- Elasticsearch: the database; stores the data (Java)
- Logstash: collects and filters logs (Java)
- Filebeat: collects logs and ships them to ES (Go)
- Kibana: analyses, filters and displays the data (Java)

Log sources, by layer:

- Proxy layer: nginx, HAProxy
- Web layer: nginx, docker, k8s
- DB layer: redis, mongodb, es, mysql
| Host | Service | IP | Environment |
|---|---|---|---|
| elasticsearch | Elasticsearch | 192.168.66.77 | openjdk version "1.8.0_282" |
| filebeat | Filebeat | 192.168.66.78 | |
| kibana | Kibana | 192.168.66.79 | openjdk version "1.8.0_282" |
## 1. Installing Elasticsearch

Download addresses:

- https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.6.0.rpm
- https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.6.0-x86_64.rpm
- https://artifacts.elastic.co/downloads/kibana/kibana-6.6.0-x86_64.rpm

Elasticsearch is written in Java, so a Java runtime has to be set up before installing it.

Install the Java environment (JDK via yum):

```shell
yum -y install java-1.8.0-openjdk
```

Download the Elasticsearch rpm package:

```shell
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.6.0.rpm
```

Install it:

```shell
rpm -ivh elasticsearch-6.6.0.rpm
```
Edit the configuration file (single node):

```shell
vim /etc/elasticsearch/elasticsearch.yml
```

```yaml
node.name: node-1
path.data: /data/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true
network.host: 192.168.66.77
http.port: 9200
```

Create the data directory and give it to the elasticsearch user:

```shell
mkdir -p /data/elasticsearch
chown elasticsearch:elasticsearch -R /data/elasticsearch
```

Turn off the swap partition:

```shell
swapoff -a
```

Raise the system limit so that `bootstrap.memory_lock` can take effect (official docs: https://www.elastic.co/guide/en/elasticsearch/reference/6.6/setting-system-settings.html):

```shell
systemctl edit elasticsearch
```

```ini
[Service]
LimitMEMLOCK=infinity
```

Reload the unit:

```shell
systemctl daemon-reload
```
Start the service:

```shell
systemctl restart elasticsearch.service
```

Check that port 9200 is listening and that the node answers:

```
[root@elasticsearch src]# netstat -tlunp|grep 9200
tcp6       0      0 192.168.66.77:9200      :::*                    LISTEN      2362/java
[root@elasticsearch src]# curl 192.168.66.77:9200
{
  "name" : "node-1",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "lF-kCYKxSJamHdM3-hVwWQ",
  "version" : {
    "number" : "6.6.0",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "a9861f4",
    "build_date" : "2019-01-24T11:27:09.439740Z",
    "build_snapshot" : false,
    "lucene_version" : "7.6.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
```
Single-node deployment script:

```shell
#!/bin/bash
# Date: 2021-06-04 14:21
# Project: single-node Elasticsearch deployment
# ================================ script start ================================
# Variables
host="192.168.66.77"
# 1. Install the JDK (Elasticsearch is written in Java)
yum -y install java-1.8.0-openjdk
# 2. Download the RPM package
cd /usr/local/src
if [ ! -f "elasticsearch-6.6.0.rpm" ];then
    wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.6.0.rpm
fi
# 3. Install
rpm -ivh elasticsearch-6.6.0.rpm
# 4. Write the configuration file (the packaged one is kept as a backup)
mv /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml.bak
cat > /etc/elasticsearch/elasticsearch.yml <<EOF
node.name: node-1
path.data: /data/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true
network.host: $host
http.port: 9200
# Cross-origin support; turn this on if es-head cannot connect
# (allow-origin "*" accepts browser requests from any origin)
http.cors.enabled: true
http.cors.allow-origin: "*"
EOF
# 5. Create the data directory and hand it to the elasticsearch user
mkdir -p /data/elasticsearch
chown elasticsearch:elasticsearch -R /data/elasticsearch
# 6. Turn off swap
swapoff -a
# 7. Raise the system limits
#    Equivalent to `systemctl edit elasticsearch`; see
#    https://www.elastic.co/guide/en/elasticsearch/reference/6.6/setting-system-settings.html
mkdir -p /etc/systemd/system/elasticsearch.service.d
cat >/etc/systemd/system/elasticsearch.service.d/override.conf <<EOF
[Service]
LimitMEMLOCK=infinity
EOF
# 8. Reload systemd units
systemctl daemon-reload
sleep 3
# 9. Start the service
systemctl restart elasticsearch.service
sleep 3
systemctl status elasticsearch.service
# 10. Check the listening port
netstat -tlunp|grep 9200
# 11. Query the node over HTTP
sleep 10
curl $host:9200
```
## 2. Installing Filebeat

Download:

```shell
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.6.0-x86_64.rpm
```

Install:

```shell
rpm -ivh filebeat-6.6.0-x86_64.rpm
```

Edit the configuration file, keeping a backup copy first:

```shell
cd /etc/filebeat/
cp filebeat.yml filebeat.yml.bak
vim filebeat.yml
```

```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
output.elasticsearch:
  hosts: ["192.168.66.77:9200"]
```

What is collected here is the nginx log, so nginx has to be installed first; then send some requests to produce data.

Install nginx and the load-testing tool, and generate some traffic:

```shell
yum -y install nginx
systemctl restart nginx.service
yum -y install httpd-tools
ab -n 100 -c 100 http://192.168.66.78/
```
## 3. Installing Kibana

Kibana also depends on the Java environment; install it before Kibana:

```shell
yum -y install java-1.8.0-openjdk
```

```
[root@filebeat ~]# java -version
openjdk version "1.8.0_282"
OpenJDK Runtime Environment (build 1.8.0_282-b08)
OpenJDK 64-Bit Server VM (build 25.282-b08, mixed mode)
```

Download the rpm package: https://artifacts.elastic.co/downloads/kibana/kibana-6.6.0-x86_64.rpm

Install:

```shell
rpm -ivh kibana-6.6.0-x86_64.rpm
```

Edit the configuration file:

```shell
vim /etc/kibana/kibana.yml
```

```yaml
server.port: 5601
server.host: "192.168.66.79"
server.name: "kibana"
elasticsearch.hosts: ["http://192.168.66.77:9200"]
kibana.index: ".kibana"
```

Start it:

```shell
systemctl restart kibana.service
```

```
[root@filebeat ~]# netstat -tlunp|grep 5601
tcp        0      0 192.168.66.79:5601      0.0.0.0:*               LISTEN      12281/node
[root@filebeat ~]# curl 192.168.66.79:5601
Kibana server is not ready yet
```
## 4. Basic use of Kibana

Create a new index pattern, then browse the log entries.
## 5. Collecting nginx JSON logs with ELK

Change the nginx log format to JSON so that Kibana can filter and search the fields:

```shell
vim /etc/nginx/nginx.conf
```

```nginx
...
http {
    # escape=json (nginx 1.11.8+) backslash-escapes quotes and control
    # characters in variable values, so that client-supplied headers such as
    # User-Agent or Referer cannot break the JSON.
    log_format json escape=json '{"@timestamp":"$time_iso8601",'
                                '"@version":"1",'
                                '"server_addr":"$server_addr",'
                                '"remote_addr":"$remote_addr",'
                                '"host":"$host",'
                                '"uri":"$uri",'
                                '"body_bytes_sent":$body_bytes_sent,'
                                '"bytes_sent":$bytes_sent,'
                                '"request":"$request",'
                                '"request_length":$request_length,'
                                '"request_time":$request_time,'
                                '"status":"$status",'
                                '"http_referer":"$http_referer",'
                                '"http_x_forwarded_for":"$http_x_forwarded_for",'
                                '"http_user_agent":"$http_user_agent"'
                                '}';
    access_log /var/log/nginx/access.log json;
...
```
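The log_format above only yields valid JSON as long as the variable values are JSON-safe, and several of them (User-Agent, Referer, the request line) are supplied by the client. With nginx's default escaping a double quote is written as `\x22` and any byte above 126 as `\xXX`, neither of which is a legal JSON escape, so such a line fails to parse. The following Python is an added example, not part of the original post and not nginx or Filebeat code: it decodes constructed sample lines the way Filebeat does with `json.keys_under_root` and `json.add_error_key`, shows one line failing, and reimplements the `escape=json` rule to show that escaped values round-trip. The sample lines and the helper names (`parse_access_log`, `nginx_json_escape`, `render_line`, `roundtrip`) are this example's own assumptions.

```python
import json

# Constructed sample access-log lines (not captured traffic). Line 1 is what
# the log_format above emits for an ordinary request. Line 2 is what the same
# format emits WITHOUT escape=json when a client sends a User-Agent containing
# double quotes: nginx's default escaping writes them as \x22, which JSON
# does not accept, so the whole line is unparseable.
SAMPLE_LINES = [
    '{"@timestamp":"2021-06-22T11:08:24+08:00","@version":"1",'
    '"remote_addr":"192.168.66.1","uri":"/","body_bytes_sent":612,"bytes_sent":850,'
    '"request":"GET / HTTP/1.1","request_length":78,"request_time":0.001,'
    '"status":"200","http_referer":"-","http_user_agent":"Mozilla/5.0"}',
    '{"@timestamp":"2021-06-22T11:08:25+08:00","@version":"1",'
    '"remote_addr":"192.168.66.1","uri":"/","body_bytes_sent":612,"bytes_sent":850,'
    '"request":"GET / HTTP/1.1","request_length":78,"request_time":0.001,'
    '"status":"200","http_referer":"-","http_user_agent":"curl/7.6 \\x22test\\x22"}',
]


def parse_access_log(lines):
    # Decode each line as one event (json.keys_under_root). A line that does
    # not decode is kept with the decode error attached, which is what
    # json.add_error_key: true does: the event carries error.message and
    # error.type = "json" and the raw text stays in message.
    events = []
    for raw in lines:
        try:
            events.append(json.loads(raw))
        except json.JSONDecodeError as exc:
            events.append({"message": raw,
                           "error": {"message": str(exc), "type": "json"}})
    return events


def nginx_json_escape(value):
    # Reproduce nginx's escape=json: '"' and backslash get a backslash in
    # front, control characters become \n \r \t \b \f or \u00XX, everything
    # else (including non-ASCII) is passed through unchanged.
    named = {"\n": "\\n", "\r": "\\r", "\t": "\\t", "\b": "\\b", "\f": "\\f"}
    out = []
    for ch in value:
        if ch in ('"', "\\"):
            out.append("\\" + ch)
        elif ch in named:
            out.append(named[ch])
        elif ord(ch) < 0x20:
            out.append("\\u%04X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_line(fields):
    # Build a line the way the log_format above does, quoting string fields
    # and leaving numeric ones bare, with every string passed through
    # nginx_json_escape (i.e. what escape=json produces).
    parts = []
    for key, value in fields.items():
        if isinstance(value, str):
            parts.append('"%s":"%s"' % (key, nginx_json_escape(value)))
        else:
            parts.append('"%s":%s' % (key, value))
    return "{" + ",".join(parts) + "}"


def roundtrip(fields):
    # Render with escape=json semantics and decode again.
    return json.loads(render_line(fields))


if __name__ == "__main__":
    for ev in parse_access_log(SAMPLE_LINES):
        state = "ERROR" if "error" in ev else "OK"
        print(state, ev.get("http_user_agent") or ev["error"]["message"])
    print(render_line({"status": "200", "http_user_agent": 'curl/7.6 "test"'}))
```

Run directly, the second sample line is reported as a JSON error; in Elasticsearch the same line would appear with an `error.message` field, so a saved search on that field in Kibana is a cheap check that the log format is still being parsed.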
Change Filebeat's input so that each line is parsed as JSON:

```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  json.keys_under_root: true
  json.add_error_key: true
...
```

Use a custom index name and template:

```yaml
...
output.elasticsearch:
  hosts: ["http://localhost:9200"]
  index: "nginx-%{[beat.version]}-%{+yyyy.MM.dd}"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
```

Complete Filebeat configuration file for collecting the JSON-format nginx log. The Elasticsearch host name and port have to be changed to match your setup:

```shell
vim /etc/filebeat/filebeat.yml
```

```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  json.keys_under_root: true
  json.add_error_key: true
output.elasticsearch:
  hosts: ["http://localhost:9200"]
  index: "nginx-%{[beat.version]}-%{+yyyy.MM.dd}"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
```
## 6. Collecting nginx access and error logs with ELK

To collect nginx logs from several servers, install filebeat on each of them and edit its configuration file; all of them just need to point at the same Elasticsearch server.

In production both the normal (access) log and the error log are collected. They can be collected separately in filebeat.yml, which makes managing the logs easier.

```shell
vim /etc/filebeat/filebeat.yml
```

```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  json.keys_under_root: true
  json.add_error_key: true
  tags: ["access"]
- type: log
  enabled: true
  paths:
    - /var/log/nginx/error.log
  tags: ["error"]
setup.kibana:
output.elasticsearch:
  hosts: ["192.168.66.77:9200"]
  indices:
    - index: "nginx-access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "access"
    - index: "nginx-error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "error"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
```
## 7. Collecting docker logs with ELK

In production, docker logs are collected as well. Docker's default log path is /var/lib/docker/containers/; the Filebeat documentation provides a docker input for these logs, and their default format is already JSON.

```shell
vim /etc/filebeat/filebeat.yml
```

```yaml
filebeat.inputs:
- type: docker
  containers.ids:
    - '*'
setup.kibana:
  host: "192.168.66.79:5601"
output.elasticsearch:
  hosts: ["192.168.66.77:9200"]
  index: "docker-%{[beat.version]}-%{+yyyy.MM.dd}"
setup.template.name: "docker"
setup.template.pattern: "docker-*"
setup.template.enabled: false
```
In practice, though, logs from several different docker services are collected, for example nginx, apache, tomcat and so on. How do you collect docker logs from several different services?

Collecting container logs by service type needs the help of docker-compose: when the containers are composed, each one gets a label, and the containers can then be told apart by that label.

Prerequisite: docker-compose is installed. Write the docker-compose.yaml file:

```shell
[root@k8s-node1 ~]# vim docker-compose.yaml
```

```yaml
version: '3'
services:
  nginx:
    labels:
      service: nginx
    image: nginx
    logging:
      options:
        # the json-file driver writes the listed labels into each log line
        # as "attrs":{"service":"..."}, which Filebeat can match on below
        labels: "service"
    ports:
      - 80:80
  httpd:
    labels:
      service: httpd
    image: nginx
    logging:
      options:
        labels: "service"
    ports:
      - 8080:80
```

Bring the containers up with docker-compose:

```shell
docker-compose up -d
```

Edit the filebeat.yml configuration file:

```yaml
filebeat.inputs:
- type: log
  paths:
    - /var/lib/docker/containers/*/*-json.log
  json.keys_under_root: true
  json.add_error_key: true
  json.message_key: log
output.elasticsearch:
  hosts: ["192.168.66.77:9200"]
  indices:
    - index: "docker-nginx-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        attrs.service: "nginx"
    - index: "docker-httpd-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        attrs.service: "httpd"
setup.template.name: "docker"
setup.template.pattern: "docker-*"
setup.template.enabled: false
```
Collecting the normal and error logs of several containers by service type. Docker writes a container's stdout and stderr into the same json-file log, tagged with a `stream` field, so the access and error streams can be separated on that field:

```shell
vim /etc/filebeat/filebeat.yml
```

```yaml
filebeat.inputs:
- type: log
  paths:
    - /var/lib/docker/containers/*/*-json.log
  json.keys_under_root: true
  json.add_error_key: true
output.elasticsearch:
  hosts: ["192.168.66.77:9200"]
  indices:
    - index: "docker-nginx-access-%{[beat.version]}-%{+yyyy.MM.dd}"
      when.contains:
        attrs.service: "nginx"
        stream: "stdout"
    - index: "docker-nginx-error-%{[beat.version]}-%{+yyyy.MM.dd}"
      when.contains:
        attrs.service: "nginx"
        stream: "stderr"
    - index: "docker-httpd-access-%{[beat.version]}-%{+yyyy.MM.dd}"
      when.contains:
        stream: "stdout"
        attrs.service: "httpd"
    - index: "docker-httpd-error-%{[beat.version]}-%{+yyyy.MM.dd}"
      when.contains:
        attrs.service: "httpd"
        stream: "stderr"
setup.template.name: "docker"
setup.template.pattern: "docker-*"
setup.template.enabled: false
```
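Both the nginx access/error configuration and the docker configurations above route events with `output.elasticsearch.indices` and `when.contains` conditions. The following Python is an added example (not Filebeat's code, and not from the original post) that reimplements that routing so the conditions can be checked against sample events offline: the tag-based nginx rules, the `attrs.service`/`stream`-based docker rules, and the decoding of docker json-file lines with `json.message_key: log`. The docker sample lines, `BEAT_VERSION` and `SAMPLE_TS` are constructed assumptions of this example.

```python
import json
import re
from datetime import datetime

BEAT_VERSION = "6.6.0"                        # what %{[beat.version]} expands to here
SAMPLE_TS = datetime(2021, 6, 22, 11, 8, 24)  # stands in for the event's @timestamp

# Routing rules in the shape of output.elasticsearch.indices from the configs
# above: an index pattern plus the when.contains conditions that must all hold.
# The first matching rule wins, as in Filebeat.
NGINX_RULES = [
    ("nginx-access-%{[beat.version]}-%{+yyyy.MM}", {"tags": "access"}),
    ("nginx-error-%{[beat.version]}-%{+yyyy.MM}", {"tags": "error"}),
]
DOCKER_RULES = [
    ("docker-nginx-access-%{[beat.version]}-%{+yyyy.MM.dd}", {"attrs.service": "nginx", "stream": "stdout"}),
    ("docker-nginx-error-%{[beat.version]}-%{+yyyy.MM.dd}", {"attrs.service": "nginx", "stream": "stderr"}),
    ("docker-httpd-access-%{[beat.version]}-%{+yyyy.MM.dd}", {"attrs.service": "httpd", "stream": "stdout"}),
    ("docker-httpd-error-%{[beat.version]}-%{+yyyy.MM.dd}", {"attrs.service": "httpd", "stream": "stderr"}),
]

# Constructed lines in the docker json-file driver layout (not captured from a
# real host). "attrs.service" comes from the `labels: "service"` logging option
# in the docker-compose file above.
DOCKER_LINES = [
    '{"log":"192.168.66.1 - - [22/Jun/2021:03:08:24 +0000] \\"GET / HTTP/1.1\\" 200 612\\n",'
    '"stream":"stdout","attrs":{"service":"nginx"},"time":"2021-06-22T03:08:24.123456789Z"}',
    '{"log":"2021/06/22 03:08:30 [error] 7#7: *1 open() \\"/usr/share/nginx/html/x\\" failed\\n",'
    '"stream":"stderr","attrs":{"service":"nginx"},"time":"2021-06-22T03:08:30.000000000Z"}',
    '{"log":"192.168.66.1 - - [22/Jun/2021:03:09:00 +0000] \\"GET / HTTP/1.1\\" 200 612\\n",'
    '"stream":"stdout","attrs":{"service":"httpd"},"time":"2021-06-22T03:09:00.000000000Z"}',
]


def lookup(event, dotted_key):
    # Resolve a dotted key such as "attrs.service" against nested dicts.
    cur = event
    for part in dotted_key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def contains(event, conditions):
    # Filebeat's `contains` condition: every listed field must exist and be a
    # string (or a list of strings, such as tags) containing the value as a
    # substring. A missing field makes the condition false.
    for key, needle in conditions.items():
        value = lookup(event, key)
        if isinstance(value, str):
            if needle not in value:
                return False
        elif isinstance(value, list):
            if not any(isinstance(v, str) and needle in v for v in value):
                return False
        else:
            return False
    return True


def render_index(pattern, ts):
    # Expand %{[beat.version]} and the %{+yyyy.MM.dd} / %{+yyyy.MM} date formats.
    java_to_strftime = {"yyyy.MM.dd": "%Y.%m.%d", "yyyy.MM": "%Y.%m"}
    out = pattern.replace("%{[beat.version]}", BEAT_VERSION)
    return re.sub(r"%\{\+([^}]+)\}",
                  lambda m: ts.strftime(java_to_strftime[m.group(1)]), out)


def route(event, rules, ts=SAMPLE_TS):
    # Return the index the event lands in, or None when no rule matches
    # (Filebeat would then fall back to the plain `index` setting).
    for pattern, conditions in rules:
        if contains(event, conditions):
            return render_index(pattern, ts)
    return None


def parse_docker_line(raw):
    # Decode one json-file line with json.keys_under_root; json.message_key: log
    # selects the "log" text as the event's message, while stream, attrs and
    # time stay available as top-level fields for the conditions.
    event = json.loads(raw)
    event["message"] = event["log"]
    return event


def route_docker_line(raw, ts=SAMPLE_TS):
    return route(parse_docker_line(raw), DOCKER_RULES, ts)


if __name__ == "__main__":
    print(route({"tags": ["access"], "status": "200"}, NGINX_RULES))
    for raw in DOCKER_LINES:
        print(route_docker_line(raw))
```

Because the first matching rule wins and an event with none of the expected fields matches nothing, a container started without the `service` label (or a log line that failed JSON decoding) ends up in no listed index; checking `route(...)` for `None` on a sample line is the quick way to catch such gaps before they reach Elasticsearch.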
## 8. Collecting tomcat logs with ELK

Prerequisite: a tomcat server is deployed and reachable.

01. Change the `pattern` value of the access log valve in tomcat's server.xml. Inside an XML attribute the double quotes of the JSON have to be written as `&quot;`:

```shell
vim conf/server.xml
```

```xml
...
<!-- pattern attribute of the AccessLogValve element; the rest of the element is unchanged -->
pattern="{&quot;clientip&quot;:&quot;%h&quot;,&quot;ClientUser&quot;:&quot;%l&quot;,&quot;authenticated&quot;:&quot;%u&quot;,&quot;AccessTime&quot;:&quot;%t&quot;,&quot;method&quot;:&quot;%r&quot;,&quot;status&quot;:&quot;%s&quot;,&quot;SendBytes&quot;:&quot;%b&quot;,&quot;Query?string&quot;:&quot;%q&quot;,&quot;partner&quot;:&quot;%{Referer}i&quot;,&quot;AgentVersion&quot;:&quot;%{User-Agent}i&quot;}"/>
...
```

02. Restart tomcat, access it again and look at the log; the entries are now in JSON format:

```shell
tail -f logs/localhost_access_log.2021-06-22.txt
```

```
{"clientip":"192.168.66.1","ClientUser":"-","authenticated":"-","AccessTime":"[22/Jun/2021:11:08:24 +0800]","method":"GET / HTTP/1.1","status":"200","SendBytes":"11156","Query?string":"","partner":"-","AgentVersion":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.106 Safari/537.36"}
{"clientip":"192.168.66.1","ClientUser":"-","authenticated":"-","AccessTime":"[22/Jun/2021:11:08:24 +0800]","method":"GET /favicon.ico HTTP/1.1","status":"200","SendBytes":"21630","Query?string":"","partner":"http://192.168.66.67:8080/","AgentVersion":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.106 Safari/537.36"}
```
03. Complete filebeat.yml for collecting the JSON-format tomcat log:

```shell
vim /etc/filebeat/filebeat.yml
```

```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /usr/local/tomcat-8.5/logs/localhost_access_log.*.txt
  json.keys_under_root: true
  json.add_error_key: true
  tags: ["tomcat"]
output.elasticsearch:
  hosts: ["192.168.66.67:9200"]
  indices:
    - index: "tomcat-access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "tomcat"
setup.template.name: "tomcat"
setup.template.pattern: "tomcat-*"
setup.template.enabled: false
```
## 9. Collecting Java multi-line logs with ELK

Add these settings to the input entry:

```yaml
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after
```

Mind the indentation of these three items: they sit at the same level as `paths`.

Example:

```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/elasticsearch/elasticsearch.log
  tags: ["es"]
  multiline.pattern: '^\['
  multiline.negate: true
  multiline.match: after
```
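To see what the three settings do together, here is an added Python reimplementation of the `multiline.*` semantics (example code, not Filebeat's and not from the original post), run over a constructed Elasticsearch-style log that contains a Java stack trace. The sample lines are an assumption of this example; the pattern, negate and match values are the ones from the configuration above, and the other combinations are accepted so the effect of getting `negate` or `match` wrong can be compared.

```python
import re

# Constructed sample lines in the Elasticsearch log layout (not a real log):
# single-line entries around one ERROR entry that continues over a stack trace.
SAMPLE_LOG = [
    "[2021-06-22T11:08:24,123][INFO ][o.e.n.Node               ] [node-1] started",
    "[2021-06-22T11:08:30,456][WARN ][o.e.c.r.a.DiskThresholdMonitor] [node-1] low disk watermark exceeded",
    "[2021-06-22T11:09:01,789][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [node-1] fatal error in thread [main]",
    "java.lang.IllegalStateException: constructed example exception",
    "\tat org.elasticsearch.example.Main.run(Main.java:42)",
    "\tat org.elasticsearch.example.Main.main(Main.java:10)",
    "[2021-06-22T11:09:05,000][INFO ][o.e.n.Node               ] [node-1] stopping ...",
]


def multiline_merge(lines, pattern=r"^\[", negate=True, match="after"):
    # Filebeat's multiline.* semantics:
    #   negate: false -> lines that MATCH the pattern are continuation lines
    #   negate: true  -> lines that do NOT match the pattern are continuation lines
    #   match: after  -> a continuation line is appended to the preceding event
    #   match: before -> a continuation line is prepended to the following event
    # With pattern '^\[', negate true and match after, every line that does
    # not start with '[' (exception text, "\tat ..." frames) is glued onto the
    # timestamped line before it.
    regex = re.compile(pattern)
    events, buf = [], []
    for line in lines:
        matched = regex.search(line) is not None
        is_continuation = (not matched) if negate else matched
        if match == "after":
            if is_continuation and buf:
                buf.append(line)
            else:
                if buf:
                    events.append("\n".join(buf))
                buf = [line]
        elif match == "before":
            buf.append(line)
            if not is_continuation:
                events.append("\n".join(buf))
                buf = []
        else:
            raise ValueError("match must be 'after' or 'before'")
    if buf:
        # Filebeat flushes a pending event on multiline.timeout (default 5s)
        # or at EOF; here EOF is the end of the list.
        events.append("\n".join(buf))
    return events


if __name__ == "__main__":
    for i, ev in enumerate(multiline_merge(SAMPLE_LOG)):
        print("event %d (%d lines): %s" % (i, ev.count("\n") + 1, ev.splitlines()[0][:60]))
```

With the settings from the configuration the sample log becomes four events, the third of which is the ERROR line plus its three stack-trace lines. Running the same input with `negate=False` instead glues the timestamped lines together and leaves each stack-trace line as its own event, and `match="before"` attaches the stack trace to the entry that follows it rather than the one it belongs to. Filebeat additionally caps an event at `multiline.max_lines` (default 500), which this reimplementation does not model.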
## 10. Collecting logs with redis as a buffer

Install logstash:

```shell
cd /usr/local/src
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.6.0.rpm
rpm -ivh logstash-6.6.0.rpm
```

Logstash configuration:

```shell
cat > /etc/logstash/conf.d/redis.conf <<'EOF'
input {
  redis {
    host      => "192.168.66.66"
    port      => 6379
    db        => 0
    key       => "nginx"      # must match output.redis.key in filebeat.yml
    data_type => "list"
  }
}
filter {
  mutate {
    # only affects events that carry these fields
    convert => { "upstream_time" => "float" "request_time" => "float" }
  }
}
output {
  # Route on the tags Filebeat attached; the if blocks sit directly under
  # output (nesting them inside a stdout {} block is a syntax error).
  if "access" in [tags] {
    elasticsearch {
      hosts           => "http://localhost:9200"
      manage_template => false
      index           => "nginx_access-%{+yyyy.MM.dd}"
    }
  }
  if "error" in [tags] {
    elasticsearch {
      hosts           => "http://localhost:9200"
      manage_template => false
      index           => "nginx_error-%{+yyyy.MM.dd}"
    }
  }
}
EOF
```

Filebeat configuration:

```shell
cat > /etc/filebeat/filebeat.yml <<'EOF'
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  json.keys_under_root: true
  json.add_error_key: true
  tags: ["access"]
- type: log
  enabled: true
  paths:
    - /var/log/nginx/error.log
  tags: ["error"]
output.redis:
  hosts: ["192.168.66.66"]
  key: "nginx"
EOF
```

Start it:

```shell
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/redis.conf
```