什麼是ELK
- Elasticsearch是個開源分佈式搜索引擎,它的特點有:分佈式,零配置,自動發現,索引自動分片,索引副本機制,restful風格接口,多數據源,自動搜索負載等。
- Logstash是一個完全開源的工具,他可以對你的日誌進行收集、過濾,並將其存儲供以後使用(如,搜索)。
- Kibana 也是一個開源和免費的工具,它Kibana可以爲 Logstash 和 ElasticSearch 提供的日誌分析友好的
- Web 界面,可以幫助您彙總、分析和搜索重要數據日誌
- Filebeat隸屬於Beats。目前Beats包含四種工具:
Packetbeat(蒐集網絡流量數據)
Topbeat(蒐集系統、進程和文件系統級別的 CPU 和內存使用情況等數據)
Filebeat(蒐集文件數據)
Winlogbeat(蒐集 Windows 事件日誌數據)
| 操作系統 | IP地址 | 主要軟件 |
|---|---|---|
| centos7 | 10.0.0.73 | jdk,elasticsearch,kibana |
| centos7 | 10.0.0.74 | jdk,logstash |
##10.0.0.73操作
安裝Elk包
[root@ localhost ~]# unzip ELK.zip
Archive: ELK.zip
inflating: ELK/elasticsearch-6.6.2.rpm
inflating: ELK/jdk-8u131-linux-x64_.rpm
inflating: ELK/kibana-6.6.2-x86_64.rpm
inflating: ELK/logstash-6.6.0.rpm
安裝jdk
# 切換目錄到Elk
[root@ localhost ~]# cd ELK/
[root@ localhost ELK]# rpm -ivh jdk-8u131-linux-x64_.rpm
Preparing... ################################# [100%]
Updating / installing...
1:jdk1.8.0_131-2000:1.8.0_131-fcs ################################# [100%]
Unpacking JAR files...
tools.jar...
plugin.jar...
javaws.jar...
deploy.jar...
rt.jar...
jsse.jar...
charsets.jar...
localedata.jar...
# 查看版本
[root@ localhost ELK]# java -version
java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)
安裝elasticsearch
[root@ localhost ELK]# yum -y install elasticsearch-6.6.2.rpm
Loaded plugins: fastestmirror
Examining elasticsearch-6.6.2.rpm: elasticsearch-6.6.2-1.noarch
Marking elasticsearch-6.6.2.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package elasticsearch.noarch 0:6.6.2-1 will be installed
--> Finished Dependency Resolution
# 配置開機自啓動
[root@ localhost ELK]# systemctl enable elasticsearch
Created symlink from /etc/systemd/system/multi-user.target.wants/elasticsearch.service to /usr/lib/systemd/system/elasticsearch.service.
# 開啓服務
[root@ localhost ELK]# systemctl start elasticsearch
# 驗證服務是否啓動
[root@ localhost ELK]# netstat -lptnu|grep java
tcp6 0 0 127.0.0.1:9200 :::* LISTEN 2239/java
tcp6 0 0 ::1:9200 :::* LISTEN 2239/java
tcp6 0 0 127.0.0.1:9300 :::* LISTEN 2239/java
tcp6 0 0 ::1:9300 :::* LISTEN 2239/java
# 監聽端口:
9200作爲Http協議,主要用於外部通訊(http協議,給客戶端用的)
9300作爲Tcp協議,ES集羣之間是通過9300進行通訊(tcp協議,是es集羣內部通信使用)
# 修改elasticsearch配置文件
[root@ localhost ELK]# vim /etc/elasticsearch/elasticsearch.yml
network.host: 10.0.0.73(本機IP)
http.port: 9200 (註釋打開)
安裝 kibana
[root@ localhost ELK]# yum -y install kibana-6.6.2-x86_64.rpm
Loaded plugins: fastestmirror
Examining kibana-6.6.2-x86_64.rpm: kibana-6.6.2-1.x86_64
Marking kibana-6.6.2-x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package kibana.x86_64 0:6.6.2-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
# 配置kibana文件
[root@ localhost ELK]# vim /etc/kibana/kibana.yml
server.port: 5601(註釋打開)
server.host: "10.0.0.73"(默認打開並修改IP)
elasticsearch.hosts: ["http://10.0.0.73:9200"](默認打開並修改IP)
# 配置開機自啓動
[root@ localhost ELK]# systemctl enable kibana
Created symlink from /etc/systemd/system/multi-user.target.wants/kibana.service to /etc/systemd/system/kibana.service.
# 開啓服務
[root@ localhost ELK]# systemctl start kibana
##10.0.0.74操作
安裝Elk包
[root@ localhost ~]# unzip ELK.zip
Archive: ELK.zip
inflating: ELK/elasticsearch-6.6.2.rpm
inflating: ELK/jdk-8u131-linux-x64_.rpm
inflating: ELK/kibana-6.6.2-x86_64.rpm
inflating: ELK/logstash-6.6.0.rpm
安裝jdk
# 切換目錄到Elk
[root@ localhost ~]# cd ELK/
[root@ localhost ELK]# rpm -ivh jdk-8u131-linux-x64_.rpm
Preparing... ################################# [100%]
Updating / installing...
1:jdk1.8.0_131-2000:1.8.0_131-fcs ################################# [100%]
Unpacking JAR files...
tools.jar...
plugin.jar...
javaws.jar...
deploy.jar...
rt.jar...
jsse.jar...
charsets.jar...
localedata.jar...
# 查看版本
[root@ localhost ELK]# java -version
java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)
安裝logstash
[root@ localhost ELK]# yum -y install logstash-6.6.0.rpm
Loaded plugins: fastestmirror
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
Examining logstash-6.6.0.rpm: 1:logstash-6.6.0-1.noarch
Marking logstash-6.6.0.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package logstash.noarch 1:6.6.0-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
# 配置文件路徑:
[root@localhost logstash]# pwd
/etc/logstash
[root@localhost logstash]# ll
total 36
drwxrwxr-x 2 root root 6 2019-01-24 20:16 conf.d
-rw-r--r-- 1 root root 1846 2019-01-24 20:16 jvm.options
-rw-r--r-- 1 root root 4568 2019-01-24 20:16 log4j2.properties
-rw-r--r-- 1 root root 342 2019-01-24 20:16 logstash-sample.conf
-rw-r--r-- 1 root root 8194 2020-02-11 18:05 logstash.yml
-rw-r--r-- 1 root root 285 2019-01-24 20:16 pipelines.yml
-rw------- 1 root root 1696 2019-01-24 20:16 startup.options
# 日誌文件路徑:
[root@localhost logstash]# pwd
/var/log/logstash
# logstash是用來收集日誌,並對日誌做過濾處理的,我們下面要分析的是系統日誌,所以要編寫一個收集日誌的配置文件
[root@ localhost ELK]# vim /etc/logstash/conf.d/message.conf
# input日誌輸入模塊:日誌的獲取方式和路徑
input {
file {
path => "/var/log/messages"
type => "messages-log"
start_position => "beginning"
}
}
# output日誌的輸出模塊:導出你的數據
output {
elasticsearch {
hosts => "10.0.0.73:9200"
index => "messages_log=%{+YYYY.MM.dd}"
}
}
# 配置開機自啓動
[root@ localhost ELK]# systemctl enable logstash
Created symlink from /etc/systemd/system/multi-user.target.wants/logstash.service to /etc/systemd/system/logstash.service.
# 啓動logstash服務
[root@ localhost ELK]# systemctl start logstash
測試訪問IP:10.0.0.73:5601
在kibana上創建索引
給系統日誌添加可視化圖形
選擇繪畫哪個索引的圖形
選擇x軸爲繪畫日期的柱狀圖,然後點擊開始獲取數據
