此實戰方案以 Elk 5.5.2 版本爲準,分佈式日誌將如下圖分佈進行安裝部署以及配置。html
當Elk需監控應用日誌時,需在應用部署所在的服務器中,安裝Filebeat日誌採集工具,日誌採集工具經過配置,採集本地日誌文件,將日誌消息傳輸到Kafka集羣,node
咱們可部署日誌中間服務器,安裝Logstash日誌採集工具,Logstash直接消費Kafka的日誌消息,並將日誌數據推送到Elasticsearch中,而且經過Kibana對日誌數據進行展現。linux
2、ELK安裝部署開始bootstrap
你們安裝部署以前,可先參考官方文檔進行部署。(官方參考文檔地址可點擊一下超連接)vim
注:Elasticsearch 6.4.0 默認安裝了x-pack 安全插件,該插件受權 30天試用。(如過時,則自行選擇購買,或者破解,本方案不提供破解方案)安全
Elasticsearch 6.4.0 Kibana 6.4.0 Logstash 6.4.0 Filebeat 6.4.0bash
一、安裝 Elasticsearch 服務器
1.一、下載安裝Elasticsearch 6.4.0app
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.4.0.tar.gz wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.4.0.tar.gz.sha512 # 當shasum命令不存在時,可執行命令安裝 yum install perl-Digest-SHA shasum -a 512 -c elasticsearch-6.4.0.tar.gz.sha512 tar -xzf elasticsearch-6.4.0.tar.gz cd elasticsearch-6.4.0/
2.一、配置Elasticsearch 集羣cors
2.1.1 配置服務器hosts
因爲模擬生產環境,提高計算能力,跨主機集羣配置爲優選
#1.配置集羣以前先配置每臺節點主機hosts,下圖以測試環境爲例:
配置 es-node1 和 es-node2 兩臺主機名稱, es-node1爲本機主機 ,如若增長主機節點,可配置es-node3 …,elasticsearch可配置上千節點做爲集羣服務節點
vi /etc/hosts 10.240.37.56 es-node1 10.240.37.57 es-node2 10.240.37.58 es-node3
2.1.2 配置Elasticsearch
A.配置es-node1節點集羣配置,以下配置 node.master:true 表示爲主節點,node.data:true 表示主節點也做爲數據節點
[root@10-240-37-56 elasticsearch-6.4.0]# grep ^[a-z] config/elasticsearch.yml cluster.name: my_es_cluster node.name: es-node1 path.data: /data/elk/data/ path.logs: /data/elk/logs network.host: 0.0.0.0 http.port: 9200 transport.tcp.port: 9300 discovery.zen.ping.unicast.hosts: ["10.240.37.56", "10.240.37.57"] http.cors.enabled: true http.cors.allow-origin: "*" node.master: true node.data: true
B.配置es-node2節點集羣配置
[root@10-240-37-57 elasticsearch-6.4.0]# grep ^[a-z] config/elasticsearch.yml cluster.name: my_es_cluster node.name: es-node2 path.data: /data/elk/data path.logs: /data/elk/logs network.host: 0.0.0.0 transport.tcp.port: 9300 transport.tcp.compress: true http.port: 9200 discovery.zen.ping.unicast.hosts: ["10.240.37.56", "10.240.37.57"] http.cors.enabled: true http.cors.allow-origin: "*" node.master: false node.data: true
C.配置es-node3節點集羣配置
[root@10-240-37-58 elasticsearch-6.4.0]# grep ^[a-z] config/elasticsearch.yml cluster.name: my_es_cluster node.name: es-node3 path.data: /data/elk/data path.logs: /data/elk/logs network.host: 0.0.0.0 transport.tcp.port: 9300 transport.tcp.compress: true http.port: 9200 discovery.zen.ping.unicast.hosts: ["10.240.37.56", "10.240.37.57","10.240.37.58"] http.cors.enabled: true http.cors.allow-origin: "*" node.master: false node.data: true
2.1.3 啓動elasticsearch
A.啓動elasticsearch服務以前,需先配置es用戶組和es用戶(因爲es安全因素)
[root@10-240-37-58 app]# groupadd es #增長es組
[root@10-240-37-58 app]# useradd es -g es -p pwd #增長es用戶並附加到es組
[root@10-240-37-58 app]# chown -R es:es elasticsearch-6.4.0 #分配es目錄訪問權限
[root@10-240-37-58 app]#chown -R es:es /data/elk/
[root@10-240-37-58 app]# su es #切換es用戶
[es@10-240-37-58 app]$ ./elasticsearch-6.4.0/bin/elasticsearch & 啓動命令
C.第一次啓動將遇到問題
ERROR: [2] bootstrap checks failed
[1]: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536]
#切換到root用戶修改 vi /etc/security/limits.conf #在最後面追加 es hard nofile 65536 es soft nofile 65536 #修改後從新登陸es帳號,使用命令查看上面設置是否成功,結果爲65536則成功 ulimit -Hn
[2]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
#切換到root用戶 vi /etc/sysctl.conf #在最後追加 vm.max_map_count=262144 #使用 sysctl -p 查看修改結果 sysctl -p
[3]、system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk
緣由: 這是在由於Centos6不支持SecComp,而ES5.2.0默認bootstrap.system_call_filter爲true進行檢測,因此致使檢測失敗,失敗後直接致使ES不能啓動。 解決: 在elasticsearch.yml中配置bootstrap.system_call_filter爲false,注意要在Memory下面: bootstrap.memory_lock: false bootstrap.system_call_filter: false
實例配置:
[root@10-240-37-58 bin]# grep ^[a-z] ../config/elasticsearch.yml cluster.name: my_es_cluster node.name: es-node3 path.data: /data/elk/data path.logs: /data/elk/logs bootstrap.memory_lock: false bootstrap.system_call_filter: false network.host: 0.0.0.0 transport.tcp.port: 9300 transport.tcp.compress: true http.port: 9200 discovery.zen.ping.unicast.hosts: ["10.240.37.56", "10.240.37.57","10.240.37.58"] http.cors.enabled: true http.cors.allow-origin: "*" node.master: false node.data: true
D.解決以上問題,則先啓動 數據節點,最後啓動主節點
cd /data/ops/app/elasticsearch-6.4.0 ./bin/elasticsearch
F.當全部節點啓動成功後,在主節點服務器執行如下curl命令,以下圖所示,標識Elasticsearch集羣啓動成功。
[root@10-240-37-56 ~]# curl http://10.240.37.56:9200/_nodes/process?pretty
{
"_nodes" : {
"total" : 3,
"successful" : 3,
"failed" : 0
},
二、安裝 Kibana
2.1 下載安裝Kibana
wget https://artifacts.elastic.co/downloads/kibana/kibana-6.4.0-linux-x86_64.tar.gz tar -xzf kibana-6.4.0-linux-x86_64.tar.gz mv kibana-6.4.0-linux-x86_64/ kibana-6.4.0 cd kibana-6.4.0/
2.2 配置kibana
vim config/kibana.yml server.host: "10.240.37.56"
2.3 啓動kibana
/data/ops/app/kibana-6.4.0-linux-x86_64/bin/kibana &
2.4 訪問kibana,以下圖所示,表示啓動成功
http://10.240.37.56:5601/app/kibana
三、安裝 Logstash 與 Filebeat
3.1 下載安裝Logstash和Filebeat
# Logstash wget https://artifacts.elastic.co/downloads/logstash/logstash-6.4.0.tar.gz tar -xzf logstash-6.4.0.tar.gz cd logstash-6.4.0 # Filebeat wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.4.0-linux-x86_64.tar.gz tar -xzf filebeat-6.4.0-linux-x86_64.tar.gz mv filebeat-6.4.0-linux-x86_64 filebeat-6.4.0 cd filebeat-6.4.0
3.2 配置Logstash、Filebeat 最新版引入module的概念,具體查看官方文檔
官方參考地址:https://www.elastic.co/guide/en/logstash/6.4/advanced-pipeline.html
# Logstash-test.yml
cd logstash-6.4.0
vi logstash_test.conf
input{
file {
path => "/var/log/vsftpd.log"
type => "ftp-log-226"
start_position => "beginning"
stat_interval => "2"
}
}
output{
if [type] == "ftp-log-226" {
elasticsearch {
hosts => ["10.240.37.56:9200"]
index => "ftp-meizi-%{+YYYY.MM.dd}"
}
}
}
3.3 啓動Logstash、Filebeat
#後臺啓動 filebeat nohup ./filebeat -c ./filebeat.yml & #啓動Logstash nohup ./bin/logstash -f logstash-test.conf &