Installing ELK 6.6.0 + Filebeat on CentOS 7.5
About ELK
ELK is an acronym for three open-source projects: Elasticsearch, Logstash, and Kibana; the stack now also includes Filebeat. According to Google Trends, the ELK Stack has become the most popular centralized logging solution.
- Logstash: the data collection engine. It dynamically gathers data from a variety of sources, can filter, parse, enrich, and normalize it, and then ships it to a destination of your choice.
- Elasticsearch: an open-source distributed search engine responsible for storing, searching, and analyzing the data.
- Kibana: a data analysis and visualization platform, usually paired with Elasticsearch to search its data, analyze it, and present it as charts.
- Filebeat: the newest member of the stack, a lightweight open-source log-file shipper. Install Filebeat on each server whose logs you want to collect and point it at the log directories or files; it reads the data and forwards it promptly to Logstash for parsing, or straight to Elasticsearch for centralized storage and analysis.
An ELK cluster architecture based on Filebeat
Official documentation: https://www.elastic.co/guide/index.html
Filebeat: https://www.elastic.co/guide/en/beats/filebeat/6.6/index.html
Logstash: https://www.elastic.co/guide/en/logstash/6.6/index.html
Elasticsearch: https://www.elastic.co/guide/cn/elasticsearch/guide/current/index.html
Kibana: https://www.elastic.co/guide/cn/kibana/current/index.html
Elasticsearch Chinese community: https://elasticsearch.cn/
Environment
CentOS 7.5, 64-bit
Java JDK 1.8
filebeat-6.6.0-linux-x86_64.tar.gz
logstash-6.6.0.tar.gz
elasticsearch-6.6.0.tar.gz
kibana-6.6.0-linux-x86_64.tar.gz
1 Install the JDK
ELK requires JDK 1.8 or later.
Download jdk-8u201-linux-x64.tar.gz from the Oracle website,
or fetch it with the following command:
wget http://download.oracle.com/otn-pub/java/jdk/8u201-b14/jdk-8u201-linux-x64.tar.gz
After the download finishes, extract it to the installation directory /usr/local/:
mkdir /usr/local/java
tar -zxvf jdk-8u201-linux-x64.tar.gz -C /usr/local/java   # extract the JDK into the installation directory
Configure the environment variables:
vi /etc/profile
Append the following at the end of the file:
# New environment setting added by xyg for java on 2019-2-21 21:37:00
export JAVA_HOME=/usr/local/java/jdk1.8.0_201
export PATH=${JAVA_HOME}/bin:${PATH}
export JRE_HOME=${JAVA_HOME}/jre
export CLASSPATH=.:$JAVA_HOME/lib/tools.jar:$JAVA_HOME/lib/dt.jar:$CLASSPATH
Save the file with :wq.
Reload the environment variables:
source /etc/profile
Verify the JDK installation:
java -version
Output like the following indicates success:
java version "1.8.0_201"
Java(TM) SE Runtime Environment (build 1.8.0_201-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.201-b09, mixed mode)
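If you want to script this check, the banner can be parsed with standard tools. A minimal sketch; the banner string is hardcoded here from the output above, whereas a live check would pipe in `java -version 2>&1`:

```shell
# Extract the major version (e.g. "1.8") from a `java -version` banner line.
banner='java version "1.8.0_201"'   # stand-in for: java -version 2>&1 | head -n 1
ver=$(printf '%s\n' "$banner" | sed -n 's/.*"\(1\.[0-9]*\)\..*"/\1/p')
echo "$ver"   # prints 1.8
```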
2 Install the ELK stack
Create the directory /usr/local/work and extract the downloaded archives into it:
mkdir /usr/local/work
tar -zxvf filebeat-6.6.0-linux-x86_64.tar.gz -C /usr/local/work
tar -zxvf logstash-6.6.0.tar.gz -C /usr/local/work
tar -zxvf elasticsearch-6.6.0.tar.gz -C /usr/local/work
tar -zxvf kibana-6.6.0-linux-x86_64.tar.gz -C /usr/local/work
Clean up the archives:
rm filebeat-6.6.0-linux-x86_64.tar.gz
rm logstash-6.6.0.tar.gz
rm elasticsearch-6.6.0.tar.gz
rm kibana-6.6.0-linux-x86_64.tar.gz
Elasticsearch refuses to run as root, so create an elk account (password 123456 in this example), make it the owner of the install directory, and switch to it before installing and running anything:
groupadd elk
useradd -g elk elk
passwd elk
chown -R elk:elk /usr/local/work   # change the owner:group of /usr/local/work to elk:elk
su elk   # switch accounts
2.1 Configure and start Logstash
A basic smoke test:
/usr/local/work/logstash-6.6.0/bin/logstash -e 'input { stdin { } } output { stdout {} }'
The result looks like this:
[elk@cent1-pc logstash-6.6.0]$ /usr/local/work/logstash-6.6.0/bin/logstash -e 'input{stdin{}} output{stdout{}}'
Sending Logstash logs to /usr/local/work/logstash-6.6.0/logs which is now configured via log4j2.properties
[2019-02-26T12:55:29,030][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2019-02-26T12:55:29,088][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.6.0"}
[2019-02-26T12:55:35,709][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2019-02-26T12:55:35,879][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x64e16eef run>"}
The stdin plugin is now waiting for input:
[2019-02-26T12:55:35,972][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2019-02-26T12:55:36,212][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
Hello World!
{
"@timestamp" => 2019-02-26T04:59:12.265Z,
"message" => "Hello World!",
"@version" => "1",
"host" => "cent1-pc"
}
As you can see, whatever we type, Logstash returns in a structured format. The -e flag lets Logstash take its configuration straight from the command line, which is especially useful for quickly and repeatedly testing whether a configuration is correct without writing a config file. Press CTRL-C to stop the running Logstash.
Specifying the configuration on the command line with -e is common, but anything beyond a handful of settings gets too long. In that case, create a simple configuration file first and point Logstash at it. For example, create a minimal test file config/simple.conf under the Logstash install directory with the following content:
input { stdin { } }
output {
  stdout { codec => rubydebug }
}
A Logstash pipeline is configured through its input and output sections: here the input is stdin and the output is stdout. Whatever we type, Logstash returns in a structured form, with the codec option on the stdout output selecting the output format.
Use the -f flag to have Logstash read the configuration file, then run the test.
Test command:
./bin/logstash -f ./config/simple.conf
Test output:
[elk@cent1-pc logstash-6.6.0]$ ./bin/logstash -f ./config/simple.conf
Sending Logstash logs to /usr/local/work/logstash-6.6.0/logs which is now configured via log4j2.properties
[2019-02-26T21:29:39,827][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2019-02-26T21:29:39,841][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.6.0"}
[2019-02-26T21:29:45,341][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2019-02-26T21:29:45,572][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x56bc4a8b run>"}
The stdin plugin is now waiting for input:
[2019-02-26T21:29:45,652][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2019-02-26T21:29:45,887][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
hello world
{
"host" => "cent1-pc",
"@version" => "1",
"message" => "hello world",
"@timestamp" => 2019-02-26T13:29:54.806Z
}
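Once the stdin-to-stdout pipeline works, the natural next step is a filter block between input and output. A hedged sketch (not part of the original setup) using the standard grok plugin to split a level-prefixed line into fields:

```conf
input { stdin { } }
filter {
  # e.g. "ERROR disk full" -> level: "ERROR", msg: "disk full"
  grok {
    match => { "message" => "%{LOGLEVEL:level} %{GREEDYDATA:msg}" }
  }
}
output { stdout { codec => rubydebug } }
```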
The Logstash configuration used for this ELK setup is as follows.
Add the configuration file:
cd /usr/local/work/logstash-6.6.0/config
vi log4j_to_elk.conf
File content:
# For the detailed structure of this file,
# see: https://www.elastic.co/guide/en/logstash/current/configuration-file-structure.html
input {
  # For the detailed config of log4j as input,
  # see: https://www.elastic.co/guide/en/logstash/current/plugins-inputs-log4j.html
  log4j {
    mode => "server"
    host => "0.0.0.0"
    port => 4567
  }
}
filter {
  # Only matched data are sent to output.
}
output {
  # For the detailed config of elasticsearch as output,
  # see: https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html
  elasticsearch {
    action => "index"          # the operation on ES
    hosts  => "127.0.0.1:9200" # Elasticsearch host; can be an array
    index  => "applog"         # the index to write data to
  }
}
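Note that the log4j input used above is deprecated in Logstash 6.x; Elastic recommends shipping log files with Filebeat into a beats input instead. A hedged sketch of the replacement input section:

```conf
input {
  # Filebeat connects here; 5044 is the conventional beats port.
  beats {
    port => 5044
  }
}
```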
Start Logstash:
cd ..
./bin/logstash -f ./config/log4j_to_elk.conf --config.reload.automatic
The --config.reload.automatic option enables automatic configuration reloading, so you don't have to stop and restart Logstash every time you modify the configuration file.
2.2 Start Elasticsearch
An Index in Elasticsearch is a collection of documents with similar characteristics, analogous to a database instance in the relational model. Within an Index, a Type can distinguish different kinds of documents, much like the tables within a database instance, and a Document is the basic unit of storage, always in JSON format, comparable to a row in a table. Our processed JSON log documents are all indexed in Elasticsearch; Logstash's elasticsearch output plugin handles this transparently.
2.2.1 Fixing startup errors
Error messages:
max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536]
max number of threads [1024] for user [hadoop] is too low, increase to at least [2048]
max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
(These messages were captured on another machine, hence the user [hadoop]; substitute the user running Elasticsearch, elk here.)
Fixes:
su root      # switch to the root user
ulimit -Hn   # check the current hard limit
vim /etc/security/limits.conf   # add the lines below; elk is the user running Elasticsearch
elk soft nofile 65536
elk hard nofile 65536
Log out and back in for the change to take effect.
Run ulimit -Hn again; the hard limit should now read 65536 instead of 4096.
vim /etc/security/limits.d/20-nproc.conf   # on CentOS 7 this file is named 20-nproc.conf
Find the line such as:
*          soft    nproc     1024
and change it to:
*          soft    nproc     2048
vi /etc/sysctl.conf
Add the following setting:
vm.max_map_count=655360
and apply it:
sysctl -p
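The thresholds above can also be verified mechanically. A small sketch of the comparison logic; the helper name `check` is made up here, and in practice its first argument would come from `ulimit -Hn`, `ulimit -u`, or `sysctl -n vm.max_map_count`:

```shell
# Hypothetical helper: compare a current limit against a required minimum.
check() {
  if [ "$1" -ge "$2" ]; then echo "ok"; else echo "too low"; fi
}
check 4096 65536     # default nofile hard limit: prints "too low"
check 65536 65536    # after editing limits.conf: prints "ok"
check 655360 262144  # vm.max_map_count after sysctl -p: prints "ok"
```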
2.2.2 Basic configuration
cd /usr/local/work/elasticsearch-6.6.0
vi config/elasticsearch.yml
cluster.name: es-cluster   # the cluster name
node.name: node-1          # the node name
# Elasticsearch data and log persistence
path.data: /data/es/data
path.logs: /data/es/logs
network.host: 129.26.0.2   # the server's IP address
http.port: 9200            # the HTTP port
# memory settings; memory locking is normally left disabled here
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
With those changes in place, Elasticsearch can be started:
bin/elasticsearch -d   # start elasticsearch in the background
tail -f /data/es/logs/es-cluster.log   # watch the startup log (named after cluster.name, under path.logs)
curl 127.0.0.1:9200    # check the service response
netstat -anp | grep :9200   # confirm port 9200 is listening, i.e. elasticsearch is running
A response like the following means Elasticsearch started successfully:
[elk@cent1-pc bin]$ curl 127.0.0.1:9200
{
"name" : "sL2TN7f",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "m2Pk8XXEQrmEnT44lUevFw",
"version" : {
"number" : "6.6.0",
"build_flavor" : "default",
"build_type" : "tar",
"build_hash" : "a9861f4",
"build_date" : "2019-01-24T11:27:09.439740Z",
"build_snapshot" : false,
"lucene_version" : "7.6.0",
"minimum_wire_compatibility_version" : "5.6.0",
"minimum_index_compatibility_version" : "5.0.0"
},
"tagline" : "You Know, for Search"
}
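The response can also be checked from a script. A minimal sketch that pulls the version number out of the JSON; the line is hardcoded here from the output above, while a live check would pipe in `curl -s 127.0.0.1:9200`:

```shell
# Extract version.number from the Elasticsearch root response.
resp='"number" : "6.6.0",'   # stand-in for: curl -s 127.0.0.1:9200
ver=$(printf '%s\n' "$resp" | sed -n 's/.*"number" : "\([^"]*\)".*/\1/p')
echo "$ver"   # prints 6.6.0
```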
Next, in the Logstash install directory, create a test file logstash-es-simple.conf that uses Elasticsearch as the Logstash backend. It declares both stdout and elasticsearch as outputs; this "multiple output" setup shows every event on screen while also writing it to Elasticsearch.
vi logstash-es-simple.conf
File content:
input { stdin { } }
output {
  elasticsearch { hosts => "localhost" }
  stdout { codec => rubydebug }
}
Run the following command:
/usr/local/work/logstash-6.6.0/bin/logstash -f logstash-es-simple.conf
which returns:
......
hello logstash
{
       "message" => "hello logstash",
      "@version" => "1",
    "@timestamp" => 2019-02-26T14:36:43.413Z,
          "host" => "cent1-pc"
}
Use curl to check whether Elasticsearch received the data:
curl 'http://localhost:9200/_search?pretty'
The matching hit in the response (abridged):
{
"_index" : "logstash-2019.02.26",
"_type" : "doc",
"_id" : "6lc8KmkB3C-uCrAQhyc2",
"_score" : 1.0,
"_source" : {
"message" : "hello logstash",
"@timestamp" : "2019-02-26T14:36:43.413Z",
"host" : "cent1-pc",
"@version" : "1"
}
}
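The index name logstash-2019.02.26 in the hit above is the elasticsearch output's default daily index (logstash-%{+YYYY.MM.dd}). The same name is easy to rebuild in the shell, for example to query one day's index directly:

```shell
# Today's default Logstash index name, e.g. logstash-2019.02.26.
index="logstash-$(date +%Y.%m.%d)"
echo "$index"
# e.g.: curl "http://localhost:9200/$index/_search?pretty"
```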
2.3 Start Kibana
cd /usr/local/work/kibana-6.6.0-linux-x86_64
vi ./config/kibana.yml
Change the following settings:
server.port: 5601
server.host: "<server IP>"
server.name: "kibana"
elasticsearch.hosts: "http://<elasticsearch host>:9200"
kibana.index: ".kibana"
Start Kibana:
./bin/kibana
Once the data is stored in Elasticsearch, Kibana can present it clearly. First open the Kibana page in a browser: if Nginx is in front, use the URL configured in Nginx; otherwise it is http://yourhostname:5601.
Create a log index pattern
Open the Discover page.
Step 1: enter logstash-* as the index pattern and click Next step.
Step 2: for Time Filter field name choose @timestamp, then click Create index pattern.
2.4 Configure and start Filebeat
Enter the directory and edit filebeat.yml (it sits at the top level of the install directory), locating the settings below:
cd /usr/local/work/filebeat-6.6.0-linux-x86_64
vi filebeat.yml
Configuration changes
Example 1
- type: log
  # Change to true to enable this prospector configuration.
  enabled: true
  # Paths that should be crawled and fetched. Glob based paths,
  # e.g. the Nginx log files.
  paths:
    - /var/log/*.log

# Only one output may be enabled at a time; the Elasticsearch output is
# commented out here because this example ships to Logstash.
#------------------------------ Elasticsearch output ---------------------------
#output.elasticsearch:
#  # Array of hosts to connect to.
#  hosts: ["localhost:9200"]
#----------------------------- Logstash output --------------------------------
# Send events to the Logstash instance on this machine.
output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]
Example 2
filebeat.prospectors:
- type: log
  paths:
    - /tmp/test1.log
  tags: ["test1"]
  fields:
    log_type: test1
- type: log
  paths:
    - /tmp/test2.log
  tags: ["test2"]
  fields:
    log_type: test2
output.elasticsearch:
  hosts: ["127.0.0.1:9200"]
  index: "test-filebeat"
# In 6.x, a custom index also requires a matching template name/pattern:
setup.template.name: "test-filebeat"
setup.template.pattern: "test-filebeat*"
Configuration notes:
Each leading - introduces one filebeat.prospector; two are defined here. The logs are sent to Elasticsearch under the index test-filebeat.
filebeat.prospectors:
type      the log type; defaults to log (input_type is the deprecated older name for it)
paths     the logs to collect; wildcards are supported, and multiple entries are allowed
tags      custom tags, as an array
fields    custom fields that let Logstash tell sources apart (the document_type option from 5.x was removed in Filebeat 6.x)
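When events go through Logstash (the output.logstash path) rather than straight to Elasticsearch, such a custom field can drive routing on the Logstash side. A hedged sketch, assuming Filebeat attached a custom field named log_type (a name chosen here for illustration) under fields:

```conf
output {
  if [fields][log_type] == "test1" {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "test1-%{+YYYY.MM.dd}"
    }
  } else {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "other-%{+YYYY.MM.dd}"
    }
  }
}
```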
Start Filebeat:
./filebeat -e -c filebeat.yml -d "publish"