原來的架構
這樣的架構會導致ES壓力太大
引入redis架構圖
redis不能直接對接ES 所以使用logstash進行轉換
redis的數據是filebeat輸入的
logstash 從redis(倉庫中)拿取數據 給ES
使用redis緩存服務來緩解ES壓力
1.安裝redis
yum install redis
sed -i 's#^bind 127.0.0.1#bind 127.0.0.1 10.0.0.51#' /etc/redis.conf
systemctl start redis
netstat -lntup|grep redis
redis-cli -h 10.0.0.51
2.停止docker容器
docker stop $(docker ps -q)
3.停止filebeat
systemctl stop filebeat
4.刪除舊的ES索引
5.確認nginx日誌爲json格式
grep "access_log" nginx.conf
6.修改filebeat配置文件
cat >/etc/filebeat/filebeat.yml <<EOF
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/nginx/access.log
json.keys_under_root: true
json.overwrite_keys: true
tags: ["access"]
- type: log
enabled: true
paths:
- /var/log/nginx/error.log
tags: ["error"]
output.redis:
hosts: ["10.0.0.51"]
keys:
- key: "nginx_access"
when.contains:
tags: "access"
- key: "nginx_error"
when.contains:
tags: "error"
setup.template.name: "nginx"
setup.template.pattern: "nginx_*"
setup.template.enabled: false
setup.template.overwrite: true
EOF
7.重啓filebaet和nginx
systemctl restart nginx
systemctl restart filebeat
8.生成測試數據
curl 127.0.0.1/haha
9.檢查
redis-cli -h 10.0.0.51
keys *
TYPE nginx_access
LLEN nginx_access
LRANGE nginx_access 0 -1
確認是否爲json格式
10.安裝logstash
rpm -ivh jdk-8u102-linux-x64.rpm
rpm -ivh logstash-6.6.0.rpm
11.配置logstash
cat >/etc/logstash/conf.d/redis.conf<<EOF
input {
redis {
host => "10.0.0.51"
port => "6379"
db => "0"
key => "nginx_access"
data_type => "list"
}
redis {
host => "10.0.0.51"
port => "6379"
db => "0"
key => "nginx_error"
data_type => "list"
}
}
filter {
mutate {
convert => ["upstream_time", "float"]
convert => ["request_time", "float"]
}
}
output {
stdout {}
if "access" in [tags] {
elasticsearch {
hosts => "http://10.0.0.51:9200"
manage_template => false
index => "nginx_access-%{+yyyy.MM}"
}
}
if "error" in [tags] {
elasticsearch {
hosts => "http://10.0.0.51:9200"
manage_template => false
index => "nginx_error-%{+yyyy.MM}"
}
}
}
EOF
12.前臺啓動測試
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/redis.conf
13.檢查
logstash輸出的內容有沒有解析成json
es-head上有沒有索引生成
redis裏的列表數據有沒有在減少
14.將logstash放在後臺運行
ctrl+c
systemctl start logstash
聽風扇聲音,開始轉的時候表示logstash啓動了 --查看9600端口
redis操作命令
redis-cli -h 10.0.0.51
keys *
type nginx_access
llen nginx_access
lrange nginx_access 0 -1
架構的優化部分
如果現在想要新增加一個日誌文件
需要修改4個地方
redis優化:
新增加一個日誌 需要修改4個地方
優化後新增加一個日誌 需要修改2個地方
原理:只有在logstash輸出到ES時 進行分類 前面的filebeat和redis中只是打標籤 不需要放到不同的文件中(access error放到一起)
filebeat端口:監控日誌 寫到redis中
redis端口:6379
logstash端口:9600
elasticsearch端口: 9200 9300
filebeat 不支持鏈接 redis集羣或者哨兵,所以下圖中 redis 只是一個一個的工作
多個logstash會不會 同時讀取redis中的數據 (是多個logstash工作)
擴容多臺redis和logstash
1.增加redis備份節點:
cat >/etc/filebeat/filebeat.yml <<'EOF'
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/nginx/access.log
json.keys_under_root: true
json.overwrite_keys: true
tags: ["access"]
- type: log
enabled: true
paths:
- /var/log/nginx/error.log
tags: ["error"]
output.redis:
hosts: ["10.0.0.51:6379","10.0.0.52:6379"]
key: "nginx_log"
setup.template.name: "nginx"
setup.template.pattern: "nginx_*"
setup.template.enabled: false
setup.template.overwrite: true
EOF
2.logstash從多臺redis讀取數據:
cat >/etc/logstash/conf.d/redis.conf <<'EOF'
input {
redis {
host => "10.0.0.51"
port => "6379"
db => "0"
key => "nginx_log"
data_type => "list"
}
redis {
host => "10.0.0.52"
port => "6379"
db => "0"
key => "nginx_log"
data_type => "list"
}
}
filter {
mutate {
convert => ["upstream_time", "float"]
convert => ["request_time", "float"]
}
}
output {
stdout {}
if "access" in [tags] {
elasticsearch {
hosts => "http://10.0.0.51:9200"
manage_template => false
index => "nginx_access-%{+yyyy.MM}"
}
}
if "error" in [tags] {
elasticsearch {
hosts => "http://10.0.0.51:9200"
manage_template => false
index => "nginx_error-%{+yyyy.MM}"
}
}
}
EOF
這個架構圖中 logstash 讀取redis是輪詢的
消息隊列:
kafka 、zookeeper 配套使用
原理圖:
這樣的架構比使用redis更大 性能更高,一天100G之前的
生產者放消息 消費者拿消息
kafka和zookeeper 引入
0.配置密鑰
cat >/etc/hosts<<EOF
10.0.0.51 db01
10.0.0.52 db02
10.0.0.53 db03
EOF
ssh-keygen
ssh-copy-id 10.0.0.52
ssh-copy-id 10.0.0.53
1.安裝zook
###db01操作
cd /data/soft
tar zxf zookeeper-3.4.11.tar.gz -C /opt/
ln -s /opt/zookeeper-3.4.11/ /opt/zookeeper
mkdir -p /data/zookeeper
cat >/opt/zookeeper/conf/zoo.cfg<<EOF
tickTime=2000
initLimit=10
syncLimit=5
dataDir=/data/zookeeper
clientPort=2181
server.1=10.0.0.51:2888:3888
server.2=10.0.0.52:2888:3888
server.3=10.0.0.53:2888:3888
EOF
echo "1" > /data/zookeeper/myid
cat /data/zookeeper/myid
rsync -avz /opt/zookeeper* 10.0.0.52:/opt/
rsync -avz /opt/zookeeper* 10.0.0.53:/opt/
###db02操作
mkdir -p /data/zookeeper
echo "2" > /data/zookeeper/myid
cat /data/zookeeper/myid
###db03操作
mkdir -p /data/zookeeper
echo "3" > /data/zookeeper/myid
cat /data/zookeeper/myid
2.啓動zookeeper
/opt/zookeeper/bin/zkServer.sh start
3.檢查啓動是否成功
/opt/zookeeper/bin/zkServer.sh status
如果啓動正常mode應該是
2個follower
1個leader
4.測試zook通訊是否正常
在一個節點上執行,創建一個頻道
/opt/zookeeper/bin/zkCli.sh -server 10.0.0.51:2181
create /test "hello"
在其他節點上看能否接收到
/opt/zookeeper/bin/zkCli.sh -server 10.0.0.52:2181
get /test
5.安裝kafka
###db01操作
cd /data/soft/
tar zxf kafka_2.11-1.0.0.tgz -C /opt/
ln -s /opt/kafka_2.11-1.0.0/ /opt/kafka
mkdir /opt/kafka/logs
cat >/opt/kafka/config/server.properties<<EOF
broker.id=1
listeners=PLAINTEXT://10.0.0.51:9092
num.network.threads=3
num.io.threads=8
socket.send.buffer.bytes=102400
socket.receive.buffer.bytes=102400
socket.request.max.bytes=104857600
log.dirs=/opt/kafka/logs
num.partitions=1
num.recovery.threads.per.data.dir=1
offsets.topic.replication.factor=1
transaction.state.log.replication.factor=1
transaction.state.log.min.isr=1
log.retention.hours=24
log.segment.bytes=1073741824
log.retention.check.interval.ms=300000
zookeeper.connect=10.0.0.51:2181,10.0.0.52:2181,10.0.0.53:2181
zookeeper.connection.timeout.ms=6000
group.initial.rebalance.delay.ms=0
EOF
rsync -avz /opt/kafka* 10.0.0.52:/opt/
rsync -avz /opt/kafka* 10.0.0.53:/opt/
###db02操作
sed -i "s#10.0.0.51:9092#10.0.0.52:9092#g" /opt/kafka/config/server.properties
sed -i "s#broker.id=1#broker.id=2#g" /opt/kafka/config/server.properties
###db03操作
sed -i "s#10.0.0.51:9092#10.0.0.53:9092#g" /opt/kafka/config/server.properties
sed -i "s#broker.id=1#broker.id=3#g" /opt/kafka/config/server.properties
6.先前臺啓動kafka測試
/opt/kafka/bin/kafka-server-start.sh /opt/kafka/config/server.properties
7.檢查是否啓動
jps
8.kafka測試命令發送消息
創建命令
/opt/kafka/bin/kafka-topics.sh --create --zookeeper 10.0.0.51:2181,10.0.0.52:2181,10.0.0.53:2181 --partitions 3 --replication-factor 3 --topic messagetest
測試獲取所有的頻道
/opt/kafka/bin/kafka-topics.sh --list --zookeeper 10.0.0.51:2181,10.0.0.52:2181,10.0.0.53:2181
測試發送消息
/opt/kafka/bin/kafka-console-producer.sh --broker-list 10.0.0.51:9092,10.0.0.52:9092,10.0.0.53:9092 --topic messagetest
其他節點測試接收
/opt/kafka/bin/kafka-console-consumer.sh --zookeeper 10.0.0.51:2181,10.0.0.52:2181,10.0.0.53:2181 --topic messagetest --from-beginning
9.測試成功之後,可以放在後臺啓動
按ctrl + c 停止kafka的前臺啓動,切換到後臺啓動
/opt/kafka/bin/kafka-server-start.sh -daemon /opt/kafka/config/server.properties
10.配置filebeat
cat >/etc/filebeat/filebeat.yml <<EOF
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/nginx/access.log
json.keys_under_root: true
json.overwrite_keys: true
tags: ["access"]
- type: log
enabled: true
paths:
- /var/log/nginx/error.log
tags: ["error"]
output.kafka:
hosts: ["10.0.0.51:9092", "10.0.0.52:9092", "10.0.0.53:9092"]
topic: 'filebeat'
setup.template.name: "nginx"
setup.template.pattern: "nginx_*"
setup.template.enabled: false
setup.template.overwrite: true
EOF
重啓filebeat
systemctl restart filebeat
11.訪問並檢查kafka裏有沒有收到日誌
curl 10.0.0.51
/opt/kafka/bin/kafka-topics.sh --list --zookeeper 10.0.0.51:2181,10.0.0.52:2181,10.0.0.53:2181
/opt/kafka/bin/kafka-console-consumer.sh --zookeeper 10.0.0.51:2181,10.0.0.52:2181,10.0.0.53:2181 --topic filebeat --from-beginning
12.logstash配置文件
cat > /etc/logstash/conf.d/kafka.conf<<EOF
input {
kafka{
bootstrap_servers=>["10.0.0.51:9092,10.0.0.52:9092,10.0.0.53:9092"]
topics=>["filebeat"]
group_id=>"logstash"
codec => "json"
}
}
filter {
mutate {
convert => ["upstream_time", "float"]
convert => ["request_time", "float"]
}
}
output {
stdout {}
if "access" in [tags] {
elasticsearch {
hosts => "http://10.0.0.51:9200"
manage_template => false
index => "nginx_access-%{+yyyy.MM}"
}
}
if "error" in [tags] {
elasticsearch {
hosts => "http://10.0.0.51:9200"
manage_template => false
index => "nginx_error-%{+yyyy.MM}"
}
}
}
EOF
13.前臺啓動logatash測試
先清空ES以前生成的索引
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/kafka.conf
生成訪問日誌
curl 127.0.0.1
14.總結kafka實驗
1.前提條件
- kafka和zook都是基於java的,所以需要java環境
- 這倆比較喫資源,內存得夠
2.安裝zook注意
- 每臺機器的myid要不一樣,而且要和配置文件裏的id對應上
- 啓動測試,角色爲leader和follower
- 測試發送和接受消息
3.安裝kafka注意
- kafka依賴於zook,所以如果zook不正常,kafka不能工作
- kafka配置文件裏要配上zook的所有IP的列表
- kafka配置文件裏要注意,寫自己的IP地址
- kafka配置文件裏要注意,自己的ID是zook裏配置的myid
- kafka啓動要看日誌出現started纔算是成功
4.測試zook和kafka
- 一端發送消息
- 兩端能實時接收消息
5.配置filebeat
- output要配上kafka的所有的IP列表
6.配置logstash
- input要寫上所有的kafka的IP列表,別忘了[]
- 前臺啓動測試成功後再後臺啓動
7.毀滅測試結果
- 只要還有1個zook和1個kafka節點,就能正常收集日誌