ELK deployment: environment preparation
1. Machine preparation
Two servers:
ubuntu-elk-node1:Ubuntu 16.04.3/192.168.15.68
ubuntu-nginx-node2:Ubuntu 16.04.3/192.168.15.244
2. ELK environment preparation
-rwxrwxrwx 1 root root 27542289 Dec 26 12:48 elasticsearch-2.3.3.tar.gz*
-rwxrwxrwx 1 root root 33045518 Dec 26 12:52 kibana-4.5.1-linux-x64.tar.gz*
-rwxrwxrwx 1 root root 78887475 Dec 26 13:18 logstash-2.3.3.tar.gz*
-rw-r--r-- 1 root root 189784266 Dec 25 16:47 jdk-8u152-linux-x64.tar.gz
3. Install Java (required on both servers)
Extract to /usr/java/jdk1.8.0_152
vim /etc/profile and append the following at the end
#JDK 1.8
export JAVA_HOME=/usr/java/jdk1.8.0_152
export JRE_HOME=${JAVA_HOME}/jre
export CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib
#export PATH=${JAVA_HOME}/bin:$PATH
export PATH=$JAVA_HOME/bin:$JRE_HOME/bin:$PATH
Apply the configuration immediately
source /etc/profile
java -version
Install on ubuntu-elk-node1:Ubuntu 16.04.3/192.168.15.68
4.1. Elasticsearch installation
Extract elasticsearch
tar xvf elasticsearch-2.3.3.tar.gz -C /usr/local/elk/
Create the elasticsearch user
adduser elasticsearch
Change ownership of the elasticsearch directory
chown -R elasticsearch.elasticsearch /usr/local/elk/elasticsearch-2.3.3/
elasticsearch configuration file elasticsearch.yml
cluster.name: chuck-cluster # identifies whether nodes belong to the same cluster
node.name: ubuntu-elk-node1 # hostname of the node
path.data: /data/es-data # data storage path
path.logs: /var/log/elasticsearch/ # log path
bootstrap.mlockall: true # lock memory so it is not swapped out
network.host: 0.0.0.0 # address to listen on; 0.0.0.0 accepts connections on all interfaces
http.port: 9200 # port
Create the data and log directories and set ownership
mkdir -p /data/es-data
mkdir -p /var/log/elasticsearch/
chown -R elasticsearch.elasticsearch /data/es-data
chown -R elasticsearch.elasticsearch /var/log/elasticsearch/
Start elasticsearch (append & to run in the background)
su elasticsearch -l -c "/usr/local/elk/elasticsearch-2.3.3/bin/elasticsearch -d"
netstat -lntup|grep 9200
tcp6 0 0 :::9200 :::* LISTEN 1759/java
Access port 9200 and the node information is displayed
Install the head plugin to view indices and shards
/usr/local/elk/elasticsearch-2.3.3/bin/plugin install mobz/elasticsearch-head
Open the page http://192.168.15.68:9200/_plugin/head/
4.2. Kibana installation
Extract kibana
tar xvf kibana-4.5.1-linux-x64.tar.gz -C /usr/local/elk/
Edit kibana.yml
server.port: 5601 # kibana port
server.host: "0.0.0.0" # host address that serves external requests
elasticsearch.url: "http://192.168.15.68:9200"
kibana.index: ".kibana" # adds the .kibana index in elasticsearch
Start kibana (append & to run in the background)
/usr/local/elk/kibana-4.5.1-linux-x64/bin/kibana &
netstat -lntup|grep 5601
tcp 0 0 0.0.0.0:5601 0.0.0.0:* LISTEN 1815/node
Install on ubuntu-nginx-node2:Ubuntu 16.04.3/192.168.15.244
5.1. Logstash installation
Extract logstash
tar xvf logstash-2.3.3.tar.gz -C /usr/local/elk/
Change the Nginx configuration to log in JSON
log_format json '{ "@timestamp": "$time_iso8601", ' # local time in ISO 8601 standard format
'"@fields": { '
'"remote_addr": "$remote_addr", ' # client IP address
'"remote_user": "$remote_user", ' # client user name
'"time_local": "$time_local", ' # local time in Common Log Format
'"request": "$request", ' # requested URL and HTTP protocol
'"status": "$status", ' # response status
'"body_bytes_sent": "$body_bytes_sent", ' # bytes sent to the client, excluding the response header size; compatible with the "%B" parameter of the Apache module mod_log_config
'"http_referer": "$http_referer", ' # page the request was linked from
'"http_user_agent": "$http_user_agent", ' # client browser information
'"http_x_forwarded_for": "$http_x_forwarded_for", ' # client IP address
'"upstream_cache_status": "$upstream_cache_status", '
'"request_time": "$request_time", ' # request processing time in seconds with millisecond resolution; measured from reading the first byte from the client until the log is written after the last byte has been sent to the client
'"upstream_response_time": "$upstream_response_time" } }';
access_log /usr/local/n/logs/www.test.com-access.log json;
Logstash reads the nginx log and pushes it to elasticsearch on 192.168.15.68
Create a directory for the configuration files
mkdir /usr/local/elk/logstash-2.3.3/conf
Create the configuration file nginx-www.test.com.conf
input{
  file {
    path => "/usr/local/n/logs/www.test.com-access.log"
    codec => json
    type => "nginx-www.test.com"
    start_position => "beginning"
  }
}
output{
  if [type] == "nginx-www.test.com" {
    elasticsearch{
      hosts => ["192.168.15.68:9200"]
      index => "nginx-www.test.com-%{+YYYY.MM.dd}"
    }
  }
}
Start logstash
/usr/local/elk/logstash-2.3.3/bin/logstash -f /usr/local/elk/logstash-2.3.3/conf/nginx-www.test.com.conf
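
The log_format json directive above is declared without escape=json (a log_format parameter available from nginx 1.11.8), so nginx writes quotes, backslashes and non-ASCII bytes in logged values as \xXX, which is not valid JSON, and such lines fail JSON parsing before they reach the index. The Python sketch below is an added example, not part of the original article: it parses lines in this format and repairs the \xXX escapes. The sample lines and function names are constructed for illustration.

```python
import json
import re

# nginx's default escaping logs '"', '\' and bytes <32 or >126 as \xXX,
# which JSON does not accept as an escape sequence.
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")

# Constructed sample lines in the log_format above (not real traffic).
CLEAN = (r'{ "@timestamp": "2017-12-26T13:30:00+08:00", "@fields": { '
         r'"remote_addr": "192.168.15.10", "request": "GET / HTTP/1.1", '
         r'"status": "200", "http_user_agent": "curl/7.47.0" } }')
ESCAPED = (r'{ "@timestamp": "2017-12-26T13:30:01+08:00", "@fields": { '
           r'"remote_addr": "192.168.15.10", '
           r'"request": "GET /?q=\xE4\xB8\xAD HTTP/1.1", '
           r'"status": "200", "http_user_agent": "agent \x22beta\x22" } }')


def restore_utf8(value):
    """Rejoin the per-byte code points of a repaired line into UTF-8 text."""
    if isinstance(value, dict):
        return {k: restore_utf8(v) for k, v in value.items()}
    if isinstance(value, str):
        return value.encode("latin-1", "replace").decode("utf-8", "replace")
    return value


def parse_nginx_json_line(line):
    """Return (event, repaired); repaired is True if hex escapes were fixed."""
    try:
        return json.loads(line), False
    except json.JSONDecodeError:
        pass
    # \xXX -> \u00XX makes the line valid JSON; each byte becomes one char.
    fixed = HEX_ESCAPE.sub(r"\\u00\1", line)
    return restore_utf8(json.loads(fixed)), True


if __name__ == "__main__":
    for raw in (CLEAN, ESCAPED):
        event, repaired = parse_nginx_json_line(raw)
        print(repaired, event["@fields"]["request"],
              event["@fields"]["http_user_agent"])
```

On nginx 1.11.8 or later, declaring the format as log_format json escape=json '...' avoids the problem at the source, and the repair step is then only needed for older log files.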