【ELK】
Why use ELK to monitor logs?
- Troubleshooting means locating the problem from the logs
- Servers, projects and log types keep growing, and log files are scattered across different locations on different servers, which makes them hard to find
- Charts combined with text let people grasp the analysed data more intuitively
What is ELK?
Elasticsearch: a distributed database used to search, analyse and store data
Logstash: a server-side data processing pipeline that collects and transforms data from multiple sources at the same time and then stores it in the database
Kibana: data visualisation
Beats: a lightweight data-shipping platform that collects data on edge machines and sends it to Logstash or Elasticsearch
Filebeat: a lightweight log shipper
Elasticsearch
Understanding the basic ES concepts by analogy with a relational database
Relational database (e.g. MySQL) | Elasticsearch |
---|---|
Database | Index (a collection of documents) |
Table | Type (defines a type; groups documents logically) |
Row (record) | Document (a number of documents make up an Index) |
Column (field) | Field (the smallest unit ES stores) |
Besides these there are:
Shards: an Index is split into shards
Replicas: one or more copies of an Index (the distributed property)
Environment:
Node-Name | IP |
---|---|
ES1 | 192.168.100.21 |
ES2 | 192.168.100.22 |
ES3 | 192.168.100.23 |
Turn off the firewall and SELinux, and synchronise the clocks with NTP
Install JDK 1.8.0
yum -y install java-1.8.0-openjdk
Download and install the public signing key:
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Add the ES repo file
vim /etc/yum.repos.d/elasticsearch.repo
[elasticsearch]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=0
autorefresh=1
type=rpm-md
Install with yum (note that all ELK components must use the same version)
yum install --enablerepo=elasticsearch elasticsearch
Modify the configuration file on the first ES node
# Only the parts that need to be changed are listed
[root@vms21 src]$ vim /etc/elasticsearch/elasticsearch.yml
cluster.name: elk-cluster # cluster name
node.name: ES1 # node name; it must match the entries in cluster.initial_master_nodes below
path.data: /var/lib/elasticsearch # the path can be customised
path.logs: /var/log/elasticsearch
network.host: 192.168.100.21 # IP of the current node; make sure the cluster nodes can reach each other
http.port: 9200 # port for data operations
# Let ES know which nodes are in the cluster so that they discover each other automatically and form the cluster
discovery.seed_hosts: ["192.168.100.21", "192.168.100.22", "192.168.100.23"]
cluster.initial_master_nodes: ["ES1", "ES2"] # the initial master-eligible nodes of the cluster
:wq
Copy the configured yml file to the other two nodes with scp,
then change node.name to that node's own name (ES2 / ES3)
and network.host to that node's IP
[root@vms21 src]$ scp /etc/elasticsearch/elasticsearch.yml vms22:/etc/elasticsearch
[root@vms21 src]$ scp /etc/elasticsearch/elasticsearch.yml vms23:/etc/elasticsearch
ES refuses to run as root; the systemd unit runs the service as the elasticsearch user by default,
so the owner of a few directories has to be changed to elasticsearch
chown -R elasticsearch:elasticsearch /var/lib/elasticsearch/ # ES data directory
chown -R elasticsearch:elasticsearch /var/log/elasticsearch/ # ES log directory
chown -R elasticsearch:elasticsearch /etc/elasticsearch/
Once the configuration is done, restart the service on all three nodes
systemctl restart elasticsearch; systemctl enable elasticsearch
Check whether the cluster nodes have joined successfully
[root@vms21 src]$ curl -X GET "192.168.100.21:9200/_cat/nodes?v"
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
192.168.100.23 21 78 2 0.65 0.25 0.19 dilmrt - ES3
192.168.100.22 37 95 0 0.00 0.06 0.11 dilmrt - ES2
192.168.100.21 19 78 1 0.02 0.09 0.14 dilmrt * ES1
Get the cluster health with the following command (green means healthy)
[root@vms21 src]$ curl -X GET "192.168.100.21:9200/_cat/health?v"
epoch timestamp cluster status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1604749111 11:38:31 elk-cluster green 3 3 0 0 0 0 0 0 - 100.0%
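The two cat API outputs above are what you would check by eye after the restart. As an added example (not part of the original post), the Python below parses that same `?v` tabular output and turns the check into something a cron job or a deployment script can run: every expected node has joined, exactly one master is elected, and the status is green. The sample outputs are the ones shown above; the expected node list is passed in by the caller.

```python
# Added example, not from the original post: turn `_cat/nodes?v` and
# `_cat/health?v` text into a pass/fail cluster check.
from typing import Dict, List, Optional

# Sample outputs, copied from the command outputs shown in this tutorial.
NODES_OUTPUT = """\
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
192.168.100.23 21 78 2 0.65 0.25 0.19 dilmrt - ES3
192.168.100.22 37 95 0 0.00 0.06 0.11 dilmrt - ES2
192.168.100.21 19 78 1 0.02 0.09 0.14 dilmrt * ES1
"""

HEALTH_OUTPUT = """\
epoch timestamp cluster status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1604749111 11:38:31 elk-cluster green 3 3 0 0 0 0 0 0 - 100.0%
"""


def parse_cat(text: str) -> List[Dict[str, str]]:
    """Parse the whitespace-separated table of a cat API call made with ?v
    (header line first) into one dict per row, keyed by the header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty cat output")
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        cols = ln.split()
        if len(cols) != len(header):
            raise ValueError(f"column count mismatch in line: {ln!r}")
        rows.append(dict(zip(header, cols)))
    return rows


def check_cluster(nodes_text: str, health_text: str,
                  expected_nodes: List[str]) -> Dict[str, object]:
    """Combine both outputs into a verdict: which nodes joined, who is
    master, and a list of problems (empty when everything is as expected)."""
    nodes = parse_cat(nodes_text)
    health = parse_cat(health_text)[0]          # one row per cluster
    masters = [n["name"] for n in nodes if n["master"] == "*"]
    joined = sorted(n["name"] for n in nodes)
    problems: List[str] = []
    if health["status"] != "green":
        problems.append(f"cluster status is {health['status']}")
    if len(masters) != 1:
        # zero masters: no quorum yet; more than one: a split cluster
        problems.append(f"expected exactly one elected master, saw {masters}")
    missing = sorted(set(expected_nodes) - set(joined))
    if missing:
        problems.append(f"nodes not in the cluster: {missing}")
    if int(health["node.total"]) != len(expected_nodes):
        problems.append(f"node.total is {health['node.total']}, "
                        f"expected {len(expected_nodes)}")
    master: Optional[str] = masters[0] if len(masters) == 1 else None
    return {
        "cluster": health["cluster"],
        "status": health["status"],
        "master": master,
        "nodes": joined,
        "problems": problems,
        "healthy": not problems,
    }


if __name__ == "__main__":
    verdict = check_cluster(NODES_OUTPUT, HEALTH_OUTPUT, ["ES1", "ES2", "ES3"])
    print("healthy" if verdict["healthy"] else "PROBLEMS: " + "; ".join(verdict["problems"]))
```

In a script you would feed `check_cluster` the bodies returned by the two curl commands above; keeping the parser separate from the verdict makes it easy to extend the same checks to `_cat/indices?v` later.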
Note!
When installing from the tar.gz package, the system configuration files must be modified before ES will start
The following shows the error when starting as the elk user and how to change the configuration file
[root@vms66 elasticsearch-7.10.0]$ sudo -u elk bin/elasticsearch
...
[1]: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65535]
...
# Edit /etc/security/limits.conf
vim /etc/security/limits.conf
* soft nofile 65536
* hard nofile 131072
* soft nproc 2048
* hard nproc 4096
ES create, delete, update and query
RESTful API format:
curl -X<verb> '<protocol>://<host>:<port>/<path>?<query_string>' -d 'body'
Parameter | Description |
---|---|
verb | HTTP method, e.g. GET, POST, PUT, HEAD, DELETE |
host | hostname of any node in the ES cluster |
port | ES HTTP service port, 9200 |
path | index path |
query_string | optional query parameters, e.g. ?pretty pretty-prints the returned JSON |
-d | carries the JSON request body (used with GET as well) |
body | the JSON request body you write yourself |
Create an index
[root@vms21 ~]$ curl -X PUT "192.168.100.21:9200/gjk?pretty"
{
"acknowledged" : true,
"shards_acknowledged" : true,
"index" : "gjk"
}
List all indices
[root@vms21 ~]$ curl -X GET "192.168.100.21:9200/_cat/indices?v"
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open gjk Z9cT8a2aTP6yCbP8hhdl2g 1 1 0 0 416b 208b
Delete an index
[root@vms21 ~]$ curl -X DELETE "192.168.100.21:9200/gjk"
{
"acknowledged":true
}
Add a simple document to an index
[root@vms21 ~]$ curl -X PUT "192.168.100.21:9200/customer/doc/1?pretty" -H 'Content-Type: application/json' -d '{"name": "GJK"}'
{
"_index" : "customer",
"_type" : "doc",
"_id" : "1",
"_version" : 1,
"result" : "created",
"_shards" : {
"total" : 2,
"successful" : 2,
"failed" : 0
},
"_seq_no" : 0,
"_primary_term" : 1
}
Update a document (a PUT request amounts to deleting the original document and creating a new one; a POST request is recommended as the gentler option)
[root@vms21 ~]$ curl -X POST "192.168.100.21:9200/gjk/doc/222/?pretty" -H 'Content-Type:application/json' -d '{"name":"hello"}'
{
"_index" : "gjk",
"_type" : "doc",
"_id" : "222",
"_version" : 4,
"result" : "updated", # note that the result shown here is updated
"_shards" : {
"total" : 2,
"successful" : 2,
"failed" : 0
},
"_seq_no" : 5,
"_primary_term" : 1
}
Fields can also be added with a POST request
[root@vms21 ~]$ curl -X POST "192.168.100.21:9200/gjk/doc/222/?pretty" -H 'Content-Type:application/json' -d '{"name":"guoguoguo","age":"21","sex":"male"}'
[root@vms21 ~]$ curl -X GET "192.168.100.21:9200/gjk/doc/222?pretty"
{
"_index" : "gjk",
"_type" : "doc",
"_id" : "222",
"_version" : 5,
"_seq_no" : 6,
"_primary_term" : 1,
"found" : true,
"_source" : {
"name" : "guoguoguo",
"age" : "21",
"sex" : "male"
}
}
View a document
[root@vms21 ~]$ curl -X GET "192.168.100.21:9200/gjk/doc/111?pretty"
{
"_index" : "gjk",
"_type" : "doc",
"_id" : "111",
"_version" : 1,
"_seq_no" : 0,
"_primary_term" : 1,
"found" : true,
"_source" : {
"name" : "GuoJinkun"
}
}
To delete a document, delete the corresponding id
[root@vms21 ~]$ curl -X DELETE "192.168.100.21:9200/gjk/doc/222?pretty"
{
"_index" : "gjk",
"_type" : "doc",
"_id" : "222",
"_version" : 6,
"result" : "deleted",
"_shards" : {
"total" : 2,
"successful" : 2,
"failed" : 0
},
"_seq_no" : 7,
"_primary_term" : 1
}
Common ES queries
First import the sample bank account data from the official site
Each document has the following schema:
{
"account_number": 0,
"balance": 16623,
"firstname": "Bradshaw",
"lastname": "Mckenzie",
"age": 29,
"gender": "F",
"address": "244 Columbus Place",
"employer": "Euron",
"email": "bradshawmckenzie@euron.com",
"city": "Hobucken",
"state": "CO"
}
Download the sample data
wget https://raw.githubusercontent.com/elastic/elasticsearch/master/docs/src/test/resources/accounts.json
Import the sample data into the cluster
[root@vms21 ~]$ curl -H "Content-Type: application/json" -XPOST 'localhost:9200/bank/account/_bulk?pretty&refresh' --data-binary "@accounts.json"
[root@vms21 ~]$ curl -X GET "192.168.100.21:9200/_cat/indices?pretty"
green open bank pbOichwpT8O4CuXq9f2v3A 1 1 1000 0 802.6kb 401.2kb
_search queries
Search the data in the bank index
?q=*&sort=account_number:asc means fetch all documents sorted in ascending order
The two commands below express the same query (the second one additionally pages the results with from and size); the second form, passing the query as JSON, is the one used more often
[root@vms21 ~]$ curl -X GET "192.168.100.21:9200/bank/_search?q=*&sort=account_number:asc&pretty"
[root@vms21 ~]$ curl -X GET "192.168.100.21:9200/bank/_search?pretty" -H 'Content-Type: application/json' -d'
{
"query": { "match_all": {} },
"sort": [
{ "account_number": "asc" }
],
"from": 1,
"size": 3
}
'
In the body, match_all matches every document; from is the starting offset (default 0) and size the number of hits to return (default 10 when unspecified), so this returns 3 documents starting from the 2nd. JSON does not allow comments, so explanations must stay outside the body or curl will get a parse error back.
match queries
match searches the given field for the given value,
so the command below only returns accounts whose address contains "mill" or "lane"
[root@vms21 ~]$ curl -X GET -u undefined:$ESPASS "192.168.100.21:9200/bank/_search?pretty" -H 'Content-Type: application/json' -d'
{
"query": { "match": { "address": "mill lane" } }
}
'
bool queries
Several different keywords express "and", "or" and "not"
The following fetches, from the account data, all accounts whose address contains "mill" or "lane", whose age is 40, and who do not live in ID
[root@vms21 ~]$ curl -X GET "192.168.100.21:9200/bank/_search?pretty" -H 'Content-Type: application/json' -d'
{
"query": {
"bool": {
"should": [
{ "match": { "address": "mill" } },
{ "match": { "address": "lane" } }
],
"must": [
{ "match": { "age": "40" } }
],
"must_not": [
{ "match": { "state": "ID" } }
]
}
}
}
'
should is "or", must is "and", must_not is "not".
range queries
Find accounts with a balance greater than or equal to 20000 and less than or equal to 30000
[root@vms21 ~]$ curl -X GET "192.168.100.21:9200/bank/_search?pretty" -H 'Content-Type: application/json' -d'
{
"query": {
"bool": {
"must": { "match_all": {} },
"filter": {
"range": {
"balance": {
"gte": 20000,
"lte": 30000
}
}
}
}
}
}
'
range restricts the balance field: gte means greater than or equal to 20000, lte means less than or equal to 30000.
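The bool and range queries above are easiest to get right when the body is generated rather than typed (no stray commas, no comments inside JSON). The Python below is an added example, not part of the original post: it builds the same query bodies as dicts, serialises them for `curl -d`, and runs them through a small in-memory evaluator that follows the way Elasticsearch combines bool clauses. It exists to show one rule that the "should = or" summary hides: once a bool query contains a must or filter clause, its should clauses become optional (Elasticsearch's `minimum_should_match` then defaults to 0), so the query above also returns 40-year-olds whose address contains neither "mill" nor "lane" unless `minimum_should_match` is set. The account documents are constructed for this example and are not taken from accounts.json; the match evaluation (lowercased whitespace tokens, any token matching) is an approximation of the standard analyzer.

```python
# Added example, not from the original post: query bodies as dicts plus a
# toy evaluator that mimics Elasticsearch's bool/match/range semantics.
import json
from typing import Any, Dict, List, Optional

# Constructed sample accounts with the same fields as the bank documents.
ACCOUNTS: List[Dict[str, Any]] = [
    {"account_number": 1, "balance": 25000, "age": 40, "state": "ID", "address": "880 Mill Street"},
    {"account_number": 2, "balance": 18000, "age": 40, "state": "TX", "address": "12 Lane Avenue"},
    {"account_number": 3, "balance": 29500, "age": 40, "state": "NY", "address": "5 Holmes Court"},
    {"account_number": 4, "balance": 21000, "age": 32, "state": "CO", "address": "9 Mill Lane"},
]

# The bool query from the page (should is optional here because must is present).
AGE40_NOT_ID: Dict[str, Any] = {"bool": {
    "should": [{"match": {"address": "mill"}}, {"match": {"address": "lane"}}],
    "must": [{"match": {"age": "40"}}],
    "must_not": [{"match": {"state": "ID"}}],
}}
# Same query with the "or" made mandatory: at least one should clause must match.
AGE40_NOT_ID_STRICT: Dict[str, Any] = {"bool": {**AGE40_NOT_ID["bool"], "minimum_should_match": 1}}
# The range query from the page.
BALANCE_20K_30K: Dict[str, Any] = {"bool": {
    "must": {"match_all": {}},
    "filter": {"range": {"balance": {"gte": 20000, "lte": 30000}}},
}}


def search_body(query: Dict[str, Any], extra: Optional[Dict[str, Any]] = None) -> str:
    """Serialise a query (plus optional sort/from/size keys) into the JSON that curl -d sends."""
    body: Dict[str, Any] = {"query": query}
    body.update(extra or {})
    return json.dumps(body, indent=2)


def _match(doc: Dict[str, Any], field: str, text: str) -> bool:
    """Approximate the standard analyzer: lowercase tokens, OR between query tokens."""
    doc_tokens = set(str(doc.get(field, "")).lower().split())
    return any(tok in doc_tokens for tok in text.lower().split())


def _range(doc: Dict[str, Any], field: str, bounds: Dict[str, Any]) -> bool:
    value = doc.get(field)
    if value is None:
        return False
    ops = {"gte": lambda a, b: a >= b, "lte": lambda a, b: a <= b,
           "gt": lambda a, b: a > b, "lt": lambda a, b: a < b}
    return all(ops[op](value, limit) for op, limit in bounds.items())


def _as_list(clause: Any) -> List[Dict[str, Any]]:
    # ES accepts a single clause object or a list of them in every bool slot.
    return clause if isinstance(clause, list) else [clause]


def evaluate(query: Dict[str, Any], doc: Dict[str, Any]) -> bool:
    (kind, body), = query.items()
    if kind == "match_all":
        return True
    if kind == "match":
        (field, text), = body.items()
        return _match(doc, field, str(text))
    if kind == "range":
        (field, bounds), = body.items()
        return _range(doc, field, bounds)
    if kind == "bool":
        must = _as_list(body.get("must", []))
        flt = _as_list(body.get("filter", []))
        must_not = _as_list(body.get("must_not", []))
        should = _as_list(body.get("should", []))
        if not all(evaluate(q, doc) for q in must + flt):
            return False
        if any(evaluate(q, doc) for q in must_not):
            return False
        # ES rule: minimum_should_match defaults to 1 only when there is no must/filter clause.
        default_msm = 1 if should and not (must or flt) else 0
        msm = int(body.get("minimum_should_match", default_msm))  # integer form only
        return sum(evaluate(q, doc) for q in should) >= msm
    raise ValueError(f"unsupported query type: {kind}")


def search(query: Dict[str, Any], docs: List[Dict[str, Any]]) -> List[int]:
    """Return the account_numbers of the documents the query matches, in input order."""
    return [d["account_number"] for d in docs if evaluate(query, d)]


if __name__ == "__main__":
    print(search_body(AGE40_NOT_ID, {"sort": [{"account_number": "asc"}], "from": 0, "size": 10}))
    print("as written:", search(AGE40_NOT_ID, ACCOUNTS))            # account 3 slips in
    print("minimum_should_match 1:", search(AGE40_NOT_ID_STRICT, ACCOUNTS))
    print("balance 20000-30000:", search(BALANCE_20K_30K, ACCOUNTS))
```

Against a real cluster, `search_body(...)` is exactly the string to put after `-d` in the curl commands above; the toy evaluator only exists to make the `minimum_should_match` difference visible without a running Elasticsearch.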
Using the head plugin makes ES queries easier
Download and install the latest node
[root@vms21 ~]$ wget -P /usr/local/ https://npm.taobao.org/mirrors/node/latest-v15.x/node-v15.1.0-linux-x64.tar.gz
[root@vms21 ~]$ tar -xzvf /usr/local/node-v15.1.0-linux-x64.tar.gz -C /usr/local/
[root@vms21 ~]$ vim /etc/profile
NODE_HOME=/usr/local/node-v15.1.0-linux-x64
PATH=$NODE_HOME/bin:$PATH
export NODE_HOME PATH
:wq
[root@vms21 ~]$ source /etc/profile
[root@vms21 ~]$ git clone https://github.com/mobz/elasticsearch-head.git
[root@vms21 ~]$ cd elasticsearch-head
[root@vms21 elasticsearch-head]$ npm install
Tweak the head tool's configuration file
[root@vms21 elasticsearch-head]$ vim Gruntfile.js
# search for /9100 to jump to the right place and add the following to that options block
hostname: '*' # listen on all IPs
# Configure CORS
[root@vms21 elasticsearch-head]$ vim /etc/elasticsearch/elasticsearch.yml
http.cors.enabled: true
http.cors.allow-origin: "*"
[root@vms21 elasticsearch-head]$ systemctl restart elasticsearch
[root@vms21 elasticsearch-head]$ npm run start # start the service
Browse to ip:9100 to work with ES through es-head
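With the settings used in this tutorial the cluster listens on a LAN address, accepts requests from any browser origin, and (Elasticsearch 7.x default when `xpack.security.enabled` is not set) asks for no authentication, which is convenient for a lab and worth catching before the same yml reaches anything else. As an added example, not part of the original post, the Python below reads the flat `key: value` lines used above (no PyYAML needed) and flags those two conditions; a second yml shows the same settings with the head UI origin pinned and security switched on (on a multi-node 7.x cluster, enabling security also requires `xpack.security.transport.ssl.enabled: true`, and that in turn needs certificates that are outside the scope of this page). Both yml texts are constructed from the settings shown on this page.

```python
# Added example, not from the original post: audit the elasticsearch.yml
# settings from this tutorial for an exposed, unauthenticated, any-origin API.
from typing import Dict, List

# Constructed from the settings shown on this page.
SAMPLE_YML = """\
cluster.name: elk-cluster
node.name: ES1
network.host: 192.168.100.21 # IP of the current node
http.port: 9200
discovery.seed_hosts: ["192.168.100.21", "192.168.100.22", "192.168.100.23"]
cluster.initial_master_nodes: ["ES1", "ES2"]
http.cors.enabled: true
http.cors.allow-origin: "*"
"""

# Same node with the head origin pinned and security enabled.
HARDENED_YML = """\
cluster.name: elk-cluster
node.name: ES1
network.host: 192.168.100.21
http.port: 9200
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
http.cors.enabled: true
http.cors.allow-origin: "http://192.168.100.21:9100"
"""

# Values of network.host that keep the HTTP API on the local machine only.
LOOPBACK = {"_local_", "127.0.0.1", "localhost", "::1"}


def parse_flat_yml(text: str) -> Dict[str, str]:
    """Read the flat `key: value` lines used in this tutorial.
    Trailing `# comments` are dropped; quotes around values are removed.
    Nested YAML blocks and '#' inside quoted values are not handled."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(settings: Dict[str, str]) -> List[str]:
    """Return one finding per risky combination; an empty list means none found."""
    findings: List[str] = []
    host = settings.get("network.host", "_local_")  # ES default binds loopback only
    port = settings.get("http.port", "9200")
    security_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    cors_on = settings.get("http.cors.enabled", "false").lower() == "true"
    origin = settings.get("http.cors.allow-origin", "")
    if host not in LOOPBACK and not security_on:
        findings.append(f"REST API on {host}:{port} is reachable from the network "
                        "with no authentication (xpack.security.enabled is not true)")
    if cors_on and origin in ("*", "/.*/"):
        findings.append("http.cors.allow-origin permits any origin: a page from any site "
                        "opened in a browser on this network can call the API")
    return findings


if __name__ == "__main__":
    for name, yml in (("tutorial", SAMPLE_YML), ("hardened", HARDENED_YML)):
        result = audit(parse_flat_yml(yml))
        print(name + ":", "no findings" if not result else "\n  " + "\n  ".join(result))
```

Run it against `/etc/elasticsearch/elasticsearch.yml` on each node after the scp step above; the three files should produce the same findings, and the CORS origin only needs to list where es-head is actually served from.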