I. Introduction to the ELK Stack
Elasticsearch: log storage and search
Logstash: log collection
Kibana: log display
ELK architecture diagram:
II. ELK installation
Environment preparation
IP              Hostname      Operating system
192.168.56.11   linux-node1   centos7
192.168.56.12   linux-node2   centos7
1. Elasticsearch installation
Install the JDK
[root@linux-node1 ~]# yum install -y java
[root@linux-node1 ~]# java -version
openjdk version "1.8.0_91"
OpenJDK Runtime Environment (build 1.8.0_91-b14)
OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)
Install Elasticsearch with YUM
(1) Download and install the GPG key
[root@linux-node1 ~]# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
(2) Add the yum repository
[root@linux-node1 ~]# cat /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-2.x]
name=Elasticsearch repository for 2.x packages
baseurl=http://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
(3) Install elasticsearch
[root@linux-node1 ~]# yum install -y elasticsearch
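III. Elasticsearch configuration
1. Edit the configuration file
The configuration file is in the directory /etc/elasticsearch.
[root@linux-node1 /etc/elasticsearch]# grep '^[a-zA-Z]' elasticsearch.yml
cluster.name: myes                    # cluster name
node.name: linux-node1                # name of the node es runs on
path.data: /data/es-data              # where es stores its data
path.logs: /var/log/elasticsearch     # where es stores its logs
bootstrap.mlockall: true              # memory setting (lock the process memory)
network.host: 192.168.56.11           # node IP
http.port: 9200                       # listening port
[root@linux-node1 /etc/elasticsearch]#
Note: elasticsearch is abbreviated as es; es supports clustering natively.
Next, create the data and log directories and change their owner and group.
mkdir -p /data/es-data
mkdir -p /var/log/elasticsearch
Set the ownership:
chown -R elasticsearch.elasticsearch /data/es-data
chown -R elasticsearch.elasticsearch /var/log/elasticsearch
Start es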
[root@linux-node1 /etc/elasticsearch]# systemctl start elasticsearch
[root@linux-node1 /var/log/elasticsearch]# ps -ef|grep java
logstash 1495 1 4 10:50 ? 00:01:10 /bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djav.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -Djava.io.tmpdir=/var/lib/logstash -Xmx1g -Xss2048k -Djffi.boot.library.path=/opt/logstash/vendor/jruby/lib/jni -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -Djava.io.tmpdir=/var/lib/logstash -XX:HeapDumpPath=/opt/logstash/heapdump.hprof -Xbootclasspath/a:/opt/logstash/vendor/jruby/lib/jruby.jar -classpath : -Djruby.home=/opt/logstash/vendor/jruby -Djruby.lib=/opt/logstash/vendor/jruby/lib -Djruby.script=jruby -Djruby.shell=/bin/sh org.jruby.Main --1.9 /opt/logstash/lib/bootstrap/environment.rb logstash/runner.rb agent -f /etc/logstash/conf.d -l /var/log/logstash/logstash.log
elastic+ 3151 1 93 11:16 ? 00:00:13 /bin/java -Xms256m -Xmx1g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:+DisableExplicitGC -Dfile.encoding=UTF-8 -Djna.nosys=true -Des.path.home=/usr/share/elasticsearch -cp /usr/share/elasticsearch/lib/elasticsearch-2.3.5.jar:/usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch start -Des.pidfile=/var/run/elasticsearch/elasticsearch.pid -Des.default.path.home=/usr/share/elasticsearch -Des.default.path.logs=/var/log/elasticsearch -Des.default.path.data=/var/lib/elasticsearch -Des.default.path.conf=/etc/elasticsearch
root 3243 2486 0 11:16 pts/0 00:00:00 grep --color=auto java
After starting, check the process and the listening port. On my first start I found that neither the process nor the port was there. Check the log:
[root@linux-node1 /var/log/elasticsearch]# tail -n 20 myes.log
elasticsearch hard memlock unlimited
[2016-08-25 10:55:28,469][WARN ][bootstrap ] If you are logged in interactively, you will have to re-login for the new limits to take effect.
[2016-08-25 10:55:29,176][INFO ][node ] [linux-node1] version[2.3.5], pid[2719], build[90f439f/2016-07-27T10:36:52Z]
[2016-08-25 10:55:29,176][INFO ][node ] [linux-node1] initializing ...
[2016-08-25 10:55:31,145][INFO ][plugins ] [linux-node1] modules [reindex, lang-expression, lang-groovy], plugins [head, marvel-agent, kopf], sites [head, kopf]
[2016-08-25 10:55:31,250][INFO ][env ] [linux-node1] using [1] data paths, mounts [[/ (rootfs)]], net usable_space [32.1gb], net total_space [47.4gb], spins? [unknown], types [rootfs]
[2016-08-25 10:55:31,250][INFO ][env ] [linux-node1] heap size [1015.6mb], compressed ordinary object pointers [true]
[2016-08-25 10:55:31,251][WARN ][env ] [linux-node1] max file descriptors [65535] for elasticsearch process likely too low, consider increasing to at least [65536]
[2016-08-25 10:55:31,387][ERROR][bootstrap ] Exception
java.lang.IllegalStateException: marvel plugin requires the license plugin to be installed
    at org.elasticsearch.marvel.license.LicenseModule.verifyLicensePlugin(LicenseModule.java:37)
    at org.elasticsearch.marvel.license.LicenseModule.<init>(LicenseModule.java:25)
    at org.elasticsearch.marvel.MarvelPlugin.nodeModules(MarvelPlugin.java:89)
    at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
    at org.elasticsearch.node.Node.<init>(Node.java:179)
    at org.elasticsearch.node.Node.<init>(Node.java:140)
    at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:178)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)
In this case, we need to install the license plugin.
[root@linux-node1 ~]# /usr/share/elasticsearch/bin/plugin install license
-> Installing license...
Trying https://download.elastic.co/elasticsearch/release/org/elasticsearch/plugin/license/2.3.5/license-2.3.5.zip ...
Downloading .......DONE
Verifying https://download.elastic.co/elasticsearch/release/org/elasticsearch/plugin/license/2.3.5/license-2.3.5.zip checksums if available ...
Downloading .DONE
Installed license into /usr/share/elasticsearch/plugins/license
Start ES again
systemctl start elasticsearch
Access Elasticsearch with the curl command
[root@linux-node1 /var/log/elasticsearch]# curl http://192.168.56.11:9200
{
  "name" : "linux-node1",
  "cluster_name" : "myes",
  "version" : {
    "number" : "2.3.5",
    "build_hash" : "90f439ff60a3c0f497f91663701e64ccd01edbb4",
    "build_timestamp" : "2016-07-27T10:36:52Z",
    "build_snapshot" : false,
    "lucene_version" : "5.5.0"
  },
  "tagline" : "You Know, for Search"
}
[root@linux-node1 /var/log/elasticsearch]#
Access es over the web
Adding the -i option to curl also returns the header information, including the protocol.
[root@linux-node1 /var/log/elasticsearch]# curl -i 192.168.56.11:9200
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 311

{
  "name" : "linux-node1",
  "cluster_name" : "myes",
  "version" : {
    "number" : "2.3.5",
    "build_hash" : "90f439ff60a3c0f497f91663701e64ccd01edbb4",
    "build_timestamp" : "2016-07-27T10:36:52Z",
    "build_snapshot" : false,
    "lucene_version" : "5.5.0"
  },
  "tagline" : "You Know, for Search"
}
You can also get counts:
[root@linux-node1 /var/log/elasticsearch]# curl -i -XGET 'http://192.168.56.11:9200/_count?'
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 65

{"count":11658,"_shards":{"total":33,"successful":33,"failed":0}}
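2. Plugin installation and usage
(1) Marvel plugin
Marvel plugin: collects data from every node in the cluster.
This plugin must be installed on every node.
Marvel is a management and monitoring tool for Elasticsearch and is free to use in development environments. It includes an interactive console called Sense that lets users interact with Elasticsearch directly from the browser.
Installation:
[root@linux-node1 /var/log/elasticsearch]# /usr/share/elasticsearch/bin/plugin install marvel-agent
-> Installing marvel-agent...
Trying https://download.elastic.co/elasticsearch/release/org/elasticsearch/plugin/marvel-agent/2.3.5/marvel-agent-2.3.5.zip ...
Downloading ..........DONE
Finally, the plugin is installed in /usr/share/elasticsearch/plugins/marvel-agent
(2) head plugin
elasticsearch-head is a cluster management tool for elasticsearch. It is a standalone web application written entirely in HTML5, and you can integrate it into es as a plugin.
The head plugin lets you view basic information, simulate REST requests, search data, and so on.
If access to the elastic website is slow, we can download and install it from GitHub.
[root@linux-node1 ~]# /usr/share/elasticsearch/bin/plugin install mobz/elasticsearch-head
-> Installing mobz/elasticsearch-head...
Trying https://github.com/mobz/elasticsearch-head/archive/master.zip ...
The plugin is installed in the directory /usr/share/elasticsearch/plugins/head
Access URL: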
http://192.168.56.11:9200/_plugin/head/
(3) kopf plugin
Kopf is a management tool for Elasticsearch; it also provides an API for operating on the ES cluster.
Install kopf
[root@linux-node1 ~]# /usr/share/elasticsearch/bin/plugin install lmenezes/elasticsearch-kopf
-> Installing lmenezes/elasticsearch-kopf...
Trying https://github.com/lmenezes/elasticsearch-kopf/archive/master.zip ...
Access URL:
http://192.168.56.11:9200/_plugin/kopf/#!/cluster
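IV. Elasticsearch cluster setup
Install Elasticsearch with yum on 192.168.56.12 and edit the configuration file.
[root@linux-node2 elasticsearch]# grep '^[a-zA-Z]' elasticsearch.yml
cluster.name: myes
node.name: linux-node2
path.data: /data/es-data
path.logs: /var/log/elasticsearch
bootstrap.mlockall: true
network.host: 192.168.56.12
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.56.11", "192.168.56.12"]
An Elasticsearch cluster communicates by multicast. When node2 starts, it uses multicast to look for other nodes whose cluster.name is myes. Within a cluster, the two nodes hold an election and one of them is chosen as the master node. The master node is responsible for managing the cluster state.
Users do not need to care which node is the master; connecting to either one is enough. Queries do not need to be forwarded by the master node either.
Note, note, note: after installing elasticsearch on linux-node2, I did not install license at first; linux-node2 could never join the es cluster, and in myes.log on linux-node1 I kept seeing the following error: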
[2016-08-26 09:30:49,774][WARN ][discovery.zen ] [linux-node1] failed to validate incoming join request from node [{linux-node2}{cZRtReg6R3STovzviXGT6A}{192.168.56.12}{192.168.56.12:9300}]
[2016-08-26 09:30:52,837][WARN ][discovery.zen ] [linux-node1] failed to validate incoming join request from node [{linux-node2}{cZRtReg6R3STovzviXGT6A}{192.168.56.12}{192.168.56.12:9300}]
[2016-08-26 09:30:55,881][WARN ][discovery.zen ] [linux-node1] failed to validate incoming join request from node [{linux-node2}{cZRtReg6R3STovzviXGT6A}{192.168.56.12}{192.168.56.12:9300}]
[2016-08-26 09:30:58,920][WARN ][discovery.zen ] [linux-node1] failed to validate incoming join request from node [{linux-node2}{cZRtReg6R3STovzviXGT6A}{192.168.56.12}{192.168.56.12:9300}]
[2016-08-26 09:31:01,965][WARN ][discovery.zen ] [linux-node1] failed to validate incoming join request from node [{linux-node2}{cZRtReg6R3STovzviXGT6A}{192.168.56.12}{192.168.56.12:9300}]
[2016-08-26 09:31:05,007][WARN ][discovery.zen ] [linux-node1] failed to validate incoming join request from node [{linux-node2}{cZRtReg6R3STovzviXGT6A}{192.168.56.12}{192.168.56.12:9300}]
[2016-08-26 09:31:08,092][WARN ][discovery.zen ] [linux-node1] failed to validate incoming join request from node [{linux-node2}{cZRtReg6R3STovzviXGT6A}{192.168.56.12}{192.168.56.12:9300}]
Install license
[root@linux-node2 ~]# /usr/share/elasticsearch/bin/plugin install license
-> Installing license...
Trying https://download.elastic.co/elasticsearch/release/org/elasticsearch/plugin/license/2.3.5/license-2.3.5.zip ...
Downloading .......DONE
Verifying https://download.elastic.co/elasticsearch/release/org/elasticsearch/plugin/license/2.3.5/license-2.3.5.zip checksums if available ...
Downloading .DONE
Installed license into /usr/share/elasticsearch/plugins/license
[root@linux-node2 ~]# systemctl restart elasticsearch
Log in to http://192.168.56.11:9200/_plugin/head/ to view the cluster state.
You can see that linux-node2 has joined the cluster and that linux-node1 is the master node.
Green means all shards are in a healthy state.
V. ES monitoring
We can use curl to get health data.
[root@linux-node2 ~]# curl -XGET 'http://192.168.56.11:9200/_cluster/health?pretty=true'
{
  "cluster_name" : "myes",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 2,
  "number_of_data_nodes" : 2,
  "active_primary_shards" : 39,
  "active_shards" : 78,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
[root@linux-node2 ~]#
The _cat endpoint in ES provides a rich set of APIs that can monitor almost everything in ES.
[root@linux-node2 ~]# curl -XGET 'http://192.168.56.11:9200/_cat/health?pretty=true'
1472176491 09:54:51 myes green 2 2 78 39 0 0 0 0 - 100.0%
[root@linux-node2 ~]# curl -XGET 'http://192.168.56.11:9200/_cat/plugins?pretty=true'
linux-node2 license 2.3.5 j
linux-node1 head master s /_plugin/head/
linux-node1 kopf 2.0.1 s /_plugin/kopf/
linux-node1 license 2.3.5 j
linux-node1 marvel-agent 2.3.5 j
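The post says Marvel must be installed on every node and describes a node being refused by the cluster until the license plugin was added; the script below is an added example (not from the original post) that checks both conditions from the _cat/plugins listing and from myes.log. The function names are made up for this example, and the assumption that the fourth _cat/plugins column marks JVM plugins with "j" and site plugins with "s" is taken from the output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): plugin parity and join-failure checks.

# stdin: `_cat/plugins` text (columns: node, plugin, version, type, url).
# Prints "node plugin" for each JVM plugin (type contains "j") that at least
# one node has and this node lacks. Site plugins (type "s") are skipped.
missing_jvm_plugins() {
  awk '
    NF >= 4 { nodes[$1] = 1 }
    NF >= 4 && $4 ~ /j/ { jvm[$2] = 1; have[$1, $2] = 1 }
    END {
      for (n in nodes)
        for (p in jvm)
          if (!((n, p) in have)) print n, p
    }' | sort
}

# stdin: Elasticsearch log text. Prints "node count" for each node whose
# join request was rejected with the message quoted in the post.
join_failures() {
  sed -n 's/.*failed to validate incoming join request from node \[{\([^}]*\)}.*/\1/p' |
    sort | uniq -c | awk '{ print $2, $1 }'
}

# Sample input: the _cat/plugins output shown in the post.
sample_plugins() {
  cat <<'EOF'
linux-node2 license 2.3.5 j
linux-node1 head master s /_plugin/head/
linux-node1 kopf 2.0.1 s /_plugin/kopf/
linux-node1 license 2.3.5 j
linux-node1 marvel-agent 2.3.5 j
EOF
}

# Sample input: two lines from the post's myes.log excerpt plus one
# constructed INFO line that must not be counted.
sample_log() {
  cat <<'EOF'
[2016-08-26 09:30:49,774][WARN ][discovery.zen ] [linux-node1] failed to validate incoming join request from node [{linux-node2}{cZRtReg6R3STovzviXGT6A}{192.168.56.12}{192.168.56.12:9300}]
[2016-08-26 09:30:52,837][WARN ][discovery.zen ] [linux-node1] failed to validate incoming join request from node [{linux-node2}{cZRtReg6R3STovzviXGT6A}{192.168.56.12}{192.168.56.12:9300}]
[2016-08-26 09:31:10,000][INFO ][cluster.service ] [linux-node1] constructed line, not from the post
EOF
}

# Live use (address and log path as in the post):
#   curl -s 'http://192.168.56.11:9200/_cat/plugins' | missing_jvm_plugins
#   join_failures < /var/log/elasticsearch/myes.log
echo "JVM plugins missing on a node:"; sample_plugins | missing_jvm_plugins
echo "Rejected join requests:";        sample_log | join_failures
```

A node that was refused by the master never appears in _cat/plugins, so the log check is the one that surfaces it; the parity check covers nodes that have already joined.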