一)簡介
elk系統是一套目前較爲流行的日誌收集分析系統,主要由elasticserch,logstash,kibana三部分組成,其中elasticsearch負責數據的存儲,logstash負責日誌的收集過濾,kibana負責日誌的可視化部分。整個工作流程爲logstash收集日誌,過濾後輸出並保存到elasticsearch中,最後用戶通過kibana從elasticsearch中讀取數據並處理。本文中日誌收集引入filebeat收集日誌,logstash監聽在5000端口並接受filebeat傳入的日誌。
各組件分配如下:
192.168.1.17filebeat
192.168.1.18elk
二)搭建過程
1.在官方網站下載安裝包
https://www.elastic.co/cn/downloads
2.因爲elk依賴java開發環境,所以首先安裝jdk
yum install java-1.8.0-openjdk
3.安裝elk(192.168.1.18主機上)
yum install elasticsearch-5.5.2.rpm kibana-5.5.2-x86_64.rpm logstash-5.5.2.rpm
4.創建elasticsearch數據存儲目錄並賦予權限
mkdir -p /data/elasticsearch
chown elasticsearch.elasticsearch /data/elasticsearch
5.修改elasticsearch配置文件,更改其中的數據存儲路徑
vim /etc/elasticsearch/elasticsearch.yml
path.data: /data/elasticsearch
6.啓動elasticsearch服務,並查看9200端口是否處於監聽狀態
systemctl start elasticsearch
ss -tnl
7.修改kibana配置文件,改變其監聽的ip地址
vim /etc/kibana/kibana.yml
server.host: "0.0.0.0" (也可更改爲192.168.1.17,此處主要是爲了方便訪問)
8.啓動kibana服務並查看端口
systemctl start kibana
ss -tnl
9.在/etc/logstash/conf.d/目錄中添加logstash配置文件nginx.conf
input {
beats {
port => 5000
type => "logs"
}
}
filter {
if [type] == "nginx-all" {
grok {
match => [ "message","(?:%{IPORHOST:clientip}|-) - %{NOTSPACE:remote_user} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent} \"(?:%{IPV4:http_x_forwarded_for}|-)\"" ]
}
geoip {
source => "clientip"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
convert => [ "response","integer" ]
convert => [ "bytes","integer" ]
}
syslog_pri {}
date {
match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
}
}
}
output {
elasticsearch {
hosts => ["127.0.0.1:9200"]
index => "logstash-nginx-access-%{+YYYY.MM.dd}"
}
stdout { codec => rubydebug }
}
input段:表示監聽的端口以及類型
filter段:
grok:日誌的匹配,數據結構轉換,需要根據日誌的具體格式進行匹配,匹配格式可以參考https://grokdebug.herokuapp.com/patterns,匹配結果可以在https://grokdebug.herokuapp.com/中進行驗證
geoip:獲取ip,以便最後顯示地理位置,部分系統可能需要安裝geoip
mutate:數據類型轉換
date:用日誌中的時間對timestamp進行轉換,若不做轉換,在導入老數據的時候系統會根據當前時間排序
output段:輸出到elasticsearch中
10.啓動logstash服務並查看端口
systemctl start logstash
ss -tnl
11.安裝filebeat(192.168.1.17)
yum install filebeat-5.5.2-x86_64.rpm (包需要提前下載)
12.修改配置文件/etc/filebeat/filebeat.yml
filebeat:
spool_size: 1024
idle_timeout: 5s
registry_file: .filebeat
config_dir: /etc/filebeat/conf.d
output:
logstash:
hosts:
- 192.168.1.18:5000
enabled: true
shipper: {}
logging: {}
runoptions: {}
其中output中host指向logstash
13.創建/etc/filebeat/conf.d/目錄。並添加配置文件nginx.yml
filebeat:
prospectors:
- paths:
- /var/log/nginx/access.log
encoding: plain
fields_under_root: false
input_type: log
ignore_older: 24h
document_type: nginx-all
scan_frequency: 10s
harvester_buffer_size: 16384
tail_files: false
force_close_files: false
backoff: 1s
max_backoff: 1s
backoff_factor: 2
partial_line_waiting: 5s
max_bytes: 10485760
其中path指向需要收集的日誌文件,type需要與logstash配置文件中對應
14.啓動filebeat並查看
systemctl start filebeat
netstat -altp|grep filebeat(與logstash建立了連接)