一、elasticsearch安装
1、下载elasticsearch
https://www.elastic.co/cn/downloads/past-releases/elasticsearch-7-7-0
2、修改配置文件
/usr/local/elk/elasticsearch-7.7.0/config/elasticsearch.yml
network.host: 192.168.42.103 ----对应本机Ip
node.name: node-1
cluster.initial_master_nodes: ["node-1"]
3、启动
先创建一个elasticsearch用户,用这个用户启动,不能用root
adduser elasticsearch
passwd elasticsearch
chown -R elasticsearch /usr/local/elasticsearch
su elasticsearch
#修改 jvm.options
-Xms512m
-Xmx512m
cd bin
./elasticsearch
报错:
[1]: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65535]
[2]: max number of threads [3805] for user [elasticsearch] is too low, increase to at least [4096]
[3]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
[1]: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65535]
vi /etc/security/limits.conf 添加下面配置,添加后要重启
* soft nofile 65536
* hard nofile 65536
//* 代表所有用户, 可以指定elasticsearch用户,如果指定的是elasticsearch用户,那么验证时,先切到elasticsearch用户再执行下面验证命令
重启系统验证:
[elasticsearch@localhost root]$ ulimit -Hn
65536
[elasticsearch@localhost root]$ ulimit -Sn
65536
[elasticsearch@localhost root]$
[2]: max number of threads [3805] for user [elasticsearch] is too low, increase to at least [4096]
vi /etc/security/limits.conf 添加下面配置, 同上, 也需要重启
* soft nproc 4096
* hard nproc 4096
验证:
[elasticsearch@localhost root]$ ulimit -Hu
4096
[elasticsearch@localhost root]$ ulimit -Su
4096
[3]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
修改/etc/sysctl.conf文件,增加配置vm.max_map_count=262144
vi /etc/sysctl.conf
sysctl -p
4、访问
如果还不能访问,关闭防火墙:systemctl stop firewalld.service
http://192.168.42.103:9200/
二、kibana安装
1、下载
https://www.elastic.co/cn/downloads/past-releases/kibana-7-7-0
2、修改配置文件
vi /usr/local/elk/kibana-7.7.0-linux-x86_64/config/kibana.yml
#server.host: "192.168.42.103"
elasticsearch.hosts: ["http://192.168.42.103:9200"]
3、启动
cd bin
./kibana
提示:
Kibana should not be run as root. Use --allow-root to continue.
kibana也不能用root启动,所以
chown -R elasticsearch kibana-7.7.0-linux-x86_64
su elasticsearch
./kibana
4、访问
http://192.168.42.103:5601
三、logstash安装
1、下载
https://www.elastic.co/cn/downloads/past-releases/logstash-7-7-0
2、创建配置文件
同样用elasticsearch
input {
file {
path => "/usr/local/elasticsearch-7.7.0/logs/elasticsearch.log"
start_position => "beginning"
codec => multiline {
pattern => "^\["
negate => true
what =>"previous"
}
}
}
output{
elasticsearch {
hosts => ["http://192.168.42.109:9200"]
index => "es-log-%{+YYYY.MM.dd}"
}
stdout{}
}
验证语法:
cd bin
./logstash -f ../config/conf/es_log.conf -t
如下,表示成功:
Sending Logstash logs to /usr/local/logstash-7.7.0/logs which is now configured via log4j2.properties
[2020-09-10T00:01:50,868][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2020-09-10T00:01:53,207][INFO ][org.reflections.Reflections] Reflections took 72 ms to scan 1 urls, producing 21 keys and 41 values
Configuration OK
[2020-09-10T00:01:56,051][INFO ][logstash.runner ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash
3、启动
./logstash -f ../config/conf/es_log.conf
4、验证
http://192.168.42.109:9200/_cat/indices?v
可以看到索引已经创建
找开kibana查询:
GET es-log-2020.09.10/_search
{
"query": {
"match_all": {}
}
}
输入到es的日志格式如下:
{
"_index" : "es-log-2020.09.10",
"_type" : "_doc",
"_id" : "-YjUdnQByadAa3SH9Fs7",
"_score" : 1.0,
"_source" : {
"path" : "/usr/local/elasticsearch-7.7.0/logs/elasticsearch.log",
"message" : "[2020-09-10T00:04:56,757][INFO ][o.e.c.m.MetaDataIndexTemplateService] [node-1] adding template [logstash] for index patterns [logstash-*]",
"@version" : "1",
"host" : "localhost.localdomain",
"@timestamp" : "2020-09-10T07:05:00.399Z"
}
}
5、用grok过滤器
上面日志全都写到一个message字段,可以用grok将日志 过滤分析后 拆分成不同段 写到es不同属性中。
分析一下上面elasticsearch中的message字段:
"message" : "[2020-09-10T00:04:56,757][INFO ][o.e.c.m.MetaDataIndexTemplateService] [node-1] adding template [logstash] for index patterns [logstash-*]"
上面的日志格式为:
[时间戳][日志级别][输出信息的类名][节点名]具体的日志信息
可以考虑使用过滤器插件对文本进行分析后再存 入 es。
6、新创建一个es_log_grok.conf
input {
file {
path => "/usr/local/elasticsearch-7.7.0/logs/elasticsearch.log"
start_position => "beginning"
codec => multiline {
pattern => "^\["
negate => true
what =>"previous"
}
}
}
filter{
grok{
match=>{
message=>"\[%{TIMESTAMP_ISO8601:time}\]\[%{LOGLEVEL:level}%{SPACE}\]\[%{NOTSPACE:loggerclass}%{SPACE}\]%{SPACE}\[%{DATA:nodename}\]%{SPACE} %{GREEDYDATA:msg}"
}
}
}
output{
stdout{}
}
启动:
./logstash -f ../config/conf/es_log_grok.conf
可以在命令行看到日志被分割了,如下:
{
"loggerclass" => "o.e.m.j.JvmGcMonitorService",
"@timestamp" => 2020-09-10T08:21:52.935Z,
"path" => "/usr/local/elasticsearch-7.7.0/logs/elasticsearch.log",
"host" => "localhost.localdomain",
"message" => "[2020-09-10T01:09:08,167][INFO ][o.e.m.j.JvmGcMonitorService] [node-1] [gc][8806] overhead, spent [490ms] collecting in the last [1s]",
"level" => "INFO",
"msg" => "[gc][8806] overhead, spent [490ms] collecting in the last [1s]",
"@version" => "1",
"time" => "2020-09-10T01:09:08,167",
"nodename" => "node-1"
}
用来的output 直接输出到elasticsearch是不是行的,需要创建一个elasticsearch的索引mapper模版如下:
{
"template":"es-log-text-%{+YYYY.MM.dd}",
"settings":{
"index.refresh_interval":"1s"
},
"mappings":{
"properties":{
"time":{
"type":"date"
},
"level":{
"type":"keyword"
},
"loggerclass":{
"type":"keyword"
},
"nodename":{
"type":"keyword"
},
"msg":{
"type":"text"
},
"message":{
"type":"text"
}
}
}
}
修改原来的es_log_grok.conf,在output中添加,指定模版名字和位置。
elasticsearch {
hosts => ["http://192.168.42.109:9200"]
index => "es-log-%{+YYYY.MM.dd}"
template_name => "es_template*"
template => "/usr/local/logstash-7.7.0/config/conf"
}
启动,结果如下: 日志格式已经被拆分
{
"@timestamp" => 2020-09-10T08:58:25.392Z,
"nodename" => "node-1",
"msg" => "[gc][11638] overhead, spent [1s] collecting in the last [1.6s]",
"time" => "2020-09-10T01:56:39,876",
"level" => "WARN",
"message" => "[2020-09-10T01:56:39,876][WARN ][o.e.m.j.JvmGcMonitorService] [node-1] [gc][11638] overhead, spent [1s] collecting in the last [1.6s]",
"@version" => "1",
"path" => "/usr/local/elasticsearch-7.7.0/logs/elasticsearch.log",
"loggerclass" => "o.e.m.j.JvmGcMonitorService",
"host" => "localhost.localdomain"
}