Introduction
ELK is a platform for collecting and analysing logs. It ingests large volumes of log data and splits each record into fields. That serves two purposes: developers can browse the logs to locate problems, and the logs can be aggregated and visualised, exposing trends and distributions of key metrics that help avoid outages and guide decisions. ELK is a suite of products from Elastic (official site: https://www.elastic.co). The components used in this article are Elasticsearch, Logstash, Kibana and Filebeat (one of the Beats). The article covers building and deploying the cluster and a number of things to watch out for. I hope it is useful; corrections are welcome.
Environment
The logical architecture is as follows. Filebeat is the log-collection client and is installed on the machines that produce logs; it pushes the collected lines into a Redis list used as a message queue. Logstash pops the data from Redis, processes it (including splitting it into named fields) and writes it to the Elasticsearch cluster, which processes, shards and indexes it. Finally Kibana is the front end: it queries the ES cluster and analyses, aggregates and displays the data; the X-Pack plugin is used for some of the analysis and statistics (the real-time charts).
- All software in this article is from the 6.3 series (6.3.1 packages).
Filebeat deployment
Filebeat 部署
yum -y install epel-release
mkdir /data/soft -pv
cd /data/soft/
yum install wget vim -y
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.3.1-x86_64.rpm
yum install filebeat-6.3.1-x86_64.rpm -y
Collector configuration on the web host (written to /etc/filebeat/filebeat.yml, the file the filebeat service reads)
cat > /etc/filebeat/filebeat.yml <<"EOF"
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/crmwww-dev-access.log
    - /var/log/nginx/manager2018crm-dev-access.log
    - /var/log/nginx/hybrid-dev-access.log
    - /var/log/nginx/cfdwww-dev-access.log
    - /var/log/nginx/manager2018cfd-dev-access.log
    - /var/log/nginx/market2018cfd-dev-access.log
    - /var/log/nginx/api2018cfd-dev-access.log
  # Static fields added to every event so the logs can be grouped downstream.
  # fields_under_root: true places them at the top level of the event, so they
  # are referenced as project rather than fields.project.
  fields:
    project: cfds
    env: dev
    role: web
    logtype: access
    ip: 192.168.0.152
  fields_under_root: true
- type: log
  enabled: true
  paths:
    - /var/log/nginx/manager2018crm-dev-error.log
    - /var/log/nginx/manager2018cfd-dev-error.log
    - /var/log/nginx/market2018cfd-dev-error.log
    - /var/log/nginx/cfdwww-dev-error.log
    - /var/log/nginx/hybrid-dev-error.log
    - /var/log/nginx/crmwww-dev-error.log
    - /var/log/nginx/api2018cfd-dev-error.log
  fields:
    project: cfds
    env: dev
    role: web
    logtype: error
    ip: 192.168.0.152
  fields_under_root: true
# Ship events to the Redis list that Logstash reads from
output.redis:
  hosts: ["redis.glinux.top"]
  key: "cfds"
  db: 0
  password: "123456"
  timeout: 15
# To inspect what Filebeat produces, use the file output instead; events are
# written to /tmp/filebeat/filebeat
#output.file:
#  path: "/tmp/filebeat"
#  filename: filebeat
EOF
Collector configuration on the app host
cat > /etc/filebeat/filebeat.yml <<"EOF"
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /data/logs/crm/error/crm.log
  fields:
    project: cfds
    env: dev
    role: crm
    logtype: error
    ip: 192.168.0.155
  fields_under_root: true
  # Multiline handling: a line that does not start with a date belongs to the
  # previous record (stack trace) and is appended to it.
  multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: after
  multiline.timeout: 10s
- type: log
  enabled: true
  paths:
    - /data/logs/crm/info/crm.log
  fields:
    project: cfds
    env: dev
    role: crm
    logtype: info
    ip: 192.168.0.155
  fields_under_root: true
  multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: after
  multiline.timeout: 10s
output.redis:
  hosts: ["redis.glinux.top"]
  key: "cfds"
  db: 0
  password: "123456"
  timeout: 15
# To inspect what Filebeat produces, use the file output instead; events are
# written to /tmp/filebeat/filebeat
#output.file:
#  path: "/tmp/filebeat"
#  filename: filebeat
EOF
filebeat test config -c /etc/filebeat/filebeat.yml  # validate the configuration file
systemctl enable filebeat
systemctl restart filebeat
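The two settings above that most often surprise people are the `multiline.*` block (why a stack trace ends up inside the preceding ERROR event) and `fields_under_root` (why Logstash can test `[project]` rather than `[fields][project]`). The following Python script is an added example written for this article, not Filebeat code or the author's; it re-implements those two behaviours on a handful of constructed log lines so you can see exactly what the collector will hand to Redis. Function names and sample lines are mine.

```python
import re

# Constructed sample lines (not real data from the page): one ERROR record followed
# by a stack trace, then an INFO record. Only the two dated lines should start events.
SAMPLE_LINES = [
    "2018-07-10 10:15:32.001 ERROR [http-nio-8080-exec-3] com.example.crm.OrderService "
    "[OrderService.java:88] - lookup failed",
    "java.lang.NullPointerException: order id was null",
    "\tat com.example.crm.OrderService.find(OrderService.java:88)",
    "\tat com.example.crm.OrderController.get(OrderController.java:41)",
    "2018-07-10 10:15:33.500 INFO [main] com.example.crm.App [App.java:20] - started",
]

# Same expression as multiline.pattern in the Filebeat configuration above.
DATE_PREFIX = r"^[0-9]{4}-[0-9]{2}-[0-9]{2}"


def multiline_join(lines, pattern=DATE_PREFIX, negate=True, match="after"):
    """Group physical lines into events following Filebeat's multiline semantics.

    A line "matches" when the pattern hits; negate=True inverts that, so with the
    date-prefix pattern every line that does NOT start with a date is a match.
    match="after" appends matching lines to the previous event (stack traces);
    match="before" prepends them to the line that follows (e.g. trailing-backslash
    continuations). multiline.timeout is a flush timer for a live file and has no
    equivalent when reading a finished list, so it is not modelled here.
    """
    if isinstance(pattern, str):
        pattern = re.compile(pattern)
    events, current = [], []
    for line in lines:
        hit = bool(pattern.search(line))
        if negate:
            hit = not hit
        if match == "after":
            if hit and current:
                current.append(line)          # continuation of the previous event
            else:
                if current:
                    events.append("\n".join(current))
                current = [line]              # a new event starts here
        elif match == "before":
            current.append(line)
            if not hit:                       # the non-matching line closes the event
                events.append("\n".join(current))
                current = []
        else:
            raise ValueError("match must be 'after' or 'before'")
    if current:                               # flush whatever is left at end of input
        events.append("\n".join(current))
    return events


def build_event(message, fields, fields_under_root):
    """Attach the static `fields:` block to an event the way Filebeat does.

    With fields_under_root: true the keys land at the top level (event["project"]);
    with the default (false) they are nested under "fields", and Logstash would have
    to reference [fields][project] instead of [project] in its conditionals.
    """
    event = {"message": message}
    if fields_under_root:
        event.update(fields)
    else:
        event["fields"] = dict(fields)
    return event


if __name__ == "__main__":
    static = {"project": "cfds", "env": "dev", "role": "crm", "logtype": "error"}
    for ev in multiline_join(SAMPLE_LINES):
        doc = build_event(ev, static, fields_under_root=True)
        print(doc["project"], doc["logtype"], repr(doc["message"][:60]))
```

Run it once with `negate=False` to see why that flag is needed: without negation the dated lines themselves would be treated as continuations and the stack trace would be split into one event per line.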
Redis deployment
yum -y install epel-release
yum -y install redis
Configuration file
Only password authentication needs to be added. Two things the packaged default configuration does not handle for you: Redis must be reachable from the Filebeat hosts (the `bind` directive defaults to 127.0.0.1, so bind it to the internal interface only and firewall the port), and requirepass is the sole access control on a cleartext protocol, so use a strong secret rather than the placeholder below and keep the same value in the Filebeat and Logstash configurations.
cat >> /etc/redis.conf << "EOF"
requirepass "123456"
EOF
systemctl enable redis
systemctl start redis
Logstash deployment
yum -y install epel-release
mkdir /data/soft -pv
cd /data/soft/
yum install wget vim -y
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.3.1.rpm
yum install logstash-6.3.1.rpm -y
rpm -ql logstash  # list the installed files and paths
cat > /etc/profile.d/logstash.sh <<"EOF"
export PATH=/usr/share/logstash/bin/:$PATH
EOF
. /etc/profile.d/logstash.sh  # load the new PATH into the current shell
yum -y install java-1.8.0-openjdk  # Logstash needs a Java 8 runtime; install it before starting the service
Configuration file
cat > /etc/logstash/logstashserver.conf <<"EOF"
input {
  redis {
    host => "127.0.0.1"
    port => 6379
    password => "123456"
    data_type => "list"
    key => "ftms"
  }
  redis {
    host => "127.0.0.1"
    port => 6379
    password => "123456"
    data_type => "list"
    key => "cfds"
  }
}

filter {
  # Route on the fields Filebeat attached. This must be one if / else if chain:
  # with two independent ifs, web access events would also fall through to the
  # final else and be tagged _grokparsefailure by the Java pattern.
  # NGINXACCESS and NGINXERROR are not shipped in logstash-patterns-core; they
  # must be defined in a pattern file placed in the patterns_dir below.
  if [role] == "web" and [logtype] == "access" {
    grok {
      patterns_dir => ["/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-patterns-core-4.1.2/patterns"]
      match => ["message", "%{NGINXACCESS}"]
    }
  } else if [role] == "web" and [logtype] == "error" {
    grok {
      patterns_dir => ["/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-patterns-core-4.1.2/patterns"]
      match => ["message", "%{NGINXERROR}"]
    }
  } else {
    grok {
      patterns_dir => ["/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-patterns-core-4.1.2/patterns"]
      match => ["message", "%{TIMESTAMP_ISO8601:logdatetime} %{LOGLEVEL:level} \[%{DATA:thread}\] %{JAVACLASS:class} \[%{JAVAFILE:file}(?::%{NUMBER:line})?\] - %{GREEDYDATA:message}"]
      # Replace the raw line with the extracted text; without this, grok appends
      # and message becomes a two-element array.
      overwrite => ["message"]
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://192.168.30.36:9200", "http://192.168.30.37:9200", "http://192.168.30.38:9200"]
    index => "%{project}-%{env}-%{role}-%{logtype}-%{+YYYY.MM.dd}"
  }
}
EOF
logstash -f /etc/logstash/logstashserver.conf -t  # check the configuration for errors
systemctl enable logstash
systemctl restart logstash
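The filter block is the part of the pipeline worth testing before it sees production traffic, and two details decide whether the indices come out clean: the routing must be an if / else-if chain, and `%{GREEDYDATA:message}` must overwrite rather than append to the existing `message` field. The script below is an added example (mine, not Logstash code or the author's) that mirrors the filter in Python with regular expressions standing in for the grok patterns, runs it over constructed events, and builds the same index name the output block would. The nginx regexes assume the default combined access format and the standard error_log format, because NGINXACCESS/NGINXERROR are not part of logstash-patterns-core and the author's own pattern file is not on the page.

```python
import re
from datetime import datetime

# Regex stand-ins for the grok patterns. Assumption: nginx writes the default
# "combined" access format and the standard error_log format.
NGINX_ACCESS = re.compile(
    r'^(?P<clientip>\S+) - (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+) HTTP/(?P<httpversion>[\d.]+)" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)
NGINX_ERROR = re.compile(
    r'^(?P<timestamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<severity>\w+)\] '
    r'(?P<pid>\d+)#(?P<tid>\d+): (?P<errormessage>.*)$', re.S
)
# TIMESTAMP_ISO8601 LOGLEVEL [DATA] JAVACLASS [JAVAFILE(:NUMBER)?] - GREEDYDATA
JAVA_LOG = re.compile(
    r'^(?P<logdatetime>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?) (?P<level>[A-Z]+) '
    r'\[(?P<thread>[^\]]*)\] (?P<class>[\w.$]+) \[(?P<file>[^\]:]+)(?::(?P<line>\d+))?\] - '
    r'(?P<message>.*)$', re.S
)

# Constructed events as they would arrive from Redis (fields_under_root: true).
SAMPLE_EVENTS = [
    {"project": "cfds", "env": "dev", "role": "web", "logtype": "access", "ip": "192.168.0.152",
     "message": '10.0.0.7 - - [10/Jul/2018:10:15:32 +0800] "GET /api/orders?id=7 HTTP/1.1" '
                '200 512 "-" "curl/7.29.0"'},
    {"project": "cfds", "env": "dev", "role": "web", "logtype": "error", "ip": "192.168.0.152",
     "message": '2018/07/10 10:15:40 [error] 1234#0: *55 open() "/usr/share/nginx/html/x" '
                'failed (2: No such file or directory)'},
    {"project": "cfds", "env": "dev", "role": "crm", "logtype": "error", "ip": "192.168.0.155",
     "message": "2018-07-10 10:15:32.001 ERROR [http-nio-8080-exec-3] com.example.crm.OrderService "
                "[OrderService.java:88] - lookup failed\njava.lang.NullPointerException"},
]
SAMPLE_DAY = datetime(2018, 7, 10)  # stands in for @timestamp in %{+YYYY.MM.dd}


def grok(event, pattern, overwrite=()):
    """Apply one regex the way a grok filter does: add named captures, tag failures.

    Like grok, a capture named after an existing field is appended (the field becomes
    a list) unless that field is listed in `overwrite`, which is why the Logstash
    config needs overwrite => ["message"] next to %{GREEDYDATA:message}.
    """
    m = pattern.match(event["message"])
    if m is None:
        event.setdefault("tags", []).append("_grokparsefailure")
        return event
    for name, value in m.groupdict().items():
        if value is None:
            continue
        if name in event and name not in overwrite:
            old = event[name]
            event[name] = (old if isinstance(old, list) else [old]) + [value]
        else:
            event[name] = value
    return event


def filter_event(event):
    """Route on the Filebeat-added fields with a single if / elif / else chain."""
    role, logtype = event.get("role"), event.get("logtype")
    if role == "web" and logtype == "access":
        return grok(event, NGINX_ACCESS)
    elif role == "web" and logtype == "error":
        return grok(event, NGINX_ERROR)
    else:
        return grok(event, JAVA_LOG, overwrite=("message",))


def index_name(event, when):
    """Same layout as index => "%{project}-%{env}-%{role}-%{logtype}-%{+YYYY.MM.dd}"."""
    return (f"{event['project']}-{event['env']}-{event['role']}-{event['logtype']}-"
            f"{when.strftime('%Y.%m.%d')}")


def process(events, when):
    """Run every event through the filter and return (index, event) pairs."""
    out = []
    for ev in events:
        ev = filter_event(dict(ev))           # copy so the input list is untouched
        out.append((index_name(ev, when), ev))
    return out


if __name__ == "__main__":
    for idx, ev in process(SAMPLE_EVENTS, SAMPLE_DAY):
        print(idx, sorted(k for k in ev if k not in ("message", "project", "env", "role", "logtype", "ip")))
```

Feed a line that does not fit its pattern (for example a custom nginx `log_format`) and the event comes back with `tags: ["_grokparsefailure"]` and no extra fields; that tag is the first thing to look for in Kibana when expected fields are missing.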
Elasticsearch cluster deployment
yum install java-1.8.0-openjdk -y
yum -y install epel-release
mkdir /data/soft -pv
cd /data/soft/
yum install wget vim -y
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.3.1.rpm
yum install elasticsearch-6.3.1.rpm -y
rpm -ql elasticsearch
cat > /etc/profile.d/elasticsearch.sh <<"EOF"
export PATH=/usr/share/elasticsearch/bin/:$PATH
EOF
. /etc/profile.d/elasticsearch.sh
Configuration files
The three nodes share one configuration apart from node.name. Before starting the service, create /data/server/elasticsearch and make it owned by the elasticsearch user the RPM installs, or the node will refuse to start. network.host: 0.0.0.0 listens on every interface, and in 6.3 X-Pack security is not included in the free Basic licence, so the HTTP (9200) and transport (9300) ports are unauthenticated; restrict them with the firewall to the Logstash and Kibana hosts and the other cluster members. With three master-eligible nodes, discovery.zen.minimum_master_nodes must be 2 (a majority) to avoid split brain.
node1
cat > /etc/elasticsearch/elasticsearch.yml <<"EOF"
cluster.name: logs
node.name: node-36-2
#node.master: false
#node.data: true
path.data: /data/server/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
transport.tcp.port: 9300
discovery.zen.ping.unicast.hosts: ["192.168.30.36","192.168.30.37","192.168.30.38"]
discovery.zen.minimum_master_nodes: 2
EOF
node2
cat > /etc/elasticsearch/elasticsearch.yml <<"EOF"
cluster.name: logs
node.name: node-37-1
#node.master: false
#node.data: true
path.data: /data/server/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
transport.tcp.port: 9300
discovery.zen.ping.unicast.hosts: ["192.168.30.36","192.168.30.37","192.168.30.38"]
discovery.zen.minimum_master_nodes: 2
EOF
node3
cat > /etc/elasticsearch/elasticsearch.yml <<"EOF"
cluster.name: logs
node.name: node-38-3
#node.master: false
#node.data: true
path.data: /data/server/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
transport.tcp.port: 9300
discovery.zen.ping.unicast.hosts: ["192.168.30.36","192.168.30.37","192.168.30.38"]
discovery.zen.minimum_master_nodes: 2
EOF
systemctl enable elasticsearch
systemctl start elasticsearch
systemctl status elasticsearch
Check the cluster status (every node should be listed, one of them marked as master)
curl 'localhost:9200/_cat/nodes?v'
Kibana deployment
yum -y install epel-release
mkdir -pv /data/soft
cd /data/soft/
yum install wget vim -y
wget https://artifacts.elastic.co/downloads/kibana/kibana-6.3.1-x86_64.rpm
yum install kibana-6.3.1-x86_64.rpm -y
In 6.3 elasticsearch.url takes a single URL, so point it at a DNS name or load balancer in front of the cluster (escluster.glinux.top here) rather than at one node.
cat > /etc/kibana/kibana.yml <<"EOF"
server.host: "0.0.0.0"
elasticsearch.url: "http://escluster.glinux.top:9200"
EOF
systemctl enable kibana.service
systemctl start kibana.service
Port redirection: an unprivileged process (the service runs as the kibana user) cannot bind a port below 1024. Rather than running Kibana as root, redirect port 80 to 5601 with an iptables NAT rule. Keep in mind that the rule is not persisted across reboots, that PREROUTING only sees traffic arriving from other hosts (connections made on the Kibana box itself still have to use 5601), and that Kibana has no login of its own in this setup, so whoever can reach port 80 can query the ES cluster; limit access with the firewall. net.ipv4.ip_forward is only needed if the host also routes traffic for others; the REDIRECT target works without it.
cat >> /etc/sysctl.conf <<"EOF"
net.ipv4.ip_forward = 1
EOF
# reload
sysctl -p /etc/sysctl.conf
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 5601
Notes
Grok pattern matching
Splitting log lines with grok patterns is the critical step in the Logstash stage. Points to note:
- The patterns Logstash ships with live under /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-patterns-core-4.1.2/patterns; the path contains the plugin version and changes between releases. NGINXACCESS and NGINXERROR are not part of that bundle and have to be defined in a pattern file of your own in a directory listed in patterns_dir.
- Test each pattern against sample lines before deploying it. The fields a pattern extracts are what Kibana shows and what you can filter on; events the pattern fails to match are tagged _grokparsefailure, which is the first thing to check when fields are missing.
Adding Kibana index patterns
Indices speed up queries and separate projects. There are two kinds: Elasticsearch indices and Kibana index patterns.
1. For the ES indices, my approach is to have Filebeat attach fields to every log line as it collects it, for example:
   - project: cfds
   - env: dev
   - role: web
   - logtype: access
   - ip: 192.168.0.152
   Logstash then uses %{project}-%{env}-%{role}-%{logtype}-%{+YYYY.MM.dd} as the index name, so the logs are sorted into per-category, per-day indices when they are sent to the ES cluster.
2. A Kibana index pattern groups those ES indices together (for example cfds-dev-* covers every index for that project and environment).
X-Pack chart configuration
X-Pack is available on a trial licence (ways of circumventing the licence circulate online; they are not covered here). It aggregates and presents data by field in many visualisation types, updated in real time, and can be used for data mining and reporting. Below is an example dashboard I built.
References
- Filebeat configuration reference: https://www.elastic.co/guide/en/beats/filebeat/current/index.html
- Logstash configuration reference: https://www.elastic.co/guide/en/logstash/current/configuration.html
- ES cluster reference: https://www.jianshu.com/p/149a8da90bbc
- Checking cluster status: https://segmentfault.com/a/1190000010975383
- Logstash tuning: http://jaminzhang.github.io/elk/Logstash-Performance-Troubleshooting-Guide