ELK集中日誌管理系統安裝部署

一、簡介

1.ELK介紹

       ELK Stack 是 Elasticsearch、Logstash、Kibana 三個開源軟件的組合。在實時數據檢索和分析場合,三者通常是配合共用,而且又都先後歸於 Elastic.co 公司名下,故有此簡稱。

      ELK Stack 在最近兩年迅速崛起,成爲機器數據分析,或者說實時日誌處理領域,開源界的第一選擇。


ELK由三個組件構成:

  • Elasticsearch,負責數據的索引和存儲 

  • Logstash ,負責日誌的採集和格式化 

  • Kibana,負責前端統計的展示 


大致的架構如下:



二、logstash安裝

1.同步時間

[root@ELK-16 ~]# yum install -y ntpdate
[root@ELK-16 ~]# echo '*/5 * * * * /usr/sbin/ntpdate us.pool.ntp.org'  >> /var/spool/cron/root    #crontab 只有 5 個時間欄位,多一個 * 會讓整行失效



2.JDK安裝

[root@ELK-16 ~]#  yum install -y java-1.8.0
[root@ELK-16 ~]# java -version
openjdk version "1.8.0_101"
OpenJDK Runtime Environment (build 1.8.0_101-b13)
OpenJDK 64-Bit Server VM (build 25.101-b13, mixed mode)


3.logstash安裝

[root@ELK-16 ~]# wget https://download.elastic.co/logstash/logstash/logstash-2.3.4.tar.gz
[root@ELK-16 ~]# tar xf logstash-2.3.4.tar.gz
[root@ELK-16 ~]# mv logstash-2.3.4 /usr/local/
[root@ELK-16 ~]# echo 'PATH=$PATH:/usr/local/logstash-2.3.4/bin' >> /etc/profile    #用單引號,否則當前 shell 的 $PATH 會被寫死進 /etc/profile
[root@ELK-16 ~]# source /etc/profile


4.新建 logstash配置文件目錄

[root@ELK-16 ~]# mkdir /usr/local/logstash-2.3.4/conf


5.測試logstash

[root@ELK-16 ~]# logstash -e "input {stdin{}} output {stdout{}}"
Settings: Default pipeline workers: 4
Pipeline main started


三、Redis安裝

1.redis安裝
[root@ELK-16 ~]# wget http://download.redis.io/releases/redis-2.8.20.tar.gz
[root@ELK-16 ~]# yum install tcl gcc gcc-c++ -y
[root@ELK-16 ~]# tar xf redis-2.8.20.tar.gz
[root@ELK-16 ~]# mv redis-2.8.20 /usr/local/
[root@ELK-16 ~]# cd /usr/local/redis-2.8.20/
[root@ELK-16 redis-2.8.20]# make MALLOC=libc
[root@ELK-16 redis-2.8.20]# make install
[root@ELK-16 redis-2.8.20]# cd utils/
[root@ELK-16 utils]# ./install_server.sh    #選項默認,一直回車



2.查看redis的監聽端口(下方輸出顯示 redis 綁定在 0.0.0.0:6379,即對所有網路介面開放,而 redis 2.8 預設沒有密碼;正式環境請在 redis.conf 設定 bind/requirepass,或以防火牆限制來源)

[root@ELK-16 utils]# netstat -tnlup | grep redis
tcp        0      0 0.0.0.0:6379                0.0.0.0:*                   LISTEN      3015/redis-server *
tcp        0      0 :::6379                     :::*                        LISTEN      3015/redis-server *



3.測試redis是否緩存數據

a.新建logstash配置文件如下

[root@ELK-16 ~]# cat /usr/local/logstash-2.3.4/conf/output_redis.conf
input { stdin { } }    #手動輸入數據
output {                
    stdout { codec => rubydebug }  #頁面debug信息
    redis {
        host => '127.0.0.1'
        data_type => 'list'
        key => 'redis'
    }
}



4.啓動logstash

[root@ELK-16 ~]#logstash -f /usr/local/logstash-2.3.4/conf/output_redis.conf --verbose

 


5.查看redis中是否有數據

[root@ELK-16 ~]# cd /usr/local/redis-2.8.20/src/
[root@ELK-16 src]# ls
adlist.c     crc64.o        lzfP.h           rdb.o               rio.o           t_hash.o
adlist.h     db.c           Makefile         redisassert.h       scripting.c     t_list.c
adlist.o     db.o           Makefile.dep     redis-benchmark     scripting.o     t_list.o


四、elasticsearch安裝

1.elasticsearch安裝

[root@ELK-16 ~]# wget https://download.elastic.co/elasticsearch/release/org/elasticsearch/distribution/zip/elasticsearch/2.3.4/elasticsearch-2.3.4.zip
[root@ELK-16 ~]# unzip elasticsearch-2.3.4.zip
[root@ELK-16 ~]# mv elasticsearch-2.3.4 /usr/local/


修改elasticsearch配置文件

[root@ELK-16 ~]# vim /usr/local/elasticsearch-2.3.4/config/elasticsearch.yml
把下面參數的註釋去掉並改成服務器IP。這裏只做簡單安裝,優化及集羣後面再介紹。注意:綁定到服務器IP後,9200/9300 端口會對網路開放,而 elasticsearch 2.x 本身沒有認證機制,請以防火牆限制可存取的來源。
network.host: 192.168.16.177


2.elasticsearch啓動

[root@ELK-16 ~]# useradd elk
[root@ELK-16 ~]# chown -R elk.root /usr/local/elasticsearch-2.3.4/    #chown 必須以 root 執行,切換到 elk 用戶後會沒有權限
[root@ELK-16 ~]# su elk
[elk@ELK-16 ~]$  /usr/local/elasticsearch-2.3.4/bin/elasticsearch  -d



查看是否啓動

[elk@ELK-16 local]$ netstat -tnlup | grep java
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 ::ffff:192.168.16.177:9200  :::*                        LISTEN      2192/java          
tcp        0      0 ::ffff:192.168.16.177:9300  :::*                        LISTEN      2192/java


3、測試logstash和elasticsearch是否能結合使用

新建logstash配置文件elasticsearch.conf

[root@ELK-16 conf]# cat /usr/local/logstash-2.3.4/conf/elasticsearch.conf
input { stdin {} }    #手動輸入
output {
    elasticsearch { hosts => "192.168.16.177" }    
    stdout { codec=> rubydebug }   #頁面debug信息
}



啓動elasticsearch.conf配置文件

[root@ELK-16 ~]#logstash -f  /usr/local/logstash-2.3.4/conf/elasticsearch.conf --verbose



查看elasticsearch是否獲取到了"hello elasticsearch"(若尚未在 logstash 的 stdin 輸入任何內容,下面的 hits.total 會是 0)

[root@ELK-16 ~]# curl http://192.168.16.177:9200/_search?pretty
{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 0,
    "successful" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 0,
    "max_score" : 0.0,
    "hits" : [ ]
  }
}



4、安裝elasticsearch插件

elasticsearch有很多插件:http://www.searchtech.pro/elasticsearch-plugins 

elasticsearch-head插件安裝,若無法下載請至github下載,解壓至/usr/local/elasticsearch-2.3.4/plugins/head目錄中。注意:head 插件提供建立、刪除索引等完整管理操作且沒有認證,不要讓 9200 端口對不受信任的網路開放。

[root@ELKServer lang-expression]# cd /usr/local/elasticsearch-2.3.4/bin/
[root@ELKServer bin]# ./plugin install mobz/elasticsearch-head

五、kibana安裝

[root@ELK-16 ~]# wget https://www.elastic.co/downloads/past-releases/kibana-4-5-2
[root@ELK-16 ~]# tar xf kibana-4.5.2-linux-x64.tar.gz 
[root@ELK-16 ~]# mv kibana-4.5.2-linux-x64 /usr/local/
[root@ELK-16 ~]# vim /usr/local/kibana-4.5.2-linux-x64/config/kibana.yml
修改kibana配置文件,把下面這行改成elasticsearc的訪問路徑
elasticsearch.url: "http://192.168.16.177:9200"



[root@ELK-16 ~]#sh /usr/local/kibana-4.5.2-linux-x64/bin/kibana &


六、配置客戶端傳輸日誌到ELK(本機測試)

1.server端的logstash.conf的配置

vim  /usr/local/logstash-2.3.4/conf/redis_elasticserach.conf
input {
    redis {
        host => '192.168.16.177'
        data_type => 'list'
        port => "6379"
        key => 'logstash:syslog_log'
        type => 'redis-input'
    }
}
output {
    elasticsearch {
        hosts => "192.168.16.177"
index => "logstash-%{+YYYY.MM.dd}"
    }
}



2.client端的logstash.conf的配置

vim  /usr/local/logstash-2.3.4/conf/logstash_redis.conf
input {
        file {
                path => "/var/log/messages"
                start_position => beginning
                sincedb_write_interval => 0
                add_field => {"Host"=>"192.168.16.177"}
                type => "SYSLOG_LOG"
        }
}
output {
            redis {
                host => "192.168.16.177:6379"
                data_type => "list"
                key => "logstash:syslog_log"
            }
}

七、啓動ELK各項服務

logstash -f  /usr/local/logstash-2.3.4/conf/logstash_redis.conf &
logstash -f /usr/local/logstash-2.3.4/conf/redis_elasticserach.conf  &
/usr/local/elasticsearch-2.3.4/bin/elasticsearch  -d  #elk用戶啓動
/usr/local/kibana-4.5.2-linux-x64/bin/kibana &




八、查看

http://192.168.16.177:9200/_plugin/head/  點擊數據瀏覽


http://192.168.16.177:5601/   點擊Discover



九、配置客戶端傳輸日誌到ELK

1.server端創建證書

[root@ELK-16 ~]# cd /etc/pki/tls/
[root@ELK-16 tls]# openssl req -subj '/CN=www.elk.com/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
[root@ELK-16 tls]# scp certs/logstash-forwarder.crt 192.168.16.188:/etc/pki/tls/certs/
#再將logstash-forwarder.crt拷貝到client端(只複製公開的 .crt,私鑰 logstash-forwarder.key 留在server端)


2.創建server端logstash.conf配置

echo "192.168.16.177 www.elk.com"  >> /etc/hosts
vim /usr/local/logstash-2.3.4/conf/logstash.conf
input {
    file {
         type => "syslog"
         path => [ "/var/log/pacloud/pacloud.log" ]
  }
lumberjack {
    port => 5000
    type => "logs"
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
output {
    stdout { codec=> rubydebug }
    elasticsearch {hosts => "192.168.16.177:9200" }
}




3.客戶端安裝

[root@easycloud16 ~]# wget https://download.elastic.co/logstash-forwarder/binaries/logstash-forwarder-0.4.0-1.x86_64.rpm
[root@easycloud16 ~]# yum localinstall -y logstash-forwarder-0.4.0-1.x86_64.rpm

#注意兩個配置文件:

配置文件 /etc/logstash-forwarder.conf

日誌目錄 /var/log/logstash-forwarder


[root@easycloud16 ~]# cp /etc/logstash-forwarder.conf  /etc/logstash-forwarder.conf.bak
[root@easycloud16 ~]# echo "192.168.16.177 www.elk.com"  >> /etc/hosts
[root@easycloud16 ~]# > /etc/logstash-forwarder.conf  
[root@easycloud16 ~]# vim /etc/logstash-forwarder.conf  
{
  "network": {
    "servers": [ "www.elk.com:5000" ],
    "ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt",
    "timeout": 15
  },
 
 
  "files": [
    {
      "paths": [
        "/var/log/pacloud/pacloud.log"
      ],
      "fields": { "type": "syslog" }
    }, {
      "paths": [
        "其他路徑的文件"
      ],
      "fields": { "type": "pacloud" }
    }
  ]
}


注意:

一定要寫域名,不能寫server端的IP,因爲寫IP無法通過證書的認證(證書的 CN 是 www.elk.com)

"ssl ca" 一定要正確寫明路徑


5.啓動測試

服務端啓動

 logstash -f /usr/local/logstash-2.3.4/conf/logstash.conf  &
/usr/local/elasticsearch-2.3.4/bin/elasticsearch  -d  #elk用戶啓動
/usr/local/kibana-4.5.2-linux-x64/bin/kibana&




