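(I) What is Beats?
Beats is an open-source agent from the Elasticsearch company for collecting system monitoring data. It can send different types of data directly to Elasticsearch, or send the collected data to Logstash as a relay, which then pushes it on to Elasticsearch. It is still under development: compared with mature monitoring systems such as Zabbix and Ganglia, its interface looks a bit nicer but its system functionality is still somewhat weak. Once integrated with the Elasticsearch full-text search framework, however, its data query and filtering capabilities are very strong, so it is very promising. In ELKB, the components play the following roles:
Beats: collects system data; can send directly to ES or relay through Logstash
Logstash: collects logs and acts as a relay for Beats
Elasticsearch: provides data storage and server-side aggregation
Kibana: provides polished visualizations and serves as a lightweight search client for Elasticsearch
(II) Components of Beats:
So far Elasticsearch provides:
(1) Packetbeat: network traffic monitoring and collection
(2) Topbeat: monitoring and collection similar to Linux top
(3) Filebeat: monitoring and collection of log files
(4) Winlogbeat: monitoring and collection of Windows system logs
(5) Custom beats: if the above do not meet your needs, the Elasticsearch company encourages developers to use Go to extend and implement custom beats; you only need to follow the template and implement the monitoring input, logging, output and so on
(III) Basic topology of Beats
(IV) Installation and deployment
Install the Java environment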
[root@node1 ~]# rpm -ivh jdk-8u51-linux-x64.rpm
Preparing... ########################################### [100%]
1:jdk1.8.0_51 ########################################### [100%]
Unpacking JAR files...
    rt.jar...
    jsse.jar...
    charsets.jar...
    tools.jar...
    localedata.jar...
    jfxrt.jar...
    plugin.jar...
    javaws.jar...
    deploy.jar...
[root@node1 ~]# java -version
java version "1.8.0_51"
Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
Java HotSpot(TM) 64-Bit Server VM (build 25.51-b03, mixed mode)
Install elasticsearch-2.3.4
[root@node1 ~]# tar zxvf elasticsearch-2.3.4.tar.gz -C /usr/local/
elasticsearch-2.3.4/README.textile
elasticsearch-2.3.4/LICENSE.txt
elasticsearch-2.3.4/NOTICE.txt
elasticsearch-2.3.4/modules/
elasticsearch-2.3.4/modules/lang-groovy/
elasticsearch-2.3.4/modules/reindex/
elasticsearch-2.3.4/modules/lang-expression/
elasticsearch-2.3.4/modules/lang-groovy/plugin-security.policy
elasticsearch-2.3.4/modules/lang-groovy/plugin-descriptor.properties
........
Add the elasticsearch user
useradd elasticsearch
Create the log directory and bin directory used when starting elasticsearch
[root@node1 bin]# mkdir /usr/local/elasticsearch-2.3.4/{logs,bin}
Permissions:
chown -R elasticsearch:elasticsearch /usr/local/elasticsearch-2.3.4/
Start elasticsearch
[elasticsearch@node1 bin]$ ./elasticsearch -d
[2016-07-20 11:30:29,413][INFO ][env ] [Jon Spectre] heap size [1007.3mb], compressed ordinary object pointers [true]
[2016-07-20 11:30:29,413][WARN ][env ] [Jon Spectre] max file descriptors [4096] for elasticsearch process likely too low, consider increasing to at least [65536]
[2016-07-20 11:30:33,422][INFO ][node ] [Jon Spectre] initialized
[2016-07-20 11:30:33,423][INFO ][node ] [Jon Spectre] starting ...
[2016-07-20 11:30:33,651][INFO ][transport ] [Jon Spectre] publish_address {127.0.0.1:9300}, bound_addresses {[::1]:9300}, {127.0.0.1:9300}
[2016-07-20 11:30:33,670][INFO ][discovery ] [Jon Spectre] elasticsearch/Rr-U_JhCStexH5Htmj4qKQ
[2016-07-20 11:30:36,795][INFO ][cluster.service ] [Jon Spectre] new_master {Jon Spectre}{Rr-U_JhCStexH5Htmj4qKQ}{127.0.0.1}{127.0.0.1:9300}, reason: zen-disco-join(elected_as_master, [0] joins received)
[2016-07-20 11:30:36,851][INFO ][http ] [Jon Spectre] publish_address {127.0.0.1:9200}, bound_addresses {[::1]:9200}, {127.0.0.1:9200}
[2016-07-20 11:30:36,852][INFO ][node ] [Jon Spectre] started
[2016-07-20 11:30:36,996][INFO ][gateway ] [Jon Spectre] recovered [0] indices into cluster_state
Check that ports 9200 and 9300 are listening
[elasticsearch@node1 logs]$ ss -tanl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 ::ffff:127.0.0.1:9200 :::*
LISTEN 0 50 ::1:9200 :::*
LISTEN 0 50 ::ffff:127.0.0.1:9300 :::*
LISTEN 0 50 ::1:9300
At this point, elasticsearch is installed.
Install Kibana
Installing Kibana is very simple. Download kibana-4.5.3-linux-x64 from the official website.
tar zxvf kibana-4.5.3-linux-x64.tar.gz -C /usr/local/
Start Kibana
[root@node1 bin]# cd /usr/local/kibana-4.5.3-linux-x64/bin
[root@node1 bin]# ./kibana &
[root@node1 bin]# log [12:11:05.529] [info][status][plugin:kibana] Status changed from uninitialized to green - Ready
log [12:11:05.609] [info][status][plugin:elasticsearch] Status changed from uninitialized to yellow - Waiting for Elasticsearch
log [12:11:05.648] [info][status][plugin:kbn_vislib_vis_types] Status changed from uninitialized to green - Ready
log [12:11:05.655] [info][status][plugin:markdown_vis] Status changed from uninitialized to green - Ready
[root@node1 bin]# log [12:11:05.662] [info][status][plugin:metric_vis] Status changed from uninitialized to green - Ready
log [12:11:05.669] [info][status][plugin:spyModes] Status changed from uninitialized to green - Ready
log [12:11:05.683] [info][status][plugin:statusPage] Status changed from uninitialized to green - Ready
log [12:11:05.690] [info][status][plugin:table_vis] Status changed from uninitialized to green - Ready
log [12:11:05.700] [info][listening] Server running at
log [12:11:22.664] [info][status][plugin:elasticsearch] Status changed from yellow to green - Kibana index ready
Check that port 5601 is listening
[root@node1 bin]# ss -tanl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:5601
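Install the filebeat component
Download filebeat-1.2.3-x86_64.tar.gz from the official website
[root@node1 ~]# rpm -ivh https://download.elastic.co/beats/filebeat/filebeat-1.2.3-x86_64.rpm
Configure Filebeat
Filebeat ships with default configuration parameters that suit most scenarios. For the most basic Filebeat configuration, you can define a single prospector with a single path, for example: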
filebeat:
  prospectors:
    - paths:
        # Make sure no file is defined twice as this can lead to unexpected behaviour.
        - /var/log/*.log
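This configuration harvests all files ending in .log in the /var/log/ directory.
To harvest all files in subdirectories, you can set /var/log/*/*.log. This collects only files ending in .log in the subdirectories of /var/log/, not files ending in .log in /var/log itself. It also does not recurse into the subdirectories of those subdirectories.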
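The matching depth of the two patterns above can be checked with the following added example (not part of the original article). It assumes Filebeat expands paths with the semantics of Go's filepath.Glob; the file tree and the helper name matchUnder are constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// Constructed sample tree; the temporary root stands in for /var/log.
var sampleFiles = []string{
	"messages.log",
	"secure", // no .log suffix
	"httpd/access.log",
	"httpd/error.log",
	"httpd/old/access.log", // two levels below the root
	"audit/audit.log",
}

// matchUnder (hypothetical helper) builds the sample tree in a temp dir,
// expands pattern beneath it and returns the sorted relative matches.
func matchUnder(pattern string) ([]string, error) {
	root, err := os.MkdirTemp("", "varlog")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(root)
	for _, f := range sampleFiles {
		p := filepath.Join(root, f)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return nil, err
		}
		if err := os.WriteFile(p, nil, 0o644); err != nil {
			return nil, err
		}
	}
	hits, err := filepath.Glob(filepath.Join(root, pattern))
	if err != nil {
		return nil, err
	}
	rel := make([]string, 0, len(hits))
	for _, h := range hits {
		r, _ := filepath.Rel(root, h)
		rel = append(rel, filepath.ToSlash(r))
	}
	sort.Strings(rel)
	return rel, nil
}

func main() {
	for _, pat := range []string{"*.log", "*/*.log"} {
		got, err := matchUnder(pat)
		fmt.Println(pat, "->", got, err)
	}
}
```

Neither pattern picks up httpd/old/access.log, so a log written two directory levels down is not shipped unless a third pattern covers it.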
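A configuration file can contain multiple prospectors, and multiple paths per prospector, for example:
filebeat:
  prospectors:
    - paths:
        - /var/log/system.log
        - /var/log/wifi.log
    - paths:
        - "/var/log/apache/*"
This configuration starts two prospectors. The first prospector has two harvesters, one harvesting system.log and the other harvesting wifi.log. The second prospector starts one harvester for each file in the /var/log/apache directory.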
Load the index template into Elasticsearch:
[root@node1 ~]# curl -XPUT 'http://192.168.254.15:9200/_template/filebeat?pretty' -d@/usr/local/filebeat-1.2.3-x86_64/filebeat.template.json
{"acknowledged":true}
Install the Kibana dashboards template data
1. Download: wget http://download.elastic.co/beats/dashboards/beats-dashboards-1.1.1.zip
2. Unzip: unzip beats-dashboards-1.1.1.zip
3. Enter the directory: cd beats-dashboards-1.1.1/
4. Run ./load.sh, or ./load.sh -url http://192.168.254.15:9200, to store the dashboard template configuration data in Elasticsearch
View the log index and dashboards in Kibana
Logs are already being produced.
Install the Packetbeat component:
(A) Install the package
(1) Install the dependency library
sudo yum install libpcap
(2) Download the latest Packetbeat package, packetbeat-1.2.3-x86_64.tar.gz, from the official website
[root@node1 ~]# tar zxvf packetbeat-1.2.3-x86_64.tar.gz -C /usr/local/
packetbeat-1.2.3-x86_64/
packetbeat-1.2.3-x86_64/packetbeat.template.json
packetbeat-1.2.3-x86_64/packetbeat.yml
packetbeat-1.2.3-x86_64/packetbeat
The files from the tar package could not start packetbeat, so the rpm installation is used instead, as follows:
rpm -ivh https://download.elastic.co/beats/packetbeat/packetbeat-1.2.3-x86_64.rpm
(B) Configure the Elasticsearch address, or Logstash (optional), for the collected beats metrics
/etc/packetbeat/packetbeat.yml: mainly the ports of the services and the port of the Elasticsearch output
(C) Configure the Elasticsearch template
[root@node1 ~]# curl -XPUT 'http://192.168.254.15:9200/_template/packetbeat' -d@/usr/local/packetbeat-1.2.3-x86_64/packetbeat.template.json
{"acknowledged":true}
(D) Start the Packetbeat collection process
/etc/rc.d/init.d/packetbeat start
(E) Check the ES indices
[root@node1 beats-dashboards-1.1.1]# curl -XGET 'http://192.168.254.15:9200/packetbeat-*/_search?pretty'
The collected data can be seen in the response.
View Discover under the packetbeat-* index
You can also view HTTP, redis, mysql, mongodb and other data.
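As an added example (not part of the original article), the program below parses a packetbeat-* search response and lists the transactions Packetbeat marked with status "Error". The sample response is constructed and trimmed to the fields used (type, status, client_ip, resource, path, dns.response_code, http.code); failedTransactions is a hypothetical helper name.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample: a trimmed packetbeat-* search response with three hits.
const sampleResponse = `{"hits":{"hits":[
 {"_source":{"type":"dns","status":"OK","client_ip":"192.0.2.10","resource":"example.org","dns":{"response_code":"NOERROR"}}},
 {"_source":{"type":"dns","status":"Error","client_ip":"192.0.2.10","resource":"missing.example","dns":{"response_code":"NXDOMAIN"}}},
 {"_source":{"type":"http","status":"Error","client_ip":"192.0.2.20","path":"/favicon.ico","http":{"code":404}}}
]}}`

type source struct {
	Type     string `json:"type"`
	Status   string `json:"status"`
	ClientIP string `json:"client_ip"`
	Resource string `json:"resource"`
	Path     string `json:"path"`
	DNS      struct{ ResponseCode string `json:"response_code"` } `json:"dns"`
	HTTP     struct{ Code int `json:"code"` } `json:"http"`
}

type searchResponse struct {
	Hits struct {
		Hits []struct{ Source source `json:"_source"` } `json:"hits"`
	} `json:"hits"`
}

// failedTransactions (hypothetical helper) returns one summary line per hit
// whose status field is "Error", with protocol-specific detail.
func failedTransactions(raw []byte) ([]string, error) {
	var resp searchResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, err
	}
	var out []string
	for _, h := range resp.Hits.Hits {
		s := h.Source
		if s.Status != "Error" {
			continue
		}
		switch s.Type {
		case "dns":
			out = append(out, fmt.Sprintf("dns %s %s from %s", s.DNS.ResponseCode, s.Resource, s.ClientIP))
		case "http":
			out = append(out, fmt.Sprintf("http %d %s from %s", s.HTTP.Code, s.Path, s.ClientIP))
		default:
			out = append(out, fmt.Sprintf("%s error from %s", s.Type, s.ClientIP))
		}
	}
	return out, nil
}

func main() { fmt.Println(failedTransactions([]byte(sampleResponse))) }
```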
Install the topbeat component
(A) Install the package
[root@node1 ~]# rpm -ivh topbeat-1.2.3-x86_64.rpm
(B) Configure the Elasticsearch address, or Logstash (optional), for the collected beats metrics
[root@node1 ~]# vim /etc/topbeat/topbeat.yml
input:
  period: 10
  procs: [".*"]
  stats:
    system: true
    proc: true
    filesystem: true
output:
  elasticsearch:
    hosts: ["localhost:9200"]
shipper:
logging:
  files:
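The period option defines how often information is collected; the default is 10 seconds.
The procs option defines regular expressions that match the processes you want to monitor. By default, all running processes are monitored.
If you do not want to monitor processes, you can do this:
input:
  period: 10
  procs: ["^$"]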
(C) Configure the Elasticsearch template
# curl -XPUT 'http://192.168.254.15:9200/_template/topbeat' -d@/etc/topbeat/topbeat.template.json
{"acknowledged":true}
Run topbeat
[root@node1 ~]# /etc/init.d/topbeat start
Starting topbeat: [確定]
View the Kibana dashboard: the server's CPU, processes, idle rate, disk usage and other data are all there.