ELK Overview
1) What ELK stands for
Elasticsearch: log indexing and storage
Logstash: log collection, parsing, and processing
Kibana: log visualization
2) What the ELK stack solves when operating large-scale logging systems
Centralized querying and management of distributed log data
System monitoring, covering both hardware and every application component
Troubleshooting; security information and event management (SIEM)
Reporting
3) Key characteristics: real-time analysis on a distributed, real-time document store
Single-node Elasticsearch installation
[root@test ~]# vim /etc/security/limits.conf
* soft nofile 65536
* hard nofile 131072
* soft nproc 2048
* hard nproc 4096
* soft memlock unlimited
* hard memlock unlimited
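These limits take effect only for new login sessions; after logging in again they can be confirmed with ulimit:
[root@test ~]# ulimit -Sn    # expect 65536 (soft nofile)
[root@test ~]# ulimit -Hn    # expect 131072 (hard nofile)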
[root@test ~]# vim /etc/hosts
192.168.1.16 test
[root@test ~]# yum install -y java-1.8.0-openjdk
[root@test ~]# yum -y install elasticsearch-2.3.4.rpm    # install from the locally downloaded package
[root@test ~]# vim +54 /etc/elasticsearch/elasticsearch.yml
54: network.host: 0.0.0.0
[root@test ~]# systemctl enable --now elasticsearch
[root@test ~]# curl 192.168.1.16:9200
{
"name" : "War Eagle",
"cluster_name" : "elasticsearch",
"version" : {
"number" : "2.3.4",
"build_hash" : "e455fd0c13dceca8dbbdbb1665d068ae55dabe3f",
"build_timestamp" : "2016-06-30T11:24:31Z",
"build_snapshot" : false,
"lucene_version" : "5.5.0"
},
"tagline" : "You Know, for Search"
}
Cluster installation
Run on every node:
[root@es-01 ~]# vim /etc/hosts
192.168.1.11 es-01
192.168.1.12 es-02
192.168.1.13 es-03
192.168.1.14 es-04
192.168.1.15 es-05
[root@es-01 ~]# yum install -y java-1.8.0-openjdk
[root@es-01 ~]# yum -y install elasticsearch-2.3.4.rpm
[root@es-01 ~]# vim /etc/elasticsearch/elasticsearch.yml
17 cluster.name: my-es
23 node.name: es-01 # this node's hostname
54 network.host: 0.0.0.0
68 discovery.zen.ping.unicast.hosts: ["es-01", "es-02", "es-03", "es-04", "es-05"]
[root@es-01 ~]# systemctl enable --now elasticsearch
[root@es-01 ~]# curl http://192.168.1.11:9200/_cluster/health?pretty
{
"cluster_name" : "my-es", //集群名
"status" : "green", //状态
"timed_out" : false,
"number_of_nodes" : 5, //节点数
"number_of_data_nodes" : 5,
"active_primary_shards" : 0,
"active_shards" : 0,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
Installing the head, bigdesk, and kopf plugins
kopf: an Elasticsearch administration tool that exposes APIs for operating on the cluster
bigdesk: a cluster monitoring tool for Elasticsearch; it shows cluster state such as
CPU and memory usage, index data, search activity, HTTP connection counts, and so on
head:
Displays the cluster topology and supports index- and node-level operations
Provides a set of query APIs against the cluster, returning results as JSON and tables
Offers shortcut menus that surface various aspects of cluster state
Plugin management: plugin install to install, plugin remove to remove, plugin list to list
[root@es-01 ~]# ls
elasticsearch-head-master.zip bigdesk-master.zip elasticsearch-2.3.4.rpm elasticsearch-kopf-master.zip
[root@es-01 ~]# /usr/share/elasticsearch/bin/plugin install file:///root/bigdesk-master.zip
...
Installed bigdesk into /usr/share/elasticsearch/plugins/bigdesk
[root@es-01 ~]# /usr/share/elasticsearch/bin/plugin install file:///root/elasticsearch-head-master.zip
[root@es-01 ~]# /usr/share/elasticsearch/bin/plugin install file:///root/elasticsearch-kopf-master.zip
[root@es-01 ~]# /usr/share/elasticsearch/bin/plugin list
Installed plugins in /usr/share/elasticsearch/plugins:
- bigdesk
- head
- kopf
http://192.168.1.11:9200/_plugin/kopf/#!/cluster
http://192.168.1.11:9200/_plugin/head/
http://192.168.1.11:9200/_plugin/bigdesk/#nodes
Basic Elasticsearch operations
a) The _cat keyword queries cluster state, node information, and more
# List the supported endpoints
[root@es-01 ~]# curl -XGET http://es-01:9200/_cat/
=^.^=
/_cat/allocation
/_cat/shards
/_cat/shards/{index}
/_cat/master
/_cat/nodes
/_cat/indices
/_cat/indices/{index}
...
# Query a specific endpoint
[root@es-01 ~]# curl -XGET http://es-01:9200/_cat/master
-0mvjPKwRh--GSqZXzF-Wg 192.168.1.13 192.168.1.13 es-03 // the current master is es-03
# Append ?v for verbose output
[root@es-01 ~]# curl -XGET http://es-01:9200/_cat/master?v
id host ip node // a header row is added
-0mvjPKwRh--GSqZXzF-Wg 192.168.1.13 192.168.1.13 es-03
# Append ?help for a description of each column
[root@es-01 ~]# curl -XGET http://es-01:9200/_cat/master?help
id | | node id
host | h | host name
ip | | ip address
node | n | node name
Elasticsearch is accessed over HTTP. An HTTP request has three parts: request line, headers, and body.
Request line: Method Request-URI HTTP-Version CRLF
Common methods: GET, POST, HEAD
Other methods: OPTIONS, PUT, DELETE, TRACE, and CONNECT
Request methods as Elasticsearch uses them:
Create - PUT, Delete - DELETE, Update - POST, Read - GET. All data exchanged with Elasticsearch is JSON.
b) Creating an index: curl -XPUT
Specify the index name, the number of shards, and the number of replicas
Create the index with the PUT method, then verify it through the head plugin
[root@es-01 ~]# curl -XPUT http://es-01:9200/tedu -d \
'{
"settings":{
"index":{
"number_of_shards": 5,
"number_of_replicas": 1
}
}
}'
# tedu is the index name; -d passes the JSON request body
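An optional check of the shard and replica settings (the _settings endpoint is standard Elasticsearch):
[root@es-01 ~]# curl -XGET http://es-01:9200/tedu/_settings?pretty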
c) Adding data: curl -XPUT
[root@es-01 ~]# curl -XPUT http://es-01:9200/tedu/teacher/1 -d \
'{
"职业": "诗人",
"名字": "李白",
"称号": "诗仙",
"年代": "唐"
}'
{"_index":"tedu","_type":"teacher","_id":"1","_version":1,"_shards":{"total":2,"successful":2,"failed":0},"created":true}
d) Updating data: curl -XPOST
[root@es-01 ~]# curl -XPOST http://es-01:9200/tedu/teacher/1/_update -d \
'{
"doc": {
"年代": "公元701"
}
}'
e) Deleting data: curl -XDELETE
# Delete a single document
[root@es-01 ~]# curl -XDELETE http://es-01:9200/tedu/teacher/1
# Delete the whole index
[root@es-01 ~]# curl -XDELETE http://es-01:9200/tedu    # the head plugin's Overview tab now shows no data
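A GET against the deleted index should now fail (Elasticsearch 2.x returns an index_not_found_exception):
[root@es-01 ~]# curl -XGET http://es-01:9200/tedu?pretty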
Setting up Kibana
[root@kibana ~]# cat /etc/hosts
192.168.1.11 es-01
192.168.1.12 es-02
192.168.1.13 es-03
192.168.1.14 es-04
192.168.1.15 es-05
192.168.1.16 kibana
[root@kibana ~]# yum -y install kibana-4.5.2-1.x86_64.rpm
[root@kibana ~]# vim /opt/kibana/config/kibana.yml
02 server.port: 5601
05 server.host: "0.0.0.0"
15 elasticsearch.url: "http://es-01:9200"
23 kibana.index: ".kibana" // index where Kibana stores its own configuration
26 kibana.defaultAppId: "discover" // default landing page
[root@kibana ~]# systemctl enable --now kibana
[root@kibana ~]# ss -antup | grep 5601
http://192.168.1.16:5601/status
Alternatively, for the newer Kibana 6.8.8 (the 6.x packages keep the config at /etc/kibana/kibana.yml):
[root@kibana ~]# yum -y install kibana-6.8.8-x86_64.rpm
[root@kibana ~]# vim /etc/kibana/kibana.yml    # YAML: uncommented options must start flush left
02 server.port: 5601
07 server.host: "0.0.0.0"
28 elasticsearch.hosts: ["http://es-01:9200","http://es-02:9200"] // multiple hosts avoid a single point of failure
37 kibana.index: ".kibana"
40 kibana.defaultAppId: "home" // default landing page
113 i18n.locale: "zh-CN"
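After editing, restart the service and confirm port 5601 is listening, as before:
[root@kibana ~]# systemctl restart kibana
[root@kibana ~]# ss -antup | grep 5601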
Lab: importing sample log data
[root@kibana ~]# gunzip logs.jsonl.gz    # sample data for the lab
[root@kibana ~]# curl -XPOST http://192.168.1.11:9200/_bulk --data-binary @logs.jsonl
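An optional check that the bulk import created its indices:
[root@kibana ~]# curl http://192.168.1.11:9200/_cat/indices?v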
With the data imported, visualizations such as a pie chart can be built in Kibana.
Building Logstash to complete the ELK cluster and analyze web logs in real time
[root@web ~]# vim /etc/httpd/conf/httpd.conf    # the log format we will parse
196 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
217 CustomLog "logs/access_log" combined
A sample line in this combined format:
192.168.4.8 - - [21/Mar/2021:16:47:05 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
Logstash overview
Logstash is a tool for collecting, transforming, and shipping data. Its strengths: centralized processing of all data types, normalization of data in different schemas and formats, quick extension to custom log formats, and easy plugin support for custom data sources.
Logstash pipeline structure
{data source} ==> input{} ==> filter{} ==> output{} ==> {results}
input collects data, filter processes it, output ships it
Official reference:
https://www.elastic.co/guide/en/logstash/current/index.html
Logstash startup command:
/opt/logstash/bin/logstash -f /etc/logstash/logstash.conf
Value types in Logstash configuration
Boolean: ssl_enable => true
Bytes: bytes => "1MiB"
String: name => "xkops"
Number: port => 22
Array: match => ["datetime", "UNIX"]
Hash (key-value pairs): options => { k => "v", k2 => "v2" }
Comments: #
Conditionals
Equality: ==, !=; comparison: <, >, <=, >=
Regex match: =~; regex non-match: !~
Logic: in, not in, and, or, nand, xor
Other - codec type: codec => "json"
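A minimal sketch combining these types and conditionals (hypothetical field values; mutate/add_tag are standard filter options):
filter {
  # tag apache-typed events whose HTTP status is 5xx
  if [type] == "apache" and [response] =~ /^5\d\d$/ {
    mutate { add_tag => ["server_error"] }
  }
}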
Installing Logstash
[root@logstash ~]# vim /etc/hosts
192.168.1.11 es-01
192.168.1.12 es-02
192.168.1.13 es-03
192.168.1.14 es-04
192.168.1.15 es-05
192.168.1.16 kibana
192.168.1.17 logstash
[root@logstash ~]# yum install -y java-1.8.0-openjdk
[root@logstash ~]# yum -y install logstash-2.3.4-1.noarch.rpm
[root@logstash ~]# touch /etc/logstash/logstash.conf
b) A minimal configuration for testing
It uses only two plugins: logstash-input-stdin and logstash-output-stdout
[root@logstash ~]# vim /etc/logstash/logstash.conf
input {
stdin {}
}
filter{ }
output{
stdout{}
}
[root@logstash ~]# /opt/logstash/bin/logstash -f /etc/logstash/logstash.conf    # start Logstash
Settings: Default pipeline workers: 2
Pipeline main started    // startup complete; may take a moment
123456    // what we typed
2022-03-07T04:09:03.441Z logstash 123456    // the output: timestamp and host prepended to the input
The configuration above relies on plugins; all of Logstash's data handling is plugin-based.
Plugin management commands: install to install, uninstall to remove, list to show installed plugins
[root@logstash ~]# /opt/logstash/bin/logstash-plugin list #查看支持的插件
...
logstash-filter-anonymize
logstash-filter-checksum
logstash-filter-clone
logstash-filter-csv
...
c) Codecs and debug formats
To treat standard input as JSON-encoded data:
input{
stdin { codec => "json"}
}
When debugging, we usually print to standard output. Since the data is JSON, the rubydebug codec makes it much easier to read:
input{
stdin{ codec=>"json"}
}
filter{}
output{
stdout { codec=>"rubydebug" }
}
Test with a JSON string: {"a":"1", "b":"2", "c":"3"}
[root@logstash ~]# vim /etc/logstash/logstash.conf
input {
stdin { codec => "json" }
}
filter{ }
output{
stdout{ codec => "json" }
}
[root@logstash ~]# /opt/logstash/bin/logstash -f /etc/logstash/logstash.conf
Pipeline main started
{"a":"1", "b":"2","c":"3"}
{"a":"1","b":"2","c":"3","@version":"1","@timestamp":"2022-03-07T04:15:39.826Z","host":"logstash"}
[root@logstash ~]# vim /etc/logstash/logstash.conf
input {
stdin { codec => "json" }
}
filter{ }
output{
stdout{ codec => "rubydebug" }
}
[root@logstash ~]# /opt/logstash/bin/logstash -f /etc/logstash/logstash.conf
{"a":"1", "b":"2","c":"3"}
{
"a" => "1",
"b" => "2",
"c" => "3",
"@version" => "1",
"@timestamp" => "2022-03-07T04:18:54.912Z",
"host" => "logstash"
}
The input file plugin
The file plugin is one of the most commonly used inputs. It reads data from local files and monitors them for changes in real time. Plugin syntax:
input {
  file {
    parameter => "value"
  }
}
Core parameters
path - the file path(s) to monitor
  path => ["/tmp/a.log", "/tmp/b.log"]
start_position - where to start on the first read [beginning|end]
  start_position => "beginning"
sincedb_path - where to record the read position
  sincedb_path => "/var/lib/logstash/sincedb-access"
type - a string tag attached to every event, like a label
  type => "testlog"
Example 1
[root@logstash ~]# vim /etc/logstash/logstash.conf
input {
stdin { codec => "json" }
file {
path => ["/tmp/a.log","/tmp/b.log"]
}
}
filter{ }
output{
stdout{ codec => "rubydebug" }
}
[root@logstash ~]# /opt/logstash/bin/logstash -f /etc/logstash/logstash.conf
Open a second terminal to verify:
[root@logstash ~]# echo LOG_$RANDOM >> /tmp/a.log
[root@logstash ~]# cat /tmp/a.log
LOG_18301
Back in the original terminal:
[root@logstash ~]# /opt/logstash/bin/logstash -f /etc/logstash/logstash.conf
Settings: Default pipeline workers: 2
Pipeline main started
{
"message" => "LOG_18301",
"@version" => "1",
"@timestamp" => "2022-03-07T04:30:40.322Z",
"path" => "/tmp/a.log",
"host" => "logstash-0001"
}
Example 2: the type parameter
[root@logstash ~]# vim /etc/logstash/logstash.conf
# use type to distinguish apache logs from mysql logs; each source needs its own file block
input {
  file {
    path => ["/tmp/a.log"]
    type => "apache"
  }
  file {
    path => ["/tmp/b.log"]
    type => "mysql"
  }
}
filter{ }
output{
stdout{ codec => "rubydebug" }
}
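With this configuration running, append a line to each file from a second terminal; in the rubydebug output, events from /tmp/a.log carry "type" => "apache" and events from /tmp/b.log carry "type" => "mysql":
[root@logstash ~]# echo LOG_$RANDOM >> /tmp/a.log
[root@logstash ~]# echo LOG_$RANDOM >> /tmp/b.log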
Example 3: other parameters
[root@logstash ~]# vim /etc/logstash/logstash.conf
input {
file {
path => ["/tmp/c.log"]
type => "test"
#设置标签
start_position => "beginning"
#会从头读,end丢弃
sincedb_path => "/var/lib/logstash/sincedb"
#书签位置
}
}
filter{ }
output{
stdout{ codec => "rubydebug" }
}
The sincedb bookmark file records the read position so files are not re-read. If sincedb_path is not set, Logstash keeps it in the home directory by default:
[root@logstash ~]# ls /root/.sincedb_*
/root/.sincedb_ab3977c541d1144f701eedeb3af4956a
[root@logstash ~]# cat /root/.sincedb_ab3977c541d1144f701eedeb3af4956a
16777289 0 64768 20
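During testing it is often useful to force a full re-read; deleting the bookmark file (or pointing sincedb_path at /dev/null, as in the grok example later) does that:
[root@logstash ~]# rm -f /root/.sincedb_*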
4) The filter grok plugin
grok parses unstructured log data. It applies regular expressions with named capture groups to turn unstructured text into structured fields. The expressions must be written to match the data's exact layout, which can be tedious, but the approach works for almost any kind of data.
grok syntax
Named capture with a raw regex:
  (?<name>regex)
Calling a predefined pattern (macro):
  %{PATTERN_NAME:field_name}
The built-in patterns ship in:
/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns/grok-patterns
They are also documented on the official site:
https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html
The grok below combines several built-in patterns:
match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
[root@logstash ~]# vim /etc/logstash/logstash.conf
input {
file {
path => ["/tmp/c.log"]
start_position => "beginning"
sincedb_path => "/dev/null" #把日志位置指针文件指向/dev/null可以反复读取测试 type => "test"
}
}
filter{
grok {
match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
}
}
output{
stdout{ codec => "rubydebug" }
}
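A quick way to test (this sample line is the one used in the official grok documentation and matches the pattern above):
[root@logstash ~]# echo '55.3.244.1 GET /index.html 15824 0.043' >> /tmp/c.log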
Final version
[root@logstash ~]# vim /etc/logstash/logstash.conf
input {
file {
path => ["/tmp/c.log"]
type => "test"
start_position => "beginning"
sincedb_path => "/dev/null"
}
}
filter{
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" } //定义好的宏
}
}
output{
stdout{ codec => "rubydebug" }
}
[root@logstash ~]# /opt/logstash/bin/logstash -f /etc/logstash/logstash.conf
[root@logstash ~]# vim /tmp/c.log    # paste in an Apache combined-format access-log line, e.g.:
192.168.1.17 - - [07/Mar/2022:21:27:02 +0800] "GET /info.html HTTP/1.1" 404 207 "-" "curl/7.29.0"
[root@logstash ~]# /opt/logstash/bin/logstash -f /etc/logstash/logstash.conf
Settings: Default pipeline workers: 1
Pipeline main started
{
"message" => "192.168.1.17 - - [07/Mar/2022:21:27:02 +0800] \"GET /info.html HTTP/1.1\" 404 207 \"-\" \"curl/7.29.0\"",
"@version" => "1",
"@timestamp" => "2022-03-07T13:27:58.034Z",
"path" => "/tmp/c.log",
"host" => "logstash",
"type" => "test",
"clientip" => "192.168.1.17",
"ident" => "-",
"auth" => "-",
"timestamp" => "07/Mar/2022:21:27:02 +0800",
"verb" => "GET",
"request" => "/info.html",
"httpversion" => "1.1",
"response" => "404",
"bytes" => "207",
"referrer" => "\"-\"",
"agent" => "\"curl/7.29.0\""
}
The output elasticsearch plugin
The elasticsearch output is the data-output side of our log analysis system: it writes the JSON events produced by the filters into the Elasticsearch cluster.
elasticsearch plugin syntax
output {
  elasticsearch {
    parameter => "value"
  }
}
Core parameters of the elasticsearch output
hosts - the Elasticsearch node addresses, as an array
  hosts => ["es-01:9200", "es-02:9200", "es-03:9200"]
index - the name of the index to write to
  index => "weblog"
index also supports date-based names, where YYYY is the year, MM the month, and dd the day
  index => "weblog-%{+YYYY.MM.dd}"
Testing the output
[root@logstash ~]# vim /etc/logstash/logstash.conf
input {
file {
path => ["/tmp/c.log"]
type => "test"
start_position => "beginning"
sincedb_path => "/dev/null"
}
}
filter{
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
}
output{
stdout{ codec => "rubydebug" }
elasticsearch {
hosts => ["es-01:9200", "es-02:9200", "es-03:9200"]
index => "weblog"
}
}
[root@logstash ~]# /opt/logstash/bin/logstash -f /etc/logstash/logstash.conf
The beats plugin
How do we collect the logs?
- Logstash depends on a Java runtime and is resource-hungry, so deploying it on every web server is a poor fit
- Use the much lighter filebeat instead
- filebeat is very lightweight, has no dependencies of its own, and sends data to Logstash over the network
How does Logstash receive the logs?
- To receive data it must listen on the network; the beats input plugin lets Logstash accept data sent by filebeat
Sample beats input configuration for Logstash:
[root@logstash ~]# vim /etc/logstash/logstash.conf
input {
file {
path => ["/tmp/c.log"]
type => "test"
start_position => "beginning"
sincedb_path => "/var/lib/logstash/sincedb"
}
####################### the beats listener is defined here
beats {
port => 5044
}
#######################
}
filter{
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
}
output{
stdout{ codec => "rubydebug" }
elasticsearch {
hosts => ["es-01:9200", "es-02:9200", "es-03:9200"]
index => "weblog"
}
}
[root@logstash ~]# /opt/logstash/bin/logstash -f /etc/logstash/logstash.conf
Open a second terminal:
[root@logstash ~]# ss -antup | grep 5044    # the listener is up
Install filebeat on the web server
[root@web ~]# yum install -y filebeat
[root@web ~]# vim /etc/filebeat/filebeat.yml
15: - /var/log/httpd/access_log
72: document_type: apache_log
183: # comment out this line
188: # comment out this line
278: logstash:
280: hosts: ["192.168.1.17:5044"]
[root@web ~]# grep -Pv "^\s*(#|$)" /etc/filebeat/filebeat.yml    # show the effective config; check the indentation
[root@web ~]# systemctl enable --now filebeat
[root@web ~]# curl http://192.168.1.48/info.html    # generate a test request
The corresponding access-log event now appears in the rubydebug output on the Logstash terminal.
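Optionally, generate a little more traffic so the indices in Kibana have data to chart (adjust the URL to the web server's real address):
[root@web ~]# for i in $(seq 10); do curl -s http://192.168.1.48/info.html >/dev/null; done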