Evolution of the ELK architecture


Chapter 1: Filebeat modules
Purpose:
Convert a specific service's plain-text logs into JSON format

1. Locate the filebeat module path
rpm -qc filebeat 

2. Configure modules
Add the module-related parameters to filebeat
=============================
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
  reload.period: 10s
=============================

3. List and enable modules
filebeat modules list
filebeat modules enable nginx
filebeat modules list

4. Configure filebeat's nginx module
[root@db-01 ~]# cat /etc/filebeat/modules.d/nginx.yml 
- module: nginx
  access:
    enabled: true
    var.paths: ["/var/log/nginx/bbs.log"]

  error:
    enabled: true
    var.paths: ["/var/log/nginx/error.log"]

5. Configure filebeat to route by log type
[root@db-01 ~]# cat /etc/filebeat/filebeat.yml 
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
  reload.period: 10s

output.elasticsearch:
  hosts: ["10.0.0.51:9200"]
  indices:
    - index: "nginx_bbs_access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        fileset.name: "access"
    - index: "nginx_error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        fileset.name: "error"

setup.template.name: "nginx"
setup.template.pattern: "nginx_*"
setup.template.enabled: false
setup.template.overwrite: true

6. Configure nginx to write its log in the normal (default) format
nginx -t
systemctl restart nginx
> /var/log/nginx/bbs.log 
tail -1 /var/log/nginx/bbs.log 	

7. Install the ES plugins
cd /usr/share/elasticsearch/
./bin/elasticsearch-plugin install file:///data/soft/ingest-geoip-6.6.0.zip
./bin/elasticsearch-plugin install file:///data/soft/ingest-user-agent-6.6.0.zip

8. Restart ES
systemctl restart elasticsearch
Delete the old indices

9. Restart filebeat
systemctl restart filebeat

10. Add the index patterns in Kibana
Note:
When adding the error index, select read_timestamp as the time field

11. Check whether the logs have been parsed into JSON


Error 1:
[root@db-01 ~]# filebeat modules list
Error in modules manager: modules management requires 'filebeat.config.modules.path' setting

Error 2:
2019-09-11T09:04:40.562+0800	ERROR	pipeline/output.go:100	Failed to connect to backoff(elasticsearch(http://10.0.0.51:9200)): Connection marked as failed because the onConnect callback failed: Error loading pipeline for fileset nginx/access: This module requires the following Elasticsearch plugins: ingest-user-agent, ingest-geoip. You can install them by running the following commands on all the Elasticsearch nodes:
    sudo bin/elasticsearch-plugin install ingest-user-agent
    sudo bin/elasticsearch-plugin install ingest-geoip

Chapter 2: Collecting MySQL logs with the filebeat module

yum -y install mariadb mariadb-server
1. Configure the MySQL error log and slow log paths
Edit my.cnf
log-error=/var/lib/mysql/error.log
slow_query_log=ON
slow_query_log_file=/var/lib/mysql/slow.log
long_query_time=3

2. Restart MySQL and generate a slow query
systemctl restart mysql 
Statement that produces a slow-log entry
select sleep(2) user,host from mysql.user ;

3. Confirm that the slow log and error log are actually being generated

4. Enable the filebeat mysql module
filebeat modules enable mysql

5. Configure the mysql module
- module: mysql
  error:
    enabled: true
    var.paths: ["/var/lib/mysql/error.log"]

  slowlog:
    enabled: true 
    var.paths: ["/var/lib/mysql/slow.log"]
	
6. Configure filebeat to route by log type
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
  reload.period: 10s

output.elasticsearch:
  hosts: ["10.0.0.114:9200"]
  indices:
    - index: "nginx_access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        fileset.module: "nginx"
        fileset.name: "access"
    - index: "nginx_error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        fileset.module: "nginx"
        fileset.name: "error"
		
    - index: "mysql_slowlog-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        fileset.module: "mysql"
        fileset.name: "slowlog"
    - index: "mysql_error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        fileset.module: "mysql"
        fileset.name: "error"

setup.template.name: "nginx"
setup.template.pattern: "nginx_*"
setup.template.enabled: false
setup.template.overwrite: true

7. Restart filebeat
systemctl restart filebeat
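
The routing above relies on the order of the `indices` entries and on every field in a `when.contains` block matching. The following added example (not Filebeat's own code) models that first-match rule to show why chapter 2 adds `fileset.module`: with chapter 1's conditions, which key only on `fileset.name`, a mysql error event would land in the nginx error index. Event contents, version and month are constructed.

```python
from datetime import datetime

# Model of output.elasticsearch.indices: rules are tried in order, the first rule
# whose when.contains condition matches wins, and all fields in a condition must match.

def get_field(event, dotted):
    """Resolve a dotted key such as 'fileset.name' inside a nested event dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def contains(event, cond):
    """True when every field in cond contains its value (substring or array member)."""
    for field, wanted in cond.items():
        val = get_field(event, field)
        if isinstance(val, str) and wanted in val:
            continue
        if isinstance(val, list) and wanted in val:
            continue
        return False
    return True

def route_index(event, rules, version="6.6.0", ts=datetime(2019, 9, 11)):
    """Return the expanded index name of the first matching rule, else None."""
    for rule in rules:
        if contains(event, rule["when"]["contains"]):
            return (rule["index"].replace("%{[beat.version]}", version)
                                 .replace("%{+yyyy.MM}", ts.strftime("%Y.%m")))
    return None  # nothing matched: the event goes to the output's default index

# Chapter 1 style: conditions key only on fileset.name ...
CH1_RULES = [
    {"index": "nginx_bbs_access-%{[beat.version]}-%{+yyyy.MM}", "when": {"contains": {"fileset.name": "access"}}},
    {"index": "nginx_error-%{[beat.version]}-%{+yyyy.MM}", "when": {"contains": {"fileset.name": "error"}}},
]
# ... chapter 2 style: fileset.module is required too, so each module keeps its own index.
CH2_RULES = [
    {"index": "nginx_error-%{[beat.version]}-%{+yyyy.MM}", "when": {"contains": {"fileset.module": "nginx", "fileset.name": "error"}}},
    {"index": "mysql_error-%{[beat.version]}-%{+yyyy.MM}", "when": {"contains": {"fileset.module": "mysql", "fileset.name": "error"}}},
]

# Constructed event shaped like what the mysql module's error fileset emits.
MYSQL_ERROR_EVENT = {"fileset": {"module": "mysql", "name": "error"}, "message": "[ERROR] sample"}

if __name__ == "__main__":
    print(route_index(MYSQL_ERROR_EVENT, CH1_RULES))  # nginx_error-6.6.0-2019.09 (misrouted)
    print(route_index(MYSQL_ERROR_EVENT, CH2_RULES))  # mysql_error-6.6.0-2019.09
```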

Chapter 3: Collecting Docker logs with the docker input type

0. Docker installation commands
rm -fr /etc/yum.repos.d/local.repo
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.ustc.edu.cn/docker-ce/linux/centos/docker-ce.repo
sed -i 's#download.docker.com#mirrors.tuna.tsinghua.edu.cn/docker-ce#g' /etc/yum.repos.d/docker-ce.repo
yum install docker-ce -y

1. Start two nginx containers
docker run -d -p 80:80 nginx
docker run -d -p 8080:80 nginx

2. Modify the filebeat configuration file
filebeat.inputs:
- type: docker
  containers.ids: 
    - '*'

output.elasticsearch:
  hosts: ["10.0.0.114:9200"]
  indices:
    - index: "docker_access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        stream: "stdout"
    - index: "docker_error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        stream: "stderr"

setup.template.name: "docker"
setup.template.pattern: "docker_*"
setup.template.enabled: false
setup.template.overwrite: true

3. Restart filebeat
systemctl restart filebeat

4. Hit nginx to generate logs
curl 127.0.0.1/11111111111111111111
curl 127.0.0.1:8080/22222222222222222222
  
5. Check in es-head and Kibana

Chapter 4: Collecting Docker logs, the "leave work early" version
Scenario:
Container 1: nginx
Container 2: mysql

Desired result:
docker_nginx-6.6.0-2019.09
docker_mysql-6.6.0-2019.09

Prerequisites:
A key exists that uniquely identifies each container's business type
For docker-compose installation errors, see https://www.cnblogs.com/eddie1127/p/12003358.html
Container orchestration: docker-compose

1. Install docker-compose
yum install -y python2-pip 
pip install -i https://pypi.tuna.tsinghua.edu.cn/simple pip -U
pip config set global.index-url https://pypi.tuna.tsinghua.edu.cn/simple
pip install docker-compose

2. Write the docker-compose file
[root@db-02 ~]# cat docker-compose.yml 
version: '3'
services:
  nginx:
    image: nginx:latest
    labels:
      service: nginx
    logging:
      options:
        labels: "service"
    ports:
      - "80:80"
  db:
    image: nginx:latest
    labels:
      service: db 
    logging:
      options:
        labels: "service"
    ports:
      - "8080:80"

3. Remove the old containers! Proceed with caution!
docker rm -f  $(docker ps -a -q)

4. Start the containers with docker-compose
docker-compose up -d 


5. Write the filebeat configuration file
filebeat.inputs:
- type: log
  enabled: true 
  paths:
    - /var/lib/docker/containers/*/*-json.log
  json.keys_under_root: true
  json.overwrite_keys: true

output.elasticsearch:
  hosts: ["10.0.0.114:9200"]
  indices:
    - index: "docker_nginx_access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        attrs.service: "nginx"  
        stream: "stdout"
    - index: "docker_nginx_error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        attrs.service: "nginx"  
        stream: "stderr"
    - index: "docker_db_access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        attrs.service: "db"  
        stream: "stdout"
    - index: "docker_db_error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        attrs.service: "db"  
        stream: "stderr"

setup.template.name: "docker"
setup.template.pattern: "docker_*"
setup.template.enabled: false
setup.template.overwrite: true

6. Restart filebeat
systemctl restart filebeat

7. Hit nginx to generate logs
curl 127.0.0.1/nginxxxxxxxxx
curl 127.0.0.1:8080/dbbbbbbbbbbbbbbbbb

8. Check in es-head and Kibana
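
To see what the `attrs.service` and `stream` conditions above are actually matching, here is an added example (not Docker's or Filebeat's code) that decodes constructed lines in the json-file format Docker writes under /var/lib/docker/containers and applies the general form of the four chapter 4 rules. It also covers the failure mode where a container was started without the `logging: options: labels` setting, so no `attrs` field exists and no rule can match.

```python
import json

# Constructed lines shaped like /var/lib/docker/containers/<id>/<id>-json.log entries.
# The compose setting `logging: options: labels: "service"` is what places the container's
# "service" label under "attrs"; that is the key the when.contains rules test.
SAMPLE_NGINX_STDOUT = json.dumps({
    "log": '172.17.0.1 - - [11/Sep/2019:01:04:40 +0000] "GET /nginxxxxxxxxx HTTP/1.1" 404 153\n',
    "stream": "stdout",
    "attrs": {"service": "nginx"},
    "time": "2019-09-11T01:04:40.562Z",
})
SAMPLE_DB_STDERR = json.dumps({
    "log": "2019/09/11 01:04:41 [error] 6#6: *1 open() failed (2: No such file)\n",
    "stream": "stderr",
    "attrs": {"service": "db"},
    "time": "2019-09-11T01:04:41.001Z",
})
# Same kind of container started without the logging labels option: no "attrs" at all.
SAMPLE_UNLABELLED = json.dumps({"log": "hi\n", "stream": "stdout", "time": "2019-09-11T01:04:42Z"})

def decode_line(raw):
    """Model json.keys_under_root: true -- the decoded keys land at the event root."""
    return json.loads(raw)

def index_for(event, version="6.6.0", month="2019.09"):
    """General form of the chapter 4 rules: docker_<service>_<access|error>-<version>-<month>.

    stdout maps to the *_access index and stderr to *_error, exactly as in the config.
    """
    service = event.get("attrs", {}).get("service")
    kind = {"stdout": "access", "stderr": "error"}.get(event.get("stream"))
    if not service or kind is None:
        return None  # no rule matches: Filebeat falls back to its default index
    return f"docker_{service}_{kind}-{version}-{month}"

if __name__ == "__main__":
    for raw in (SAMPLE_NGINX_STDOUT, SAMPLE_DB_STDERR, SAMPLE_UNLABELLED):
        print(index_for(decode_line(raw)))
```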

Chapter 5: Collecting Docker logs, the "pay raise" version

0. Create the container log directories
mkdir /opt/{nginx,mysql}

1. Mount the container's log directory onto the host
docker ps 
docker cp /etc/nginx/nginx.conf <container ID>:/etc/nginx/nginx.conf
docker commit <container ID> nginx:v3
docker rm -f  $(docker ps -a -q)
docker run -d -p 80:80 -v /opt/nginx:/var/log/nginx nginx:v3
docker run -d -p 8080:80 -v /opt/mysql:/var/log/nginx nginx:v3

2. Modify the filebeat configuration file
filebeat.inputs:
- type: log
  enabled: true 
  paths:
    - /opt/nginx/access.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["nginx_access"]

- type: log
  enabled: true 
  paths:
    - /opt/nginx/error.log
  tags: ["nginx_error"]

- type: log
  enabled: true 
  paths:
    - /opt/mysql/access.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["mysql_access"]

- type: log
  enabled: true 
  paths:
    - /opt/mysql/error.log
  tags: ["mysql_error"]

output.elasticsearch:
  hosts: ["10.0.0.114:9200"]
  indices:
    - index: "docker_nginx_access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "nginx_access"
    - index: "docker_nginx_error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "nginx_error"
    - index: "docker_db_access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "mysql_access"
    - index: "docker_db_error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "mysql_error"

setup.template.name: "docker"
setup.template.pattern: "docker_*"
setup.template.enabled: false
setup.template.overwrite: true

3. Restart filebeat
systemctl restart filebeat

4. Hit nginx to generate logs
curl 127.0.0.1/nginxxxxxxxxx
curl 127.0.0.1:8080/dbbbbbbbbbbbbbbbbb

Chapter 6: Using a cache service to relieve pressure on ES

1. Install and configure Redis
yum install redis -y
systemctl start redis 
redis-cli set k1 v1 
redis-cli get k1 

2. Configure filebeat
filebeat.inputs:
- type: log
  enabled: true 
  paths:
    - /var/log/nginx/bbs.access.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["access"]

- type: log
  enabled: true 
  paths:
    - /var/log/nginx/error.log
  tags: ["error"]

output.redis:
  hosts: ["127.0.0.1"]
  keys:
    - key: "nginx_access"
      when.contains:
        tags: "access"
    - key: "nginx_error"
      when.contains:
        tags: "error"

setup.template.name: "nginx"
setup.template.pattern: "nginx_*"
setup.template.enabled: false
setup.template.overwrite: true

3. Make sure the nginx log is in JSON format
>/var/log/nginx/bbs.access.log 
ab -c 10 -n 100 http://10.0.0.114/oooooooooo
tail -1 /var/log/nginx/bbs.access.log 

4. Start filebeat and test whether events are stored in Redis
systemctl restart filebeat

redis-cli
keys * 
TYPE nginx_access 
LLEN nginx_access 
LRANGE nginx_access 1 2 

5. Install and configure Logstash
rpm -ivh logstash-6.6.0.rpm

[root@db-01 /data/soft]# cat /etc/logstash/conf.d/redis.conf 
input {
  redis {
    host => "127.0.0.1"
    port => "6379"
    db => "0"
    key => "nginx_access"
    data_type => "list"
  }
  redis {
    host => "127.0.0.1"
    port => "6379"
    db => "0"
    key => "nginx_error"
    data_type => "list"
  }
}

filter {
  mutate {
    convert => ["upstream_time", "float"]
    convert => ["request_time", "float"]
  }
}

output {
   stdout {}
   if "access" in [tags] {
      elasticsearch {
        hosts => "http://localhost:9200"
        manage_template => false
        index => "nginx_access-%{+yyyy.MM}"
      }
    }
    if "error" in [tags] {
      elasticsearch {
        hosts => "http://localhost:9200"
        manage_template => false
        index => "nginx_error-%{+yyyy.MM}"
      }
    }
}

6. Start Logstash
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/redis.conf

7. Check whether the entries have been consumed from Redis
redis-cli
LLEN nginx_access 

8. Check in es-head and Kibana

Chapter 7: Optimized scheme for storing into Redis

1. Optimize filebeat: store all logs in a single key
filebeat.inputs:
- type: log
  enabled: true 
  paths:
    - /var/log/nginx/bbs.access.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["access"]

- type: log
  enabled: true 
  paths:
    - /var/log/nginx/error.log
  tags: ["error"]

output.redis:
  hosts: ["127.0.0.1"]
  key: "all"

setup.template.name: "nginx"
setup.template.pattern: "nginx_*"
setup.template.enabled: false
setup.template.overwrite: true

2. Logstash reads from the single key and routes by tag
input {
  redis {
    host => "127.0.0.1"
    port => "6379"
    db => "0"
    key => "all"
    data_type => "list"
  }
}

filter {
  mutate {
    convert => ["upstream_time", "float"]
    convert => ["request_time", "float"]
  }
}

output {
   stdout {}
   if "access" in [tags] {
      elasticsearch {
        hosts => "http://localhost:9200"
        manage_template => false
        index => "nginx_access-%{+yyyy.MM}"
      }
    }
    if "error" in [tags] {
      elasticsearch {
        hosts => "http://localhost:9200"
        manage_template => false
        index => "nginx_error-%{+yyyy.MM}"
      }
    }
}
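
Once everything sits in the single `all` list, the only thing deciding where an event ends up is its `tags` field: the two `if` blocks in the output above are independent (an event carrying both tags goes to both indices) and an event with neither tag is seen only by `stdout {}` and never reaches ES. The added example below (not Logstash's or Filebeat's code) models that output block and audits a constructed sample of what `redis-cli LRANGE all 0 -1` would return, so a gap in tagging shows up before data silently goes missing.

```python
import json

# Constructed sample of Filebeat events queued in the Redis list "all" (chapter 7 config):
# each list element is one event serialized as JSON.
QUEUE_SAMPLE = [
    json.dumps({"@timestamp": "2019-09-11T01:05:00.000Z", "tags": ["access"],
                "request_time": "0.012", "upstream_time": "0.010", "status": "200"}),
    json.dumps({"@timestamp": "2019-09-11T01:05:01.000Z", "tags": ["error"],
                "message": "2019/09/11 09:05:01 [error] 1234#0: *5 open() failed"}),
    # An input added later without a tags: setting -- no output branch accepts it.
    json.dumps({"@timestamp": "2019-09-11T01:05:02.000Z", "message": "untagged line"}),
]

def logstash_targets(event):
    """Model the chapter 7 output block: `if "access" in [tags]` / `if "error" in [tags]`."""
    tags = event.get("tags", [])
    targets = []
    if "access" in tags:
        targets.append("nginx_access")
    if "error" in tags:
        targets.append("nginx_error")
    return targets  # empty list: only stdout {} sees the event, nothing reaches ES

def audit_queue(raw_items):
    """Count where each queued event would land and flag events no branch accepts."""
    report = {"nginx_access": 0, "nginx_error": 0, "dropped": 0, "unparseable": 0}
    for raw in raw_items:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            report["unparseable"] += 1  # Logstash would tag _jsonparsefailure instead
            continue
        targets = logstash_targets(event)
        if not targets:
            report["dropped"] += 1
        for name in targets:
            report[name] += 1
    return report

if __name__ == "__main__":
    print(audit_queue(QUEUE_SAMPLE))
```

In a live check, replace QUEUE_SAMPLE with the lines returned by `redis-cli LRANGE all 0 -1` and a non-zero `dropped` count means some input is missing its `tags:` setting.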