I. Introduction
1. About ELK
ELK Stack is the combination of three open-source projects: Elasticsearch, Logstash and Kibana. In real-time search and analytics deployments the three are normally used together, and all three ended up under the Elastic.co company, hence the abbreviation.
Over the last two years ELK Stack has risen quickly to become the first open-source choice for machine-data analytics, that is, real-time log processing.
ELK consists of three components:
Elasticsearch, which indexes and stores the data
Logstash, which collects and formats the logs
Kibana, which presents the dashboards and statistics on the front end
The overall flow built in this article is: log sources on the client (a Logstash file input, or logstash-forwarder over TLS) -> a Redis list or a Lumberjack connection as the transport -> server-side Logstash -> Elasticsearch -> Kibana.
II. Installing Logstash
1. Synchronise the clock
Logstash stamps every event with the local time and Elasticsearch puts events into daily indices by that timestamp, so every host in the pipeline must agree on the time. A crontab entry has five time fields before the command:
[root@ELK-16 ~]# yum install -y ntpdate
[root@ELK-16 ~]# echo '*/5 * * * * /usr/sbin/ntpdate us.pool.ntp.org' >> /var/spool/cron/root
2. Install the JDK
[root@ELK-16 ~]# yum install -y java-1.8.0
[root@ELK-16 ~]# java -version
openjdk version "1.8.0_101"
OpenJDK Runtime Environment (build 1.8.0_101-b13)
OpenJDK 64-Bit Server VM (build 25.101-b13, mixed mode)
3. Install Logstash
[root@ELK-16 ~]# wget https://download.elastic.co/logstash/logstash/logstash-2.3.4.tar.gz
[root@ELK-16 ~]# tar xf logstash-2.3.4.tar.gz
[root@ELK-16 ~]# mv logstash-2.3.4 /usr/local/
[root@ELK-16 ~]# echo 'export PATH=$PATH:/usr/local/logstash-2.3.4/bin' >> /etc/profile
[root@ELK-16 ~]# source /etc/profile
Use single quotes around the PATH line: with double quotes the shell expands $PATH at echo time and bakes the current root PATH into /etc/profile for every user.
4. Create a directory for the Logstash config files
[root@ELK-16 ~]# mkdir /usr/local/logstash-2.3.4/conf
5. Test Logstash
[root@ELK-16 ~]# logstash -e "input {stdin{}} output {stdout{}}"
Settings: Default pipeline workers: 4
Pipeline main started
Type a line and Logstash prints it back as an event (timestamp, host, message). Ctrl-C stops it.
III. Installing Redis
1. Install Redis
[root@ELK-16 ~]# wget http://download.redis.io/releases/redis-2.8.20.tar.gz
[root@ELK-16 ~]# yum install tcl gcc gcc-c++ -y
[root@ELK-16 ~]# tar xf redis-2.8.20.tar.gz
[root@ELK-16 ~]# mv redis-2.8.20 /usr/local/
[root@ELK-16 ~]# cd /usr/local/redis-2.8.20/
[root@ELK-16 redis-2.8.20]# make MALLOC=libc
[root@ELK-16 redis-2.8.20]# make install
[root@ELK-16 redis-2.8.20]# cd utils/
[root@ELK-16 utils]# ./install_server.sh    # accept the defaults, press Enter at every prompt
2. Check the port Redis listens on
[root@ELK-16 utils]# netstat -tnlup | grep redis
tcp 0 0 0.0.0.0:6379 0.0.0.0:* LISTEN 3015/redis-server *
tcp 0 0 :::6379      :::*      LISTEN 3015/redis-server *
Note that Redis is listening on every interface (0.0.0.0 and ::) with no password: Redis 2.8 has neither a default bind address nor the protected mode of later releases, so any host that can reach port 6379 can read, inject or delete the queued log events. Before pointing clients at it, set bind and requirepass in /etc/redis/6379.conf (the file install_server.sh writes) or restrict the port with a host firewall.
3. Test that Redis buffers data
a. Create a Logstash config file:
[root@ELK-16 ~]# cat /usr/local/logstash-2.3.4/conf/output_redis.conf
input {
  stdin { }                        # type events by hand
}
output {
  stdout { codec => rubydebug }    # debug output on the terminal
  redis {
    host      => '127.0.0.1'
    data_type => 'list'
    key       => 'redis'
  }
}
4. Start Logstash
[root@ELK-16 ~]# logstash -f /usr/local/logstash-2.3.4/conf/output_redis.conf --verbose
5. Check that the data reached Redis
redis-cli is built in src/ (make install also copies it to /usr/local/bin). LLEN returns how many events are queued under the key redis; LRANGE prints them as JSON:
[root@ELK-16 ~]# cd /usr/local/redis-2.8.20/src/
[root@ELK-16 src]# ./redis-cli LLEN redis
[root@ELK-16 src]# ./redis-cli LRANGE redis 0 -1
IV. Installing Elasticsearch
1. Install Elasticsearch
[root@ELK-16 ~]# wget https://download.elastic.co/elasticsearch/release/org/elasticsearch/distribution/zip/elasticsearch/2.3.4/elasticsearch-2.3.4.zip
[root@ELK-16 ~]# unzip elasticsearch-2.3.4.zip
[root@ELK-16 ~]# mv elasticsearch-2.3.4 /usr/local/
Edit the Elasticsearch config file
[root@ELK-16 ~]# vim /usr/local/elasticsearch-2.3.4/config/elasticsearch.yml
Uncomment the parameter below and set it to the server's IP. This is a minimal install; tuning and clustering are covered later.
network.host: 192.168.16.177
Elasticsearch 2.x has no authentication or TLS without the commercial Shield plugin, so binding to a LAN address exposes the whole REST API (read, write and delete on every index) to any host that can reach ports 9200 and 9300. Firewall those ports to the Logstash and Kibana hosts.
2. Start Elasticsearch
Elasticsearch 2.x refuses to run as root, so create a dedicated user. The chown must run as root before switching to that user; run as elk it fails because elk does not own the files yet:
[root@ELK-16 ~]# useradd elk
[root@ELK-16 ~]# chown -R elk:root /usr/local/elasticsearch-2.3.4/
[root@ELK-16 ~]# su elk
[elk@ELK-16 ~]$ /usr/local/elasticsearch-2.3.4/bin/elasticsearch -d
Check that it started
[elk@ELK-16 local]$ netstat -tnlup | grep java
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
tcp 0 0 ::ffff:192.168.16.177:9200 :::* LISTEN 2192/java
tcp 0 0 ::ffff:192.168.16.177:9300 :::* LISTEN 2192/java
3. Test that Logstash and Elasticsearch work together
Create the Logstash config file elasticsearch.conf
[root@ELK-16 conf]# cat /usr/local/logstash-2.3.4/conf/elasticsearch.conf
input {
  stdin {}                        # type events by hand
}
output {
  elasticsearch { hosts => "192.168.16.177" }
  stdout { codec => rubydebug }   # debug output on the terminal
}
Start Logstash with elasticsearch.conf
[root@ELK-16 ~]# logstash -f /usr/local/logstash-2.3.4/conf/elasticsearch.conf --verbose
Check whether Elasticsearch received "hello elasticsearch"
[root@ELK-16 ~]# curl http://192.168.16.177:9200/_search?pretty
{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 0,
    "successful" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 0,
    "max_score" : 0.0,
    "hits" : [ ]
  }
}
A response like this, with "_shards.total" : 0 and "hits.total" : 0, means no index exists yet: nothing has been sent. Type hello elasticsearch into the running Logstash, wait for the rubydebug event on its stdout, then repeat the curl; the event should appear under hits, in an index named logstash-YYYY.MM.DD (the output plugin's default).
4. Install Elasticsearch plugins
Elasticsearch has many plugins: http://www.searchtech.pro/elasticsearch-plugins
Install the elasticsearch-head plugin (if the download fails, fetch it from GitHub and unpack it into /usr/local/elasticsearch-2.3.4/plugins/head):
[root@ELKServer lang-expression]# cd /usr/local/elasticsearch-2.3.4/bin/
[root@ELKServer bin]# ./plugin install mobz/elasticsearch-head
V. Installing Kibana
[root@ELK-16 ~]# wget https://www.elastic.co/downloads/past-releases/kibana-4-5-2
[root@ELK-16 ~]# tar xf kibana-4.5.2-linux-x64.tar.gz
[root@ELK-16 ~]# mv kibana-4.5.2-linux-x64 /usr/local/
[root@ELK-16 ~]# vim /usr/local/kibana-4.5.2-linux-x64/config/kibana.yml
The wget URL above is the release page, not the archive; download the Linux 64-bit tarball it links to (kibana-4.5.2-linux-x64.tar.gz) before running tar. In kibana.yml, change the line below to the Elasticsearch address:
elasticsearch.url: "http://192.168.16.177:9200"
Kibana 4.5 listens on 0.0.0.0:5601 by default with no login of its own, so treat port 5601 like port 9200 and restrict who can reach it.
[root@ELK-16 ~]# sh /usr/local/kibana-4.5.2-linux-x64/bin/kibana &
VI. Sending logs from a client to ELK through Redis (tested on one host)
1. Server-side Logstash config (Redis -> Elasticsearch)
vim /usr/local/logstash-2.3.4/conf/redis_elasticserach.conf
input {
  redis {
    host      => '192.168.16.177'
    port      => "6379"
    data_type => 'list'
    key       => 'logstash:syslog_log'
    type      => 'redis-input'
  }
}
output {
  elasticsearch {
    hosts => "192.168.16.177"
    index => "logstash-%{+YYYY.MM.dd}"
  }
}
2. Client-side Logstash config (file -> Redis)
vim /usr/local/logstash-2.3.4/conf/logstash_redis.conf
input {
  file {
    path                   => "/var/log/messages"
    start_position         => "beginning"
    sincedb_write_interval => 0
    add_field              => { "Host" => "192.168.16.177" }
    type                   => "SYSLOG_LOG"
  }
}
output {
  redis {
    host      => "192.168.16.177:6379"
    data_type => "list"
    key       => "logstash:syslog_log"
  }
}
The key and data_type must be identical on both sides; if they differ, events pile up in a list that nothing reads. The Host field is hard-coded to the server's IP only because this is a single-host test; on a real client set it to the client's address (or rely on the host field Logstash adds). Also keep in mind that this transport is plaintext with no authentication: whoever can reach Redis can read or forge log events. With requirepass set on Redis, add password => "..." to both the redis output here and the redis input on the server.
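Two checks worth running before starting the pipeline in sections VI and VII: that the client's redis output and the server's redis input agree on the list they share, and that the Redis instance from section III is not left reachable from everywhere without a password. The script below is an added example, not code from the original page or from Logstash or Redis; the config texts it writes are constructed copies of the page's two Logstash configs plus a weak and a hardened redis.conf, written to a temp directory so it runs offline. The sed-based extraction assumes the one-setting-per-plugin layout used here.

```shell
#!/bin/sh
# Added example (not from the original page): consistency and exposure
# checks for the Redis hand-off between the client and server pipelines.

# Writes constructed sample configs into <dir>. The two Logstash files mirror
# the page's logstash_redis.conf and redis_elasticserach.conf; the redis.conf
# files show install_server.sh's 2.8 defaults beside a hardened variant.
write_samples() {  # <dir>
  cat > "$1/logstash_redis.conf" <<'EOF'
input  { file { path => "/var/log/messages" start_position => "beginning" type => "SYSLOG_LOG" } }
output { redis { host => "192.168.16.177:6379" data_type => "list" key => "logstash:syslog_log" } }
EOF
  cat > "$1/redis_elasticsearch.conf" <<'EOF'
input  { redis { host => '192.168.16.177' port => "6379" data_type => 'list' key => 'logstash:syslog_log' type => 'redis-input' } }
output { elasticsearch { hosts => "192.168.16.177" index => "logstash-%{+YYYY.MM.dd}" } }
EOF
  cat > "$1/redis_weak.conf" <<'EOF'
port 6379
# bind 127.0.0.1
# requirepass foobared
EOF
  cat > "$1/redis_hardened.conf" <<'EOF'
port 6379
bind 192.168.16.177
requirepass change-me-to-a-long-random-secret
EOF
}

# Prints the value of `<setting> => "value"` from a Logstash config with the
# quotes stripped (first match only; enough for single-plugin configs).
setting_value() {  # <file> <setting>
  sed -n "s/.*[[:space:]]$2[[:space:]]*=>[[:space:]]*[\"']\{0,1\}\([^\"'[:space:]}]*\).*/\1/p" "$1" | head -n 1
}

# Returns 0 when producer and consumer agree on key and data_type, 1 otherwise.
# A typo on either side means events queue up in a list that is never read.
check_handoff() {  # <client.conf> <server.conf>
  rc=0
  for s in key data_type; do
    c=$(setting_value "$1" "$s"); v=$(setting_value "$2" "$s")
    [ "$c" = "$v" ] || { echo "mismatch on $s: client='$c' server='$v'"; rc=1; }
  done
  return $rc
}

# Returns 0 (exposed) when redis.conf has no active `bind`, binds 0.0.0.0, or
# has no `requirepass`; returns 1 when a specific bind and a password are set.
redis_conf_exposed() {  # <redis.conf>
  bind=$(sed -n 's/^[[:space:]]*bind[[:space:]]\{1,\}\(.*\)$/\1/p' "$1" | head -n 1)
  pass=$(sed -n 's/^[[:space:]]*requirepass[[:space:]]\{1,\}\(.*\)$/\1/p' "$1" | head -n 1)
  case "$bind" in
    ""|*0.0.0.0*) echo "$1: redis reachable on all interfaces"; return 0 ;;
  esac
  [ -n "$pass" ] || { echo "$1: redis has no requirepass"; return 0; }
  return 1
}

# Demo with the page's values.
dir=$(mktemp -d)
write_samples "$dir"
check_handoff "$dir/logstash_redis.conf" "$dir/redis_elasticsearch.conf" && echo "hand-off: key/data_type match"
redis_conf_exposed "$dir/redis_weak.conf" || true
redis_conf_exposed "$dir/redis_hardened.conf" || echo "$dir/redis_hardened.conf: bind and requirepass set"
```

With the hardened redis.conf, add password => "<the requirepass value>" to the redis output in logstash_redis.conf and to the redis input in redis_elasticserach.conf, and still firewall 6379 to the client hosts: requirepass is a single shared secret sent in clear, not a substitute for network isolation.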
VII. Starting the ELK services
logstash -f /usr/local/logstash-2.3.4/conf/logstash_redis.conf &
logstash -f /usr/local/logstash-2.3.4/conf/redis_elasticserach.conf &
/usr/local/elasticsearch-2.3.4/bin/elasticsearch -d    # run as the elk user
/usr/local/kibana-4.5.2-linux-x64/bin/kibana &
VIII. Viewing the data
http://192.168.16.177:9200/_plugin/head/  then click Browser
http://192.168.16.177:5601/  then click Discover
IX. Sending logs from a client to ELK with logstash-forwarder over TLS
1. Create the certificate on the server
[root@ELK-16 ~]# cd /etc/pki/tls/
[root@ELK-16 tls]# openssl req -subj '/CN=www.elk.com/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
[root@ELK-16 tls]# scp certs/logstash-forwarder.crt 192.168.16.188:/etc/pki/tls/certs/    # copy logstash-forwarder.crt to the client
Only the certificate goes to the client; the private key stays on the server and should be readable only by the user that runs Logstash (chmod 600 private/logstash-forwarder.key).
2. Create the server-side logstash.conf
echo "192.168.16.177 www.elk.com" >> /etc/hosts
vim /usr/local/logstash-2.3.4/conf/logstash.conf
input {
  file {
    type => "syslog"
    path => [ "/var/log/pacloud/pacloud.log" ]
  }
  lumberjack {
    port            => 5000
    type            => "logs"
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key         => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
output {
  stdout { codec => rubydebug }
  elasticsearch { hosts => "192.168.16.177:9200" }
}
3. Install the client
[root@easycloud16 ~]# wget https://download.elastic.co/logstash-forwarder/binaries/logstash-forwarder-0.4.0-1.x86_64.rpm
[root@easycloud16 ~]# yum localinstall -y logstash-forwarder-0.4.0-1.x86_64.rpm
4. Configure the client
Two files matter here:
Config file: /etc/logstash-forwarder.conf
Log directory: /var/log/logstash-forwarder
[root@easycloud16 ~]# cp /etc/logstash-forwarder.conf /etc/logstash-forwarder.conf.bak
[root@easycloud16 ~]# echo "192.168.16.177 www.elk.com" >> /etc/hosts
[root@easycloud16 ~]# > /etc/logstash-forwarder.conf
[root@easycloud16 ~]# vim /etc/logstash-forwarder.conf
{
  "network": {
    "servers": [ "www.elk.com:5000" ],
    "ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt",
    "timeout": 15
  },
  "files": [
    {
      "paths": [ "/var/log/pacloud/pacloud.log" ],
      "fields": { "type": "syslog" }
    },
    {
      "paths": [ "<path to another log file>" ],
      "fields": { "type": "pacloud" }
    }
  ]
}
Notes:
"servers" must use the hostname, not the server's IP: the certificate only carries CN=www.elk.com, so a connection to the bare IP fails certificate verification. (Connecting by IP would need an IP subjectAltName in the certificate.)
"ssl ca" must be the exact path of the certificate copied from the server.
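The note above is the failure mode of a CN-only certificate. As an added example (not code from the original page or from logstash-forwarder), the script below issues the same self-signed certificate with DNS and IP subjectAltName entries, so the forwarder can target either www.elk.com or 192.168.16.177, and then checks a candidate "servers" entry against the certificate with openssl's -checkhost/-checkip, which apply the same matching rules a TLS client does. It assumes openssl is on PATH; the hostname and address are the page's values and appear only in the demo at the end.

```shell
#!/bin/sh
# Added example (not from the original page): self-signed cert with SANs for
# logstash-forwarder, plus a check of which server names it will verify for.

# make_forwarder_cert <outdir> <dns-name> <ipv4>
# Writes logstash-forwarder.key (mode 600) and logstash-forwarder.crt into <outdir>.
# Uses a config file rather than -addext so it also works on OpenSSL 1.0.2.
# basicConstraints = CA:TRUE matches what `openssl req -x509` adds by default,
# which matters because the client also uses this file as its "ssl ca".
make_forwarder_cert() {
  out=$1; name=$2; ip=$3
  cat > "$out/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_san
prompt             = no
[dn]
CN = $name
[v3_san]
subjectAltName   = DNS:$name,IP:$ip
basicConstraints = CA:TRUE
EOF
  ( umask 077 && openssl req -x509 -days 3650 -nodes -newkey rsa:2048 \
        -config "$out/san.cnf" \
        -keyout "$out/logstash-forwarder.key" \
        -out    "$out/logstash-forwarder.crt" )
  chmod 644 "$out/logstash-forwarder.crt"   # the cert is public; the key stays 600
}

# check_forwarder_target <host-or-ipv4> <cert>
# Returns 0 when the name a client would put in "servers" matches the cert
# (a DNS SAN, or the CN when no DNS SAN is present), 1 otherwise. A dotted-quad
# target is checked against IP SANs only; a CN never satisfies an IP target.
check_forwarder_target() {
  target=$1; cert=$2
  case $target in
    *[!0-9.]*) opt=-checkhost ;;   # anything beyond digits and dots: a hostname
    *)         opt=-checkip   ;;   # IPv4 literal
  esac
  openssl x509 -in "$cert" -noout "$opt" "$target" | grep -q ' does match '
}

# Demo with the page's values.
dir=$(mktemp -d)
make_forwarder_cert "$dir" www.elk.com 192.168.16.177
for t in www.elk.com 192.168.16.177 192.168.16.188; do
  if check_forwarder_target "$t" "$dir/logstash-forwarder.crt"; then
    echo "$t: usable in \"servers\""
  else
    echo "$t: would fail TLS verification"
  fi
done
```

With an IP SAN in the certificate, "servers": [ "192.168.16.177:5000" ] works and the /etc/hosts entries on both sides become unnecessary. Relying on the CN alone, as the page's command does, works with the Go version logstash-forwarder 0.4.0 was built with, but newer Go TLS clients ignore the CN entirely, so a SAN is the portable choice.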
5. Start and test
Start on the server
logstash -f /usr/local/logstash-2.3.4/conf/logstash.conf &
/usr/local/elasticsearch-2.3.4/bin/elasticsearch -d    # run as the elk user
/usr/local/kibana-4.5.2-linux-x64/bin/kibana &