目录
一、介绍
二、安装JDK
三、安装Elasticsearch
四、安装Logstash
五、安装Kibana
六、Kibana简单使用
系统环境:CentOS Linux release 7.4.1708 (Core)
当前问题状况
- 开发人员不能登录线上服务器查看详细日志。
- 各个系统都有日志,日志数据分散难以查找。
- 日志数据量大,查询速度慢,或者数据不够实时。
一、介绍
1、组成
ELK由Elasticsearch、Logstash和Kibana三部分组件组成;
Elasticsearch是个开源分布式搜索引擎,它的特点有:分布式,零配置,自动发现,索引自动分片,索引副本机制,restful风格接口,多数据源,自动搜索负载等。Logstash是一个完全开源的工具,它可以对你的日志进行收集、分析,并将其存储供以后使用kibana 是一个开源和免费的工具,它可以为 Logstash 和 ElasticSearch 提供的日志分析友好的 Web 界面,可以帮助您汇总、分析和搜索重要数据日志。
3、工作流程
在需要收集日志的所有服务上部署logstash,作为logstash agent(logstash shipper)用于监控并过滤收集日志,将过滤后的内容发送到Redis,然后logstash indexer将日志收集在一起交给全文搜索服务ElasticSearch,可以用ElasticSearch进行自定义搜索通过Kibana 来结合自定义搜索进行页面展示。
下面是在两台节点上都安装一下环境。
二、安装JDK
配置阿里源:wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo yum clean allyum makecacheLogstash的运行依赖于Java运行环境,Elasticsearch 要求至少 Java 7。[root@controller ~]# yum install java-1.8.0-openjdk -y[root@controller ~]# java -versionopenjdk version "1.8.0_151"OpenJDK Runtime Environment (build 1.8.0_151-b12)OpenJDK 64-Bit Server VM (build 25.151-b12, mixed mode)1、关闭防火墙systemctl stop firewalld.service #停止firewallsystemctl disable firewalld.service #禁止firewall开机启动2、关闭selinuxsed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/configsetenforce 0
三、安装Elasticsearch
基础环境安装(elk-node1和elk-node2同时操作)
1)下载并安装GPG Key[root@elk-node1 ~]# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch2)添加yum仓库[root@elk-node1 ~]# vim /etc/yum.repos.d/elasticsearch.repo[elasticsearch-2.x]name=Elasticsearch repository for 2.x packagesbaseurl=http://packages.elastic.co/elasticsearch/2.x/centosgpgcheck=1gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearchenabled=13)安装elasticsearch[root@elk-node1 ~]# yum install -y elasticsearch4)添加自启动chkconfig --add elasticsearch5)启动命令systemctl daemon-reloadsystemctl enable elasticsearch.service6)修改配置[root@elk-node1 ~]# cd /etc/elasticsearch/[root@elk-node1 elasticsearch]# lselasticsearch.yml logging.yml scripts[root@elk-node1 elasticsearch]# cp elasticsearch.yml{,.bak}[root@elk-node1 elasticsearch]# mkdir -p /data/es-data[root@elk-node1 elasticsearch]# vim elasticsearch.yml[root@elk-node1 elasticsearch]# grep '^[a-z]' elasticsearch.ymlcluster.name: hejianlai //集群名称node.name: elk-node1 //节点名称path.data: /data/es-data //数据存放目录path.logs: /var/log/elasticsearch/ //日志存放目录bootstrap.memory_lock: true //打开内存network.host: 0.0.0.0 //监听网络http.port: 9200 //端口discovery.zen.ping.multicast.enabled: false //改为单播discovery.zen.ping.unicast.hosts: ["192.168.247.135", "192.168.247.133"][root@elk-node1 elasticsearch]# systemctl start elasticsearchYou have new mail in /var/spool/mail/root[root@elk-node1 elasticsearch]# systemctl status elasticsearch● elasticsearch.service - Elasticsearch Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; disabled; vendor preset: disabled) Active: failed (Result: exit-code) since Thu 2018-07-12 22:00:47 CST; 9s ago Docs: http://www.elastic.co Process: 22333 ExecStart=/usr/share/elasticsearch/bin/elasticsearch -Des.pidfile=${PID_DIR}/elasticsearch.pid -Des.default.path.home=${ES_HOME} -Des.default.path.logs=${LOG_DIR} -Des.default.path.data=${DATA_DIR} -Des.default.path.conf=${CONF_DIR} (code=exited, status=1/FAILURE) Process: 22331 ExecStartPre=/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec (code=exited, status=0/SUCCESS) Main PID: 22333 (code=exited, status=1/FAILURE)Jul 12 22:00:47 elk-node1 elasticsearch[22333]: at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)Jul 12 22:00:47 elk-node1 elasticsearch[22333]: at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)Jul 12 22:00:47 elk-node1 elasticsearch[22333]: at sun.nio.fs.UnixFileSystemProvider.createDirectory(UnixFileSystemProvider.java:384)Jul 12 22:00:47 elk-node1 elasticsearch[22333]: at java.nio.file.Files.createDirectory(Files.java:674)Jul 12 22:00:47 elk-node1 elasticsearch[22333]: at java.nio.file.Files.createAndCheckIsDirectory(Files.java:781)Jul 12 22:00:47 elk-node1 elasticsearch[22333]: at java.nio.file.Files.createDirectories(Files.java:767)Jul 12 22:00:47 elk-node1 elasticsearch[22333]: at org.elasticsearch.bootstrap.Security.ensureDirectoryExists(Security.java:337)Jul 12 22:00:47 elk-node1 systemd[1]: elasticsearch.service: main process exited, code=exited, status=1/FAILUREJul 12 22:00:47 elk-node1 systemd[1]: Unit elasticsearch.service entered failed state.Jul 12 22:00:47 elk-node1 systemd[1]: elasticsearch.service failed.[root@elk-node1 elasticsearch]# cd /var/log/elasticsearch/[root@elk-node1 elasticsearch]# lltotal 4-rw-r--r-- 1 elasticsearch elasticsearch 0 Jul 12 22:00 hejianlai_deprecation.log-rw-r--r-- 1 elasticsearch elasticsearch 0 Jul 12 22:00 hejianlai_index_indexing_slowlog.log-rw-r--r-- 1 elasticsearch elasticsearch 0 Jul 12 22:00 hejianlai_index_search_slowlog.log-rw-r--r-- 1 elasticsearch elasticsearch 2232 Jul 12 22:00 hejianlai.log[root@elk-node1 elasticsearch]# tail hejianlai.log at sun.nio.fs.UnixException.translateToIOException(UnixException.java:84) at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102) at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107) at sun.nio.fs.UnixFileSystemProvider.createDirectory(UnixFileSystemProvider.java:384) at java.nio.file.Files.createDirectory(Files.java:674) at java.nio.file.Files.createAndCheckIsDirectory(Files.java:781) at java.nio.file.Files.createDirectories(Files.java:767) at org.elasticsearch.bootstrap.Security.ensureDirectoryExists(Security.java:337) at org.elasticsearch.bootstrap.Security.addPath(Security.java:314) ... 7 more[root@elk-node1 elasticsearch]# less hejianlai.log You have new mail in /var/spool/mail/root[root@elk-node1 elasticsearch]# grep elas /etc/passwdelasticsearch:x:991:988:elasticsearch user:/home/elasticsearch:/sbin/nologin#报错/data/es-data没权限,赋权限即可[root@elk-node1 elasticsearch]# chown -R elasticsearch:elasticsearch /data/es-data/[root@elk-node1 elasticsearch]# systemctl start elasticsearch[root@elk-node1 elasticsearch]# systemctl status elasticsearch● elasticsearch.service - Elasticsearch Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; disabled; vendor preset: disabled) Active: active (running) since Thu 2018-07-12 22:03:28 CST; 4s ago Docs: http://www.elastic.co Process: 22398 ExecStartPre=/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec (code=exited, status=0/SUCCESS) Main PID: 22400 (java) CGroup: /system.slice/elasticsearch.service └─22400 /bin/java -Xms256m -Xmx1g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMe...Jul 12 22:03:29 elk-node1 elasticsearch[22400]: [2018-07-12 22:03:29,739][WARN ][bootstrap ] If you are logged in interactively, you will have to re-login for the new limits to take effect.Jul 12 22:03:29 elk-node1 elasticsearch[22400]: [2018-07-12 22:03:29,899][INFO ][node ] [elk-node1] version[2.4.6], pid[22400], build[5376dca/2017-07-18T12:17:44Z]Jul 12 22:03:29 elk-node1 elasticsearch[22400]: [2018-07-12 22:03:29,899][INFO ][node ] [elk-node1] initializing ...Jul 12 22:03:30 elk-node1 elasticsearch[22400]: [2018-07-12 22:03:30,644][INFO ][plugins ] [elk-node1] modules [reindex, lang-expression, lang-groovy], plugins [], sites []Jul 12 22:03:30 elk-node1 elasticsearch[22400]: [2018-07-12 22:03:30,845][INFO ][env ] [elk-node1] using [1] data paths, mounts [[/ (rootfs)]], net usable_space [1.7gb], n...types [rootfs]Jul 12 22:03:30 elk-node1 elasticsearch[22400]: [2018-07-12 22:03:30,845][INFO ][env ] [elk-node1] heap size [1007.3mb], compressed ordinary object pointers [true]Jul 12 22:03:33 elk-node1 elasticsearch[22400]: [2018-07-12 22:03:33,149][INFO ][node ] [elk-node1] initializedJul 12 22:03:33 elk-node1 elasticsearch[22400]: [2018-07-12 22:03:33,149][INFO ][node ] [elk-node1] starting ...Jul 12 22:03:33 elk-node1 elasticsearch[22400]: [2018-07-12 22:03:33,333][INFO ][transport ] [elk-node1] publish_address {192.168.247.135:9300}, bound_addresses {[::]:9300}Jul 12 22:03:33 elk-node1 elasticsearch[22400]: [2018-07-12 22:03:33,345][INFO ][discovery ] [elk-node1] hejianlai/iUUTEKhyTxyL78aGtrrBOwHint: Some lines were ellipsized, use -l to show in full. 访问地址:http://192.168.247.135:9200/
安装ES插件
#统计索引数[root@elk-node1 ~]# curl -i -XGET 'http://192.168.247.135:9200/_count?pretty' -d '> "query": {> "match_all":{}> }'HTTP/1.1 200 OKContent-Type: application/json; charset=UTF-8Content-Length: 95{ "count" : 0, "_shards" : { "total" : 0, "successful" : 0, "failed" : 0 }}#es插件,收费的不建议使用(这个不安装)[root@elk-node1 bin]# /usr/share/elasticsearch/bin/plugin install marvel-agent#安装开源的elasticsearch-head插件[root@elk-node1 bin]# /usr/share/elasticsearch/bin/plugin install mobz/elasticsearch-head-> Installing mobz/elasticsearch-head...Trying https://github.com/mobz/elasticsearch-head/archive/master.zip ...Downloading ...........................................................................................................................................DONEVerifying https://github.com/mobz/elasticsearch-head/archive/master.zip checksums if available ...NOTE: Unable to verify checksum for downloaded plugin (unable to find .sha1 or .md5 file to verify) 访问地址:http://192.168.247.135:9200/_plugin/head/
使用POST方法创建查询
使用GET方法查询数据
基本查询
elk-node2配置
[root@elk-node2 elasticsearch]# grep '^[a-z]' /etc/elasticsearch/elasticsearch.yml cluster.name: hejianlainode.name: elk-node2path.data: /data/es-datapath.logs: /var/log/elasticsearch/bootstrap.memory_lock: truenetwork.host: 0.0.0.0http.port: 9200discovery.zen.ping.multicast.enabled: falsediscovery.zen.ping.unicast.hosts: ["192.168.247.135", "192.168.247.133"]
在构建Elasticsearch(ES)多节点集群的时候,通常情况下只需要将elasticsearch.yml中的cluster.name设置成相同即可,ES会自动匹配并构成集群。但是很多时候可能由于不同的节点在不同的网段下,导致无法自动获取集群。此时可以将启用单播,显式指定节点的发现。具体做法是在elasticsearch.yml文件中设置如下两个参数:
discovery.zen.ping.multicast.enabled: falsediscovery.zen.ping.unicast.hosts: ["192.168.247.135", "192.168.247.133"]
重启elk-node1,并开启elk-node2,访问:192.168.247.135:9200/_plugin/head/
安装监控kopf
[root@elk-node1 ~]# /usr/share/elasticsearch/bin/plugin install lmenezes/elasticsearch-kopf-> Installing lmenezes/elasticsearch-kopf...Trying https://github.com/lmenezes/elasticsearch-kopf/archive/master.zip ...Downloading .........................................................................................................................DONEVerifying https://github.com/lmenezes/elasticsearch-kopf/archive/master.zip checksums if available ...NOTE: Unable to verify checksum for downloaded plugin (unable to find .sha1 or .md5 file to verify)Installed kopf into /usr/share/elasticsearch/plugins/kopf
访问地址:http://192.168.247.135:9200/_plugin/kopf/#!/cluster
四、安装Logstash(客户端即需要收集日志的机子,ES节点上都要安装)
官方文档地址:
1)下载并安装GPG Key[root@elk-node1 ~]# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch2)添加yum仓库[root@elk-node1 ~]# vim /etc/yum.repos.d/logstash.repo[logstash-2.1]name=Logstash repository for 2.1.x packagesbaseurl=http://packages.elastic.co/logstash/2.1/centosgpgcheck=1gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearchenabled=13)安装logstash[root@elk-node1 ~]# yum install -y logstash4)测试数据#简单的输入输出[root@elk-node1 ~]# /opt/logstash/bin/logstash -e 'input { stdin{} } output { stdout{} }'Settings: Default filter workers: 1Logstash startup completedhello world2018-07-13T00:54:34.497Z elk-node1 hello worldhi hejianlai2018-07-13T00:54:44.453Z elk-node1 hi hejianlai来宾张家辉2018-07-13T00:55:35.278Z elk-node1 来宾张家辉^CSIGINT received. Shutting down the pipeline. {:level=>:warn}Logstash shutdown completed#可以使用rubydebug详细输出[root@elk-node1 ~]# /opt/logstash/bin/logstash -e 'input { stdin{} } output { stdout{ codec => rubydebug } }'Settings: Default filter workers: 1Logstash startup completedmimi{ "message" => "mimi", "@version" => "1", "@timestamp" => "2018-07-13T00:58:59.980Z", "host" => "elk-node1"}#内容写进elasticsearch中[root@elk-node1 ~]# /opt/logstash/bin/logstash -e 'input { stdin{} } output { elasticsearch{hosts=>["192.168.247.135"]} }'Settings: Default filter workers: 1Logstash startup completedI love you1232hejianlai渣渣辉^CSIGINT received. Shutting down the pipeline. {:level=>:warn}Logstash shutdown completed[root@elk-node1 ~]# /opt/logstash/bin/logstash -e 'input { stdin{} } output { elasticsearch { hosts => ["192.168.247.135:9200"]} stdout{ codec => rubydebug}}'Settings: Default filter workers: 1Logstash startup completed广州{ "message" => "广州", "@version" => "1", "@timestamp" => "2018-07-13T02:17:40.800Z", "host" => "elk-node1"}hehehehehehehe{ "message" => "hehehehehehehe", "@version" => "1", "@timestamp" => "2018-07-13T02:17:49.400Z", "host" => "elk-node1"} 
logstash日志收集配置文件编写
#交换式输入信息[root@elk-node1 ~]# cat /etc/logstash/conf.d/logstash-01.confinput { stdin { } }output { elasticsearch { hosts => ["192.168.247.135:9200"]} stdout { codec => rubydebug }}执行命令[root@elk-node1 ~]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/logstash-01.conf Settings: Default filter workers: 1Logstash startup completedl o v e{ "message" => "l o v e", "@version" => "1", "@timestamp" => "2018-07-13T02:37:42.670Z", "host" => "elk-node1"}地久梁朝伟{ "message" => "地久梁朝伟", "@version" => "1", "@timestamp" => "2018-07-13T02:38:20.049Z", "host" => "elk-node1"}#收集系统日志[root@elk-node1 conf.d]# cat /etc/logstash/conf.d/systemlog.conf input{ file { path => "/var/log/messages" type => "sysstem" start_position => "beginning" }}output{ elasticsearch{ hosts => ["192.168.247.135:9200"] index => "systemlog-%{+YYYY.MM.dd}" }}#放在后台执行[root@elk-node1 conf.d]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/systemlog.conf & 
收集elk错误日志配置文件编写
[root@elk-node1 ~]# cat /etc/logstash/conf.d/elk_log.conf input { file { path => "/var/log/messages" type => "system" start_position => "beginning" }}input { file { path => "/var/log/elasticsearch/hejianlai.log" type => "es-error" start_position => "beginning" codec => multiline { pattern => "^\[" //正则匹配[开头的为一个事件 negate => true what => "previous" } }}output { if [type] == "system"{ elasticsearch { hosts => ["192.168.247.135:9200"] index => "systemlog-%{+YYYY.MM.dd}" } } if [type] == "es-error"{ elasticsearch { hosts => ["192.168.247.135:9200"] index => "es-error-%{+YYYY.MM.dd}" } }}#放入后台运行[root@elk-node1 ~]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/elk_log.conf &[1] 28574You have new mail in /var/spool/mail/root[root@elk-node1 ~]# Settings: Default filter workers: 1Logstash startup completed 
五、安装Kibana
官方下载地址:https://www.elastic.co/downloads/kibana
官方最新的版本出来了6.3.1太新了,下载后出现很多坑后来就下了4.3.1的·先用着吧~~~
1)kibana的安装:[root@elk-node1 local]# cd /usr/local/[root@elk-node1 local]# wget https://artifacts.elastic.co/downloads/kibana/kibana-4.3.1-linux-x64.tar.gz[root@elk-node1 local]# tar -xf kibana-4.3.1-linux-x64.tar.gz[root@elk-node1 local]# ln -s /usr/local/kibana-4.3.1-linux-x64 /usr/local/kibana[root@elk-node1 local]# cd kibana[root@elk-node1 kibana]# lsbin config installedPlugins LICENSE.txt node node_modules optimize package.json README.txt src webpackShims2)修改配置文件:[root@elk-node1 kibana]# cd config/[root@elk-node1 config]# pwd/usr/local/kibana/config[root@elk-node1 config]# vim kibana.ymlYou have new mail in /var/spool/mail/root[root@elk-node1 config]# grep -Ev "^#|^$" kibana.ymlserver.port: 5601server.host: "0.0.0.0"elasticsearch.url: "http://192.168.247.135:9200"kibana.index: ".kibana"3)screen是一个全屏窗口管理器,它在几个进程(通常是交互式shell)之间复用物理终端。每个虚拟终端提供DEC VT100的功能。[root@elk-node1 local]# yum install -y screen4)启动screen命令后运行kibana最后按ctrl+a+d组合键让其在单独的窗口里运行。[root@elk-node1 config]# screen[root@elk-node1 config]# /usr/local/kibana/bin/kibana log [02:23:34.148] [info][status][plugin:kibana@6.3.1] Status changed from uninitialized to green - Ready log [02:23:34.213] [info][status][plugin:elasticsearch@6.3.1] Status changed from uninitialized to yellow - Waiting for Elasticsearch log [02:23:34.216] [info][status][plugin:xpack_main@6.3.1] Status changed from uninitialized to yellow - Waiting for Elasticsearch log [02:23:34.221] [info][status][plugin:searchprofiler@6.3.1] Status changed from uninitialized to yellow - Waiting for Elasticsearch log [02:23:34.224] [info][status][plugin:ml@6.3.1] Status changed from uninitialized to yellow - Waiting for Elasticsearch[root@elk-node1 config]# screen -lsThere are screens on: 29696.pts-0.elk-node1 (Detached)[root@elk-node1 kibana]# /usr/local/kibana/bin/kibana log [11:25:37.557] [info][status][plugin:kibana] Status changed from uninitialized to green - Ready log [11:25:37.585] [info][status][plugin:elasticsearch] Status changed from uninitialized to yellow - Waiting for Elasticsearch log [11:25:37.600] [info][status][plugin:kbn_vislib_vis_types] Status changed from uninitialized to green - Ready log [11:25:37.602] [info][status][plugin:markdown_vis] Status changed from uninitialized to green - Ready log [11:25:37.604] [info][status][plugin:metric_vis] Status changed from uninitialized to green - Ready log [11:25:37.606] [info][status][plugin:spyModes] Status changed from uninitialized to green - Ready log [11:25:37.608] [info][status][plugin:statusPage] Status changed from uninitialized to green - Ready log [11:25:37.612] [info][status][plugin:table_vis] Status changed from uninitialized to green - Ready log [11:25:37.647] [info][listening] Server running at http://0.0.0.0:5601
六、kibana简单使用
访问kibana地址:http://192.168.247.135:5601
第一次登录我们创建一个elk的es-error索引
添加message和path字段
运用搜索栏功能,我们搜soft关键字
我们在添加之前写的systemlog索引
*为正则匹配
好啦~~到此为止ELK日志平台搭建基本搞掂,,,,累得一笔,,后续可以根据需求编写好需要监控的应用文件添加到kibana上即可。