0、架构图

image.png

1、宿主机环境准备

• 基础环境配置

# 关闭selinux
setenforce 0    # 临时关闭
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config    # 永久关闭

# 关闭并禁用防火墙
systemctl stop firewalld.service
systemctl disable firewalld.service

• rsyslog配置

# rsyslog配置文件
[root@testhost mnt]# grep -v "^#\|^$" /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none;local6.none                /var/log/messages
$template h3c,"/apps/logs/h3c_log/%FROMHOST-IP%.log"      # 交换机日志路径和文件名格式
local6.* ?h3c
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

# 重启rsyslog服务
systemctl restart rsyslog.service

# 检查514端口是否正常监听
netstat -antupl |grep syslog

# 创建交换机日志存放目录
mkdir -p /apps/logs/h3c_log/

2、交换机配置（h3c为例）

<H3C>dis curr | inc info-center
 undo info-center logfile enable
 info-center loghost source Vlan-interface3
 info-center loghost 192.168.10.100 facility local6      # 192.168.10.100为rsyslog的地址

远程ssh登录或退出交换机的命令行触发产生日志后可在rsyslog服务器上看到对应的日志

ls -alF /apps/logs/h3c_log/

3、docker相关环境准备

# 安装docker
curl https://download.docker.com/linux/centos/docker-ce.repo -o /etc/yum.repos.d/docker.repo
yum install docker-ce -y

# 全局修改docker配置
vi /etc/docker/daemon.json
{
    "registry-mirrors": ["https://registry.docker-cn.com","http://hub-mirror.c.163.com"],      # 修改镜像仓库源
    "log-driver": "json-file",      # 指定日志驱动为json文件
    "log-opts": {
        "max-size" : "100m",      # 指定日志文件最大为100M
        "max-file": "10",       # 指定保存最多10个日志文件
        "compress": "true"      # 开启切割后的日志压缩
    }
}

# 启用docker服务
systemctl daemon-reload
systemctl start docker
systemctl enable docker

# 安装docker-compose
sudo curl -L "https://github.com/docker/compose/releases/download/1.28.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

# 修改响应时间（解决docker-compose启动容器超时问题）
vi /etc/profile
export COMPOSE_HTTP_TIMEOUT=500
export DOCKER_CLIENT_TIMEOUT=500
# 使配置生效
source /etc/profile

# 新建目录
mkdir -p /apps/elastiflow    # 脚本及配置文件目录
mkdir /elastiflow_data && chown -R 1000:1000 /elastiflow_data    # 宿主机上es持久化数据目录

4、应用配置

• filebeat配置文件：filebeat.yml

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/networklogs/*.log      # 日志文件路径列表，可用通配符，不递归
  tags: ["h3c"]      # 标记tag，可用于分组
  include_lines: ['LOGIN','Failed','failed','error','ERROR','\bDOWN\b','\bdown\b','\bUP\b','\bup\b']      # 只输出匹配行
output.logstash:      # output到logstash
  hosts: ["127.0.0.1:5044"]
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

• logstash配置文件：logstash_networklog.conf

input {
  beats {
    port => 5044
  }
}
filter {
  if "huawei" in [tags] {
    grok{      # 解析文本构造
      match => {"message" => "%{SYSLOGTIMESTAMP:time} %{DATA:hostname} %{GREEDYDATA:info}"}
        }
  }
   else if "h3c" in [tags] {
    grok{
      match => {"message" => "%{SYSLOGTIMESTAMP:time} %{YEAR:year} %{DATA:hostname} %{GREEDYDATA:info}"}
        }
  }
mutate {      # 对字段做处理 重命名、删除、替换和修改字段
      remove_field => ["message","time","year","offset","tags","path","host","@version","[log]","[prospector]","[beat]","[input][type]","[source]"]
    }
}
output{
stdout {codec => rubydebug}
elasticsearch {
    index => "networklogs-%{+YYYY.MM.dd}"
    hosts => ["127.0.0.1:9200"]
    sniffing => false
    }
}

• logstash管道配置文件：logstash_pipelines.yml

- pipeline.id: main
  path.config: "/etc/logstash/conf.d/*.conf"      # 加载networklog.conf配置
- pipeline.id: elastiflow
  path.config: "/etc/logstash/elastiflow/conf.d/*.conf"      # 加载elastiflow配置（sflow使用）

• docker-compose.yml

version: '3'

services:
  elastiflow-elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.8.1
    container_name: elastiflow-elasticsearch
    restart: 'no'
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 131072
        hard: 131072
      nproc: 8192
      fsize: -1
    network_mode: host
    volumes:
      - /elastiflow_data:/usr/share/elasticsearch/data       # 持久化数据目录
    environment:
      ES_JAVA_OPTS: '-Xms8g -Xmx8g'
      cluster.name: elastiflow
      bootstrap.memory_lock: 'true'
      network.host: 0.0.0.0
      http.port: 9200
      discovery.type: 'single-node'
      indices.query.bool.max_clause_count: 8192
      search.max_buckets: 250000
      action.destructive_requires_name: 'true'

  elastiflow-kibana:
    image: docker.elastic.co/kibana/kibana:7.8.1
    container_name: elastiflow-kibana
    restart: 'no'
    depends_on:
      - elastiflow-elasticsearch
    network_mode: host
    environment:
      SERVER_HOST: 0.0.0.0
      SERVER_PORT: 5601
      SERVER_MAXPAYLOADBYTES: 8388608
      ELASTICSEARCH_HOSTS: "http://127.0.0.1:9200"
      ELASTICSEARCH_REQUESTTIMEOUT: 132000
      ELASTICSEARCH_SHARDTIMEOUT: 120000
      KIBANA_DEFAULTAPPID: "dashboard/653cf1e0-2fd2-11e7-99ed-49759aed30f5"
      KIBANA_AUTOCOMPLETETIMEOUT: 3000
      KIBANA_AUTOCOMPLETETERMINATEAFTER: 2500000
      LOGGING_DEST: stdout
      LOGGING_QUIET: 'false'
      I18N_LOCALE: zh-CN

  elastiflow-logstash:
    image: robcowart/elastiflow-logstash:4.0.1
    container_name: elastiflow-logstash
    restart: 'no'
    depends_on:
      - elastiflow-elasticsearch
    network_mode: host
    volumes:
      - /apps/elastiflow/logstash_networklog.conf:/etc/logstash/conf.d/networklog.conf
      - /apps/elastiflow/logstash_pipelines.yml:/usr/share/logstash/config/pipelines.yml
    environment:
      # JVM Heap size - this MUST be at least 3GB (4GB preferred)
      LS_JAVA_OPTS: '-Xms4g -Xmx4g'

      # ElastiFlow global configuration
      ELASTIFLOW_AGENT_ID: elastiflow
      ELASTIFLOW_GEOIP_CACHE_SIZE: 16384
      ELASTIFLOW_GEOIP_LOOKUP: 'true'
      ELASTIFLOW_ASN_LOOKUP: 'true'
      ELASTIFLOW_OUI_LOOKUP: 'false'
      ELASTIFLOW_POPULATE_LOGS: 'true'
      ELASTIFLOW_KEEP_ORIG_DATA: 'true'
      ELASTIFLOW_DEFAULT_APPID_SRCTYPE: '__UNKNOWN'

      # Name resolution option
      ELASTIFLOW_RESOLVE_IP2HOST: 'false'
      ELASTIFLOW_NAMESERVER: '127.0.0.1'
      ELASTIFLOW_DNS_HIT_CACHE_SIZE: 25000
      ELASTIFLOW_DNS_HIT_CACHE_TTL: 900
      ELASTIFLOW_DNS_FAILED_CACHE_SIZE: 75000
      ELASTIFLOW_DNS_FAILED_CACHE_TTL: 3600
      ELASTIFLOW_ES_HOST: '127.0.0.1:9200'
      #ELASTIFLOW_ES_USER: 'elastic'
      #ELASTIFLOW_ES_PASSWD: 'changeme'
      ELASTIFLOW_NETFLOW_IPV4_PORT: 2055
      ELASTIFLOW_NETFLOW_UDP_WORKERS: 2
      ELASTIFLOW_NETFLOW_UDP_QUEUE_SIZE: 4096
      ELASTIFLOW_NETFLOW_UDP_RCV_BUFF: 2000000
      ELASTIFLOW_SFLOW_IPV4_PORT: 6343
      ELASTIFLOW_SFLOW_UDP_WORKERS: 2
      ELASTIFLOW_SFLOW_UDP_QUEUE_SIZE: 4096
      ELASTIFLOW_SFLOW_UDP_RCV_BUFF: 2000000
      ELASTIFLOW_IPFIX_UDP_IPV4_PORT: 4739
      ELASTIFLOW_IPFIX_UDP_WORKERS: 2
      ELASTIFLOW_IPFIX_UDP_QUEUE_SIZE: 4096
      ELASTIFLOW_IPFIX_UDP_RCV_BUFF: 2000000

  elastiflow-filebeat:
    user: root
    container_name: elastiflow-filebeat
    restart: 'no'
    image: docker.elastic.co/beats/filebeat:7.8.1
    depends_on:
      - elastiflow-logstash
    network_mode: host
    volumes:
#      - /var/run/docker.sock:/var/run/docker.sock
#      - /var/log/remote_log:/usr/share/filebeat/remote_log  #use your log file location to update this line
      - /apps/logs/h3c_log/:/var/log/networklogs/
      - /apps/elastiflow/filebeat.yml:/usr/share/filebeat/filebeat.yml

5、启动容器

docker-compose up -d

6、验证和测试

• docker验证

docker ps -a    # docker运行情况
journalctl -u docker.service     # docker 引擎日志
docker logs -f xxxxx     # docker日志

• 相关端口

netstat -antupl | grep 9200      # es端口
netstat -antupl | grep 6343      # sflow端口
netstat -antupl | grep 5044      # logstash端口
netstat -antupl | grep 5601      # kibana端口

• filebeat测试

docker exec -it elastiflow-filebeat /bin/bash
filebeat test config    # 测试配置文件
filebeat test output    # 测试连接logstash 5044端口是否正常

7、页面配置-sflow

http://x.x.x.x:5601打开kibana页面
Management -> Stack Management -> Kibana Saved Objects 导入模板文件elastiflow.kibana.7.8.x.json（该文件从github中获取 https://github.com/robcowart/elastiflow/tree/master/kibana）
效果图如下

image.png

8、页面配置-交换机log

浏览器打开http://x.x.x.x:5601
打开管理页面：Home --> Management --> Stack Management

image.png

image.png

image.png

image.png

image.png

image.png

image.png

9、es管理

查看es集群健康状态curl -XGET 'http://127.0.0.1:9200/_cluster/health?pretty'

[root@testhost]# curl -XGET 'http://127.0.0.1:9200/_cluster/health?pretty'
{
  "cluster_name" : "elastiflow",
  "status" : "yellow",    # 集群状态
  "timed_out" : false,
  "number_of_nodes" : 1,    # 集群中节点数量
  "number_of_data_nodes" : 1,    # 集群中存放数据的节点总数
  "active_primary_shards" : 17,    # 集群中全部索引的主分片总数
  "active_shards" : 17,    # 集群中全部索引的所有分片（包括主分片和副本分片）总数
  "relocating_shards" : 0,    # 当下正在多个节点间移动的分片数量
  "initializing_shards" : 0,    # 新创建的分片数量
  "unassigned_shards" : 11,    # 集群中定义的，却未能发现的分片数量（此项非0的话集群状态为yellow）
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 60.71428571428571
}

说明：单点部署的 Elasticsearch，默认分片的副本数为 1，而相同的分片不能在同一个节点上，所以就出现上面 unsigned shards 非0的问题，最简单的解决方案是增加es的节点。
参考链接：
https://github.com/robcowart/elastiflow