ELK stack is the combination of three open-source tools, Elasticsearch, Logstash and Kibana, which together form a powerful real-time log collection and display system.

The roles of the components are as follows:

Logstash: log collection tool. It can collect all kinds of logs from local disk, from network services (it listens on a port and accepts logs from clients) and from message queues, filter and analyse them, and output the logs to Elasticsearch.

Elasticsearch: distributed log storage/search tool with native cluster support. It can build an index for the logs of a given time range, speeding up log queries and access.

Kibana: web visualisation tool for logs. It displays the logs stored in Elasticsearch and can also produce attractive dashboards.
1. Most application logs are written to log files on the server. These logs are mostly read by developers, but developers have no login rights on the servers, so whenever a developer needs a log, someone has to fetch it from the server and hand it over. Imagine a company with 10 developers, each asking operations for a log once a day: that is a considerable workload for the operations staff and badly hurts their efficiency. Once ELK stack is deployed, developers can log in to Kibana directly and view the logs themselves without going through operations, which lightens the operations workload.

2. There are many kinds of logs, scattered across different places and hard to find. When a LAMP/LNMP site has an access failure, you may need to query the logs to analyse the cause: to read the Apache error log you have to log in to the Apache server, to read the database error log you have to log in to the database server. Now imagine a cluster of dozens of hosts. With ELK stack deployed you simply open the Kibana page to view the logs, and switching between log types is one mouse click to change the index.
Purpose of the redis message queue:

1. Prevents log loss when Logstash and ES cannot communicate normally.

2. Prevents log loss when the log volume is so large that ES cannot keep up with the write load.

3. Applications (php, java) can write their logs straight to the message queue, which completes log collection without an extra hop.

Note: if the redis message queue becomes a scaling bottleneck, it can be replaced with the more powerful kafka or flume.
Lab environment:

[root@es1 ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@es1 ~]# uname -rm
3.10.0-327.el7.x86_64 x86_64
Software used:

1. jdk-8u92, official rpm package
2. Elasticsearch 2.3.3, official rpm package
3. Logstash 2.3.2, official rpm package
4. Kibana 4.5.1, official rpm package
5. Redis 3.2.1, remi rpm package
6. nginx 1.10.0-1, official rpm package
Deployment order:

1. Elasticsearch cluster configuration
2. Logstash client configuration (writing data directly into the ES cluster; writing the system messages log)
3. Redis message queue configuration (Logstash writing data into the message queue)
4. Kibana deployment
5. nginx load balancing of Kibana requests
6. Collecting nginx logs
7. Kibana reporting features
Configuration notes:

1. Time must be synchronised
2. Disable the firewall and selinux
3. When something goes wrong, check the logs
Elasticsearch cluster installation and configuration

1. Configure the Java environment

[root@es1 ~]# yum -y install jdk1.8.0_92
[root@es1 ~]# java -version
java version "1.8.0_92"
Java(TM) SE Runtime Environment (build 1.8.0_92-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.92-b14, mixed mode)
2. Install Elasticsearch. My yum repository is already set up, so it can be installed directly.

Official documentation: https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html
Official download: https://www.elastic.co/downloads/elasticsearch

[root@es1 ~]# yum -y install elasticsearch
[root@es1 ~]# rpm -ql elasticsearch
/etc/elasticsearch
/etc/elasticsearch/elasticsearch.yml    #main configuration file
/etc/elasticsearch/logging.yml
/etc/elasticsearch/scripts
/etc/init.d/elasticsearch
/etc/sysconfig/elasticsearch
/usr/lib/sysctl.d
/usr/lib/sysctl.d/elasticsearch.conf
/usr/lib/systemd/system/elasticsearch.service    #startup script
/usr/lib/tmpfiles.d
/usr/lib/tmpfiles.d/elasticsearch.conf
3. Edit the configuration file; the paths here are a matter of personal preference

[root@es1 ~]# vim /etc/elasticsearch/elasticsearch.yml
cluster.name: "linux-ES"
node.name: es1.bjwf.com
path.data: /elk/data
path.logs: /elk/logs
bootstrap.mlockall: true
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.130.221", "192.168.130.222"]
4. Create the directories and set their ownership

[root@es1 ~]# mkdir -pv /elk/{data,logs}
[root@es1 ~]# chown -R elasticsearch.elasticsearch /elk
[root@es1 ~]# ll /elk
drwxr-xr-x. 2 elasticsearch elasticsearch 6 Jun 28 03:51 data
drwxr-xr-x. 2 elasticsearch elasticsearch 6 Jun 28 03:51 logs
5. Start ES and check that it is listening on ports 9200 and 9300

[root@es1 ~]# systemctl start elasticsearch.service
[root@es1 ~]# netstat -tnlp|egrep "9200|9300"
tcp6       0      0 :::9200                 :::*                    LISTEN      17535/java
tcp6       0      0 :::9300                 :::*                    LISTEN      17535/java
6. Install the second machine; the steps are the same as for the first

[root@es2 ~]# vim /etc/elasticsearch/elasticsearch.yml
node.name: es2.bjwf.com    #the main change is the node name

7. Check the status of the two nodes
Configure cluster management plugins (head, kopf, etc.)

Elastic provides an ES cluster management plugin that gives a very intuitive view of the cluster state and index data.

[root@es1 ~]# /usr/share/elasticsearch/bin/plugin install mobz/elasticsearch-head
[root@es1 ~]# /usr/share/elasticsearch/bin/plugin install lmenezes/elasticsearch-kopf

Accessing the plugins:

http://192.168.130.222:9200/_plugin/head/
http://192.168.130.222:9200/_plugin/kopf/
With the ES cluster configured, Logstash can now be configured to write data into the cluster.

Logstash deployment

1. Configure the Java environment and install logstash

[root@logstash1 ~]# yum -y install jdk1.8.0_92
[root@logstash1 ~]# yum -y install logstash

2. Verify Logstash input and output with a configuration file

[root@logstash1 ~]# vim /etc/logstash/conf.d/stdout.conf
input {
  stdin {}
}
output {
  stdout {
    codec => "rubydebug"
  }
}

3. Define an output to Elasticsearch

[root@logstash1 ~]# vim /etc/logstash/conf.d/logstash.conf
input {
  stdin {}
}
output {
  elasticsearch {
    hosts => ["192.168.130.221:9200","192.168.130.222:9200"]
    index => "test"
  }
}
[root@logstash1 ~]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf
Settings: Default pipeline workers: 4
Pipeline main started
hello!
你好
This shows that Logstash connected to Elasticsearch works normally. Next, how to collect the system log.

4. Collecting the system log with Logstash

Change the Logstash configuration file as shown below and start the Logstash service; in head you can then see that the messages log has been written into ES and an index has been created.

[root@logstash1 ~]# vim /etc/logstash/conf.d/logstash.conf
input {
  file {
    type => "messagelog"
    path => "/var/log/messages"
    start_position => "beginning"
  }
}
output {
  file {
    path => "/tmp/123.txt"
  }
  elasticsearch {
    hosts => ["192.168.130.221:9200","192.168.130.222:9200"]
    index => "system-messages-%{+yyyy.MM.dd}"
  }
}
#Check the configuration file syntax:
/etc/init.d/logstash configtest
/opt/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --configtest
#Change the user Logstash starts as:
# vim /etc/init.d/logstash
LS_USER=root
LS_GROUP=root
#Start from the configuration file
[root@logstash1 ~]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf &

Collection succeeded, as shown in the figure: the system-messages index was created automatically.
Kibana deployment

Note: here I deploy kibana on both ES nodes and use nginx for load balancing; if there is no special need, a single node is enough.

1. Install Kibana, one instance per ES node

[root@es1 ~]# yum -y install kibana

2. Configure Kibana; only the ES address needs to be set, everything else can stay at the defaults

[root@es1 ~]# vim /opt/kibana/config/kibana.yml
elasticsearch.url: "http://192.168.130.221:9200"
[root@es1 ~]# systemctl start kibana.service
[root@es1 ~]# netstat -tnlp|grep 5601    #Kibana listening port
tcp        0      0 0.0.0.0:5601            0.0.0.0:*               LISTEN      17880/node

Check the result. This screenshot is borrowed; I forgot to take one of my own.
Deploying filebeat to collect logs

1. Install nginx and switch its access log to json

[root@logstash1 ~]# yum -y install nginx
[root@logstash1 ~]# vim /etc/nginx/nginx.conf
log_format access1 '{"@timestamp":"$time_iso8601",'
                   '"host":"$server_addr",'
                   '"clientip":"$remote_addr",'
                   '"size":$body_bytes_sent,'
                   '"responsetime":$request_time,'
                   '"upstreamtime":"$upstream_response_time",'
                   '"upstreamhost":"$upstream_addr",'
                   '"http_host":"$host",'
                   '"url":"$uri",'
                   '"domain":"$host",'
                   '"xff":"$http_x_forwarded_for",'
                   '"referer":"$http_referer",'
                   '"status":"$status"}';
access_log /var/log/nginx/access.log access1;
#Save the configuration file and start the service
[root@logstash1 ~]# systemctl start nginx
#Verify that the nginx log is now json
[root@logstash1 ~]# tail /var/log/nginx/log/host.access.log
{"@timestamp":"2016-06-27T05:28:47-04:00",'"host":"192.168.130.223",'' "clientip":"192.168.120.222",''"size":15,''"responsetime":0.000,''"upstreamtime":"-",' '"upstreamhost":"-",''"http_host":"192.168.130.223",''"url":"/index.html",''"domain": "192.168.130.223",''"xff":"-",''"referer":"-",''"status":"200"}'

2. Install tomcat and switch its access log to json

[root@logstash1 ~]# tar xf apache-tomcat-8.0.36.tar.gz -C /usr/local
[root@logstash1 ~]# cd /usr/local
[root@logstash1 local]# ln -sv apache-tomcat-8.0.36/ tomcat
[root@logstash1 ~]# vim /usr/local/tomcat/conf/server.xml
<Context path="" docBase="/web"/>
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="localhost_access_log" suffix=".txt"
       pattern='{"clientip":"%h","ClientUser":"%l","authenticated":"%u","AccessTime":"%t","method":"%r","status":"%s","SendBytes":"%b","Query?string":"%q","partner":"%{Referer}i","AgentVersion":"%{User-Agent}i"}'/>
#Start the service and verify the log
[root@logstash1 ~]# /usr/local/tomcat/bin/startup.sh
[root@logstash1 ~]# tail /usr/local/tomcat/logs/localhost_access_log.2016-06-28.txt
{"clientip":"192.168.120.8","ClientUser":"-","authenticated":"-","AccessTime":"[28/Jun/2016:23:31:31 -0400]","method":"GET /bg-button.png HTTP/1.1","status":"200","SendBytes":"713","Query?string":"","partner":"http://192.168.130.223:8080/tomcat.css","AgentVersion":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0)Gecko/20100101 Firefox/47.0"}

3. Install filebeat on the web server and configure it to collect the nginx and tomcat logs and send them to logstash

#Official documentation
https://www.elastic.co/guide/en/beats/filebeat/current/index.html
#Download
https://www.elastic.co/downloads/beats/filebeat
#Install
[root@logstash1 ~]# yum -y install filebeat

#Role: collect logs on the web server in real time and pass them to Logstash
#Why not use logstash on the web server for collection?
It depends on a Java environment; if Java has a problem it may affect the web service.
It uses a lot of system resources.
Its configuration is relatively complex (although it supports matching and filtering).
Filebeat is a good fit: it focuses on log collection and its syntax is simple.

##Configure filebeat to collect logs from the files and pass them to Logstash
filebeat:
  prospectors:
    - paths:
        - /var/log/messages                                  #system log
      input_type: log
      document_type: nginx1-system-message
    - paths:
        - /var/log/nginx/log/host.access.log                 #nginx access log
      input_type: log
      document_type: nginx1-nginx-log
    - paths:
        - /usr/local/tomcat/logs/localhost_access_log.*.txt  #tomcat access log
      input_type: log
      document_type: nginx1-tomcat-log
#  registry_file: /var/lib/filebeat/registry                 #not sure what is wrong with this line, it errored
output:
  logstash:                                                  #send the collected files to Logstash
    hosts: ["192.168.130.223:5044"]
    path: "/tmp"
    filename: filebeat.txt
shipper:
logging:
  to_files: true
  files:
    path: /tmp/mybeat

#Configure logstash to receive the nginx logs from filebeat
[root@logstash1 ~]# vim /etc/logstash/conf.d/nginx-to-redis.conf
input {
  beats {
    port => 5044
    codec => "json"                    #encoding is json
  }
}
output {
  if [type] == "nginx1-system-message" {
    redis {
      data_type => "list"
      key => "nginx1-system-message"   #name of the key written to redis
      host => "192.168.130.225"        #redis server address
      port => "6379"
      db => "0"
    }
  }
  if [type] == "nginx1-nginx-log" {
    redis {
      data_type => "list"
      key => "nginx1-nginx-log"
      host => "192.168.130.225"
      port => "6379"
      db => "0"
    }
  }
  if [type] == "nginx1-tomcat-log" {
    redis {
      data_type => "list"
      key => "nginx1-tomcat-log"
      host => "192.168.130.225"
      port => "6379"
      db => "0"
    }
  }
  file {
    path => "/tmp/nginx-%{+yyyy-MM-dd}messages.gz"   #test log output
  }
}
#Pay close attention to the symbols in this block; a wrong symbol can cause errors

#Start Logstash and filebeat
[root@logstash1 ~]# /etc/init.d/logstash start
[root@logstash1 ~]# netstat -tnlp|grep 5044    #check that it is running
tcp6       0      0 :::5044                 :::*                    LISTEN      18255/java
[root@logstash1 ~]# /etc/init.d/filebeat start

#Check the local output log
[root@logstash1 ~]# tail /tmp/nginx-2016-06-29messages.gz
{"message":"Jun 29 01:40:04 logstash1 systemd: Unit filebeat.service entered failed state.","tags":["_jsonparsefailure","beats_input_codec_json_applied"],"@version":"1","@timestamp":"2016-06-29T05:50:54.697Z","offset":323938,"type":"nginx1-system-message","input_type":"log","source":"/var/log/messages","count":1,"fields":null,"beat":{"hostname":"logstash1.bjwf.com","name":"logstash1.bjwf.com"},"host":"logstash1.bjwf.com"}

4. Install and configure redis

[root@redis ~]# yum -y install redis
[root@redis ~]# vim /etc/redis.conf
bind 0.0.0.0       #listen on all local addresses
daemonize yes      #run in the background
appendonly yes     #enable aof
[root@redis ~]# systemctl start redis.service
#At this point, access nginx and tomcat to generate some logs
[root@redis ~]# netstat -tnlp|grep 6379
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      17630/redis-server
#Connect to redis and check that the generated logs are there
[root@redis ~]# redis-cli -h 192.168.130.225
192.168.130.225:6379> KEYS *
1) "nginx1-tomcat-log"
2) "nginx1-system-message"
3) "nginx1-nginx-log"

5. Collect the nginx logs on the other logstash host

[root@logstash2 ~]# yum -y install logstash
[root@logstash2 ~]# vim /etc/logstash/conf.d/redis-to-elast.conf
input {
  redis {
    host => "192.168.130.225"
    port => "6379"
    db => "0"
    key => "nginx1-system-message"
    data_type => "list"
    codec => "json"
  }
  redis {
    host => "192.168.130.225"
    port => "6379"
    db => "0"
    key => "nginx1-nginx-log"
    data_type => "list"
    codec => "json"
  }
  redis {
    host => "192.168.130.225"
    port => "6379"
    db => "0"
    key => "nginx1-tomcat-log"
    data_type => "list"
    codec => "json"
  }
}
filter {
  if [type] == "nginx1-nginx-log" or [type] == "nginx1-tomcat-log" {
    geoip {
      source => "clientip"
      target => "geoip"
      # database => "/etc/logstash/GeoLiteCity.dat"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
  }
}
output {
  if [type] == "nginx1-system-message" {
    elasticsearch {
      hosts => ["192.168.130.221:9200","192.168.130.222:9200"]
      index => "nginx1-system-message-%{+yyyy.MM.dd}"
      manage_template => true
      flush_size => 2000
      idle_flush_time => 10
    }
  }
  if [type] == "nginx1-nginx-log" {
    elasticsearch {
      hosts => ["192.168.130.221:9200","192.168.130.222:9200"]
      index => "logstash1-nginx1-nginx-log-%{+yyyy.MM.dd}"
      manage_template => true
      flush_size => 2000
      idle_flush_time => 10
    }
  }
  if [type] == "nginx1-tomcat-log" {
    elasticsearch {
      hosts => ["192.168.130.221:9200","192.168.130.222:9200"]
      index => "logstash-nginx1-tomcat-log-%{+yyyy.MM.dd}"
      manage_template => true
      flush_size => 2000
      idle_flush_time => 10
    }
  }
  file {
    path => "/tmp/log-%{+yyyy-MM-dd}messages.gz"
    gzip => "true"
  }
}
[root@logstash2 ~]# /etc/init.d/logstash configtest
Configuration OK
[root@logstash2 ~]# /etc/init.d/logstash start

#Verify that data is being written
#The Elasticsearch data directory confirms the indices have been written
[root@es1 0]# du -sh /elk/data/linux-ES/nodes/0/indices/*
148K    /elk/data/linux-ES/nodes/0/indices/logstash1-nginx1-nginx-log-2016.06.29
180K    /elk/data/linux-ES/nodes/0/indices/logstash-nginx1-tomcat-log-2016.06.29
208K    /elk/data/linux-ES/nodes/0/indices/nginx1-system-message-2016.06.29
576K    /elk/data/linux-ES/nodes/0/indices/system-messages-2016.06.28
580K    /elk/data/linux-ES/nodes/0/indices/system-messages-2016.06.29
108K    /elk/data/linux-ES/nodes/0/indices/test
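Added example (not from the original post): a small Python model of what the beats input's `codec => "json"` and the type-based routing in nginx-to-redis.conf do to the three kinds of events filebeat ships. The events are constructed; the syslog line reproduces the `_jsonparsefailure` tag seen in the /tmp output above, and the assumption that the codec replaces the raw message with its parsed fields is marked in the code.

```python
import json

# Redis list key per filebeat document_type, mirroring the three
# `if [type] == ...` conditionals in nginx-to-redis.conf
REDIS_KEY_BY_TYPE = {
    "nginx1-system-message": "nginx1-system-message",
    "nginx1-nginx-log": "nginx1-nginx-log",
    "nginx1-tomcat-log": "nginx1-tomcat-log",
}

def apply_json_codec(event):
    """Model of codec => "json" on the beats input: decode the line filebeat
    shipped in "message" and merge its keys into the event. A line that is
    not a JSON object (e.g. syslog text) is kept as-is and the event is
    tagged _jsonparsefailure, which is what Logstash does."""
    event = dict(event)
    try:
        parsed = json.loads(event["message"])
        if not isinstance(parsed, dict):
            raise ValueError("decoded JSON is not an object")
    except (KeyError, ValueError):
        event.setdefault("tags", []).append("_jsonparsefailure")
        return event
    event.pop("message")  # assumption: the raw line is replaced by its fields
    event.update(parsed)
    return event

def route(event):
    """Redis key the output block would push this event to (None if no match)."""
    return REDIS_KEY_BY_TYPE.get(event.get("type"))

def process(events):
    """Run each event through the codec and the routing; returns (key, event)."""
    return [(route(ev), apply_json_codec(ev)) for ev in events]

# Constructed sample events, one per filebeat prospector on the page
SAMPLE_EVENTS = [
    {"type": "nginx1-nginx-log", "message":
     '{"@timestamp":"2016-06-27T05:28:47-04:00","clientip":"192.168.120.222",'
     '"size":15,"responsetime":0.000,"url":"/index.html","status":"200"}'},
    {"type": "nginx1-tomcat-log", "message":
     '{"clientip":"192.168.120.8","method":"GET /bg-button.png HTTP/1.1",'
     '"status":"200","SendBytes":"713"}'},
    {"type": "nginx1-system-message", "message":
     "Jun 29 01:40:04 logstash1 systemd: Unit filebeat.service entered failed state."},
]

if __name__ == "__main__":
    for key, ev in process(SAMPLE_EVENTS):
        print(key, ev.get("tags", []), ev.get("clientip") or ev["message"])
```

Because the system log prospector shares the same beats input as the json logs, every syslog line is tagged rather than parsed; a separate input or a conditional json filter avoids that.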
Configure nginx as a reverse proxy

[root@nginx ~]# vim /etc/nginx/nginx.conf
upstream kibana {    #define the backend host group
    server 192.168.130.221:5601 weight=1 max_fails=2 fail_timeout=2;
    server 192.168.130.221:5602 weight=1 max_fails=2 fail_timeout=2;
}
server {
    listen 80;
    server_name 192.168.130.226;
    location / {     #define the reverse proxy: every request to this host is forwarded to the kibana servers
        proxy_pass http://kibana/;
        index index.html index.htm;
    }
}
[root@nginx ~]# systemctl start nginx.service    #start the service

#Check the Elasticsearch and Kibana output

#That is basically it for now; more will be added later.