ELK Introduction

Document Control

Author: Hao.Yu@telit.com
Version: V0.1
Time: Feb 26th, 2019
Comment: First commit

ELK Infrastructure architecture


Installing Elasticsearch on Linux


Go to the download page:

https://www.elastic.co/downloads/elasticsearch#ga-release

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.6.1.rpm

Make sure you have JDK 1.8 installed.

If not, install JDK 1.8 first:

yum install -y java

Verify that Java has been installed successfully.


Install the Elasticsearch RPM.


Start and check the service:

service elasticsearch start

service elasticsearch status -l

Make sure ports 9200 (HTTP) and 9300 (transport) are listening:

netstat -ntlp

Enable the service so that it starts automatically at boot:

systemctl enable elasticsearch


Configuring Elasticsearch

vi /etc/elasticsearch/elasticsearch.yml


Update the host address and port. With the comment lines filtered out, the file should contain:

grep -v '^#' /etc/elasticsearch/elasticsearch.yml

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 10.143.40.130
http.port: 9200

Binding network.host to a non-loopback address exposes the REST API to the network, and Elasticsearch 6.6 does not authenticate requests unless X-Pack security is enabled, so restrict access to ports 9200 and 9300 with a host firewall or keep the node on a private network.


Restart the service after the yml file has been updated.

Telnet to the port from another host to make sure it is reachable.

Elasticsearch configuration options

https://www.elastic.co/guide/en/elasticsearch/reference/7.x/settings.html

There are two configuration files in the elasticsearch config folder: elasticsearch.yml and logging.yml. The first is the basic ES configuration file and the second is the logging configuration; ES uses log4j for logging, so logging.yml is written like an ordinary log4j configuration file. The settings available in elasticsearch.yml are explained below. Note that this list comes from an older Elasticsearch release: in 6.x, index-level settings such as index.number_of_shards can no longer be set in elasticsearch.yml, and bootstrap.mlockall has been renamed bootstrap.memory_lock.

cluster.name: elasticsearch
Name of the ES cluster; the default is elasticsearch. ES automatically discovers other ES nodes on the same network segment, so if several clusters share a segment this property tells them apart.

node.name: "Franz Kafka"
Node name. By default a name is picked at random from the list in the name.txt file in the config folder of the ES jar, which contains many amusing names added by the authors.

node.master: true
Whether this node is eligible to be elected master; the default is true. By default the first machine in the cluster becomes master, and if it goes down a new master is elected.

node.data: true
Whether this node stores index data; the default is true.

index.number_of_shards: 5
Default number of shards per index; the default is 5.

index.number_of_replicas: 1
Default number of replicas per index; the default is 1.

path.conf: /path/to/conf
Path of the configuration files; the default is the config folder under the ES root directory.

path.data: /path/to/data
Path where index data is stored; the default is the data folder under the ES root directory. Several paths can be given, separated by commas, for example:
path.data: /path/to/data1,/path/to/data2

path.work: /path/to/work
Path for temporary files; the default is the work folder under the ES root directory.

path.logs: /path/to/logs
Path for log files; the default is the logs folder under the ES root directory.

path.plugins: /path/to/plugins
Path for plugins; the default is the plugins folder under the ES root directory.

bootstrap.mlockall: true
Set to true to lock the process memory. ES becomes much slower once the JVM starts swapping, so make sure it does not swap: set the ES_MIN_MEM and ES_MAX_MEM environment variables to the same value, make sure the machine has enough memory to give to ES, and allow the elasticsearch process to lock memory, which on Linux is done with `ulimit -l unlimited`.

network.bind_host: 192.168.0.1
IP address to bind to, IPv4 or IPv6; the default is 0.0.0.0.

network.publish_host: 192.168.0.1
IP address that other nodes use to talk to this node; if not set it is detected automatically. The value must be a real IP address.

network.host: 192.168.0.1
Sets both bind_host and publish_host above at once.

transport.tcp.port: 9300
TCP port for communication between nodes; the default is 9300.

transport.tcp.compress: true
Whether to compress data sent over the TCP transport; the default is false (no compression).

http.port: 9200
HTTP port for external clients; the default is 9200.

http.max_content_length: 100mb
Maximum request body size; the default is 100mb.

http.enabled: false
Whether to serve external clients over HTTP; the default is true (enabled).

gateway.type: local
Gateway type; the default is local, i.e. the local file system. It can be set to the local file system, a distributed file system, Hadoop HDFS or Amazon S3; the configuration of the other file systems will be covered in detail another time.

gateway.recover_after_nodes: 1
Start data recovery once N nodes in the cluster have started; the default is 1.

gateway.recover_after_time: 5m
Timeout for the initial data recovery process; the default is 5 minutes.

gateway.expected_nodes: 2
Expected number of nodes in the cluster; the default is 2. Once these N nodes have started, data recovery begins immediately.

cluster.routing.allocation.node_initial_primaries_recoveries: 4
Number of concurrent recovery threads during initial data recovery; the default is 4.

cluster.routing.allocation.node_concurrent_recoveries: 2
Number of concurrent recovery threads when nodes are added or removed or the cluster is rebalanced; the default is 4.

indices.recovery.max_size_per_sec: 0
Bandwidth limit during data recovery, for example 100mb; the default is 0, i.e. unlimited.

indices.recovery.concurrent_streams: 5
Maximum number of concurrent streams opened when recovering data from other shards; the default is 5.

discovery.zen.minimum_master_nodes: 1
Ensures that a node knows of N other master-eligible nodes in the cluster; the default is 1. For large clusters a larger value (2-4) can be set.

discovery.zen.ping.timeout: 3s
Timeout for the ping connection when automatically discovering other nodes; the default is 3 seconds. On a poor network a higher value avoids errors during discovery.

discovery.zen.ping.multicast.enabled: false
Whether multicast discovery is enabled; the default is true.

discovery.zen.ping.unicast.hosts: ["host1", "host2:port", "host3[portX-portY]"]
Initial list of master nodes in the cluster; nodes newly joining the cluster are discovered through them.

The following settings control the slow log for searches:
index.search.slowlog.level: TRACE
index.search.slowlog.threshold.query.warn: 10s
index.search.slowlog.threshold.query.info: 5s
index.search.slowlog.threshold.query.debug: 2s
index.search.slowlog.threshold.query.trace: 500ms

index.search.slowlog.threshold.fetch.warn: 1s
index.search.slowlog.threshold.fetch.info: 800ms
index.search.slowlog.threshold.fetch.debug: 500ms
index.search.slowlog.threshold.fetch.trace: 200ms
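As an added example (not part of the original document), the script below parses the flat key: value lines that grep -v '^#' prints and audits the settings discussed above: a non-loopback network.host (the REST port answers without X-Pack security), a discovery.zen.minimum_master_nodes below a majority of the unicast hosts (split-brain risk), and a missing memory lock. The sample yml and the finding names are constructed for illustration; bootstrap.memory_lock is the 5.x+ name of bootstrap.mlockall.

```python
import ipaddress

# Constructed sample in the flat "key: value" form that `grep -v '^#'` prints above.
SAMPLE_YML = """\
network.host: 10.143.40.130
discovery.zen.minimum_master_nodes: 1
discovery.zen.ping.unicast.hosts: ["10.143.40.130", "10.143.40.131", "10.143.40.132"]
"""


def parse_flat_yml(text):
    """Parse flat dotted-key lines of elasticsearch.yml (scalars and [a, b] lists)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            settings[key.strip()] = [v.strip().strip("\"'") for v in value[1:-1].split(",") if v.strip()]
        else:
            settings[key.strip()] = value.strip("\"'")
    return settings


def is_loopback(host):
    """True for localhost, the _local_ special value, or a loopback IP literal."""
    if host in ("localhost", "_local_"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostname, _site_ or _global_: treat as reachable from the network


def audit(settings):
    """Return the names of the risky settings found, in the order they are checked."""
    findings = []
    host = settings.get("network.host") or settings.get("network.bind_host") or "localhost"
    if not is_loopback(host):
        findings.append("exposed-network")  # 9200/9300 answer to anyone without X-Pack security
    masters = settings.get("discovery.zen.ping.unicast.hosts", [])
    masters = [masters] if isinstance(masters, str) else masters
    quorum = len(masters) // 2 + 1
    if len(masters) > 1 and int(settings.get("discovery.zen.minimum_master_nodes", 1)) < quorum:
        findings.append("split-brain")  # fewer masters required than a majority of the list
    lock = settings.get("bootstrap.memory_lock") or settings.get("bootstrap.mlockall")
    if str(lock).lower() != "true":
        findings.append("no-memory-lock")  # the heap may be swapped out under memory pressure
    return findings
```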



Installing Kibana

Go to https://www.elastic.co/downloads/kibana

Find the RPM link:

wget https://artifacts.elastic.co/downloads/kibana/kibana-6.6.1-x86_64.rpm


rpm -ivh kibana-6.6.1-x86_64.rpm

Make sure port 5601 is listening:


netstat -ntlp | grep 5601


Configuring Kibana

vi /etc/kibana/kibana.yml

Update the hostname and port. With the comment lines filtered out:

grep -v '^#' /etc/kibana/kibana.yml

Define the Kibana host and port and the Elasticsearch host URL:

server.port: 5601
server.host: "10.143.40.131"
elasticsearch.hosts: ["http://10.143.40.130:9200"]

Like Elasticsearch, Kibana 6.6 serves its console without any login unless X-Pack security is enabled, so port 5601 should be reachable only from trusted networks.


Run telnet 10.143.40.131 5601 to make sure the port and service are up.

Open http://10.143.40.131:5601 to see the Kibana web console.



Kibana configuration options

https://www.elastic.co/guide/en/kibana/current/settings.html




Add Data to Kibana

Let's try adding nginx log data, following the instructions that Kibana shows.


Go to the Elasticsearch server and install the ingest plugins:

sudo /usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-geoip

sudo /usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-user-agent



Download and install Filebeat:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.6.1-x86_64.rpm

sudo rpm -ivh filebeat-6.6.1-x86_64.rpm



Edit the Filebeat yml file and define the input and output configuration:

vi /etc/filebeat/filebeat.yml

Enable the apache2 module:

sudo filebeat modules enable apache2

Run the initial setup and start Filebeat:

sudo filebeat setup

sudo service filebeat start


Make sure Filebeat is writing its log:

tail -f /var/log/filebeat/filebeat


Check that Elasticsearch has received log data from Filebeat:

http://10.143.40.140:9200/filebeat-*/_count

Check the logs in the Kibana UI.

Create an index pattern.



Discover your data.



Installing Logstash

Go to https://www.elastic.co/downloads/logstash



wget https://artifacts.elastic.co/downloads/logstash/logstash-6.6.1.rpm



rpm -ivh logstash-6.6.1.rpm

Test your Logstash installation:

cd /usr/share/logstash/

bin/logstash -e 'input { stdin { } } output { stdout {} }'

Type something and press Enter; Logstash echoes it back, which shows the service is up and running.


Configuring Logstash

cat /etc/logstash/logstash-sample.conf

input {
    # read log entries from a file
    file {
        path => "/var/log/httpd/access_log"
        # type adds a "type" field with the value "error" to every event
        type => "error"
        # read the file from the beginning
        start_position => "beginning"
        # multiline codec: merges continuation lines into a single event
        codec => multiline {
            # matched with a regular expression; adjust the pattern to your own log format
            pattern => "^\d"
            negate => true
            what => "previous"
        }
    }
}

# Several processing rules can be configured; they are applied in order, so put the general-purpose ones last.
# filter {
#     grok {
#         match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
#     }
# }

output {
    # send events to elasticsearch
    elasticsearch {
        hosts => ["10.143.40.130:9200"]
        # index name, one index per day
        index => "error-%{+YYYY.MM.dd}"
    }
}
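As an added example (not part of the original document or of Logstash itself), the script below reproduces what the sample config's multiline codec (pattern "^\d", negate true, what "previous") and grok filter do, over a constructed access_log excerpt: lines that do not start with a digit are folded into the previous event, and the grok pattern is expanded into named regex groups. The regex equivalents of the grok patterns are simplified approximations, not Logstash's own definitions.

```python
import re

# Constructed access_log excerpt: the stack trace lines do not start with a digit, so the
# multiline codec (pattern ^\d, negate true, what previous) folds them into the event before.
SAMPLE_LINES = [
    "10.143.40.5 GET /index.html 1024 12",
    "10.143.40.6 POST /api/login 512 340",
    "java.lang.IllegalStateException: backend timeout",
    "    at com.example.Handler.run(Handler.java:42)",
    "10.143.40.7 GET /images/logo.png 2048 3",
]

# Simplified regex equivalents of the grok patterns used in the commented-out filter above
GROK_PATTERNS = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "WORD": r"\w+",
    "URIPATHPARAM": r"/\S*",
    "NUMBER": r"-?\d+(?:\.\d+)?",
}
GROK_MATCH = "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}"


def multiline_previous(lines, pattern=r"^\d", negate=True):
    """Logstash multiline codec with what => "previous": a line that matches the pattern
    (match inverted when negate is true) is appended to the previous event."""
    rx = re.compile(pattern)
    events = []
    for line in lines:
        continuation = (rx.search(line) is not None) != negate
        if continuation and events:
            events[-1] += "\n" + line
        else:
            events.append(line)
    return events


def grok_compile(match):
    """Expand %{TYPE:field} tokens into named regex groups, as the grok filter does."""
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}",
                             lambda m: "(?P<%s>%s)" % (m.group(2), GROK_PATTERNS[m.group(1)]),
                             match))


GROK_RX = grok_compile(GROK_MATCH)


def grok(event):
    """Return the extracted fields, or None when the event does not match (a grok failure)."""
    m = GROK_RX.search(event)
    return m.groupdict() if m else None


def pipeline(lines):
    """input (file + multiline codec) -> filter (grok), as the sample config wires them."""
    return [grok(event) for event in multiline_previous(lines)]
```

Logstash bounds a merged event with the codec's max_lines option (default 500); this sketch has no such cap, so a log in which no line starts with a digit would grow one event without limit.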


Run Logstash with a specific conf file:

/usr/share/logstash/bin/logstash -f /etc/logstash/logstash.conf


Logstash configuration options

https://www.elastic.co/guide/en/logstash/current/configuration.html


Reference Links

Elasticsearch

https://www.elastic.co/guide/en/elasticsearch/reference/7.x/rpm.html

Kibana

https://www.elastic.co/guide/en/kibana/current/rpm.html

Logstash

https://www.elastic.co/guide/en/logstash/current/index.html
