一、elk简介
开源实时日志分析ELK平台能够完美的解决我们上述的问题,ELK由ElasticSearch、Logstash和Kiabana三个开源工具组成:
- ElasticSearch是一个基于Lucene的开源分布式搜索服务器。它的特点有:分布式,零配置,自动发现,索引自动分片,索引副本机制,restful风格接口,多数据源,自动搜索负载等。它提供了一个分布式多用户能力的全文搜索引擎,基于RESTful web接口。Elasticsearch是用Java开发的,并作为Apache许可条款下的开放源码发布,是第二流行的企业搜索引擎。设计用于云计算中,能够达到实时搜索,稳定,可靠,快速,安装使用方便。
在elasticsearch中,所有节点的数据是均等的。
- Logstash是一个完全开源的工具,他可以对你的日志进行收集、过滤、分析,并将其存储供以后使用(如,搜索),您可以使用它。说到搜索,logstash带有一个web界面,搜索和展示所有日志。
- Kibana 是一个基于浏览器页面的Elasticsearch前端展示工具,也是一个开源和免费的工具,它Kibana可以为 Logstash 和 ElasticSearch 提供的日志分析友好的 Web 界面,可以帮助您汇总、分析和搜索重要数据日志。
部署环境:
CentOS7.2 版本号1611,elasticsearch5.2.2,logstash5.2.2,kibana5.2.2.虚拟机内存要大于2G。关闭防火墙和SELinux。
1.java环境
[root
@elk-node1 ~]
[root
@elk-node1 ~]
openjdk version
"1.8.0_121"
OpenJDK Runtime Environment (build
1.8.
0_121-b13)
OpenJDK 64-
Bit Server VM (build
25.121-b13,mixed mode)
2.elasticsearch安装
1. 导入elasticsearch PGP key
[root
@elk-node1 ~]# rpm --
import https:
2.配置yum源和修改hosts文件
[root@elk-node1 ~]
[elasticsearch-5.x]
name=Elasticsearch repository for5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
[root@elk-node1 ~]
[root@elk-node1 ~]
3.安装elasticsearch及修改配置文件
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
[root
@elk-node1 ~]# yum install elasticsearch -y
[root
@elk-node1 ~]# systemctl daemon-reload
[root
@elk-node1 ~]# systemctl enable elasticsearch.service
[root
@elk-node1 ~]# grep -v ^# /etc/elasticsearch/elasticsearch.yml
cluster.name: elk
node.name: elk-node-
1
path.data: /
var/lib/elasticsearch
path.logs: /
var/log/elasticsearch
network.host:
0.0.0.0
http.port:
9200
discovery.zen.ping.unicast.hosts: [
"192.168.217.131",
"192.168.217.132"]
discovery.zen.minimum_master_nodes:
2
http.cors.enabled:
true
http.cors.allow-origin:
"*"
4.配置head插件
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
[root
@elk-node1 ~]
[root
@elk-node1 ~]
[root
@elk-node1 ~]
[root
@elk-node1 ~]
[root
@elk-node1 ~]
v6
.9.5
[root
@elk-node1 ~]
3.10.10
[root
@elk-node1 ~]
[root
@elk-node1 ~]
[root
@elk-node1 ~]
[root
@elk-node1 elasticsearch]
[root
@elk-node1 elasticsearch]
[root
@elk-node1 elasticsearch]
[root
@elk-node1 elasticsearch]
[root
@elk-node1 elasticsearch-head]
[root
@elk-node1 elasticsearch-head]
[root
@elk-node1 _site]
[root
@elk-node1 _site]
init:
function(parent) {
this._super();
this.prefs = services.Preferences.instance();
this.base_uri =
this.config.base_uri ||
this.prefs.get(
"app-base_uri") ||
"http://192.168.217.131:9200";
//修改
4328行
[root
@elk-node1 _site]
[root
@elk-node1 elasticsearch-head]
[root
@elk-node1 elasticsearch-head]
connect: {
server: {
options: {
hostname:
"0.0.0.0",
//添加这一行
port:
9100,
base:
'.',
keepalive:
true
}
}
}
[root
@elk-node1 elasticsearch-head]
[root
@elk-node1 elasticsearch-head]
[root
@elk-node1 elasticsearch-head]
5.打开浏览器,进行验证
访问http://192.168.217.131:9200/进行验证
访问http://192.168.217.131:9100/进行验证
没安装logstash和kibana时,划红线部分是空白。
3.安装logstash
1.yum安装
[root
@elk-node1 ~]
[root
@elk-node1 ~]
[root
@elk-node1 logstash]
path.
data: /
var/lib/logstash
path.
config: /etc/logstash/conf.d
path.
logs: /
var/log/logstash
2.pipeline文件
根据默认配置,pipeline实例文件默认应放置于/etc/logstash/conf.d目录,此时目录下无实例文件,可根据实际情况新建实例,以处理本机messages信息为例,如下:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
[root
@elk-node1 logstash]
[root
@elk-node1 conf.d]
input {
file {
path
=> "/var/log/messages"
}
}
output {
elasticsearch {
hosts
=> [
"192.168.217.131:9200",
"192.168.217.132:9200"]
index
=> "messages-%{+YYYY.MM.dd}"
}
stdout {
}
}
[root
@elk-node1 conf.d]
[root
@elk-node1 logstash]
[root
@elk-node1 logstash]
3.启动验证
1)启动测试
[root@elk-node1 logstash]
# cd /usr/share/logstash/
[root@elk-node1 logstash]
# bin/logstash -e 'input { stdin { } } output { stdout {} }'
WARNING: Could
not find logstash.yml which
is typically located
in $LS_HOME/config
or /etc/logstash. You can specify the path
using --path.settings. Continuing
using the defaults
Could
not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties.
Using default config which logs
to console
logstash可以启动,但此种验证方式会有告警,可以提示方式处理,在“$LS_HOME”下建立“config”目录,并将”/etc/logstash/”下的文件建软链接到“config”目录,再次执行即可,如下:
[root
@elk-node1 logstash]
[root
@elk-node1 logstash]
[root
@elk-node1 logstash]
[root
@elk-node1 logstash]
2)启动logstash并验证
[root
@elk-node1 ~]
systemctl start logstash
[root
@elk-node1 ~]
Created
symlink from /etc/systemd/
system/multi-user.target.wants/logstash.service to /etc/systemd/
system/logstash.service.
[root
@elk-node1 ~]
//查看
9600端口
4.验证
访问http://192.168.217.131:9100/
4.安装kibana
1.yum安装kibana
[root
@elk-node1 ~]
[root
@elk-node1 ~]
[root
@elk-node1 kibana]
server.
port: 5601
server.
host: "0.0.0.0"
elasticsearch.
url: "http://192.168.217.131:9200"
[root
@elk-node1 kibana]
[root
@elk-node1 kibana]
tcp
0 0 0.
0.
0.
0:5601 0.
0.
0.
0:* LISTEN 4335/node
2.浏览器访问验证
访问http://192.168.217.131:5601/
在红线部分添加messages-*,然后点击discover,如果不能显示图形,请把时间选择一小时或更长。
elk,就简单介绍到这里,有什么问题欢迎提出来。