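Scenario: our company runs many business components and they frequently throw errors. Viewing the logs means logging in to the backend, and because the components run in cluster mode you have to log in to several servers to read them, which is very inconvenient. So, as an experiment, I set up an ELK stack to collect and view the logs.
The initial plan is to deploy es, kibana and logstash on one server and to deploy filebeat on the other machines that run the business components. The logs collected by filebeat are all sent to logstash, logstash writes them to es without any processing, and they are searched through kibana.
Set the IP according to your own environment; the host IP I use is 172.16.21.100
Linux system: CentOS 7.5
ELK tar packages; the version used is 7.5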
elasticsearch-7.5.2-linux-x86_64.tar.gz
filebeat-7.5.2-linux-x86_64.tar.gz
kibana-7.5.2-linux-x86_64.tar.gz
logstash-7.5.2.tar.gz
System configuration
vim /etc/security/limits.conf
* soft nofile 65536
* hard nofile 65536
vim /etc/sysctl.conf
vm.max_map_count=655360
es configuration
vim /opt/elasticsearch-7.5.2/config/jvm.options
Changed items; leave everything else at the default
-Xms1g
-Xmx1g
vim /opt/elasticsearch-7.5.2/config/elasticsearch.yml
Changed items; leave everything else at the default
cluster.name: allcam-elk-cluster
node.name: node-1
path.data: /opt/data/elasticsearch/
path.logs: /opt/data/elasticsearch/logs
bootstrap.memory_lock: false
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.16.21.100"]
cluster.initial_master_nodes: ["node-1"]
### If you need to set a login password
#http.cors.enabled: true
#http.cors.allow-origin: "*"
#http.cors.allow-headers: Authorization
#xpack.security.enabled: true
#xpack.security.transport.ssl.enabled: true
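Set the login password (skip this if you do not need one)
./elasticsearch-setup-passwords interactive
Then enter the passwords you have chosen
kibana configuration
/opt/kibana-7.5.2-linux-x86_64/config/kibana.yml
Changed items; leave everything else at the default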
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://172.16.21.100:9200"]
kibana.index: ".kibana"
### If you need to set a login password
#elasticsearch.username: "kibana"
#elasticsearch.password: "123456"
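logstash configuration
/opt/logstash-7.5.2/config/logstash.conf
(There should be a more elegant and simpler way to write this else if chain; there will be many more components later, and the current approach is rather clumsy.)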
input {
  beats {
    host => "0.0.0.0"
    port => 5044
  }
}
output {
  if [filetype] == "log_mss" {
    elasticsearch {
      hosts => ["http://172.16.21.100:9200"]
      index => "allcam-mss-%{+YYYY.MM.dd}"
    }
  }
  else if [filetype] == "log_system" {
    elasticsearch {
      hosts => ["http://172.16.21.100:9200"]
      index => "allcam-system-%{+YYYY.MM.dd}"
    }
  }
  else if [filetype] == "log_css" {
    elasticsearch {
      hosts => ["http://172.16.21.100:9200"]
      index => "allcam-css-%{+YYYY.MM.dd}"
    }
  }
  else if [filetype] == "log_oms" {
    elasticsearch {
      hosts => ["http://172.16.21.100:9200"]
      index => "allcam-oms-%{+YYYY.MM.dd}"
    }
  }
}
### If you need to set a password
vim logstash.conf
vim logstash.yml
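One way to collapse the else if chain in the logstash.conf above, added here as an example and not part of the original post: the filter checks filetype against an allowlist and derives the index name from it, so a new component needs only one more list entry. The allowlist matters because filetype is set by whichever Filebeat client connects to port 5044, so the index name should not be built from an unchecked value; the [@metadata][component] field name is an assumption of this example.

```logstash
input {
  beats {
    host => "0.0.0.0"
    port => 5044
  }
}

filter {
  # Only filetype values on this allowlist are routed to an index.
  # The field is client-supplied, so it is never used unchecked.
  if [filetype] in ["log_mss", "log_system", "log_css", "log_oms"] {
    # Copy into @metadata (hypothetical helper field) so it is available
    # to the output but is not stored in the indexed document.
    mutate {
      copy => { "filetype" => "[@metadata][component]" }
    }
    # Separate mutate block: inside a single mutate, gsub runs before copy.
    mutate {
      gsub => ["[@metadata][component]", "^log_", ""]
    }
  }
}

output {
  # Events whose filetype is not on the allowlist have no component set
  # and are not written, which matches the original else if chain.
  if [@metadata][component] {
    elasticsearch {
      hosts => ["http://172.16.21.100:9200"]
      index => "allcam-%{[@metadata][component]}-%{+YYYY.MM.dd}"
    }
  }
}
```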
filebeat1 configuration
vim /opt/filebeat-7.5.2-linux-x86_64/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  backoff: "1s"
  tail_files: false
  paths:
    - /home/mss/logs/mss.log
  fields:
    filetype: log_mss
  fields_under_root: true
- type: log
  enabled: true
  backoff: "1s"
  tail_files: false
  paths:
    - /var/log/messages
  fields:
    filetype: log_system
  fields_under_root: true
output.logstash:
  enabled: true
  hosts: ["172.16.21.100:5044"]
filebeat2 configuration
vim /opt/filebeat-7.5.2-linux-x86_64/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  backoff: "1s"
  tail_files: false
  paths:
    - /home/css/logs/Surveillance.log
  fields:
    filetype: log_css
  fields_under_root: true
- type: log
  enabled: true
  backoff: "1s"
  tail_files: false
  paths:
    - /home/oms/logs/OMS.log
  fields:
    filetype: log_oms
  fields_under_root: true
output.logstash:
  enabled: true
  hosts: ["172.16.21.100:5044"]
Startup order and commands:
es: ./elasticsearch -d (note: es cannot be started as the root user; you need to create a user to start it)
kibana: nohup ./kibana & (start as the kibana user)
logstash: nohup ./logstash -f ../config/logstash.conf &
filebeat: nohup ./filebeat -e -c filebeat.yml &
Results
Reference:
https://blog.csdn.net/wsdc0521/article/details/106308441