# Environment: CentOS 7.4, ELK 6, single node
# Server side:
#   Logstash      - collect and filter
#   Elasticsearch - store and index the logs
#   Kibana        - visualisation
# Client side:
#   filebeat      - watches log files and forwards them (runs as the agent)
# Flow: filebeat --> Logstash --> Elasticsearch --> Kibana
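# --- Kernel / process limits --------------------------------------------------
# Elasticsearch's bootstrap checks require nofile >= 65536 and
# vm.max_map_count >= 262144; raise both system-wide.
# NOTE: the file is limits.conf (plural). The original wrote limit.conf, which
# pam_limits never reads, so the nofile/nproc settings silently did nothing.
# (pam_limits applies to login sessions; the packaged elasticsearch.service
# presumably sets its own LimitNOFILE, so this mostly matters for anything
# started by hand -- confirm with `systemctl show elasticsearch -p LimitNOFILE`.)
cat <<'EOF' >> /etc/security/limits.conf
* hard nofile 65536
* soft nofile 65536
* soft nproc 65536
* hard nproc 65536
EOF
# mmap count for Lucene, larger listen backlog for ES/Logstash/Kibana.
# net.ipv4.ip_forward was dropped: nothing in this stack routes packets, and
# enabling forwarding turns the log host into a router for whatever can reach it.
cat <<'EOF' >> /etc/sysctl.conf
vm.max_map_count = 262144
net.core.somaxconn = 65535
EOF
sysctl -p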
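# --- SELinux / firewall -------------------------------------------------------
# Put SELinux in permissive mode instead of disabling it: denials are still
# logged (useful when a path in elasticsearch.yml is wrong) but nothing is
# blocked.  The original also rewrote SELINUXTYPE=disabled; "disabled" is not a
# policy name (targeted/minimum/mls are), and an invalid SELINUXTYPE can leave
# the box unbootable if SELINUX= is ever switched back on.
sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
grep --color=auto '^SELINUX' /etc/selinux/config
setenforce 0
# Keep firewalld running and open only what remote clients need.  Elasticsearch
# 6 (basic licence) has no authentication, so 9200/9300 must NOT be reachable
# from the network; Kibana (5601) and the Beats input (5044) are the only
# listeners that remote hosts talk to.  If Elasticsearch ends up on a separate
# host, add 9200 with a --add-rich-rule restricted to that host's address.
systemctl enable firewalld.service
systemctl start firewalld.service
firewall-cmd --permanent --add-port=5601/tcp   # Kibana UI
firewall-cmd --permanent --add-port=5044/tcp   # Logstash beats input (filebeat -> logstash)
firewall-cmd --reload
firewall-cmd --state
firewall-cmd --list-ports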
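# --- Elastic 6.x yum repository -----------------------------------------------
# The original stanza set gpgcheck=1 but had neither baseurl nor gpgkey, so yum
# could not use the repo at all.  Import the Elastic signing key first so every
# package is verified against it; do not "fix" this by setting gpgcheck=0.
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
cat <<'EOF' > /etc/yum.repos.d/elk.repo
[elk-6]
name=elk-6
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
EOF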
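# --- Install the server components --------------------------------------------
# (the original had a bare heading line here, which the shell would try to run
# as a command).  Java 8 is the runtime ES and Logstash 6 need.  All three
# Elastic packages come from the elk-6 repo above; pin explicit versions
# (e.g. elasticsearch-6.x.y) if the build has to be reproducible.
yum install -y java-1.8.0-openjdk
yum install -y elasticsearch logstash kibana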
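# --- Elasticsearch ------------------------------------------------------------
cp /etc/elasticsearch/elasticsearch.yml{,.bak}
# Single-node cluster.  network.host is the node's LAN address rather than
# 0.0.0.0: ES 6 basic has no authentication, and binding every interface hands
# an unauthenticated REST API (read/delete any index) to anything that can reach
# the host.  192.168.1.30 is the address the rest of this setup (discovery,
# Logstash output, Kibana) already assumes for this node; reachability tests
# therefore go to that address, not to localhost.
cat <<'EOF' > /etc/elasticsearch/elasticsearch.yml
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
cluster.name: ELK
node.name: elk.novalocal
network.host: 192.168.1.30
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.1.30:9300"]
discovery.zen.minimum_master_nodes: 1
EOF
systemctl daemon-reload
systemctl enable elasticsearch
systemctl restart elasticsearch
systemctl status elasticsearch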
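# --- Logstash settings --------------------------------------------------------
cp /etc/logstash/logstash.yml{,.bak}
# Load only *.conf from conf.d.  Given a bare directory, Logstash concatenates
# EVERY file in it (editor backups, a stray grok pattern file, ...) into one
# pipeline, and a single non-pipeline file makes the whole config fail to parse.
printf '%s\n' 'path.config: "/etc/logstash/conf.d/*.conf"' >> /etc/logstash/logstash.yml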
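# --- Pipeline #1: local test file + beats -> Elasticsearch --------------------
# The beats input listens on 5044 because that is the port the filebeat agent
# below is configured to connect to; the original listened on 5045, so no beats
# event could ever have arrived on this pipeline.
cat <<'EOF' > /etc/logstash/conf.d/logstash-01.conf
input {
  # local file, used for the smoke test
  file {
    type => "logtest"
    path => "/var/log/logtest.txt"
    start_position => "beginning"
  }
  # filebeat agents.  Plaintext: add ssl => true plus certificates before
  # shipping anything sensitive across an untrusted network.
  beats {
    port => 5044
  }
}
#filter { }
output {
  # debug only: echoes every event to the Logstash log/console
  stdout {
    codec => rubydebug { }
  }
  elasticsearch {
    hosts => ["http://192.168.1.30:9200"]
    index => "%{type}-%{+YYYY.MM.dd}"
  }
}
EOF
# Syntax check without starting the pipeline.  --path.settings makes the binary
# use logstash.yml / jvm.options from /etc/logstash (the same settings the
# service uses); without it Logstash looks under /usr/share/logstash and warns.
/usr/share/logstash/bin/logstash --path.settings /etc/logstash -f /etc/logstash/conf.d/logstash-01.conf --config.test_and_exit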
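# --- Smoke test ---------------------------------------------------------------
# Append one line to the file input (created 0644 by root, so the logstash
# service user can read it).
printf '%s log-test\n' "$(date +'%F-%T')" >> /var/log/logtest.txt
# Start Logstash through systemd instead of `nohup ... &` as root: the manual
# start ignored the /etc/logstash settings, ran the JVM as root, and would
# later collide with logstash.service on port 5044 (the doc itself stops the
# service further down, so the unit is the intended way to run it).
systemctl enable logstash
systemctl start logstash
# rubydebug stdout goes to the journal; the test event should show up there
# within a few seconds of the pipeline starting.
journalctl -u logstash --no-pager -n 50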
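# --- Kibana -------------------------------------------------------------------
cp /etc/kibana/kibana.yml{,.bak}
# server.host 0.0.0.0 makes the UI reachable from the LAN, which is the point of
# it -- but Kibana 6 basic has no login, so anyone who can reach 5601 can query
# (and, via Dev Tools, delete) everything in Elasticsearch.  Put it behind an
# authenticating reverse proxy or restrict the allowed source in firewalld.
cat <<'EOF' > /etc/kibana/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
# URL of one Elasticsearch node (elasticsearch.url is the 6.x setting name)
elasticsearch.url: "http://192.168.1.30:9200"
kibana.index: ".kibana"
#kibana.defaultAppId: "home"
EOF
systemctl enable kibana
systemctl restart kibana
systemctl status kibana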
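# --- Client: filebeat ---------------------------------------------------------
yum install -y filebeat
# Ship the nginx access log to Logstash.  Two fixes against the original:
#  * the YAML is indented -- as written on this page every key sat at column 0,
#    which makes enabled/paths/fields top-level keys instead of prospector
#    settings, so the input would not have been configured as intended;
#  * the option is `enabled`, not `enable` (the latter is simply ignored).
# `filebeat.prospectors` / `input_type` are the pre-6.3 names; they still work
# on 6.x with a deprecation warning (6.3+ spells them filebeat.inputs / type).
cat <<'EOF' > /etc/filebeat/filebeat.yml
filebeat.prospectors:
  # nginx access log
  - input_type: log
    enabled: true
    paths:
      - /usr/local/nginx/logs/access.log
    exclude_lines: ["^$"]
    # `type` drives the Logstash filter (if [type] == "nginx-access") and the
    # index name; fields_under_root puts it at the top level of the event.
    fields:
      type: "nginx-access"
    fields_under_root: true
output.logstash:
  # Logstash beats input.  NOTE(review): this address is 10.0.0.30 while
  # Elasticsearch/Kibana on this page use 192.168.1.30 -- confirm it is the
  # Logstash host's address.  Plaintext; configure ssl.* before shipping across
  # an untrusted network.
  hosts: ["10.0.0.30:5044"]
EOF
# Validate the config and the connection to Logstash before enabling the agent.
filebeat test config -c /etc/filebeat/filebeat.yml
filebeat test output -c /etc/filebeat/filebeat.yml
systemctl enable filebeat
systemctl restart filebeat
systemctl status filebeat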
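# --- nginx default "main" log_format (reference only) -------------------------
# This lives in nginx.conf on the client and is NOT executed here; the original
# had it as a bare line, which the shell would try to run.  The NGINXACCESS grok
# pattern must match this layout field for field.
# log_format main '$remote_addr - $remote_user [$time_local] "$request" '
#                 '$status $body_bytes_sent "$http_referer" '
#                 '"$http_user_agent" "$http_x_forwarded_for"';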
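# --- nginx access-log grok pattern ---------------------------------------------
# Kept under /etc/logstash/patterns, NOT in conf.d: Logstash treats every file
# in a path.config directory as pipeline config, so a pattern file in conf.d
# breaks the service's config parse.  `#` lines in a pattern file are comments.
mkdir -p /etc/logstash/patterns
cat <<'EOF' > /etc/logstash/patterns/nginx-access
# Matches the nginx "main" log_format.
# - remote_user is %{USER} instead of a literal "-": lines written while a user
#   was authenticated no longer fall out as _grokparsefailure.
# - The request part is alternated like Logstash's stock HTTPD patterns, so a
#   "-" or malformed request line still yields an event (in rawrequest).
# - status/bytes are typed :int so Elasticsearch maps them as numbers.
NGINXACCESS %{IPORHOST:remote_ip} - %{USER:remote_user} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:method} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:status:int} %{NUMBER:bytes:int} %{QS:referer} %{QS:agent} %{QS:xforward}
EOF
# --- Pipeline: local test file + filebeat nginx logs -> Elasticsearch ---------
cat <<'EOF' > /etc/logstash/conf.d/logstash-01.conf
input {
  # local file, used for the smoke test
  file {
    type => "logtest"
    path => "/var/log/logtest.txt"
    start_position => "beginning"
  }
  # filebeat agents.  Plaintext: add ssl => true plus certificates before
  # shipping anything sensitive across an untrusted network.
  beats {
    port => 5044
  }
}
filter {
  if [type] == "nginx-access" {
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      match => { "message" => "%{NGINXACCESS}" }
    }
    # @timestamp <- the nginx time; drop the raw string once it is parsed
    date {
      match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
      remove_field => [ "timestamp" ]
    }
    # Trim beats bookkeeping.  "tags" is deliberately NOT removed: that is where
    # grok puts _grokparsefailure, and dropping it hides every unparsed line.
    mutate {
      remove_field => [ "offset", "@version", "beat", "input_type", "id" ]
    }
  }
}
output {
  # debug only -- remove once the pipeline is verified, it doubles the output I/O
  stdout {
    codec => rubydebug { }
  }
  elasticsearch {
    # Same node as elasticsearch.yml / kibana.yml.  The original pointed this
    # pipeline at 172.16.50.32, a different address from everything else on
    # this page; if that was intentional, change it back and open 9200 to it.
    hosts => ["http://192.168.1.30:9200"]
    # events without a type field would land in a literal "%{type}-..." index
    index => "%{type}-%{+YYYY.MM.dd}"
  }
}
EOF
# Syntax check with the service's settings directory (see --path.settings note).
/usr/share/logstash/bin/logstash --path.settings /etc/logstash -f /etc/logstash/conf.d/logstash-01.conf --config.test_and_exit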
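# --- Debugging Logstash interactively -----------------------------------------
# Stop the service first so two instances do not fight over port 5044 and the
# file input's sincedb, then run in the foreground with the same settings
# directory the service uses (without --path.settings the binary ignores
# /etc/logstash/logstash.yml and jvm.options).
systemctl stop logstash
/usr/share/logstash/bin/logstash --path.settings /etc/logstash -f /etc/logstash/conf.d/logstash-01.conf
# The foreground run was root; anything it created under the data/log dirs
# (paths from the packaged logstash.yml) must be readable by the service user
# again, otherwise the next service start fails on permissions.
chown -R logstash:logstash /var/lib/logstash /var/log/logstash
systemctl start logstash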
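# --- Timezone / clock ---------------------------------------------------------
# Log events are correlated across hosts, so every node needs the same zone and
# a synced clock; the date filter above relies on correct offsets.
# (The original had the sample output "Asia/Shanghai" as a bare line, which the
# shell would try to execute.)
timedatectl list-timezones | grep Shanghai   # look up the full name, e.g. Asia/Shanghai
timedatectl set-timezone Asia/Shanghai       # any other zone name works the same way
# One-shot sync.  For continuous sync enable chronyd (the CentOS 7 default)
# instead of relying on a single ntpdate at install time.
ntpdate 0.asia.pool.ntp.org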