elk 学习笔记

最新推荐文章于 2022-03-09 19:43:06 发布

lepton126

最新推荐文章于 2022-03-09 19:43:06 发布

阅读量479

点赞数

分类专栏：分布式系统文章标签： elasticsearch kibana beats logstash

本文链接：https://blog.csdn.net/lepton126/article/details/79753563

版权

分布式系统专栏收录该内容

32 篇文章 0 订阅

订阅专栏

学习笔记，零散，主要是操作过程

elasticsearch logstash kafka kibana

1、73,74,75,75
scp clusteruser@192.168.104.73:/home/clusteruser/opt/jdk-8u151-linux-x64.tar.gz /home/clusteruser/opt
$ pwd
/home/clusteruser/opt
tar -zxvf jdk-8u151-linux-x64.tar.gz
su
Password:
#vi /etc/profile
在末尾加入
##################
TZ='Asia/Shanghai'; export TZ
##################
TZ='Asia/Shanghai'; export TZ
###################################################
export JAVA_HOME=/home/clusteruser/opt/jdk1.8.0_151
export JRE_HOME=${JAVA_HOME}/jre
export CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib
export PATH=$JAVA_HOME/bin:$PATH
###################################################

opt]# . /etc/profile
使配置生效

# exit
2、安装kafka 74号机上运行
[user@node0x74 opt]$ su
Password:
[root@node0x74 opt]# yum install wget
opt]$wget http://mirrors.hust.edu.cn/apache/kafka/1.0.1/kafka_2.12-1.0.1.tgz
opt]$ tar zxvf kafka_2.12-1.0.1.tgz
opt]$ su
Password:
su: Authentication failure
[user@node0x74 opt]$ su
Password:

[root@node0x74 opt]# ln -s /home/clusteruser/opt/kafka_2.12-1.0.1 /usr/local/kafka
# exit

在74号机上安装zookeeper
opt]$ scp clusteruser@192.168.104.35:/home/clusteruser/opt/zookeeper-3.4.9.tar.gz /home/clusteruser/opt
conf]$ cp zoo_sample.cfg

conf]$ vi zoo.cfg
dataDir=/home/clusteruser/opt/zookeeper-3.4.9/data
server.4=clusternode0x74:2888:3888

zookeeper-3.4.9]$ cd data
data]$ echo 4 > /home/clusteruser/opt/zookeeper-3.4.9/data/myid

[user@node0x74 opt]$ ./zookeeper-3.4.9/bin/zkServer.sh start
ZooKeeper JMX enabled by default
Using config: /home/clusteruser/opt/zookeeper-3.4.9/bin/../conf/zoo.cfg
Starting zookeeper ... STARTED
[user@node0x74 opt]$ ./zookeeper-3.4.9/bin/zkServer.sh status
ZooKeeper JMX enabled by default
Using config: /home/clusteruser/opt/zookeeper-3.4.9/bin/../conf/zoo.cfg
Mode: standalone

cd /usr/local/kafka/config
[user@node0x74 config]$ cp server.properties server.properties.bak
[user@node0x74 config]$ vi server.properties

#broker.id=0
broker.id=clusternode0x74
host.name=clusternode0x74

/etc/hosts中有 192.168.104.74 clusternode0x74

[clusteruser@clusternode0x74 bin]$ ./kafka-server-start.sh ../config/server.properties
[2018-03-27 01:26:32,808] FATAL (kafka.Kafka$)
org.apache.kafka.common.config.ConfigException: Invalid value clusternode0x74 for configuration broker.id: Not a number of type INT
at org.apache.kafka.common.config.ConfigDef.parseType(ConfigDef.java:713)
at org.apache.kafka.common.config.ConfigDef.parseValue(ConfigDef.java:460)
at org.apache.kafka.common.config.ConfigDef.parse(ConfigDef.java:453)
at org.apache.kafka.common.config.AbstractConfig.<init>(AbstractConfig.java:62)
at kafka.server.KafkaConfig.<init>(KafkaConfig.scala:897)
at kafka.server.KafkaConfig$.fromProps(KafkaConfig.scala:881)
at kafka.server.KafkaConfig$.fromProps(KafkaConfig.scala:878)
at kafka.server.KafkaServerStartable$.fromProps(KafkaServerStartable.scala:28)
at kafka.Kafka$.main(Kafka.scala:82)
at kafka.Kafka.main(Kafka.scala)
[user@node0x74 bin]$ vi ../config/server.properties
broker.id=74
[user@node0x74 bin]$ ./kafka-server-start.sh ../config/server.properties
有一警告
[2018-03-27 01:29:36,289] WARN No meta.properties file under dir /tmp/kafka-logs/meta.properties (kafka.server.BrokerMetadataCheckpoint)

3、.安装Elasticsearch 在75号机运行
[ruser@node0x75 opt]$ scp clusteruser@clusternode0x71:/home/clusteruser/opt/elasticsearch-1.7.3.tar.gz .
[user@node0x75 opt]$ su
Password:
[root@node0x75 opt]# ln -s /home/clusteruser/opt/elasticsearch-1.7.3 /usr/local/es
[root@node0x75 opt]# exit
exit
[user@node0x75 opt]$ ls /usr/local/es -al
lrwxrwxrwx. 1 root root 41 Mar 27 04:13 /usr/local/es -> /home/clusteruser/opt/elasticsearch-1.7.3
[user@node0x75 opt]$

[user@node0x75 es]$ cd config
[user@node0x75 config]$ ls
elasticsearch.yml logging.yml
[user@node0x75 config]$ cp elasticsearch.yml elasticsearch.yml.bak

[user@node0x75 config]$ vi elasticsearch.yml
#add my code
cluster.name: elasticsearch
node.name: "clusternode0x75"
discovery.zen.minimum_master_nodes: 1
discovery.zen.ping.timeout: 40s
discovery.zen.ping.multicast.enabled: false
network.bind_host: 192.168.104.75
network.publish_host: 192.168.104.75
network.host: 192.168.104.75
discovery.zen.ping.unicast.hosts: ["192.168.104.75","192.168.104.76"]
#end my code"

同理在76号机
#add my code
cluster.name: elasticsearch
node.name: "clusternode0x76"
discovery.zen.minimum_master_nodes: 2
discovery.zen.ping.timeout: 40s
discovery.zen.ping.multicast.enabled: false
network.bind_host: 192.168.104.76
network.publish_host: 192.168.104.76
network.host: 192.168.104.76
discovery.zen.ping.unicast.hosts: ["192.168.104.75","192.168.104.76"]
#end my code

ELK是三个开源软件的缩写，分别表示：Elasticsearch , Logstash, Kibana , 它们都是开源软件。新增了一个FileBeat，它是一个轻量级的日志收集处理工具(Agent)，Filebeat占用资源少，适合于在各个服务器上搜集日志后传输给Logstash，官方也推荐此工具。

Elasticsearch是个开源分布式搜索引擎，提供搜集、分析、存储数据三大功能。它的特点有：分布式，零配置，自动发现，索引自动分片，索引副本机制，restful风格接口，多数据源，自动搜索负载等。

Logstash 主要是用来日志的搜集、分析、过滤日志的工具，支持大量的数据获取方式。一般工作方式为c/s架构，client端安装在需要收集日志的主机上，server端负责将收到的各节点日志进行过滤、修改等操作在一并发往elasticsearch上去。

Kibana 也是一个开源和免费的工具，Kibana可以为 Logstash 和 ElasticSearch 提供的日志分析友好的 Web 界面，可以帮助汇总、分析和搜索重要数据日志。

Filebeat隶属于Beats。目前Beats包含四种工具：

Packetbeat（搜集网络流量数据）
Topbeat（搜集系统、进程和文件系统级别的 CPU 和内存使用情况等数据）
Filebeat（搜集文件数据）
Winlogbeat（搜集 Windows 事件日志数据）
1、安装servicewrapper
我们在服务器环境下可以使用elasticsearch-servicewrapper这个ES插件。下载地址是：https://github.com/elastic/elasticsearch-servicewrapper
下载完成后，将下来的项目的service目录拷贝到elasticsearch的bin目录中，并且设置service目录下的elasticsearch文件的权限：

chmod a+x elasticsearch

从github上下载 elasticsearch-servicewrapper-master.zip
[user@node0x71 opt]$ unzip elasticsearch-servicewrapper-master.zip
Archive: elasticsearch-servicewrapper-master.zip
a27c25768e8ad982165340e1599b5dcb561b76f4

[user@node0x71 elasticsearch-servicewrapper-master]$ cp -r ./service/ /home/clusteruser/opt/elasticsearch-node1/bin
[user@node0x71 bin]$ ls
elasticsearch elasticsearch.in.bat elasticsearch-service-mgr.exe elasticsearch-service-x86.exe plugin.bat service.bat
elasticsearch.bat elasticsearch.in.sh elasticsearch-service-x64.exe plugin service
编辑 /etc/profile,加入elasticsearch的环境变量
##################
TZ='Asia/Shanghai'; export TZ
##################
TZ='Asia/Shanghai'; export TZ
###################################################
export JAVA_HOME=/home/clusteruser/opt/jdk1.8.0_151
export JRE_HOME=${JAVA_HOME}/jre
export CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib
export PATH=$JAVA_HOME/bin:$PATH
###################################################
export MYSQL_HOME="/usr/local/mysql"
export PATH="$PATH:$MYSQL_HOME/bin"
####################################################
export ES_HOME="/home/clusteruser/opt/elasticsearch"
export PATH=$ES_HOME:$PATH
####################################################
分别在71、72、73号机器设置了ES_HOME环境变量
[user@node0x72 bin]$ scp -r clusteruser@clusternode0x71:/home/clusteruser/opt/elasticsearch/bin/service .

2、安装监控管理插件
[user@node0x71 opt]$ ./elasticsearch/bin/plugin -i elasticsearch/marvel/latest/
-> Installing elasticsearch/marvel/latest/...
Trying http://download.elasticsearch.org/elasticsearch/marvel/marvel-latest.zip...
Downloading ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................DONE
Installed elasticsearch/marvel/latest/ into /home/clusteruser/opt/elasticsearch/plugins/marvel
在72，73号机是进行同样的操作
[user@node0x73 bin]$ ./elasticsearch -d
[user@node0x73 bin]$ /home/clusteruser/opt/elasticsearch/bin/plugin -i elasticsearch/marvel/latest/
-> Installing elasticsearch/marvel/latest/...
Trying http://download.elasticsearch.org/elasticsearch/marvel/marvel-latest.zip...
Downloading ............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................DONE
Installed elasticsearch/marvel/latest/ into /home/clusteruser/opt/elasticsearch/plugins/marvel

3、
简单来讲他具体的工作流程就是 logstash agent 监控并过滤日志，将过滤后的日志内容发给redis(这里的redis只处理队列不做存储)，logstash index将日志收集在一起交给
全文搜索服务ElasticSearch 可以用ElasticSearch进行自定义搜索通过Kibana 来结合自定义搜索进行页面展示，

[root@node0x71 opt]# yum install rubygems

[root@node0x71 opt]# /usr/bin/gem install bundler

#############################################################################################################################################################
4、imooc elk
[user@node0x71 opt]$ tar -zxvf elasticsearch-5.6.4.tar.gz
[user@node0x71 opt]$ ./bin/elasticsearch
报错 unable to install syscall filter:
unable to install syscall filter:
java.lang.UnsupportedOperationException: seccomp unavailable: CONFIG_SECCOMP not compiled into kernel, CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER are needed
at org.elasticsearch.bootstrap.SystemCallFilter.linuxImpl(SystemCallFilter.java:342) ~[elasticsearch-5.6.4.jar:5.6.4]
at org.elasticsearch.bootstrap.SystemCallFilter.init(SystemCallFilter.java:617) ~[elasticsearch-5.6.4.jar:5.6.4]
at org.elasticsearch.bootstrap.JNANatives.tryInstallSystemCallFilter(JNANatives.java:258) [elasticsearch-5.6.4.jar:5.6.4]
at org.elasticsearch.bootstrap.Natives.tryInstallSystemCallFilter(Natives.java:113) [elasticsearch-5.6.4.jar:5.6.4]
at org.elasticsearch.bootstrap.Bootstrap.initializeNatives(Bootstrap.java:111) [elasticsearch-5.6.4.jar:5.6.4]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:195) [elasticsearch-5.6.4.jar:5.6.4]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:342) [elasticsearch-5.6.4.jar:5.6.4]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:132) [elasticsearch-5.6.4.jar:5.6.4]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:123) [elasticsearch-5.6.4.jar:5.6.4]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:70) [elasticsearch-5.6.4.jar:5.6.4]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:134) [elasticsearch-5.6.4.jar:5.6.4]
at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-5.6.4.jar:5.6.4]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:91) [elasticsearch-5.6.4.jar:5.6.4]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:84) [elasticsearch-5.6.4.jar:5.6.4]

修改配置安装目录下的

vi ./config/elasticsearch.yml

bootstrap.system_call_filter为false，注意要在Memory下面:

bootstrap.memory_lock: false
bootstrap.system_call_filter: false

cluster.name 集群名称，以此作为是否同一集群的判断条件
node.name 节点名称，以此作为集群中不同节点的区分条件
network.host/http.port 网络地址和端口，用于http 和 transport服务使用
path.data 数据存储地址
path.log 日志存储地址

Development 与 Producion 两种模式 ,判断依据是以transport的地址是否绑定在localhost为判断标准 ,注意localhost 的配置

参数修改的第二种方式
bin/elasticsearch -Ehttp.port=19200

快速在本地启动elasticsearch集群的方式
bin/elasticsearch
bin/elasticsearch -Ehttp.prot=8200 -Epath.data=node2
bin/elasticsearch -Ehttp.port=7200 -Epath.data=node3

没有能够组成集群
下载释放kibana
./bin/kibana
kibana.yml配置说明
server.host/server.port 访问kibana用的地址和端口
elasticsearch.url 待访问 elasticsearch的地址

kibana 主要功能
Discover 数据搜索
Visualize 图表制作
Dashboard 仪表盘
Timelion 时序数据的高级可视化分析
DevTools 开发者工具
Management 配置

Elasticsearch常用术语
Document 文档数据
Index 索引
Type 索引中的数据类型
Field 字段，文档属性
Query DSL 查询语法

Elasticsearch CRUD操作
Create 创建文档
Read 读取文档
Update 更新文档
Delete 删除文档

Kibana DevTools
#################################################################

Linux 默认打开文件数linux 默认打开文件数为1024个，通过ulimit -a 可以查看open files,修改这个限制可以使用ulimt -SHn 65536,永久生效需要进行下面设置：

1. /etc/pam.d/login 添加pam_limits.so (有时候系统默认添加),首先要通过find / -name pam_limits.so 查找文件的具体的位置

session required /lib/security/pam_limits.so

2. /etc/security/limits.conf 添加

www - nofile 1006154

www 是一个用户，如果是想所有用户生效的话换成 * ，设置的数值与硬件配置有关，别设置太大了。

* soft nofile 65536

* hard nofile 65536

3. 修改 /etc/rc.local 添加

echo 8061540 > /proc/sys/fs/file-max

##################################################################
https://www.cnblogs.com/woxpp/p/6061073.html
ERROR: [3] bootstrap checks failed
[1]: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536] /etc/security/limits.conf
[2]: max number of threads [1024] for user [clusteruser] is too low, increase to at least [2048] /etc/security/limits.d/90-nproc.conf
[3]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144] /etc/sysctl.conf

vi /etc/security/limits.conf

添加如下内容:
* soft nofile 65536
* hard nofile 131072
* soft nproc 2048
* hard nproc 4096

bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks

在为ElasticSearch指定服务提供地址后，启动ES，提示如下错误：

bound or publishing to a non-loopback or non-link-local address
……
java.lang.RuntimeException: bootstrap checks failed

解决办法，修改文件的打开上限与用户进程的上限

# 注意，一定要切换root/sudo用户，否则没有执行权限
# 修改最大文件数，也可以更大，如999999
ulimit -n 65536
# 修改最大进程数，非必要条件
ulimit -u 65536

再次启动ES，通过了bootstrap检查，一切正常。
唯一需要注意的是，现在利用localhost、127.0.0.1则无法访问到ES的查询服务。

ERROR: [2] bootstrap checks failed
[1]: max number of threads [1024] for user [clusteruser] is too low, increase to at least [2048]
[2]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
[root@clusternode0x71 config]# vi /etc/sysctl.conf
#sysctl -w vm.max_map_count=262144

或者修改 /etc/sysctl.conf 文件，添加 “vm.max_map_count”设置

ERROR: [1] bootstrap checks failed
[1]: max number of threads [1024] for user [clusteruser] is too low, increase to at least [2048]
# vi /etc/security/limits.d/90-nproc.conf
更改为2048

kibana.yml

#add my config
server.host: "192.168.104.71"
server.name: "clusternode0x71"
elasticsearch.url: "http://192.168.104.71:9200"
#end my cofig

Elasticsearch Query 两种方法
Query String
Query DSL
########################################################################################################
Beats Lightweight Data Shipper
Filebeat 日志文件
Metricbeat 度量数据
Packetbeat 网络数据
Winlogbeat Windows数据
Heartbeat 健康检查
Filebeat
处理流程 Input->Filter->Output
分别有 Prospector 和 Harvester 两个角色 , 根据配置文件，在目录下一个log记录文件启动一个Harvest
输出对象可以是 Elasticsearch Logstash Kafaka Redis

Filebeat 配置文件，也使用 yaml 语法
filebeat.prospectors:
-input_type:log
paths:
-/var/log/apache/httpd-*.log
-input_type:log
paths:
-/var/log/messages
-/var/log/*.log
input_type 有两个类型 log stdin

Filebeat Output 所支持的输出对象
Console
Elasticsearch
Logstash
Kafka
Redis
File
配置举例
output.elasticsearch:
hosts: ["http://localhost:9200"]
username: "admin"
password: "passwd"
output.console:
pretty: true
Filebeat 可以对输入内容进行简单的处理
Input 时处理
Include_lines
exclude_lines
exclude_files
Output前处理 -- Processor
drop_event
drop_fields
Decode_json_fields
Include_fields

配置举例
processors:
-drop_event:
when:
regexp:
messages:"^DBG:"
processors:
-decode_json_fields:
fields: ["inner"]
{"outer":"value","inner":\"data\":\"value\"} 处理后得到一个正常的json {"outer":"value","inner":"data":"value"}

Filebear+Elasticsearch Ingest Node
由于Filebeat缺乏数据转换的能力，所以在Elasticsearch5.x 增加了一个数据类型
Elasticsearch Ingest Node
新增的node类型
在数据写入前对数据进行处理转换
使用 pipeline api

Filebeat Module
数据在输入Elasticsearch前要对输入端和输出端进行配置，FilebeatModule 就是对常见的需求的配置进行封装，达到开箱即用
nginx
apache
mysql
封装内容
filebeat.yml 配置
ingest node pipeline 配置
Kibana dashboard 配置
比如要对nginx的日志进行处理，只要指定下nginx日志的路径就可以了，是实际操作的有力参考
下面是从stdin输入，从console输出的nginx 日志 filebeat 配置内容
-input_type: stdin
output.console:
pretty: true

命令运行方式如下：
head -n 2 ~/nginx_logs/nginx.log|./filebeat -e -c nginx.yml
#############################################################################################
Packetbeat
实时抓取网络包
自动解析应用层协议
ICMP(V4 AND V6)
DNS
HTTP
MYSQL
REDIS
Wireshark

Packetbeat 解析 http 协议
解析 elasticsearch http 请求
packetbeat.interfaces.device:lo0 指定网卡
packetbeat.protocol.http: ports: [9200] 抓取http协议的数据，指定是使用9200端口的数据
send_request: true 指定要抓取body，缺省是false
include_body_for:["application/json","x-www-form-urlencoded"] 指定两种格式的数据要记录下来
output.console:
pretty:true 输出到标准控制台

[user@node0x71 packetbeat-5.6.6-linux-x86_64]$ cat es1.yml
packetbeat.interfaces.device: eth0
packetbeat.protocols.http:
ports: [9200]
send_request: true
include_body_for: ["application/json","x-www-form-urlencoded"]
output.console:
pretty: true
命令运行格式
sudo ./patcketbeat -e -c es.yml -strict.perms=false
抓取数据需要root权限，strict.perms 是否检查配置文件的权限,设定false是不用检查

########################################################################################################

Logstash
Data Shipper 很显然，它不是轻量级，比beats占用更多的资源，功能也更强大
ETL
Extract
Ttansform
Load
官方的定义:Logstash is an open source,server-side data processing pipeline that ingests data from a multitude of sources simultaneously,transforms it,and then sends it to your favorite “stash”
Input->Filter->Output
Input
file
redis
beats
kafka
Filter
grok
mutate
drop
date
Output
stdout
elasticsearch
redis
kafka
Logstash 的配置
input{file{path => "/tmp/abc.log"}}
output{stdout{codec => rubydebug}}
Filter的配置
Grok 基于正则表达式提供了丰富可重用的模式(pattern) 基于此可以将非结构化数据作结构化处理
Date 将字符串类型的时间字段转换为时间戳类型，方便后续数据处理
Mutate 增、删、改、替换等字段的相关处理
Grok 举例
比如一条web记录
55.3.244.1 GET /index.html 15824 0.0.43
%{IP:client}%{WORD:method}%{URIPATHPARAM:request}%{NUMBER:bytes}%{NUMBER:duration}
{
"client" : "55.3.244.1",
"method" : "GET",
"request" : "/index.html",
"bytes" : 15824,
"duration" : 0.043
}
下面是针对nginx的日志记录配置的logstash配置文件
[user@node0x71 logstash-5.6.8]$ vim nginx_logstash.conf
input {
stdin { }
}
filter {
grok {
match => {
"message" => '%{IPORHOST:remote_ip} - %{DATA:user_name} \[%HTTPDATE:time\] "%{WORD:request_action}
%{DATA:request} HTTP/%{NUMBER:http_version}" %{NUMBER:response} %{NUMBER:bytes} "%{DATA:referrer}" "%{DA
TA:anent}" '
}
}
date {
match => [ "time","dd/MMM/YYYY:HH:mm:ss Z" ]
locale => en
}
geoip {
source => "remote_ip"
target => "geoip"
}
useragent {
source => "agent"
target => "user_agent"
}
}
output {
stdout {
codec => rubydebug
}
}

命令运行方式
head -2 ~/nginx_logs/nginx.log|bin/logstash -f nginx_logstash.conf
##################################################################################################
实战
收集Elasticsearch 集群的查询语句
分析查询语句的常用语句、响应时长等
预案
应用 Packetbeat+Logstash 完成数据收集工作
使用 Kibana+ElasticSearch 完成数据分析工作
实施
Production Cluster
Elasticsearch http://192.168.104.71:9200
Kibana http://192.168.104.71:5601
Monitoring Cluster
Elasticsearch http://192.168.104.71:8200
bin/elasticsearch -Ecluster.name=sniff_search -Ehttp.port=8200 -Epath.data=sniff
Kibana http://192.168.104.71:8601
bin/kibana -e http://192.168.104.71:8200 -p 8601
Production 与 Monitoring 不能是一个集群，否则会进入抓包死循环

logstash 方案，其配置文件内容如下：
input{ beats{ port => 5044 }}
filter {
if "search" in [request]{
grok { match => {"request" => ".*\n\{(?<query_body>.*)"}}
grok { match => {"path" => "\/(?<index>.*)\/_search"}}
if [index] {} else { mutate { add_field => { "index" => "All"}}}
mutate {update => {"query_body" => "{%{query_body}"}}}
}
output{
if "search" in [request]{
elasticsearch{ hosts => "127.0.0.1:8200"}
}
}

packetbeat 方案，其配置文件如下：
packetbear.interfaces.device: eth0
packetbeat.protocols.http: ports:[9200]
send_request:true
include_body_for:["application/json","x-www-form-urlencoded"]
output.logstash:hosts:["192.168.104.71:5044"]

实战 Elasticsearch

在72号机上执行 5.6.4/下的elasticsearch
[1]: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536]
[2]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]

[root@node0x72 bin]# ulimit -n 65536
[root@node0x72 bin]# ulimit -u 65536
退出root,退出clusteruser,重新连接
再次运行 5.6.4/bin/elasticsearch
[1]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144] 报错
[root@node0x72 clusteruser]# sysctl -w vm.max_map_count=262144

查阅和搜索官方文档 https://www.elastic.co/learn
正确地提问 https://elasticsearch.cn/
关注Elastic日报 https://elasticsearch.cn/explore/category-18