ELK日志分析系统
ELK日志分析系统
ELK系统简介
Elasticsearch + Logstash + Kibana
Elasticsearch 提供一个分布式存储日志、多用户能力的全文搜索引擎
Logstash 强大的数据处理工具,收集日志文件,转换日志格式后递交给Elasticsearch存储
Kibana 搜索、查看存储在Elasticsearch索引中的数据,对数据进行分析
日志系统的重要性就不用多说了,为了日志的安全已经能够高效的使用日志文件,就有了ELK日志分析系统
搭建ELK日志分析系统
下面来部署一套简单的ELK日志分析系统
案例环境:配置ELK日志分析系统`
配置和安装ELK日志分析系统,安装集群方式,2个elasticsearch节点,并监控apache服务器日志
主机 操作系统 主机名 IP地址 主要软件
服务器 Centos7.4 node1 192.168.100.11 Elasticsearch
服务器 Centos7.4 node2 192.168.100.12 Elasticsearch
服务器 Centos7.4 apache 192.168.100.13 Logstash Apache
服务器 Centos7.4 localhost 192.168.100.21 kibana
所有主机的防火墙和核心防护都要关闭
安装elasticsearch
安装环境
登录192. 168. 100. 11 更改主机名配置域名解析查看Java环境
[root@node1~ ]# hostnamect1 set-hostname node1
[root@node1~ ]# vim /etc/hosts
192.168.100.11 node1
192.168.100.12 node2
[root@node1 ~]# yum -y install java #安装java环境
[root@node1 ~]# java -version
openjdk version "1.8.0_131"
OpenJDK Runtime Environment (build 1.8.0_131-b12)
OpenJDK 64-Bit Server VM (build 25.131-b12, mixed mode)
安装elasticsearch服务
[root@node1 ~]# rpm -ivh elasticsearch-5.5.0.rpm
[root@node1 ~]# systemctl daemon-reload
[root@node1 ~]# systemctl enable elasticsearch
修改主配置文件
[root@node1 ~]# vim /etc/elasticsearch/elasticsearch.yml
17 cluster.name: my-elk-cluster #集群名
23 node.name: node1 #节点名
33 path.data: /data/elk_data #这个数据存放目录需要手动创建
37 path.logs: /var/log/elasticsearch #这个日志文件目录安装服务时自动创建
43 bootstrap.memory_lock: false #不在启动时锁定内存
55 network.host: 0.0.0.0 #提供服务绑定的IP地址
59 http.port: 9200 #端口号
68 discovery.zen.ping.unicast.hosts: ["node1", "node2"] #集群通过单播实现
[root@node1 ~]# mkdir -p /data/elk_data #创建数据存放目录
[root@node1 ~]# chown elasticsearch:elasticsearch /data/elk_data/ #授权
[root@node1 ~]# systemctl start elasticsearch
[root@node1 ~]# netstat -anutp | grep 9200
tcp6 0 0 :::9200 :::* LISTEN 12169/java
可以浏览器打开192.168.100.11:9200,可以看到以下内容,说明elasticsearch服务搭建成功
{
"name" : "node1",
"cluster_name" : "my-elk-cluster",
"cluster_uuid" : "qnHFz7H2RDmGCDTHbsqo2A",
"version" : {
"number" : "5.5.0",
"build_hash" : "260387d",
"build_date" : "2017-06-30T23:16:05.735Z",
"build_snapshot" : false,
"lucene_version" : "6.6.0"
},
"tagline" : "You Know, for Search"
}
node2服务器192.168.100.12和node1一模一样,除了主配置文件的节点名称为node2。这里就不作详述了
集群检查健康情况 浏览器访问192.168.100.11:9200/_cluster/health?pretty
{
"cluster_name" : "my-elk-cluster",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 2,
"number_of_data_nodes" : 2,
"active_primary_shards" : 0,
"active_shards" : 0,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
集群检查状态信息 l浏览器访问192.168.100.11:9200/_cluster/state?pretty
{
"cluster_name" : "my-elk-cluster",
"version" : 3,
"state_uuid" : "14zkulwhTh2n04sNf2P8Ow",
"master_node" : "f3bfy94QRceRE_sE0-uH_w",
"blocks" : { },
"nodes" : {
"f3bfy94QRceRE_sE0-uH_w" : {
"name" : "node2",
"ephemeral_id" : "oHsXMh3jS9CkNI9G06D7Rw",
"transport_address" : "192.168.100.12:9300",
"attributes" : { }
},
"m2IF48yFTI-GReoXI56pLA" : {
"name" : "node1",
"ephemeral_id" : "0EDTNy0qShO-coA6Ydg57A",
"transport_address" : "192.168.100.11:9300",
"attributes" : { }
}
},
"metadata" : {
"cluster_uuid" : "qnHFz7H2RDmGCDTHbsqo2A",
"templates" : { },
"indices" : { },
"index-graveyard" : {
"tombstones" : [ ]
}
},
"routing_table" : {
"indices" : { }
},
"routing_nodes" : {
"unassigned" : [ ],
"nodes" : {
"f3bfy94QRceRE_sE0-uH_w" : [ ],
"m2IF48yFTI-GReoXI56pLA" : [ ]
}
}
}
安装elasticsearch-head
这种查看及其不方便,我们可以安装elasticsearch-head插件来管理集群
node1
[root@node1 ~]# yum -y install gcc gcc-c++ make
安装node组件
[root@node1 ~]# tar -zxvf node-v8.2.1.tar.gz
[root@node1 ~]# cd node-v8.2.1
[root@node1 node-v8.2.1]# ./configure
[root@node1 node-v8.2.1]# make -j3 && make install #-j3 通过多线程加块make速度
安装phantomjs
[root@node1 ~]# tar -jxvf phantomjs-2.1.1-linux-x86_64.tar.bz2 -C /usr/local/src/
[root@node1 ~]# cd /usr/local/src/bin
[root@node1 bin]# cp phantomjs /usr/local/bin/ #命令优化,能直接敲不用输绝对路径
安装elasticsearch-head
[root@node1 ~]# tar -zxvf elasticsearch-head.tar.gz -C /usr/local/src/
[root@node1 ~]# cd /usr/local/src/elasticsearch-head/
[root@node1 elasticsearch-head]# npm install #这里需要npm安装
[root@node1 ~]# vim /etc/elasticsearch/elasticsearch.yml
http.cors.enabled: true #开启跨域访问支持,默认为false
http.cors.allow-origin: "*" #跨域访问允许的域名地址
[root@node1 ~]# systemctl restart elasticsearch
[root@node1 ~]# netstat -anutp | grep 9200
[root@node1 ~]# cd /usr/local/src/elasticsearch-head/
[root@node1 elasticsearch-head]# npm run start &
[root@node2 ~]# cd /usr/local/src/elasticsearch-head/
[root@node2 elasticsearch-head]# npm run start & #在哪台上开启,就可以访问哪台主机的9100端口
[1] 66994
[root@node2 elasticsearch-head]#
> elasticsearch-head@0.0.0 start /usr/local/src/elasticsearch-head
> grunt server
Running "connect:server" (connect) task
Waiting forever...
Started connect web server on http://localhost:9100
浏览器访问192.168.100.11:9100 #node2也可以一样被访问
最上面一排显示 Elasticsearch http://localhost:9200 连接 群集健康值:未连接
将http://localhost:9200 改为http://192.168.100.11:9200 后,点击“连接”,就可以连接上了
登录node1主机 手动创建索引index-demo,类型为test
[root@node1 ~]# curl -XPUT 'localhost:9200/index-demo/test/1?pretty&pretty' -H 'content-Type: application/json' -d '{"user":"zhangsan","mesg":"hello world"}'
{
"_index" : "index-demo",
"_type" : "test",
"_id" : "1",
"_version" : 1,
"result" : "created",
"_shards" : {
"total" : 2,
"successful" : 2,
"failed" : 0
},
"created" : true
}
在浏览器里刷新一下,即可看到索引index-demo,默认被分成5片,并且每片都有一个副本.
也可以在页面创建索引
安装logstash
主机192.168.100.13安装logstash,并做一些日志收集输出到elasticsearch
[root@promote ~]# hostnamectl set-hostname apache
[root@promote ~]# su
[root@apache ~]# yum -y install httpd
[root@apache ~]# yum -y install java
安装logstash
[root@apache ~]# rpm -ivh logstash-5.5.1.rpm
[root@apache ~]# systemctl start logstash
[root@apache ~]# systemctl enable logstash
Created symlink from /etc/systemd/system/multi-user.target.wants/logstash.service to /etc/systemd/system/logstash.service.
[root@apache ~]# ln -s /usr/share/logstash/bin/logstash /usr/local/bin/
logstash (Apache) 与elasticsearch (node)功能是否正常,做对接测试###
Logstash这个命令测试
字段描述解释:
-f通过这 个选项可以指定logstash的配置文件,根据配置文件配置logstash
-e后面跟着字符串 该字符串可以被当做logstash的配置 (如果是” ”, 则默认 使用stdin做为输入、 stdout作为输出)
: 测试配置文件是否正确,然后退出
[root@apache ~]# logstash -e 'input { stdin{} } output { stdout{} }'
...
20:04:25.430 [Api Webserver] INFO logstash.agent - Successfully started Logstash API endpoint {:port=>9600}
www.baidu.com #手动输入
2020-10-29T12:04:38.400Z apache www.baidu.com #返回
[root@apache ~]# logstash -e 'input { stdin{} } output { stdout{ codec=>rubydebug } }'
...
20:06:39.797 [Api Webserver] INFO logstash.agent - Successfully started Logstash API endpoint {:port=>9600}
www.kgc.com
{
"@timestamp" => 2020-10-29T12:06:48.143Z,
"@version" => "1",
"host" => "apache",
"message" => "www.kgc.com"
}
[root@apache ~]# logstash -e 'input { stdin{} } output { elasticsearch { hosts=>["192.168.100.11:9200"] } }'
...
20:09:11.953 [Api Webserver] INFO logstash.agent - Successfully started Logstash API endpoint {:port=>9600}
www.baidu.com
www.sina.com
访问浏览器192.168.100.11:9100 刷新索引发现多了logstash-2020.10.29.在浏览数据里面刷新也能看到baidu与sina,数据已经能通过logstash发送到elasticsearch了
配置logstash
logstash配置文件主要由三部分组成:input output filter(根据需要)
[root@apache ~]# vim /etc/logstash/conf.d/system.conf
input { #日志输入
file {
path => "/var/log/messages" #日志文件路径
type => "system" #类型,可自定义,在创建索引时要对应
start_position => "beginning"
}
}
output { #日志输出
elasticsearch {
hosts => ["192.168.100.11:9200"] #elasticsearch的主机及端口号
index => "system-%{+YYYY.MM.dd}" #索引名称
}
}
刷新192.168.100.11:9100,查看索引信息,多出system-2020.10.29
实验到这,已经实现logstash收集日志信息传递给elasticsearch,elasticsearch存储
安装kibana
现在能查看日志信息了,但并查看并不直观
现在在找一台主机192.168.100.21安装kibana,来辅助我们进行日志分析统计
[root@localhost ~]# rpm -ivh kibana-5.5.1-x86_64.rpm
[root@localhost ~]# cd /etc/kibana/
[root@localhost kibana]# cp kibana.yml kibana.yml.bak
[root@localhost kibana]# vim kibana.yml
2 server.port: 5601 #端口号
7 server.host: "0.0.0.0" #对所有地址都可用
21 elasticsearch.url: "http://192.168.100.11:9200" #elasticsearch的url地址
30 kibana.index: ".kibana"
[root@localhost kibana]# systemctl enable kibana
Created symlink from /etc/systemd/system/multi-user.target.wants/kibana.service to /etc/systemd/system/kibana.service.
[root@localhost kibana]# systemctl start kibana
[root@localhost kibana]# netstat -anutp | grep 5601
tcp 0 0 0.0.0.0:5601 0.0.0.0:* LISTEN 18751/node
浏览器访问192.168.100.21:5601
首次登陆创建一个索引 名字:system-* #这个是对接的系统日志
点击下面的create 按钮
在最左上角Discover按钮,会发现system-* 的信息
下面来对接apache日志的信息 apache服务器
[root@apache ~]# cd /etc/logstash/conf.d/
[root@apache conf.d]# ls
system.conf
[root@apache conf.d]# vim apache_log.conf
input {
file {
path => "/etc/httpd/logs/access_log" #apache日志路径
type => "access"
start_position => "beginning"
}
file {
path => "/etc/httpd/logs/error_log"
type => "error"
start_position => "beginning"
}
}
output {
if [type] == "access" {
elasticsearch {
hosts => ["192.168.100.11:9200"]
index => "access-%{+YYYY.MM.dd}"
}
}
if [type] == "error" {
elasticsearch {
hosts => ["192.168.100.11:9200"]
index => "error-%{+YYYY.MM.dd}"
}
}
}
[root@apache conf.d]# cd /etc/httpd/logs/
[root@apache logs]# ls
[root@apache logs]# systemctl start httpd
[root@apache logs]# ls
access_log error_log
[root@apache conf.d]# /usr/share/logstash/bin/logstash -f apache_log.conf #注意当前工作目录/etc/logstash/conf.d/
...
21:20:27.400 [Api Webserver] INFO logstash.agent - Successfully started Logstash API endpoint {:port=>9601}
浏览器访问192.168.100.21:5601
首次登陆创建一个索引 名字:error-* #这个是对接的apache错误日志
点击下面的create 按钮
在最左上角Discover按钮,会发现error-* 的信息
浏览器访问apache网页产生access日志,在kibana上也能创建access-*索引,也能查看其相关信息
560
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
