• ELK + Filebeat 日志分析系统


    ELK + Filebeat 日志分析系统

    架构图

    环境

    OS:CentOS 7.4
    Filebeat: 6.3.2
    Logstash: 6.3.2
    Elasticsearch 6.3.2
    Kibana: 6.3.2
    

    FileBeat安装配置

    安装

    wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.3.2-x86_64.rpm
    yum localinstall filebeat-6.3.2-x86_64.rpm
    

    配置

    这里以nginx日志为例作为演示

    配置文件:/etc/filebeat/filebeat.yml

    filebeat.prospectors:
    - input_type: log  #输入类型为log
      paths:  #日志路径
        - /usr/local/nginx/logs/*.access.log
      document_type: ngx-access-log  #日志类型
    - input_type: log
      paths:
        - /usr/local/nginx/logs/*.error.log
      document_type: ngx-error-log
    output.logstash:  #输出到Logstash(也可以输出到其他,如elasticsearch)
      hosts: ["10.1.4.171:1007"]
    

    启动

    systemctl enable filebeat
    systemctl start filebeat
    

    Logstash安装配置

    安装

    wget https://artifacts.elastic.co/downloads/logstash/logstash-6.3.2.rpm
    yum localinstall logstash-6.3.2.rpm
    

    配置

    Logstash需要自定义,自定义配置文件目录是/etc/logstash/conf.d

    这里新建一个filebeat.conf配置文件

    /etc/logstash/conf.d/filebeat.conf

    input {
        #输入方式是beats
        beats {  
            port => "1007"  #监听1007端口(自定义端口)   
        }
    }
    
    filter {
        if [type] == "ngx-access-log" { #对日志类型为ngx-access-log进行处理。日志类型为filebeat配置定义
            grok {
                patterns_dir => "/usr/local/logstash/patterns"
                match => {  #对传过来的message字段做拆分,分割成多个易读字段
                    message => "%{IPV4:remote_addr}|%{IPV4:FormaxRealIP}|%{POSINT:server_port}|%{GREEDYDATA:scheme}|%{IPORHOST:http_host}|%{HTTPDATE:time_local}|%{HTTPMETHOD:request_method}|%{URIPATHPARAM:request_uri}|%{GREEDYDATA:server_protocol}|%{NUMBER:status}|%{NUMBER:body_bytes_sent}|%{GREEDYDATA:http_referer}|%{GREEDYDATA:user_agent}|%{GREEDYDATA:http_x_forwarded_for}|%{HOSTPORT:upstream_addr}|%{BASE16FLOAT:upstream_response_time}|%{BASE16FLOAT:request_time}|%{GREEDYDATA:cookie_formax_preview}"
                }
                remove_field => ["message"]   #已经将message字段拆分,可以将message字段删除
            }
    
            date {
                match => [ "time_local", "dd/MMM/yyyy:HH:mm:ss Z"]    #nginx日志中的时间替换@timestamp
                remove_field => ["time_local"]   #删除nginx日志时间字段
            }
    
            mutate {
                rename => ["http_host", "host"]   #nginx日志中http_host字段,替换host字段
            }
        } 
    }
    
    output {
        elasticsearch {   # 输出到elasticsearch
            hosts => ["127.0.0.1:9200"]
            index => "logstash-%{type}-%{+YYYY.MM.dd}"   #输出索引格式
        }
    }
    

    启动

    systemctl enable logstash
    systemctl start logstash
    

    Elasticsearch安装配置

    安装

    wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.3.2.rpm
    yum localinstall elasticsearch-6.3.2.rpm
    

    配置

    /etc/elasticsearch/elasticsearch.yml

    path.data: /var/lib/elasticsearch
    path.logs: /var/log/elasticsearch
    network.host: 0.0.0.0
    http.port: 9200
    #elasticsearch-head需要下列配置
    http.cors.enabled: true  
    http.cors.allow-origin: "*"
    

    启动

    systemctl enable elasticsearch
    systemctl start elasticsearch
    

    elasticsearch-head安装

    elasticsearch-head用于连接elasticsearch,并提供一个前端管理页面

    git clone git://github.com/mobz/elasticsearch-head.git
    cd elasticsearch-head
    npm install
    npm run start
    open http://localhost:9100/
    

    Kibana安装配置

    安装

    wget https://artifacts.elastic.co/downloads/kibana/kibana-6.3.2-x86_64.rpm
    yum localinstall kibana-6.3.2-x86_64.rpm
    

    配置

    默认配置就好

    启动

    nohup /usr/share/kibana/bin/kibana &> /usr/share/kibana/logs/kibana.stdout &
    

    nginx代理到kibana

    安装nginx

    yum install nginx
    

    配置
    /etc/nginx/conf.d/kibana.conf

    server {
        listen 80;
        server_name test.kibana.com;
    
        root html;
        access_log  /var/log/nginx/test.kibana.com.access.log main;
        error_log   /var/log/nginx/test.kibana.com.error.log;
    
        proxy_next_upstream http_502 http_504 error timeout invalid_header;
        proxy_connect_timeout     10;
        proxy_read_timeout        30;
        proxy_send_timeout        180;
        proxy_ignore_client_abort on;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_buffering           off;
        proxy_set_header Host $host;
    
        location /monitor {
            default_type text/plain;
            return 200 "OK";
        }
    
        location /echoip {
           default_type text/plain;
           return 200 $http_x_forwarded_for,$remote_addr;
        }
    
        location / {
            expires off;
            if ($server_port = "80") {
                proxy_pass http://127.0.0.1:5601;
            }
            proxy_pass  https://127.0.0.1:5601;
    
        }
    }
    

    启动

    systemctl enable nginx
    systemctl start nginx
    

    后记

    本文只是简单介绍了一下ELK+Filebeat日志分析系统的安装配置,以及一个简单的nginx日志处理过程。要想更细致的学习ELK体系,可以看ELKstack 中文指南。虽然该书以ELK5版本进行讲解,ELK6也可以看。

  • 相关阅读:
    MVC3 验证码
    说说.NET反编译工具
    HTTP协议学习
    Spring Web Flow 的优缺点
    Java CLASSPATH 引发的问题
    MySQL 高级
    Java Policy
    AJAX
    数据结构与算法学习资源
    C#学习资源
  • 原文地址:https://www.cnblogs.com/MacoLee/p/9517549.html
Copyright © 2020-2023  润新知