介绍
“ELK”是三个开源项目的首字母缩写,这三个项目分别是:Elasticsearch、Logstash 和 Kibana。Elasticsearch 是一个搜索和分析引擎。Logstash 是服务器端数据处理管道,能够同时从多个来源采集数据,转换数据,然后将数据发送到诸如 Elasticsearch 等“存储库”中。Kibana 则可以让用户在 Elasticsearch 中使用图形和图表对数据进行可视化。
安装
- ELK服务器:codeus-log 172.17.202.147
- nginx代理:codeus-zabbix 172.17.202.149
codeus-log需要安装:
- rsyslog
- logstash 7.3.0
- elasticsearch 7.3.0
- kibana 7.3.0
- jdk 1.8
java服务器需要安装(日志被收集端)
- filebeat
rsyslog用于收集所有主机日志,包括nginx日志
- rsyslog服务端配置(codeus-log)
- egrep -v '^#|^$' /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imklog # reads kernel messages (the same are read from journald)
$ModLoad immark # provides --MARK-- message capability
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 55140
$template RemoteLogs,"/data/log/%FROMHOST-IP%/%PROGRAMNAME%.log" *
*.* ?RemoteLogs
& ~
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
- rsyslog客户端配置
- egrep -v '^#|^$' /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
module(load="imfile" PollingInterval="5")
$InputFileName /tmp/logs/app.log
$InputFileTag nova-info:
$InputFileStateFile state-nova-info
$InputRunFileMonitor
*.* @@172.17.202.147:55140
jdk二进制安装
- tar -zxvf jdk-8u211-linux-x64.tar.gz -C /usr/local/
- mv /usr/local/jdk1.8.0_211/ /usr/local/jdk
- vim /etc/profile
JAVA_HOME=/usr/local/jdk
PATH=$JAVA_HOME/bin:$PATH
export JAVA_HOME PATH
logstash通过rpm方式安装
- rpm -ivh logstash-7.3.0.rpm
- 安装插件 /data/logstash/bin/logstash-plugin install logstash-filter-multiline
- vim /usr/share/logstash/app.conf
input {
beats {
port => "5044"
}
}
filter {
mutate {
rename => { "[host][name]" => "host" }
}
multiline {
pattern => "^201.*-.*-.*"
negate => true
what => "previous"
}
}
filter {
mutate {
rename => { "[host][name]" => "host" }
}
if [type] == "codeus-app02-accesslog" {
grok {
match => ["message","%{JAVA_DATE:date} %{JAVA_TIME:time} %{JAVA_PORT:port} %{JAVA_LOGLEVEL:loglevel} %{JAVA_LOGTYPE:logtype} %{JAVA_NUMBER:number} %{JAVA_NULL:null} %{JAVA_DATE_TIME:date_time} %{JAVA_USERID:userID} %{JAVA_USERIP:userIP} %{JAVA_BREXPO:brexpo} %{JAVA_CONNECT:connect}"]
}
}
}
filter {
mutate {
rename => { "[host][name]" => "host" }
}
if [type] == "codeus-app02-website-accesslog" {
grok {
match => ["message","%{JAVA_DATE:date} %{JAVA_TIME:time} %{JAVA_PORT:port} %{JAVA_LOGLEVEL:loglevel} %{JAVA_LOGTYPE:logtype} %{JAVA_NUMBER:number} %{JAVA_NULL:null} %{JAVA_DATE_TIME:date_time} %{JAVA_USERID:userID} %{JAVA_USERIP:userIP} %{JAVA_BREXPO:brexpo} %{JAVA_CONNECT:connect}"]
}
}
}
filter {
mutate {
rename => { "[host][name]" => "host" }
}
if [type] == "codeus-app01-accesslog" {
grok {
match => ["message","%{JAVA_DATE:date} %{JAVA_TIME:time} %{JAVA_PORT:port} %{JAVA_LOGLEVEL:loglevel} %{JAVA_LOGTYPE:logtype} %{JAVA_NUMBER:number} %{JAVA_NULL:null} %{JAVA_DATE_TIME:date_time} %{JAVA_USERID:userID} %{JAVA_USERIP:userIP} %{JAVA_BREXPO:brexpo} %{JAVA_CONNECT:connect}"]
}
}
}
filter {
mutate {
rename => { "[host][name]" => "host" }
}
if [type] == "codeus-app01-website-accesslog" {
grok {
match => ["message","%{JAVA_DATE:date} %{JAVA_TIME:time} %{JAVA_PORT:port} %{JAVA_LOGLEVEL:loglevel} %{JAVA_LOGTYPE:logtype} %{JAVA_NUMBER:number} %{JAVA_NULL:null} %{JAVA_DATE_TIME:date_time} %{JAVA_USERID:userID} %{JAVA_USERIP:userIP} %{JAVA_BREXPO:brexpo} %{JAVA_CONNECT:connect}"]
}
}
}
output {
# stdout { codec => rubydebug }
elasticsearch {
hosts => "127.0.0.1"
index => "logstash-%{+YYYY.MM.dd}"
}
}
- vim /usr/share/logstash/nginx-log.conf
input {
file {
path => ["/data/log/172.17.222.246/nginx-access.log"]
type => "app02-nginx-access_log"
start_position => "beginning"
}
}
input {
file {
path => ["/data/log/172.17.202.146/nginx-access.log"]
type => "app01-nginx-access_log"
start_position => "beginning"
}
}
input {
file {
path => ["/data/log/172.17.222.246/nginx-error.log"]
type => "app02-nginx-error_log"
start_position => "beginning"
}
}
input {
file {
path => ["/data/log/172.17.202.146/nginx-error.log"]
type => "app01-nginx-error_log"
start_position => "beginning"
}
}
filter {
if [type] == "app02-nginx-access_log" {
grok {
match => ["message","%{DATA:rsyslog_date_time} %{DATA:nginx_system} %{DATA:nginx_type} %{IP:remote_add} %{DATA:remote_user} %{DATA:null} %{DATA:time_local} %{QS:request} %{DATA:status} %{DATA:body_bytes_sent} %{DATA:http_referer} %{QS:http_user_agent} %{DATA:http_x_forwarded_for} %{NUMBER:request_time}"]
}
}
}
filter {
if [type] == "app01-nginx-access_log" {
grok {
match => ["message","%{DATA:rsyslog_date_time} %{DATA:nginx_system} %{DATA:nginx_type} %{IP:remote_add} %{DATA:remote_user} %{DATA:null} %{DATA:time_local} %{QS:request} %{DATA:status} %{DATA:body_bytes_sent} %{DATA:http_referer} %{QS:http_user_agent} %{DATA:http_x_forwarded_for} %{NUMBER:request_time}"]
}
}
}
output {
elasticsearch {
hosts => "127.0.0.1"
index => "logstash-%{+YYYY.MM.dd}"
}
}
elasticsearch通过docker方式安装 docker run -p 9200:9200 -e "http.host=0.0.0.0" -e "transport.host=127.0.0.1" --name elastic -d elasticsearch:7.3.0
docker将存储目录调整到/data/docker_dir
-
vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --graph /data/docker_dir
- systemctl disable docker
- systemctl daemon-reload
- systemctl start docker
kibana二进制包方式安装,使用普通用户work
- cd /data
- tar -zxvf kibana-7.3.0-linux-x86_64.tar.gz
- mv kibana-7.3.0-linux-x86_64 kibana
- chown -R work:work kibana
- egrep -v '^#|^$' /data/kibana/config/kibana.yml 配置文件修改为下
server.host: "172.17.202.147"
server.basePath: "/kibana"
elasticsearch.hosts: ["http://localhost:9200"]
xpack.reporting.encryptionKey: "a_random_string"
xpack.security.encryptionKey: "something_at_least_32_characters"
java服务器filebeat
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.6.5-linux-x86_64.tar.gz
tar -zxvf filebeat-5.6.5-linux-x86_64.tar.gz
mv filebeat-5.6.5-linux-x86_64 /usr/local/filebeat
cd /usr/local/filebeat/
mv filebeat.yml filebeat.yml.bak
vim filebeat.yml
filebeat:
prospectors:
-
document_type: codeus-app02-applog
paths:
- /tmp/logs/app.log
input_type: log
-
document_type: codeus-app02-accesslog
paths:
- /tmp/logs/access.log
input_type: log
-
document_type: codeus-app02-website-applog
paths:
- /tmp/logs/website_app.log
input_type: log
-
document_type: codeus-app02-website-accesslog
paths:
- /tmp/logs/website_access.log
input_type: log
output.logstash:
hosts: ["172.17.202.147:5044"]
启动
- logstash
cd /usr/share/logstash
nohup bin/logstash -f nginx-log.conf &
nohup bin/logstash -f app.conf --path.data=/usr/share/logstash/app & 多实例情况下第二个需要指定工作路径
- elasticsearch
docker run -p 9200:9200 -e "http.host=0.0.0.0" -e "transport.host=127.0.0.1" --name elastic -d elasticsearch:7.3.0
- kibana
su - work
cd /data/kibana
./bin/kibana &
- rsyslog
service rsyslog restart
systemctl restart rsyslog
- filebeat
cd /usr/local/filebeat
./filebeat &
nginx配置
cat /etc/nginx/conf.d/kibana.con
server {
listen 35601;
location / {
auth_basic " Basic Authentication ";
auth_basic_user_file "/etc/nginx/.htpasswd";
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_pass http://172.17.202.147:5601/;
rewrite ^/kibana/(.*)$ /$1 break;
}
}
filebeat安装及配置
- wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.5.1-linux-x86_64.tar.gz
- tar -zxvf filebeat-6.5.1-linux-x86_64.tar.gz
- mv filebeat-6.5.1-linux-x86_64 /usr/local/filebeat
- cd /usr/local/filebeat
- vim filebeat.yml (收集云编译程序日志为例)
#filebeat.inputs:
filebeat:
prospectors:
-
document_type: cloudcompiler-app03-applog
paths:
- /tmp/logs/cloudcompiler-log/app.log
input_type: log
output.logstash:
hosts: ["172.17.202.147:5044"]
.
/filebeat
&
filebeat使用二进制方式安装发现总是意外退出,后改成rpm方式安装就不会出现这种情况,建议使用rpm方式