis {
      host => "192.168.134.194"
      port => "6379"
      db => "1"
      password => "123456"
      data_type => "list"
      key => "nginx-syslog-192"
    }
  }
}

Verify that the lists were written to redis (db 1 is selected in the prompt):

127.0.0.1:6379[1]> KEYS *
1) "nginx-error-log-192"
2) "nginx-syslog-192"
3) "nginx-access-log-192"

III. Log cache

Redis is used as the log cache.

Configure redis:

[root@linux-host2 redis]# grep "^[a-zA-Z]" redis.conf   # the settings that were changed
bind 0.0.0.0
protected-mode yes
port 6379
tcp-backlog 511
timeout 0
tcp-keepalive 300
daemonize yes
supervised no
pidfile /var/run/redis_6379.pid
loglevel notice
logfile ""
databases 16
requirepass 123456
save ""            # no RDB snapshots: this is a queue, not a store
rdbcompression no  # compress RDB files?
rdbchecksum no     # checksum RDB files?

Two things to tighten before this leaves the lab: bind 0.0.0.0 exposes redis on every interface, 123456 is a trivially guessable password, and both Logstash nodes send that password across the network in the clear. Bind the internal address, use a long random password (the same string goes into the redis input and output blocks), and do not count on protected-mode, which only applies when no password is set.


Check how many log entries are queued in redis. Each key is a list, so LLEN is the backlog; a number that keeps growing means the second Logstash is not draining it.

#!/usr/bin/env python
# coding: utf-8
import redis

def redis_conn():
    pool = redis.ConnectionPool(host="192.168.134.194", port=6379, db=1, password="123456")
    conn = redis.Redis(connection_pool=pool)
    for key in ("nginx-access-log-192", "nginx-error-log-192", "nginx-syslog-192"):
        print(key, conn.llen(key))

redis_conn()

IV. Log extraction and filtering

A second Logstash pulls the lists back out of redis and routes on [fields][type] when writing to Elasticsearch. Note that at this point the nginx access-log JSON is still a plain string in the message field: Filebeat read it as text and nothing in the pipeline below parses it. For Kibana to show clientip, status and the other fields as separate columns, add a json filter (json { source => "message" }) for the nginx-access-log events in this pipeline, or enable the log input's JSON decoding (json.keys_under_root) in filebeat.

input {
  redis {
    host => "192.168.134.194"
    port => "6379"
    db => "1"
    password => "123456"
    data_type => "list"
    key => "nginx-access-log-192"
    codec => "json"
  }
  redis {
    host => "192.168.134.194"
    port => "6379"
    db => "1"
    password => "123456"
    data_type => "list"
    key => "nginx-error-log-192"
  }
  redis {
    host => "192.168.134.194"
    port => "6379"
    db => "1"
    password => "123456"
    data_type => "list"
    key => "nginx-syslog-192"
  }
}

output {
  if [fields][type] == "nginx-access-log" {
    elasticsearch {
      hosts => ["192.168.134.199:9200"]
      index => "nginx-access-log-192-%{+YYYY.MM.dd}"
    }
  }
  if [fields][type] == "nginx-error-log" {
    elasticsearch {
      hosts => ["192.168.134.199:9200"]
      index => "nginx-error-log-192-%{+YYYY.MM.dd}"
    }
  }
  if [fields][type] == "nginx-syslog" {
    elasticsearch {
      hosts => ["192.168.134.199:9200"]
      index => "nginx-syslog-192-%{+YYYY.MM.dd}"
    }
  }
}

V. Displaying and searching logs with Elasticsearch and Kibana

Configure the Elasticsearch server

Package: elasticsearch-7.6.1-amd64.deb

root@elasticsearch-198:~# grep "^[a-zA-Z]" /etc/elasticsearch/elasticsearch.yml
cluster.name: elasticsearch-test
node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["192.168.134.199", "192.168.134.198"]
cluster.initial_master_nodes: ["192.168.134.199", "192.168.134.198"]
gateway.recover_after_nodes: 1
action.destructive_requires_name: true

Raise the memory-lock limit so that bootstrap.memory_lock: true can take effect, then copy the same configuration to the second node (with its own node.name):

vim /usr/lib/systemd/system/elasticsearch.service
LimitMEMLOCK=infinity   # let the JVM lock its heap in memory without limit

ss -nlt
LISTEN  0  128  *:9200  *:*
LISTEN  0  128  *:9300  *:*

Security note: with network.host: 0.0.0.0 and no xpack.security settings, both nodes answer unauthenticated requests on 9200, including the DELETE calls used by the cleanup script at the end of this article, so anyone who can reach 9200 or the haproxy VIP can read or drop any index. Keep 9200 and 9300 on an internal network and put authentication in front of the cluster before exposing it further.

Open the Elasticsearch service port (9200) in a browser to confirm the node answers (the original's screenshot is omitted).

Installing the elasticsearch head plugin

1. Run head from Docker

Since Elasticsearch 5.x, head can no longer be installed directly as an Elasticsearch plugin; it is started as a separate service instead. Source: https://github.com/mobz/elasticsearch-head

docker run -d -p 9100:9100 mobz/elasticsearch-head:5   # image for Elasticsearch 5.x

Modify the Elasticsearch configuration file and add:

http.cors.enabled: true       # allow cross-origin access
http.cors.allow-origin: "*"   # which origins are allowed

allow-origin "*" lets any web page a browser user happens to visit send requests to the cluster from that user's network position; once head works, narrow it to the origin head is served from (the host and port 9100 above).


Install and configure Kibana

Package: kibana-7.6.1-amd64.deb

root@elasticsearch-198:~# grep -n "^[a-zA-Z]" /etc/kibana/kibana.yml
2:server.port: 5601
7:server.host: "0.0.0.0"
28:elasticsearch.hosts: ["http://192.168.134.198:9200"]
115:i18n.locale: "zh-CN"

Kibana listens on all interfaces here and, like Elasticsearch, has no authentication configured, so it exposes every index to anyone who can reach port 5601.

Results are viewed in Kibana (the original's screenshots are omitted).

High availability

Install haproxy and keepalived. Only the configuration is shown; the complete HA lab setup is omitted. Two caveats about the files below: with vrrp_strict set, keepalived (when built with iptables support) adds iptables rules that drop traffic to the VIP, so if 192.168.134.200 does not answer once the MASTER is up, remove vrrp_strict. VRRP PASS authentication sends auth_pass in clear text on the LAN, and the haproxy stats page is protected only by a static password, so both belong on the management network.

keepalived configuration:

global_defs {
    notification_email {
        root@localhost
    }
    notification_email_from keepalived@localhost
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id ha1.example.com
    vrrp_skip_check_adv_addr
    vrrp_strict
    vrrp_garp_interval 0
    vrrp_gna_interval 0
    vrrp_mcast_group4 224.0.0.18
    #vrrp_iptables
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 80
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass stevenux
    }
    virtual_ipaddress {
        192.168.134.200 dev eth0 label eth0:0
    }
}
haproxy configuration:

listen stats
    mode http
    bind 0.0.0.0:9999
    stats enable
    log global
    stats uri /haproxy-status
    stats auth haadmin:stevenux

listen elasticsearch_elasticsearch
    mode http
    balance roundrobin
    bind 192.168.134.200:19200
    server 192.168.134.199 192.168.134.199:9200 check inter 3s fall 3 rise 5
    server 192.168.134.198 192.168.134.198:9200 check inter 3s fall 3 rise 5

listen elasticsearch_kibana
    mode http
    balance roundrobin
    bind 192.168.134.200:56001
    server 192.168.134.199 192.168.134.199:5601 check inter 3s fall 3 rise 5
    server 192.168.134.198 192.168.134.198:5601 check inter 3s fall 3 rise 5

How to delete surplus or expired indices

The index names are built as <prefix>-<date>, so the prefixes in the list must not carry a trailing hyphen of their own (the original list did, which produced names like nginx-syslog-192--2020.03.10 that match nothing). Because action.destructive_requires_name is set on the cluster, only explicit names like these can be deleted, never wildcards. The DELETE goes through the haproxy VIP without any authentication, which is one more reason to keep 19200 off untrusted networks.

#!/bin/bash
# Delete the daily indices from two days ago, one explicit name per prefix.
DATE=$(date -d "2 days ago" +%Y.%m.%d)
index="
nginx-syslog-192
nginx-error-log-192
nginx-access-log-192
"
for NAME in ${index}; do
  FULL_NAME="${NAME}-${DATE}"
  curl -XDELETE "http://192.168.134.200:19200/${FULL_NAME}"
done
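A retention sweep that generalises the script above, added here as an example and not part of the original article: instead of one fixed date it parses the -YYYY.MM.dd suffix Logstash writes, keeps the newest days for each of the page's three prefixes, catches days a missed cron run left behind, and only ever sends explicit index names, so it works with action.destructive_requires_name: true from elasticsearch.yml and cannot be turned into a wildcard delete. ES_URL (the haproxy VIP from the page) and RETENTION_DAYS are assumptions; the cluster is only contacted when --live is given.

```python
import re
import sys
from datetime import date, timedelta
from urllib.request import Request, urlopen

# Added example, not from the original page. Assumptions: the haproxy VIP
# below fronts the cluster as configured on the page, and daily indices
# RETENTION_DAYS old or older are no longer needed.
ES_URL = "http://192.168.134.200:19200"
PREFIXES = ("nginx-syslog-192", "nginx-error-log-192", "nginx-access-log-192")
RETENTION_DAYS = 2

# <prefix>-YYYY.MM.dd, the naming produced by index => "...-%{+YYYY.MM.dd}"
INDEX_RE = re.compile(r"^(?P<prefix>.+)-(?P<y>\d{4})\.(?P<m>\d{2})\.(?P<d>\d{2})$")


def index_date(name):
    """Date encoded in an index name, or None for names this sweep must leave
    alone (other prefixes such as .kibana_1, or an impossible date)."""
    m = INDEX_RE.match(name)
    if not m or m.group("prefix") not in PREFIXES:
        return None
    try:
        return date(int(m.group("y")), int(m.group("m")), int(m.group("d")))
    except ValueError:
        return None


def select_expired(names, today, retention_days=RETENTION_DAYS):
    """Names whose day is retention_days or more before today. The page's
    script deletes exactly today-2; this also picks up older leftovers."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    cutoff = today - timedelta(days=retention_days)
    expired = []
    for name in names:
        d = index_date(name)
        if d is not None and d <= cutoff:
            expired.append(name)
    return sorted(expired)


def delete_index(name, es_url=ES_URL):
    """DELETE one explicitly named index. Wildcards and _all are refused here
    as well, mirroring action.destructive_requires_name on the cluster."""
    if not name or name == "_all" or any(c in name for c in "*?,"):
        raise ValueError("refusing to delete %r: explicit index names only" % name)
    req = Request("%s/%s" % (es_url, name), method="DELETE")
    with urlopen(req, timeout=10) as resp:
        return resp.status


def list_indices(es_url=ES_URL):
    """Index names from the _cat/indices API."""
    with urlopen("%s/_cat/indices?h=index" % es_url, timeout=10) as resp:
        return resp.read().decode().split()


if __name__ == "__main__":
    # Constructed index names for an offline dry run; --live queries the cluster.
    sample = ["nginx-access-log-192-2020.03.08", "nginx-access-log-192-2020.03.10",
              "nginx-syslog-192-2020.03.07", ".kibana_1",
              "nginx-error-log-192-2020.03.09"]
    print("would delete:", select_expired(sample, "2020-03-10"))
    if "--live" in sys.argv:
        for name in select_expired(list_indices(), date.today()):
            print(name, delete_index(name))
```

The prefix whitelist is what keeps the sweep from touching .kibana_1 or any index another team creates with a similar date suffix; the wildcard check in delete_index is a second line of defence in case a name ever comes from somewhere other than list_indices.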

 
