架構解讀
架構解讀 : (整個架構從左到右,總共分爲5層)
第一層:數據採集層
最左邊的是業務服務器集羣,上面安裝了filebeat做日誌採集,同時把採集的日誌分別發送給兩個logstash服務
第二層:數據處理層,數據緩存層
logstash服務把接收到的日誌經過格式處理,轉存到本地的kafka broker+zookeeper集羣中
第三層:數據轉發層
單獨的logstash節點會實時去kafka broker集羣拉數據,轉發至ES DataNode
第四層:數據持久化存儲
ES DataNode會把收到的數據,寫磁盤,建索引庫
第五層:數據檢索,數據展示
ES Master + Kibana主要協調ES集羣,處理數據檢索請求,數據展示
環境準備
(1)操作系統環境
CentOS Linux release 7.7.1908 (Core)
(2)服務器角色分配
| 主機IP | hostname | 角色 | 所屬服務層 | 部署服務 |
|---|---|---|---|---|
| 192.168.213.128 | zookeeper01 | 日誌生產 | 採集層 | filebeat |
| 192.168.213.128 | zookeeper01 | 日誌緩存數據 | 處理層、緩存層 | zookeeper+kafka+logstash |
| 192.168.213.128 | zookeeper01 | 日誌展示 | 持久、檢索、展示層 | elasticsearch+logstash+kibana |
| 192.168.213.136 | zookeeper02 | zookeeper+kafka+elasticsearch | ||
| 192.168.213.135 | zookeeper03 | zookeeper+kafka+elasticsearch |
數據流向 filebeat---->logstash---->kafka---->logstash---->elasticsearch
(3)軟件包版本
| 軟件包版本 |
|---|
| elasticsearch-5.2.0 logstash-5.2.0 kibana-5.2.0-linux-x86_64 jdk-8u842-linux-x64 zookeeper-3.4.14 filebeat-6.6.1-linux-x86_64 kafka_2.13-2.4.1 |
部署安裝
節點初始化
關閉防火牆,做時間同步(略)
部署ELK
ELK集羣部署(略)
ELK集羣配置
(1)配置logstash
[root@zookeeper01 ~]# cd /data/program/software/logstash
[root@zookeeper01 logstash]# cat conf.d/logstash_to_es.conf
input {
kafka {
bootstrap_servers => "192.168.213.128:9092,192.168.213.136:9092"
topics => ["test_logstash"]
}
}
output {
elasticsearch {
hosts => ["192.168.213.128:9200","192.168.213.136:9200"]
index => "dev-log-%{+YYYY.MM.dd}"
}
}
注: test_logstash字段是kafka的消息主題,後邊在部署kafka後需要創建
(2)elasticsearch配置 (略)
(3)kibana配置 (略)
部署zookeeper+kafka+logstash
zookeeper集羣配置(略)
kafka集羣配置(略)
logstash配置
(1)服務部署(略)
(2)服務配置
[root@zookeeper01 logstash]# cat conf.d/logstash_to_filebeat.conf
input {
beats {
port => 5044
}
}
output {
kafka {
bootstrap_servers => "192.168.213.128:9092,192.168.213.136:9092"
topic_id => "test_logstash"
}
}
部署filebeat
[root@zookeeper01 filebeat]# pwd
/data/program/software/filebeat
[root@zookeeper01 filebeat]# cat nginx.yml #只列出了需要修改的部分
#=========================== Filebeat inputs =============================
filebeat.inputs:
- type: log
enabled: yes
paths:
- /var/log/nginx/*.log
#----------------------------- Logstash output --------------------------------
output.logstash:
# The Logstash hosts
hosts: ["localhost:5044"]
注意: beat默認對接elasticsearch,需要修改爲logstash
各環節服務啓動與數據追蹤
(1)啓動zookeeper及kafka集羣
[root@zookeeper01 ~]# cd /data/program/software/zookeeper
[root@zookeeper01 zookeeper]# bin/zkServer.sh start
[root@zookeeper01 ~]# cd /data/program/software/kafka
[root@zookeeper01 kafka]# nohup bin/kafka-server-start.sh config/server.properties >>/tmp/kafka.nohup &
[root@zookeeper01 ~]# netstat -tunlp|egrep "(2181|9092)"
#在3個節點上執行
(2)啓動elasticsearch
[root@zookeeper01 ~]su - elsearch -c "/data/program/software/elasticsearch/bin/elasticsearch -d"
#在3個節點上執行
http://192.168.213.128:9200
查看elasticsearch+zookeeper集羣狀態
http://192.168.213.128:9200/_cat/nodes?pretty
(3)啓動nodejs
[root@zookeeper01 ~]# cd /data/program/software/elasticsearch/elasticsearch-head
[root@zookeeper01 elasticsearch-head]# grunt server &
http://192.168.213.128:9100
(4)啓動kibana
[root@zookeeper01 ~]# cd /data/program/software/kibana
[root@zookeeper01 kibana]# nohup bin/kibana >>/tmp/kibana.nohup &
[root@zookeeper01 kibana]# netstat -tunlp|grep 5601
http://192.168.213.128:5601
(5)啓動logstash
[root@zookeeper01 ~]# cd /data/program/software/logstash
[root@zookeeper01 logstash]# nohup bin/logstash -f conf.d/logstash_to_filebeat.conf >>/tmp/logstash.nohup &
(6)啓動filebeat
[root@zookeeper01 ~]# cd /data/program/software/filebeat
[root@zookeeper01 filebeat]# nohup ./filebeat -e -c nginx.yml >>/tmp/filebeat.nohup &
[root@zookeeper01 filebeat]# ps -ef|grep filebeat
(7)在kafka終端上進行日誌消費
[root@zookeeper03 ~]# cd /data/program/software/kafka
[root@zookeeper03 kafka]# bin/kafka-console-consumer.sh --bootstrap-server 192.168.213.136:9092 --topic test_logstash
訪問zookeeper01產生nginx日誌,在kafka終端上會有實時日誌消息,則filebeat---->logstash---->kafka 數據流轉正常
[root@zookeeper02 ~]# curl -I 192.168.213.128
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 14 Apr 2020 05:22:07 GMT
Content-Type: text/html
Content-Length: 4833
Last-Modified: Fri, 16 May 2014 15:12:48 GMT
Connection: keep-alive
ETag: "53762af0-12e1"
Accept-Ranges: bytes
(8)啓動logstash轉發
[root@zookeeper01 ~]# cd /data/program/software/logstash
[root@zookeeper01 logstash]# nohup bin/logstash -f conf.d/logstash_to_es.conf >>/tmp/logstash_to_es.nohup &
(9)elasticsearch數據展示
(10)kibana數據展示
踩坑記錄
(1)logstash-6.6.1版本不支持同時運行多個實例
[FATAL] [logstash. runner] Logstash could not be started because there is already another instance using the configured data directory. If you wish to run multiple instances, you must change the “path.data” setting.
原因:logstash-6.6.1版本不支持同時運行多個實例,前一個運行的instance在path.data裏面有.lock文件
網上大多數的解決辦法是刪除其data目錄下的.lock文件,但這並不能解決問題,我們需要conf.d/logstash_to_filebeat.conf和conf.d/logstash_to_es.conf同時在線運行以保證實時日誌統計展示,所以採用了百度出來的另一個方法,直接運行 nohup bin/logstash -f conf.d/ >>/tmp/logstash.nohup &,這樣雖然運行沒報錯,但會使數據採集異常,瘋狂輸出沒有用的數據
實測ELK(elasticsearch+logstash+kibana)6.6.1版本按本教程搭建的平臺數據收集異常
單獨測試filebeat---->logstash---->kafka數據流轉正常;
單獨測試kafka---->logstash---->elasticsearch數據流轉正常;
整體測試數據流轉異常,採集到的數據並非只是nginx的日誌,且不停的輸出,不及時暫停filebeat或logstash會導致無用數據佔用磁盤空間龐大
暫時沒有找到此版本解決此問題的方法
(2)將ELK版本回退部署後集羣狀態異常
http://192.168.213.128:9200/_cat/nodes?pretty
查看集羣狀態爲503
{
"error" : {
"root_cause" : [ {
"type" : "master_not_discovered_exception",
"reason" : null
} ],
"type" : "master_not_discovered_exception",
"reason" : null
},
"status" : 503
}
查看日誌,發現master沒有選舉成功,而且3個節點的"cluster_uuid" : "_na_"都相同(異常)
原因:把elasticsearch複製到其他節點時 ,elk_data下的運行數據也拷貝過去了
解決辦法: 把elk_data目錄下的內容刪除,重啓elasticsearch
後記
嚴禁按舊版本的教程用新版本的軟件做實例,這無異於自己挖坑自己跳