1. Download the software and plugins
http://www.elastic.co ---> Products ---> elasticsearch, logstash, kibana, filebeat, etc.
Downloads are available in tar, zip, rpm and other formats; choose whichever suits your needs.
or
wget https://download.elastic.co/elasticsearch/release/org/elasticsearch/distribution/tar/elasticsearch/2.3.4/elasticsearch-2.3.4.tar.gz
wget https://download.elastic.co/logstash/logstash/logstash-2.3.4.tar.gz
wget https://download.elastic.co/kibana/kibana/kibana-4.5.3-linux-x64.tar.gz
wget http://download.oracle.com/otn-pub/java/jdk/8u45-b14/jdk-8u45-linux-x64.tar.gz
2. Set up the installation environment
JDK 1.8 or later; either Oracle JDK or OpenJDK can be used (choose according to your situation)
# System tuning
vim /etc/security/limits.conf # usually already done as part of initial system tuning
* soft nofile 1024000
* hard nofile 1024000
# End of file
# vi /etc/sysctl.conf
vm.max_map_count = 655360
# sysctl -p
# Extract elasticsearch
cd /opt/elk/
tar -xvf elasticsearch-6.2.4.tar.gz
mv elasticsearch-6.2.4 elasticsearch
cd elasticsearch/config
# Edit the configuration file
vim elasticsearch.yml
# Set the following items
cluster.name: zmkhua-es
node.name: sc-elk
path.data: /data/es/data
path.logs: /data/es/logs
network.host: 192.168.198.92
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"
# Install the head plugin
ElasticSearch-Head is a web front end for interacting with an Elastic cluster.
Main functions of ES-Head:
It displays the topology of the ES cluster and lets you perform index- and node-level operations through it
It provides a set of cluster query APIs and returns the results as JSON and as tables
It provides shortcut menus that display the various states of the cluster
Installing the Head plugin on 5.x and later is more of a hassle; unlike in 2.x, it can no longer be done with a single command: elasticsearch/bin/plugin install mobz/elasticsearch-head
# Install node.js
# The head plugin is essentially a nodejs project, so node must be installed and npm used to install its dependencies (npm can be thought of as the equivalent of maven). Official nodejs site: https://nodejs.org/en/download/
# wget https://nodejs.org/dist/v8.9.1/node-v8.9.1.tar.gz # the newest version takes too long to build, use this older one
# tar zxf node-v8.9.1.tar.gz
# cd node-v8.9.1
# ./configure --prefix=/usr/local/node-8.9.1 && make -j 8 && make install # the build takes quite a while; no way around it, CentOS 7 needs a recent nodejs
# ln -s /usr/local/node-8.9.1 /usr/local/node # link the prefix used in ./configure above
# vim /etc/profile
############nodejs####################
export NODE_HOME=/usr/local/node
export PATH=$PATH:$NODE_HOME/bin
# source /etc/profile
# node -v
v8.9.1
# npm -v
5.5.1
Download the plugin package
# yum install git -y
# git clone https://github.com/mobz/elasticsearch-head.git # download the head plugin files
# cd elasticsearch-head/
# npm install -g grunt --registry=https://registry.npm.taobao.org
# Install grunt from the domestic Taobao mirror. grunt is a Node.js-based project build tool that can package, compress, test, run and so on; the head plugin is started through grunt
npm WARN deprecated coffee-script@1.10.0: CoffeeScript on NPM has moved to "coffeescript" (no hyphen)
/usr/local/node-8.9.1/bin/grunt -> /usr/local/node-8.9.1/lib/node_modules/grunt/bin/grunt
+ grunt@1.0.1
added 92 packages in 10.604s
# ls -d node_modules/grunt
node_modules/grunt
# If this directory was not created, run: cd elasticsearch-head && npm install grunt --save
Install the Head plugin
# npm install -g grunt-cli --registry=https://registry.npm.taobao.org
# npm install --registry=https://registry.npm.taobao.org # install the head plugin
Modify the configuration files
# mkdir /home/elk/plugin
# cp -rf /opt/elasticsearch-head /home/elk/plugin/head
# chown -R elk:elk /home/elk
$ vim /home/elk/plugin/head/Gruntfile.js
connect: {
server: {
options: {
port: 9100,
hostname: '*', # add this line
base: '.',
keepalive: true
$ vim /home/elk/plugin/head/_site/app.js
this.base_uri = this.config.base_uri || this.prefs.get("app-base_uri") || "http://192.168.14.60:9200"; # change this to the ES IP and port
$ cd /home/elk/plugin/head/ # the start command must be run from this directory
$ grunt server # the service starts
>> Local Npm module "grunt-contrib-jasmine" not found. Is it installed?
(node:1446) ExperimentalWarning: The http2 module is an experimental API.
Running "connect:server" (connect) task
Waiting forever...
Started connect web server on http://localhost:9100
Fix for the Head plugin being unable to connect to the cluster:
$ vim elasticsearch/config/elasticsearch.yml # add the following two lines
http.cors.enabled: true
http.cors.allow-origin: "*"
$ /home/elk/elasticsearch/bin/elasticsearch -d # restart the es service
$ pwd
/home/elk/plugin/head
$ nohup grunt server
# An elsearch user must be created, because elasticsearch by default cannot be started as root
useradd elsearch
su elsearch
# Start in the background
/opt/elk/elasticsearch/bin/elasticsearch -d
/opt/software/elasticsearch/elasticsearch-5.2.1/bin/elasticsearch -d
netstat -npltu
192.168.198.92:9200 0.0.0.0:* LISTEN 17755/java
192.168.198.92:9300 0.0.0.0:* LISTEN 17755/java
# Two ports appear: 9200 is the data (HTTP) port, and 9300 is used for communication between the nodes of the ES cluster
# Extract logstash
cd /opt/elk
tar -xvf logstash-6.2.4.tar.gz
mv logstash-6.2.4 logstash
cd logstash/config
# Create a new configuration file
vim logstash-beats.conf
input {
beats {
port => 5044
}
}
filter {
if "nginx-accesslog" in [tags] {
grok {
match => { "message" => "%{HTTPDATE:timestamp}\|%{IP:remote_addr}\|%{IPORHOST:http_host}\|(?:%{DATA:http_x_forwarded_for}|-)\|%{DATA:request_method}\|%{DATA:request_uri}\|%{DATA:server_protocol}\|%{NUMBER:status}\|(?:%{NUMBER:body_bytes_sent}|-)\|(?:%{DATA:http_referer}|-)\|%{DATA:http_user_agent}\|(?:%{DATA:request_time}|-)\|"}
}
mutate {
convert => ["status","integer"]
convert => ["body_bytes_sent","integer"]
convert => ["request_time","float"]
}
geoip {
source=>"remote_addr"
}
date {
match => [ "timestamp","dd/MMM/YYYY:HH:mm:ss Z"]
}
useragent {
source=>"http_user_agent"
}
}
if "sys-messages" in [tags] {
grok {
match => { "message" => "%{SYSLOGLINE}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
date {
match => [ "timestamp", "MMM d HH:mm:ss" ]
}
#ruby {
# code => "event['@timestamp'] = event['@timestamp'].getlocal"
#}
}
}
output {
elasticsearch {
hosts => ["192.168.198.92:9200"]
index => "logstash-%{type}-%{+YYYY.MM.dd}"
document_type => "%{type}"
}
stdout { codec => rubydebug }
}
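Before restarting Logstash it is worth checking that the grok pattern above actually matches the access-log format nginx is writing. The following Python script is an added example, not part of the original page and not Logstash code; it re-implements the grok, mutate and date stages of the filter with simplified regex equivalents of the grok primitives (an approximation of the logstash-patterns-core definitions, not a copy) and runs them over constructed sample lines. The third sample is in nginx's default "main" log_format, which this pipe-delimited pattern does not match; a mismatch like that would tag every event _grokparsefailure in Logstash. Function and constant names are the example's own.

```python
import re
from datetime import datetime

# Simplified regex equivalents of the grok primitives used in the page's pattern
# (an approximation of the logstash-patterns-core definitions, not a copy of them).
_HTTPDATE = r"\d{1,2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}"
_IP = r"(?:\d{1,3}\.){3}\d{1,3}"
_IPORHOST = r"[A-Za-z0-9.\-]+"
_DATA = r".*?"
_NUMBER = r"-?\d+(?:\.\d+)?"

# Field order and separators follow the grok pattern in logstash-beats.conf:
# fields are separated by "|" and the line ends with a trailing "|".
NGINX_PIPE_RE = re.compile(
    r"^(?P<timestamp>" + _HTTPDATE + r")\|"
    r"(?P<remote_addr>" + _IP + r")\|"
    r"(?P<http_host>" + _IPORHOST + r")\|"
    r"(?:(?P<http_x_forwarded_for>" + _DATA + r")|-)\|"
    r"(?P<request_method>" + _DATA + r")\|"
    r"(?P<request_uri>" + _DATA + r")\|"
    r"(?P<server_protocol>" + _DATA + r")\|"
    r"(?P<status>" + _NUMBER + r")\|"
    r"(?:(?P<body_bytes_sent>" + _NUMBER + r")|-)\|"
    r"(?:(?P<http_referer>" + _DATA + r")|-)\|"
    r"(?P<http_user_agent>" + _DATA + r")\|"
    r"(?:(?P<request_time>" + _DATA + r")|-)\|$"
)


def parse_access_line(line):
    """Return the event dict the page's filter would produce for one line, or None
    when the grok pattern does not match (Logstash would tag _grokparsefailure)."""
    m = NGINX_PIPE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    # grok only creates fields for groups that captured something.
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    # mutate { convert => ... }: only applied when the field exists.
    if "status" in event:
        event["status"] = int(event["status"])
    if "body_bytes_sent" in event:
        event["body_bytes_sent"] = int(event["body_bytes_sent"])
    # DATA also captures a literal "-"; this example drops it instead of converting it
    # (the page's config converts whatever was captured, so check your own data).
    if event.get("request_time") == "-":
        del event["request_time"]
    if "request_time" in event:
        event["request_time"] = float(event["request_time"])
    # date { match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ] }
    event["@timestamp"] = datetime.strptime(event["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
    return event


# Constructed sample lines (not real traffic). The first two use the pipe-delimited
# log_format the grok pattern expects; the third is nginx's default "main" format,
# which this pattern does not match.
SAMPLE_OK = ('10/May/2018:10:15:32 +0800|203.0.113.5|www.example.com|-|GET|/index.html'
             '|HTTP/1.1|200|1024|-|Mozilla/5.0 (X11; Linux x86_64)|0.012|')
SAMPLE_DASHES = ('10/May/2018:10:15:33 +0800|198.51.100.7|www.example.com|-|HEAD|/'
                 '|HTTP/1.1|304|-|-|curl/7.61.1|-|')
SAMPLE_MAIN_FORMAT = ('203.0.113.5 - - [10/May/2018:10:15:32 +0800] "GET /index.html HTTP/1.1" '
                      '200 1024 "-" "Mozilla/5.0"')


def check_samples():
    """Report which samples the pattern accepts; run this before restarting Logstash."""
    return {name: parse_access_line(line) is not None
            for name, line in [("ok", SAMPLE_OK), ("dashes", SAMPLE_DASHES),
                               ("main_format", SAMPLE_MAIN_FORMAT)]}


if __name__ == "__main__":
    for name, ok in check_samples().items():
        print(name, "matches" if ok else "NO MATCH (_grokparsefailure)")
    print(parse_access_line(SAMPLE_OK))
```

Replace the constructed samples with a few real lines from the access log that Filebeat ships; if `check_samples()` reports a mismatch, the server's log_format (not the Logstash filter) is usually what needs to change.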
# grok log parsing rules
vim vendor/bundle/jruby/2.3.0/gems/logstash-patterns-core-4.1.2/patterns/grok-patterns
# Start logstash in the background
nohup ./logstash -f ../config/logstash-beats.conf > nohup.log &
# Extract kibana
cd /opt/elk/
tar -xvf kibana-6.2.4-linux-x86_64.tar.gz
mv kibana-6.2.4-linux-x86_64 kibana
cd kibana/config
vim kibana.yml
server.port: 5601
server.host: "192.168.198.92"
elasticsearch.url: "http://192.168.198.92:9200"
kibana.index: ".kibana"
cd /opt/elk/kibana/bin
# Start kibana in the background
nohup /opt/elk/kibana/bin/kibana > nohup.log &
# Extract filebeat
cd /opt/elk/
tar -xvf filebeat-6.2.4-linux-x86_64.tar.gz
mv filebeat-6.2.4-linux-x86_64 filebeat
cd filebeat
vim filebeat.yml
#filebeat.prospectors:
#- input_type: log
# paths:
# - /var/log/nginx/access.log
# document_type: nginx_access
# multiline.pattern: '^\['
# multiline.pattern: '^\sINFO|^\sERROR|^\sDEBUG|^\sWARN' ## treat a line beginning with INFO, ERROR, DEBUG or WARN as the start of a new event (used to merge multi-line Java logs; a timestamp at the start of the line can be used instead)
# multiline.negate: true
# multiline.match: after
# exclude_lines: ['^DEBUG']
# include_lines: ["^ERROR", "^WARN","^INFO"]
#----------------------------- Logstash output --------------------------------
#output.logstash:
# # The Logstash hosts
# hosts: ["192.168.198.92:5044"]
#==================================================
#filebeat.prospectors:
#- input_type: log
# paths: /var/log/secure
# include_lines: [".*Failed.*",".*Accepted.*"]
#output.logstash:
# hosts: ["192.168.198.92:5044"]
#===========================================================
filebeat.prospectors:
- input_type: log
paths:
- /var/log/nginx/access.log
tags: ["nginx-accesslog"]
document_type: nginx_access
output.logstash:
hosts: ["192.168.198.92:5044"]
tail_files: if set to true, Filebeat starts watching from the end of the file and sends each newly appended line as an event, instead of re-sending the whole file from the beginning.
# Start filebeat in the background
nohup ./filebeat -c filebeat.yml > nohup.log &
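To see what the commented-out multiline.* and include_lines/exclude_lines settings do before enabling them, here is an added Python example (not Filebeat code and not from the original page) that re-implements the documented semantics of multiline.pattern, multiline.negate and multiline.match over a constructed Java log, then applies include_lines and exclude_lines to the merged events. Note that the page's '^\sINFO|^\sERROR|...' pattern anchors a whitespace character before each level, so it only matches lines that begin with whitespace; the sample here has the level in column 0 and uses the corresponding pattern without \s. The sample log and the function names are the example's own.

```python
import re

# Constructed Java application log (not real data): a stack trace follows the ERROR line.
SAMPLE_JAVA_LOG = """\
INFO  2018-05-11 10:00:01 Server started
ERROR 2018-05-11 10:00:02 Request failed
java.lang.NullPointerException: boom
    at com.example.Handler.handle(Handler.java:42)
    at com.example.Server.run(Server.java:17)
WARN  2018-05-11 10:00:03 Recovered
DEBUG 2018-05-11 10:00:04 Heartbeat
"""


def merge_multiline(lines, pattern, negate, match):
    """Group raw lines into events the way Filebeat's multiline.* options do.

    A line is a *continuation* when (pattern found in the line) XOR negate is true;
    match == "after" appends continuations to the previous event, match == "before"
    prepends them to the next one. This is the example's own re-implementation of
    the documented semantics (an assumption), not Filebeat code.
    """
    rx = re.compile(pattern)
    events, buffer = [], []
    for line in lines:
        continuation = bool(rx.search(line)) != negate
        if match == "after":
            if continuation and events:
                events[-1] = events[-1] + "\n" + line
            else:
                events.append(line)  # a leading continuation with nothing before it starts an event
        elif match == "before":
            buffer.append(line)
            if not continuation:
                events.append("\n".join(buffer))
                buffer = []
        else:
            raise ValueError("match must be 'after' or 'before'")
    if buffer:  # trailing continuations with no terminating line are flushed as-is
        events.append("\n".join(buffer))
    return events


def select_lines(events, include_lines=(), exclude_lines=()):
    """Keep an event if it matches any include_lines regex (or no include list is
    given) and then drop it if it matches any exclude_lines regex, in that order."""
    inc = [re.compile(p) for p in include_lines]
    exc = [re.compile(p) for p in exclude_lines]
    kept = []
    for ev in events:
        if inc and not any(r.search(ev) for r in inc):
            continue
        if any(r.search(ev) for r in exc):
            continue
        kept.append(ev)
    return kept


def demo():
    """Level-at-column-0 variant of the page's pattern with negate: true and
    match: after, then the page's include/exclude lists applied to the merged events."""
    events = merge_multiline(SAMPLE_JAVA_LOG.splitlines(),
                             r"^(INFO|ERROR|DEBUG|WARN)", negate=True, match="after")
    kept = select_lines(events, include_lines=["^ERROR", "^WARN", "^INFO"],
                        exclude_lines=["^DEBUG"])
    return events, kept


if __name__ == "__main__":
    events, kept = demo()
    print(len(events), "events after multiline merge;", len(kept), "kept after filtering")
    for ev in kept:
        print("---\n" + ev)
```

With negate: true the stack-trace lines (which do not start with a level) are glued onto the ERROR event, so the whole trace arrives in Elasticsearch as one document; with negate: false and the same pattern, each trace line would become its own event.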
Access kibana through nginx
# Install nginx
yum install nginx -y
vim /etc/nginx/nginx.conf
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 19200;
server_name apm.zmkhua.com;
#root /usr/share/nginx/html;
# Load configuration files for the default server block.
#include /etc/nginx/default.d/*.conf;
location / {
proxy_pass http://192.168.198.92:9200/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
server {
listen 15601;
server_name apm.zmkhua.com;
#root /usr/share/nginx/html;
# Load configuration files for the default server block.
#include /etc/nginx/default.d/*.conf;
location / {
proxy_pass http://192.168.198.92:5601/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
systemctl start nginx
## access via 192.168.198.92:15601
curl -XDELETE '192.168.198.92:9200/logstash-finance_tomcat-47_log-2018.05.11?pretty' # delete an index
client_inactivity_timeout => 120
client_inactivity_timeout => 300
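The curl -XDELETE above removes one daily index by hand. The following Python script is an added example, not part of the original page, that does the same retention job safely: it only ever selects indices whose names match the logstash-%{type}-YYYY.MM.dd scheme produced by the output stanza (so .kibana and other non-daily indices are never touched), prints the selection in dry-run mode first, and then issues the same DELETE request the page uses. The index listing is constructed for the example, and the ES URL, function names and keep_days value are assumptions. Because the ES HTTP port in this setup accepts requests without authentication, anything that can reach 9200 (including through the nginx proxy on 19200) can issue the same DELETE, so keep the port reachable only from the hosts that need it.

```python
import re
from datetime import date, timedelta
from urllib.request import Request, urlopen

# Index names produced by the page's output stanza: logstash-%{type}-%{+YYYY.MM.dd}
INDEX_RE = re.compile(r"^logstash-(?P<type>.+)-(?P<y>\d{4})\.(?P<m>\d{2})\.(?P<d>\d{2})$")


def index_date(name):
    """Date encoded in a daily logstash index name, or None for any other index
    (e.g. .kibana), so that non-daily indices are never selected for deletion."""
    m = INDEX_RE.match(name)
    if m is None:
        return None
    try:
        return date(int(m["y"]), int(m["m"]), int(m["d"]))
    except ValueError:  # e.g. month 13: not a valid daily index, leave it alone
        return None


def expired_indices(names, today, keep_days):
    """Names whose date is older than keep_days days before today, oldest first."""
    cutoff = today - timedelta(days=keep_days)
    expired = []
    for n in names:
        d = index_date(n)
        if d is not None and d < cutoff:
            expired.append((d, n))
    return [n for _, n in sorted(expired)]


def delete_indices(es_url, names, dry_run=True):
    """Issue DELETE /<index>?pretty for each name (the curl -XDELETE on the page)
    unless dry_run. Returns (name, http_status) pairs; status is None in dry-run mode."""
    results = []
    for n in names:
        if dry_run:
            results.append((n, None))
            continue
        req = Request(f"{es_url.rstrip('/')}/{n}?pretty", method="DELETE")
        with urlopen(req, timeout=10) as resp:  # network call; not exercised offline
            results.append((n, resp.status))
    return results


# Constructed index listing, in the shape GET /_cat/indices?h=index returns (sample only).
SAMPLE_INDICES = [
    ".kibana",
    "logstash-finance_tomcat-47_log-2018.05.11",
    "logstash-nginx_access-2018.05.20",
    "logstash-nginx_access-2018.05.25",
    "logstash-syslog-2018.05.17",
]


def demo_retention():
    """Apply a 7-day retention to the sample listing as of 2018-05-25 (assumed values)."""
    return expired_indices(SAMPLE_INDICES, date(2018, 5, 25), keep_days=7)


if __name__ == "__main__":
    doomed = demo_retention()
    # Dry run first; switch dry_run=False only after reviewing the printed list.
    print(delete_indices("http://192.168.198.92:9200", doomed, dry_run=True))
```

In real use, feed `expired_indices()` the output of `GET /_cat/indices?h=index` and today's date; the dry-run result shows exactly which indices would be removed before any DELETE is sent.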