1. Download
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.17.4-x86_64.rpm
wget https://artifacts.elastic.co/downloads/kibana/kibana-7.17.4-x86_64.rpm
wget https://artifacts.elastic.co/downloads/logstash/logstash-7.17.4-x86_64.rpm
rpm package: wget https://artifacts.elastic.co/downloads/enterprise-search/enterprise-search-7.17.4.rpm
or: wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.17.4-linux-x86_64.tar.gz
2. Install and configure Elasticsearch
2.1 Install the JDK
● Download the installer
○ Log in to the Oracle site and download it (an Oracle account is required)
■ https://www.oracle.com/java/technologies/downloads/#java8
● Unpack it and set the environment variables (the heredoc delimiter is quoted so that $JAVA_HOME and $PATH are written to /etc/profile literally instead of being expanded by the current shell, where JAVA_HOME is still empty)
tar xf jdk-8u311-linux-x64.tar.gz
mv jdk1.8.0_311 /usr/local/jdk
cat >> /etc/profile <<'EOF'
JAVA_HOME=/usr/local/jdk
PATH=$JAVA_HOME/bin:$PATH
CLASSPATH=$JAVA_HOME/jre/lib/ext:$JAVA_HOME/lib/tools.jar
export PATH JAVA_HOME CLASSPATH
EOF
source /etc/profile
● Verify the JDK
java -version
2.2 Configure system parameters
● Set the kernel parameter
echo "vm.max_map_count=655360" >> /etc/sysctl.conf
● Run the following command to make the setting take effect
sysctl -p
● Set the resource limits
○ # vi /etc/security/limits.conf
* soft nofile 65536
* hard nofile 131072
* soft nproc 65536
* hard nproc 131072
● Set the resource limits for the user that runs Elasticsearch
echo "elastic soft nproc 65536" >> /etc/security/limits.d/20-nproc.conf
2.3 Unpack Elasticsearch into the target directory
The steps below assume the non-root user elastic already exists (Elasticsearch refuses to start as root, and the data and log directories must be writable by that user).
tar xf elasticsearch-7.17.4-linux-x86_64.tar.gz -C /usr/local/
mkdir -p /data/es/{data,logs}
chown -R elastic.elastic /usr/local/elasticsearch-7.17.4
chown -R elastic.elastic /data/es
su - elastic
cat >> /usr/local/elasticsearch-7.17.4/config/elasticsearch.yml <<EOF
cluster.name: application
node.name: node-1
path.data: /data/es/data
path.logs: /data/es/logs
network.host: 0.0.0.0
http.port: 9200
cluster.initial_master_nodes: ["node-1"]
plugin.mandatory: ingest-attachment
xpack.security.enabled: 'true'
xpack.security.transport.ssl.enabled: 'true'
EOF
2.4 Set the passwords
The tool connects to the running node over HTTP, so Elasticsearch must already be up (see 2.5) when it is run.
/usr/local/elasticsearch-7.17.4/bin/elasticsearch-setup-passwords interactive
2.5 Start in the background
/usr/local/elasticsearch-7.17.4/bin/elasticsearch -d
2.6 Check the logs to verify that the node started
3. Log formats
3.1 Log format 1
[2022-07-14 10:03:30.310] [http-nio-8080-exec-2] [ERROR] (com.zz.framework.exception.handler.GlobalExceptionHandler:83) - 数据校验异常,异常字段
3.1.1 Logstash configuration
cat > /etc/logstash/conf.d/app-java.conf << EOF
input {
  beats {
    port => 5044
  }
}
filter {
  grok {
    # %{DATA} is non-greedy, so logtime stops at the first "] "
    match => [
      "message", "\[%{DATA:logtime}\] "
    ]
    break_on_match => false
  }
  date {
    match => ["logtime", "yyyy-MM-dd HH:mm:ss.SSS"]
    target => "@timestamp"
  }
}
output {
  # route on the tag filebeat attached to each input, one index per application
  if "APPname1" in [tags] {
    elasticsearch {
      hosts => ["elasticsearch集群ip:9200"]
      index => "java-APPname1-%{+YYYY-MM-dd}"
      user => "elastic"
      password => "123456"
    }
  } else if "APPname2" in [tags] {
    elasticsearch {
      hosts => ["elasticsearch集群ip:9200"]
      index => "java-APPname2-%{+YYYY-MM-dd}"
      user => "elastic"
      password => "123456"
    }
  } else {
    elasticsearch {
      hosts => ["elasticsearch集群ip:9200"]
      index => "java-%{+YYYY-MM-dd}"
      user => "elastic"
      password => "123456"
    }
  }
}
EOF
systemctl start logstash
Note: Elasticsearch index names must be lowercase, so substitute a lowercase application name for the APPname1/APPname2 placeholders.
3.1.2 Filebeat configuration
Meaning of the multiline options (each setting is shown with the variants used on this page):
multiline.pattern: '^\<|^[[:space:]]|^[[:space:]]+(at|\.{3})\b|^Caused by:'
#user-defined regex; several alternatives can be combined with "|" (OR)
multiline.pattern: '^\['
#user-defined regex; several alternatives can be combined with "|" (OR)
multiline.negate: false
#default is false: lines that match the pattern are merged into the previous line
multiline.negate: true
#lines that do NOT match the pattern are merged into the previous line
multiline.match: after
#whether a merged line is appended after the previous line or placed before it
rpm -ivh filebeat-7.17.4-x86_64.rpm
cp /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.bak
The heredoc delimiter is quoted so that the shell does not try to expand ${path.config} (which would abort with "bad substitution"):
cat > /etc/filebeat/filebeat.yml << 'EOF'
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /tmp/APPname1.log
  tags: ["APPname1"]
  fields:
    env: test
    app: APPname
  multiline.pattern: '^\['
  multiline.negate: true
  multiline.match: "after"
- type: log
  enabled: true
  paths:
    - /tmp/APPname2.log
  tags: ["APPname2"]
  fields:
    env: stg
    app: APPname
  multiline.pattern: '^\['
  multiline.negate: true
  multiline.match: "after"
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
output.logstash:
  hosts: ["logstashIP1:5044","logstashIP2:5044","logstashIP3:5044"]
EOF
systemctl start filebeat
3.2 Log format 2
ELFK collecting Java logs in JSON format
Background: after discussion with the developers, the Java logging was changed to JSON output and fields such as app, env and timestamp were added to make collection easier.
The final log format is
{"timestamp":"2022-09-09T01:58:00,151Z","logfilepath":"logs/java-Appname1-2022-09-09.log","app":"APPname1","version":"v1.3.0","env":"test","host":"APPname1-56fb8bf9b9-nmbpz","level":"INFO","pid":"7","thread":"Thread-8","class":"com.zz.mp.user.service.impl.BarcodeServiceImpl","method":"generateBarcode","line":"100","message":"完成释放生成Barcode任务锁","statck_trace":""}
3.2.1 Logstash configuration
input {
  beats {
    port => 5044
  }
}
output {
  if "APPname1" in [tags] {
    elasticsearch {
      hosts => ["192.168.11.41:9200"]
      index => "APPname1-%{+YYYY-MM-dd}"
      user => "elastic"
      password => "123456"
    }
  } else if "APPname2" in [tags] {
    elasticsearch {
      hosts => ["192.168.11.41:9200"]
      # the app field comes from the JSON log line itself (json.keys_under_root in filebeat)
      index => "%{[app]}-%{+YYYY-MM-dd}"
      user => "elastic"
      password => "123456"
    }
  }
}
3.2.2 Filebeat configuration
- type: log
  paths:
    - /app/*/*/java-*.log
  exclude_files: ["_filebeat", ".gz$"]
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["APPname2"]
3.3 Log format 3
Filebeat treats every line that begins with whitespace, with "..." or with "Caused by" as part of the preceding event, so a Java stack trace stays in one document:
Exception in thread "main" java.lang.NullPointerException
at com.example.myproject.Book.getTitle(Book.java:16)
at com.example.myproject.Author.getBookTitles(Author.java:25)
at com.example.myproject.Bootstrap.main(Bootstrap.java:14)
3.3.1 Filebeat configuration file
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /tmp/APPname1.log
  tags: ["APPname1"]
  fields:
    env: stg
    app: APPname1
  multiline.pattern: '^[[:space:]]+(at|\.{3})[[:space:]]+\b|^Caused by:'
  multiline.negate: false
  multiline.match: after
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
output.logstash:
  hosts: ["logstashIP1:5044","logstashIP2:5044","logstashIP3:5044"]
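To check what a multiline rule will do before events reach Logstash, here is an added Python re-implementation of Filebeat's grouping rule for multiline.match: after (example code, not Filebeat's own). It runs the '^\[' / negate: true rule from 3.1.2 and the stack-trace / negate: false rule from 3.3.1 over constructed sample lines, and also shows the mis-split that a wrong negate setting produces. Filebeat's Go regex engine accepts [[:space:]]; Python's re does not, so \s is used in its place.

```python
import re

# Patterns from the page's filebeat configs, written for Python's re:
# '^\[' (3.1.2 / 3.4.2) and the stack-trace rule of 3.3.1 with [[:space:]] replaced by \s.
BRACKET_START = re.compile(r"^\[")
STACK_CONTINUATION = re.compile(r"^\s+(at|\.{3})\s+\b|^Caused by:")

# Constructed sample input: a format-1 entry with its stack trace, then the next entry.
FORMAT1_LINES = [
    "[2022-07-14 10:03:30.310] [http-nio-8080-exec-2] [ERROR] (GlobalExceptionHandler:83) - validation failed",
    "java.lang.NullPointerException: null",
    "\tat com.example.myproject.Book.getTitle(Book.java:16)",
    "[2022-07-14 10:03:31.000] [http-nio-8080-exec-3] [INFO] (GlobalExceptionHandler:90) - next request",
]
# Constructed sample input for the format-3 rule: a bare stack trace, then an unrelated line.
STACK_LINES = [
    'Exception in thread "main" java.lang.NullPointerException',
    "        at com.example.myproject.Book.getTitle(Book.java:16)",
    "        at com.example.myproject.Author.getBookTitles(Author.java:25)",
    "Caused by: java.io.IOException: disk full",
    "        ... 3 more",
    "Recovered, continuing",
]


def multiline_after(lines, pattern, negate):
    """Group lines as filebeat does with multiline.match: after.

    A line is joined to the open event when (pattern matches) != negate;
    otherwise it closes the open event and starts a new one.  Filebeat flushes
    the open event on a timeout; here it is flushed at end of input."""
    events, current = [], []
    for line in lines:
        joins = bool(pattern.search(line)) != negate
        if current and joins:
            current.append(line)
        else:
            if current:
                events.append("\n".join(current))
            current = [line]
    if current:
        events.append("\n".join(current))
    return events


def demo():
    """Event counts for the two correct configs and for a wrong negate setting."""
    return (
        len(multiline_after(FORMAT1_LINES, BRACKET_START, negate=True)),       # 2 events
        len(multiline_after(STACK_LINES, STACK_CONTINUATION, negate=False)),   # 2 events
        len(multiline_after(FORMAT1_LINES, BRACKET_START, negate=False)),      # 3: trace split off
    )
```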
3.4 Log format 4
[01595c5af15841af822b3caca90ff57e][INFO][2023-07-12 14:39:05 445][server.service.Y4ECSService]-[RTG补发可驶离:AIV车辆是否在RTG的范围内=null]
3.4.1 Logstash configuration
input {
  beats {
    port => 5044
  }
}
filter {
  grok {
    match => [
      "message", "\[%{DATA:traceId}\]\[%{DATA:loglevel}\]\[%{DATA:logtime}\]"
    ]
    break_on_match => false
  }
  date {
    match => ["logtime", "yyyy-MM-dd HH:mm:ss SSS"]
    target => "@timestamp"
  }
  mutate {
    remove_field => ["@version", "logtime", "traceId", "loglevel"]
  }
}
output {
  if "aiv" in [tags] {
    elasticsearch {
      hosts => ["http://10.140.20.198:9200","http://10.140.20.199:9200"]
      index => "aiv2-%{+YYYY.MM.dd}"
    }
  } else if "qc" in [tags] {
    elasticsearch {
      hosts => ["http://10.140.20.198:9200","http://10.140.20.199:9200"]
      index => "qc2-%{+YYYY.MM.dd}"
    }
  } else if "rtg" in [tags] {
    elasticsearch {
      hosts => ["http://10.140.20.198:9200","http://10.140.20.199:9200"]
      index => "rtg2-%{+YYYY.MM.dd}"
    }
  } else {
    file {
      path => "/tmp/*/*.log"
    }
  }
}
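The grok and date patterns on this page can be checked offline before a pipeline is deployed. The added Python below (example code, not Logstash) applies the grok, date and mutate steps of 3.4.1 to a constructed event, using the fact that grok's %{DATA} is the non-greedy .*?, and also runs the 3.1.1 and 3.5.2 patterns over their sample lines. It assumes UTC for the date filter, which Logstash would otherwise take from the host timezone, and approximates %{TIMESTAMP_ISO8601} with an explicit date regex.

```python
import re
from datetime import datetime, timezone

# Grok patterns from the page translated to Python regexes.  Each entry:
# (regex, time field, strptime equivalent of the Joda pattern, fields removed by mutate)
PIPELINES = {
    "format1": (re.compile(r"\[(?P<logtime>.*?)\] "), "logtime",
                "%Y-%m-%d %H:%M:%S.%f", ()),
    "format4": (re.compile(r"\[(?P<traceId>.*?)\]\[(?P<loglevel>.*?)\]\[(?P<logtime>.*?)\]"),
                "logtime", "%Y-%m-%d %H:%M:%S %f",
                ("@version", "logtime", "traceId", "loglevel")),
    "format5": (re.compile(r"(?P<logdate>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})"),
                "logdate", "%Y-%m-%d %H:%M:%S.%f", ("@version",)),
}


def apply_filter(name, message):
    """Run grok -> date -> mutate for one message and return the resulting event."""
    regex, tfield, strp, remove = PIPELINES[name]
    event = {"message": message, "@version": "1", "tags": []}
    m = regex.search(message)
    if m is None:
        event["tags"].append("_grokparsefailure")   # grok keeps the event and only tags it
    else:
        event.update(m.groupdict())
    if tfield in event:
        try:
            # date filter: %f accepts the 3-digit millisecond field; UTC assumed (see lead-in)
            ts = datetime.strptime(event[tfield], strp).replace(tzinfo=timezone.utc)
            event["@timestamp"] = ts.isoformat(timespec="milliseconds").replace("+00:00", "Z")
        except ValueError:
            event["tags"].append("_dateparsefailure")
    for field in remove:                               # mutate { remove_field => [...] }
        event.pop(field, None)
    return event


# Sample lines taken from sections 3.1, 3.4 and 3.5 of the page (messages shortened).
SAMPLES = {
    "format1": "[2022-07-14 10:03:30.310] [http-nio-8080-exec-2] [ERROR] (GlobalExceptionHandler:83) - error",
    "format4": "[01595c5af15841af822b3caca90ff57e][INFO][2023-07-12 14:39:05 445][server.service.Y4ECSService]-[msg]",
    "format5": "2023-08-11 07:02:43.008 c.j.s.b.StartRealBolt Thread-39-executor[153, 153] [DEBUG] StartRealBolt end",
}
```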
3.4.2 Filebeat configuration
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /***/logs/web.log
  tags: ["aiv"]
  multiline.pattern: '^\['
  multiline.negate: true
  multiline.match: "after"
setup.ilm.enabled: false
setup.template.name: "rtg"
setup.template.pattern: "rtg-*"
output.logstash:
  hosts: ["logstashIP:5044"]
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
setup.kibana:
processors:
  - drop_fields:
      fields: ["ecs","agent","log","input","@metadata","stream"]
3.4.3 Filebeat configuration on Windows
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - E:\**\logs\web.log
  encoding: GB2312
  tags: ["rtg"]
  multiline.pattern: '^\[' #regex to match; lines that do not start with [ are merged into the previous line
  multiline.negate: true #whether the pattern above is negated; default false
  multiline.match: after #whether merged lines are added after or before the matching line; no default, may be after or before
setup.ilm.enabled: false
setup.template.name: "qc"
setup.template.pattern: "qc-*"
output.logstash:
  hosts: ["logstashIP:5044"]
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
processors:
  - drop_fields:
      fields: ["ecs","agent","log","input","@metadata"]
3.5 Log format 5
2023-08-11 07:02:43.008 c.j.s.b.StartRealBolt Thread-39-RealDataReportMqttBoltreal_data/report/H410-executor[153, 153] [DEBUG] StartRealBolt end,vehicleNo:H410,curTime:1691737362919
2023-08-11 07:02:43.008 c.j.s.b.StartRealBolt Thread-39-RealDataReportMqttBoltreal_data/report/H410-executor[153, 153] [INFO] SRB-VO:H410,s:default,a:12,b:43,c:0,d:34,e:6,eR0:5,eR1:0,f:1,fR:0,g:0
2023-08-11 07:02:43.015 c.j.s.b.StartRealBolt Thread-33-RealDataReportMqttBoltreal_data/report/H359-executor[105, 105] [INFO] StartRealBolt_begin:H359
3.5.1 Filebeat configuration
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /data/storm/logs/workers-artifacts/*/*/*.log
  tags: ["storm"]
  #multiline.pattern: '^\['
  # a new event starts at a line beginning with a yyyy-MM-dd date
  multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: "after"
setup.ilm.enabled: false
setup.template.name: "logstash-log"
setup.template.pattern: "logstash-log-*"
output.logstash:
  hosts: ["10.140.20.31:5044"]
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
setup.kibana:
processors:
  - drop_fields:
      fields: ["ecs","agent","log","input","@metadata","stream"]
3.5.2 Logstash configuration
input {
  beats {
    port => 5044
  }
}
filter {
  if "storm" in [tags] {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:logdate}" }
      break_on_match => false
    }
    date {
      match => ["logdate", "yyyy-MM-dd HH:mm:ss.SSS"]
      target => "@timestamp"
    }
    mutate {
      remove_field => ["@version"]
    }
  }
  if "aiv" in [tags] {
    grok {
      match => [
        "message", "\[%{DATA:traceId}\]\[%{DATA:loglevel}\]\[%{DATA:logtime}\]"
      ]
      break_on_match => false
    }
    date {
      match => ["logtime", "yyyy-MM-dd HH:mm:ss SSS"]
      target => "@timestamp"
    }
    mutate {
      remove_field => ["@version", "logtime", "traceId", "loglevel"]
    }
  }
}
output {
  if "aiv" in [tags] {
    elasticsearch {
      hosts => ["http://10.140.20.198:9200","http://10.140.20.199:9200"]
      index => "aiv2-%{+YYYY.MM.dd}"
    }
  } else if "storm" in [tags] {
    elasticsearch {
      hosts => ["http://10.140.20.198:9200","http://10.140.20.199:9200"]
      index => "storm-%{+YYYY.MM.dd}"
    }
  } else {
    file {
      path => "/tmp/*/*.log"
    }
  }
}
4. Filebeat troubleshooting
If Filebeat does not start successfully, run cd /usr/bin and, from that directory, ./filebeat -c /etc/filebeat/filebeat.yml -e; this prints the specific error message in the foreground.
Deleting the Filebeat registry so the file is re-read and the index is created (solved)
Background: Filebeat was collecting the same file; after changing the custom tag in Filebeat and the index name defined in Logstash, the change did not take effect after a restart and the corresponding index was not created in ES (the registry remembers the offset already read, so nothing is re-sent).
Solution
mv /var/lib/filebeat/registry/filebeat/log.json /tmp
systemctl restart filebeat
Check whether the corresponding index has been created
curl -u elastic:123456 -XGET 'http://localhost:9200/_cat/indices?v&pretty'
5. Install, configure and start Kibana
rpm -ivh kibana-7.17.4-x86_64.rpm
cp /etc/kibana/kibana.yml /etc/kibana/kibana.yml.bak
sed -i 's/#elasticsearch.username: "kibana_system"/elasticsearch.username: "kibana"/g' /etc/kibana/kibana.yml
sed -i 's/#elasticsearch.password: "pass"/elasticsearch.password: "123456"/g' /etc/kibana/kibana.yml
systemctl start kibana
Open port 5601 in the firewall