ELK环境搭建
1. Virtualbox/Vagrant安装 4
1.1. Virtualbox安装 4
1.2. Vagrant安装 4
1.2.1. 简述 4
1.2.2. Vagrant box 4
1.2.3. 安装配置 5
1.2.4. 常用命令 6
2. ELK安装 6
2.1. CentOS7系统配置 6
2.1.1. 安装iptables 6
2.1.2. 安装ifconfig 6
2.1.3. 禁用IPV6 7
2.2. 安装Java并配置环境变量 7
2.3. 安装Elasticsearch 7
2.3.1. 导入elasticsearch公钥 7
2.3.2. 创建elasticsearch.repo 7
2.3.3. 使用yum install安装 8
2.3.4. 修改elasticsearch配置(修改主机ip) 8
2.3.5. 启动elasticsearch 8
2.3.6. 将elasticsearch添加到开机自启动 8
2.3.7. 访问elasticsearch rest服务 8
2.4. 安装Kibana 9
2.4.1. 创建kibana.repo 9
2.4.2. 使用yum install安装kibana 9
2.4.3. 修改kibana配置 9
2.4.4. 启动kibana并添加为开机自启动服务 9
2.5. 安装Nginx(此部分内容不是必须) 10
2.5.1. 安装nginx 10
2.5.2. 创建用户并设定密码 10
2.5.3. 修改/etc/nginx/nginx.conf 10
2.5.4. 创建/etc/nginx/conf.d/kibana.conf文件 11
2.5.5. 启动nginx并添加到开启自启动服务 11
2.6. 安装Logstash 11
2.6.1. 创建logstash.repo 12
2.6.2. 使用yum install安装logstash 12
2.6.3. 生成ssl证书 12
2.6.3.1. 根据ip生成 12
2.6.3.2. 根据域名生成 12
2.6.4. Logstash配置 13
2.6.4.1. Input 13
2.6.4.2. Filter 13
2.6.4.3. Output 14
2.6.5. 测试配置是否正确 14
2.6.6. 启动logstash并添加为开机自启动服务 14
2.6.7. 安装 Kibana Dashboards 14
2.7. 安装Filebeat 15
2.7.1. 导入elasticsearch公钥 15
2.7.2. 创建elastic-beats.repo 15
2.7.3. 安装filebeat 15
2.7.4. 配置Filebeat 15
2.7.4.1. 一个简单的配置 15
2.7.4.1.1. 使用elasticsearch作为输出 16
2.7.4.1.2. 使用logstash作为输出 16
2.7.5. load filebeat template 16
2.7.6. 启动filebeat并添加为系统开机自启动服务 17
2.7.7. 测试filebeat 17
2.7.8. Connect to Kibana 18
2.8. 安装topbeat 19
2.8.1. 导入elasticsearch公钥 19
2.8.2. 创建elastic-beats.repo 20
2.8.3. 安装topbeat 20
2.8.4. 配置Topbeat 20
2.8.5. load topbeat template 20
2.8.6. 启动topbeat并添加为系统开机自启动服务 21
2.8.7. 测试topbeat 21
2.8.8. Connect to Kibana 22
2.9. logstash扩展配置 23
2.9.1. Nginx日志配置 24
2.9.1.1. Logstash Patterns: Nginx 25
2.9.1.2. Logstash Filter: Nginx 25
2.9.1.3. 重启logstash 25
2.9.1.4. Filebeat Prospector: Nginx 25
2.9.1.5. 重启filebeat 26
2.9.1.6. kibana搜索效果图 26
2.9.2. Apache HTTP Web Server日志配置 26
2.9.2.1. Logstash Filter: Apache 26
2.9.2.2. 重启logstash 27
2.9.2.3. Filebeat Prospector: Apache 27
2.9.2.4. 重启filebeat 27
2.9.3. Tomcat日志配置 27
2.9.3.1. 定义Logstash Patterns: Tomcat 28
2.9.3.2. 定义Logstash Filter: Tomcat 28
2.9.3.3. 重启logstash 29
2.9.3.4. Filebeat Prospector: Tomcat 29
2.9.3.5. 重启filebeat 29
2.9.3.6. kibana搜索效果图 30
2.9.4. 最终配置 30
2.10. 使用Kibana查询分析日志 31
2.11. Elasticsearch插件安装 34
2.11.1. plugin命令介绍 35
2.11.2. 安装head插件 35
2.11.3. 安装bigdesk插件 37
2.11.4. 安装kopf插件 39
2.11.5. 插件列表 40
3. 参考资料 40
4. 使用Elasticsearch做全文检索 41
环境:
Vagrant 1.8.1
CentOS 7.2 192.168.0.228
Elasticsearch 2.3.2
logstash 2.2.4
Kibana 4.4.2
filebeat 1.2.2
topbeat 1.2.2
1. Virtualbox/Vagrant安装
此部分内容不是必须,已有linux环境可跳过该步骤。
1.1. Virtualbox安装
主页:https://www.virtualbox.org/
安装包:http://download.virtualbox.org/virtualbox/5.0.20/VirtualBox-5.0.20-106931-Win.exe
1.2. Vagrant安装
主页:https://www.vagrantup.com
1.2.1. 简述
Vagrant与Docker很像。Vagrant是一个基于Ruby的开源工具,用于创建和部署虚拟化开发环境。非常适合 php/python/ruby/java 这类语言开发 web 应用。它 使用Oracle的开源VirtualBox虚拟化系统。可以通过 Vagrant 封装一个 Linux 的开发环境,分发给团队成员。成员可以在自己喜欢的桌面系统(Mac/Windows/Linux)上开发程序,代码却能统一在封装好的环境里运行,非常霸气。
安装包:https://releases.hashicorp.com/vagrant/1.8.1/vagrant_1.8.1.msi下载下来直接安装。
1.2.2. Vagrant box
Vagrant box镜像站点:https://atlas.hashicorp.com/boxes/search
1.2.3. 安装配置
这里我们使用CentOS官方提供的vagrant box
http://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7.box
下载该box到本地,假若放在F:目录下
添加本地box
vagrant box add CentOS/7 F:CentOS-7.box # 添加本地box名称为CentOS/7
vagrant box list # 查看box列表
vagrant init CentOS/7 # 使用已添加的box创建虚拟机
vagrant up # 启动vagrant
最终会在目录下生成一个名为Vagrantfile的文件。
修改或编辑该文件内容如下
Vagrant.configure(2) do |config|
config.vm.box = "CentOS/7"
config.vm.network "public_network", ip: "192.168.0.228"
config.vm.hostname = "c1"
config.vm.provider "virtualbox" do |vb|
vb.name = "c1"
vb.memory = "2048"
end
end
注:其中config.vm.box表示使用哪个box,
config.vm.network 配置网络及ip,
config.vm.hostname设置主机名称,
config.vm.provider设置使用virtualbox当然你还可以使用vmware。
Vb.name设置主机名,
vb.memory设置内存大小。
使用vagrant up启动虚拟机。
1.2.4. 常用命令
$ vagrant init # 初始化
$ vagrant up # 启动虚拟机
$ vagrant halt # 关闭虚拟机
$ vagrant reload # 重启虚拟机
$ vagrant ssh # SSH 至虚拟机
$ vagrant status # 查看虚拟机运行状态
$ vagrant destroy # 销毁当前虚拟机
关于vagrant的详细使用请参考https://github.com/sxyx2008/DevArticles/issues/36。此处不做赘述。
2. ELK安装
2.1. CentOS7系统配置
在开始安装elk之前,我们需要对CentOS7做一系列配置。CentOS7安装后默认没有安装ifconfig、iptables等命令。
2.1.1. 安装iptables
$ systemctl stop firewalld
$ systemctl mask firewalld
$ yum install iptables-services
$ systemctl enable iptables
$ systemctl [stop|start|restart] iptables
$ service iptables save
2.1.2. 安装ifconfig
$ ip addr
$ ip link
$ ip -s link
$ yum provides ifconfig
$ yum whatprovides ifconfig
$ yum install net-tools
$ ifconfig -a
2.1.3. 禁用IPV6
方法一:
$ vi /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.eth1.disable_ipv6 = 1
$ sysctl -p
方法二:
$ vi /etc/sysctl.d/disableipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.eth1.disable_ipv6 = 1
$ reboot
2.2. 安装Java并配置环境变量
$ cd ~
$ wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/8u73-b02/jdk-8u73-linux-x64.rpm"
$ sudo yum -y localinstall jdk-8u73-linux-x64.rpm
$ sudo vim /etc/profile
export JAVA_HOME=/usr/java/jdk1.8.0_73
export CLASS_PATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
export PATH=$JAVA_HOME/bin:$PATH
$ source /etc/profile
2.3. 安装Elasticsearch
https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html
2.3.1. 导入elasticsearch公钥
$ sudo rpm --import http://packages.elastic.co/GPG-KEY-elasticsearch
2.3.2. 创建elasticsearch.repo
$ echo '[elasticsearch-2.x]
name=Elasticsearch repository for 2.x packages
baseurl=http://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
' | sudo tee /etc/yum.repos.d/elasticsearch.repo
2.3.3. 使用yum install安装
$ sudo yum -y install elasticsearch
2.3.4. 修改elasticsearch配置(修改主机ip)
$ sudo vim /etc/elasticsearch/elasticsearch.yml
network.host: 192.168.0.228
2.3.5. 启动elasticsearch
$ sudo systemctl start elasticsearch
2.3.6. 将elasticsearch添加到开机自启动
$ sudo systemctl enable elasticsearch
2.3.7. 访问elasticsearch rest服务
使用http://192.168.0.228:9200/出现如下内容表示elasticsearch安装成功。
注:
1、 Elasticsearch默认http端口为9200,节点端口为9300
2、 Elasticsearch rest服务访问不到则记得查看防火墙配置。
3、 Elasticsearch默认安装到/usr/share/elasticsearch目录下
4、 Elasticsearch配置文件默认在/etc/elasticsearch/目录下。可以使用rpm -qc命令查看。如下所示:
$ rpm -qc elasticsearch
/etc/elasticsearch/elasticsearch.yml
/etc/elasticsearch/logging.yml
/etc/init.d/elasticsearch
/etc/sysconfig/elasticsearch
/usr/lib/sysctl.d/elasticsearch.conf
/usr/lib/systemd/system/elasticsearch.service
/usr/lib/tmpfiles.d/elasticsearch.conf
2.4. 安装Kibana
https://www.elastic.co/guide/en/kibana/current/index.html
2.4.1. 创建kibana.repo
$ sudo vim /etc/yum.repos.d/kibana.repo
[kibana-4.4]
name=Kibana repository for 4.4.x packages
baseurl=http://packages.elastic.co/kibana/4.4/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
2.4.2. 使用yum install安装kibana
$ sudo yum -y install kibana
注:
1、 Kibana默认端口为5601
2、 kibana默认安装在/opt/kibana目录下
3、 Kibana配置文件路径为/opt/kibana/config/kibana.yml
$ rpm -qc kibana
/opt/kibana/config/kibana.yml
2.4.3. 修改kibana配置
$ sudo vim /opt/kibana/config/kibana.yml
server.host: "192.168.0.228"
elasticsearch.url: "http://192.168.0.228:9200"
2.4.4. 启动kibana并添加为开机自启动服务
$ sudo systemctl start kibana
$ sudo chkconfig kibana on
2.5. 安装Nginx(此部分内容不是必须)
由于elasticsearch、kibana自身均没有提供访问权限安全问题,这里使用nginx代理来验证用户身份。
2.5.1. 安装nginx
$ sudo yum -y install epel-release
$ sudo yum -y install nginx httpd-tools
2.5.2. 创建用户并设定密码
$ sudo htpasswd -c /etc/nginx/htpasswd.users kibanaadmin #创建kibanaadmin用户
注:
这里创建的用户为kibanaadmin/kibanaadmin(用户密码均为kibanaadmin)
2.5.3. 修改/etc/nginx/nginx.conf
$ sudo vim /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
}
2.5.4. 创建/etc/nginx/conf.d/kibana.conf文件
sudo vim /etc/nginx/conf.d/kibana.conf
server {
listen 80;
server_name 192.168.0.228;
auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/htpasswd.users;
location / {
proxy_pass http://192.168.0.228:5601;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
注:
1、 以上配置使用http basic认证用户身份。
2、 使用nginx反向代理到kibana所在服务器(http://192.168.0.228:5601)
为了使上述配置生效并能成功代理,需做如下操作
$ sudo setsebool -P httpd_can_network_connect 1
至此,访问nginx时则会要求输入用户名密码(kibanaadmin/kibanaadmin)。输入正确后请求会请求代理到kibana
2.5.5. 启动nginx并添加到开启自启动服务
$ sudo systemctl start nginx
$ sudo systemctl enable nginx
2.6. 安装Logstash
https://www.elastic.co/guide/en/logstash/current/index.html
2.6.1. 创建logstash.repo
$ sudo vim /etc/yum.repos.d/logstash.repo
[logstash-2.2]
name=logstash repository for 2.2 packages
baseurl=http://packages.elasticsearch.org/logstash/2.2/centos
gpgcheck=1
gpgkey=http://packages.elasticsearch.org/GPG-KEY-elasticsearch
enabled=1
2.6.2. 使用yum install安装logstash
$ sudo yum -y install logstash
注:
1、 logstash默认安装在/opt/logstash目录
2、 Logstash默认配置文件目录rpm -qc logstash
/etc/init.d/logstash
/etc/logrotate.d/logstash
/etc/sysconfig/logstash
2.6.3. 生成ssl证书
2.6.3.1. 根据ip生成
修改/etc/pki/tls/openssl.cnf文件,找到[ v3_ca ]节点。修改subjectAltName为IP:ELK安装机器IP。
sudo vim /etc/pki/tls/openssl.cnf
内容如下:
[ v3_ca ]
subjectAltName = IP: 192.168.0.228
切换到/etc/pki/tls目录,生成证书
$ cd /etc/pki/tls
$ sudo openssl req -config /etc/pki/tls/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
2.6.3.2. 根据域名生成
$ cd /etc/pki/tls
$ sudo openssl req -subj '/CN=www.elk.com/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
2.6.4. Logstash配置
这里所有的配置均在/etc/logstash/conf.d目录下。
2.6.4.1. Input
创建一个beats input
$ sudo vim /etc/logstash/conf.d/02-beats-input.conf
input {
beats {
port => 5044
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}
这里使用beats input,监听在5044端口上,使用之前生成的证书文件。
2.6.4.2. Filter
为syslog创建一个filter
$ sudo vim /etc/logstash/conf.d/10-syslog-filter.conf
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
2.6.4.3. Output
将beat输入输出到elasticsearch
$ sudo vim /etc/logstash/conf.d/30-elasticsearch-output.conf
output {
elasticsearch {
hosts => ["192.168.0.228:9200"]
sniffing => true
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
2.6.5. 测试配置是否正确
$ sudo service logstash configtest
如果显示Configuration OK则表示没有任何语法错误。
2.6.6. 启动logstash并添加为开机自启动服务
$ sudo systemctl restart logstash
$ sudo chkconfig logstash on
2.6.7. 安装 Kibana Dashboards
$ curl -L -O http://download.elastic.co/beats/dashboards/beats-dashboards-1.2.2.zip
$ unzip beats-dashboards-1.2.2.zip
$ cd beats-dashboards-1.2.2/
$ vim ./load.sh
ELASTICSEARCH=http://192.168.0.228:9200
$ ./load.sh
执行完后会创建如下index pattern
[packetbeat-]YYYY.MM.DD
[topbeat-]YYYY.MM.DD
[filebeat-]YYYY.MM.DD
[winlogbeat-]YYYY.MM.DD
使用kibana时,选择filebeat模式
2.7. 安装Filebeat
https://www.elastic.co/guide/en/beats/filebeat/1.2/index.html
2.7.1. 导入elasticsearch公钥
$ sudo rpm --import http://packages.elastic.co/GPG-KEY-elasticsearch
2.7.2. 创建elastic-beats.repo
$ sudo vim /etc/yum.repos.d/elastic-beats.repo
[beats]
name=Elastic Beats Repository
baseurl=https://packages.elastic.co/beats/yum/el/$basearch
enabled=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
gpgcheck=1
2.7.3. 安装filebeat
$ sudo yum -y install filebeat
或者
$ curl -L -O https://download.elastic.co/beats/filebeat/filebeat-1.2.2-x86_64.rpm
$ sudo rpm -vi filebeat-1.2.2-x86_64.rpm
注:rpm -qc filebeat查找filebeat核心配置文件为/etc/filebeat/filebeat.yml
2.7.4. 配置Filebeat
Filebeat默认安装后其配置文件为/etc/filebeat/filebeat.yml。该配置文件遵从yaml语法格式。有较强的缩进等语法。可使用下列网站进行校验
http://yaml-online-parser.appspot.com/
http://www.yamllint.com/
2.7.4.1. 一个简单的配置
2.7.4.1.1. 使用elasticsearch作为输出
filebeat:
prospectors:
-
paths:
- "/var/log/*.log"
output:
elasticsearch:
hosts: ["192.168.0.228:9200"]
以上配置表示filebeat收集/var/log/目录下所有以.log结尾的日志文件,输出到elasticsearch
2.7.4.1.2. 使用logstash作为输出
filebeat:
prospectors:
-
paths:
- "/var/log/*.log"
document_type: syslog
output:
logstash:
bulk_max_size: 1024
hosts:
- "192.168.0.228:5044"
tls:
certificate_authorities:
- /etc/pki/tls/certs/logstash-forwarder.crt
以上配置表示filebeat收集/var/log/目录下所有以.log结尾的日志文件,输出到logstash。其中document_type为之前在logstash中/etc/logstash/conf.d/10-syslog-filter.conf中定义的type类型。5044端口为之前在/etc/logstash/conf.d/02-beats-input.conf中为beats定义的port。certificate_authorities同理,不再赘述。
2.7.5. load filebeat template
$ curl -XPUT 'http://192.168.0.228:9200/_template/filebeat' -d@/etc/filebeat/filebeat.template.json
返回{"acknowledged":true}则表示成功。
删除filebeat template
$ curl -XDELETE 'http://192.168.0.228:9200/filebeat-*'
其中192.168.0.228:9200为elasticsearch服务。
2.7.6. 启动filebeat并添加为系统开机自启动服务
$ sudo systemctl start filebeat
$ sudo systemctl enable filebeat
2.7.7. 测试filebeat
$ curl -XGET 'http://192.168.0.228:9200/filebeat-*/_search?pretty'
{
"took" : 2,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"failed" : 0
},
"hits" : {
"total" : 1159,
"max_score" : 1.0,
"hits" : [ {
"_index" : "filebeat-2016.05.17",
"_type" : "syslog",
"_id" : "AVS8XSsvMXchSyg0mTVB",
"_score" : 1.0,
"_source" : {
"message" : "May 16 21:35:11 c1 journal: Journal started",
"@version" : "1",
"@timestamp" : "2016-05-17T01:35:11.000Z",
"source" : "/var/log/messages",
"input_type" : "log",
"type" : "syslog",
"count" : 1,
"fields" : null,
"beat" : {
"hostname" : "c1",
"name" : "c1"
},
"offset" : 527932,
"host" : "c1",
"tags" : [ "beats_input_codec_plain_applied" ],
"syslog_timestamp" : "May 16 21:35:11",
"syslog_hostname" : "c1",
"syslog_program" : "journal",
"syslog_message" : "Journal started",
"received_at" : "2016-05-17T01:36:06.259Z",
"received_from" : "c1",
"syslog_severity_code" : 5,
"syslog_facility_code" : 1,
"syslog_facility" : "user-level",
"syslog_severity" : "notice"
}
}]
}
}
观察控制台输出,若有结果输出则表示配置成功,否则仔细检查配置。
2.7.8. Connect to Kibana
http://192.168.0.228/会要求输入用户名密码,输入之前设置的kibanaadmin/kibanaadmin后,会反向代理到http://192.168.0.228/app/kibana
第一次请求系统要求设置一个默认的index pattern。这里默认设置filebeat-*为默认。
依次点Settings->filebeat- ->★ 即可。
Discover
2.8. 安装topbeat
https://www.elastic.co/guide/en/beats/topbeat/current/index.html
2.8.1. 导入elasticsearch公钥
$ sudo rpm --import http://packages.elastic.co/GPG-KEY-elasticsearch
2.8.2. 创建elastic-beats.repo
$ sudo vim /etc/yum.repos.d/elastic-beats.repo
[beats]
name=Elastic Beats Repository
baseurl=https://packages.elastic.co/beats/yum/el/$basearch
enabled=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
gpgcheck=1
2.8.3. 安装topbeat
$ sudo yum -y install topbeat
或
$ curl -L -O https://download.elastic.co/beats/topbeat/topbeat-1.2.2-x86_64.rpm
$ sudo rpm -vi topbeat-1.2.2-x86_64.rpm
注:rpm -qc topbeat 查找topbeat核心配置文件为/etc/topbeat/topbeat.yml
2.8.4. 配置Topbeat
$ sudo vim /etc/topbeat/topbeat.yml
output:
logstash:
hosts: ["192.168.0.228:5044"]
tls:
certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
这里配置同filebeat不再赘述。
2.8.5. load topbeat template
$ curl -XPUT 'http://192.168.0.228:9200/_template/topbeat' -d@/etc/topbeat/topbeat.template.json
返回{"acknowledged":true}则表示成功。
删除topbeat template
$ curl -XDELETE 'http://192.168.0.228:9200/topbeat-*'
其中192.168.0.228:9200为elasticsearch服务。
2.8.6. 启动topbeat并添加为系统开机自启动服务
$ sudo systemctl restart topbeat
$ sudo systemctl enable topbeat
2.8.7. 测试topbeat
$ curl -XGET 'http://192.168.0.228:9200/topbeat-*/_search?pretty'
{
"took" : 8,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"failed" : 0
},
"hits" : {
"total" : 277442,
"max_score" : 1.0,
"hits" : [ {
"_index" : "topbeat-2016.05.17",
"_type" : "system",
"_id" : "AVS8XHQPMXchSyg0mTFD",
"_score" : 1.0,
"_source" : {
"@timestamp" : "2016-05-17T01:37:26.228Z",
"type" : "system",
"load" : {
"load1" : 4.07,
"load5" : 1.8,
"load15" : 0.68
},
"cpu" : {
"user" : 3126,
"user_p" : 0.0293,
"nice" : 3190,
"system" : 2627,
"system_p" : 0.0984,
"idle" : 156,
"iowait" : 2322,
"irq" : 0,
"softirq" : 485,
"steal" : 0
},
"mem" : {
"total" : 3009445888,
"used" : 948916224,
"free" : 2060529664,
"used_p" : 0.32,
"actual_used" : 664776704,
"actual_free" : 2344669184,
"actual_used_p" : 0.22
},
"swap" : {
"total" : 1610608640,
"used" : 0,
"free" : 1610608640,
"used_p" : 0
},
"count" : 1,
"beat" : {
"hostname" : "c1",
"name" : "c1"
},
"@version" : "1",
"host" : "c1",
"tags" : [ "beats_input_raw_event" ]
}
}]
}
}
返回类似如上信息则表示配置成功。
2.8.8. Connect to Kibana
使用Topbeat Dashboard
2.9. logstash扩展配置
首先得明确以下几点
1、 logstash安装在/opt/logstash
2、 logstash配置目录为/etc/logstash/conf.d
3、 确定存在名为02-beats-input.conf配置文件,该文件在上文之前创建配置过
4、 确定存在名为30-elasticsearch-output.conf配置文件,该文件在上文之前创建配置过
创建patterns
$ sudo mkdir -p /opt/logstash/patterns
$ sudo chown logstash: /opt/logstash/patterns
修改/etc/filebeat/filebeat.yml文件
filebeat:
prospectors:
-
document_type: syslog
paths:
- /var/log/secure
- /var/log/messages
-
document_type: sys-log
input_type: log
paths:
- /var/log/*.log
registry_file: /var/lib/filebeat/registry
logging:
files:
rotateeverybytes: 10485760
output:
logstash:
bulk_max_size: 1024
hosts:
- "192.168.0.228:5044"
tls:
certificate_authorities:
- /etc/pki/tls/certs/logstash-forwarder.crt
shipper: ~
2.9.1. Nginx日志配置
2.9.1.1. Logstash Patterns: Nginx
$ sudo mkdir -p /opt/logstash/patterns
sudo vim /opt/logstash/patterns/nginx
NGUSERNAME [a-zA-Z.@-+_%]+
NGUSER %{NGUSERNAME}
NGINXACCESS %{IPORHOST:clientip} %{NGUSER:ident} %{NGUSER:auth} [%{HTTPDATE:timestamp}] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:"(?:%{URI:referrer}|-)"|%{QS:referrer}) %{QS:agent}
$ sudo chown logstash: /opt/logstash/patterns/nginx
2.9.1.2. Logstash Filter: Nginx
$ sudo vim /etc/logstash/conf.d/11-nginx-filter.conf
filter {
if [type] == "nginx-access" {
grok {
match => { "message" => "%{NGINXACCESS}" }
}
}
}
2.9.1.3. 重启logstash
$ sudo service logstash restart
2.9.1.4. Filebeat Prospector: Nginx
修改/etc/filebeat/filebeat.yml配置
$ sudo vim /etc/filebeat/filebeat.yml
filebeat:
prospectors:
-
document_type: nginx-access
paths:
- /var/log/nginx/access.log
registry_file: /var/lib/filebeat/registry
logging:
files:
rotateeverybytes: 10485760
output:
logstash:
bulk_max_size: 1024
hosts:
- "192.168.0.228:5044"
tls:
certificate_authorities:
- /etc/pki/tls/certs/logstash-forwarder.crt
shipper: ~
2.9.1.5. 重启filebeat
$ sudo service filebeat restart
2.9.1.6. kibana搜索效果图
2.9.2. Apache HTTP Web Server日志配置
2.9.2.1. Logstash Filter: Apache
$ sudo vi /etc/logstash/conf.d/12-apache.conf
filter {
if [type] == "apache-access" {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
}
}
2.9.2.2. 重启logstash
$ sudo service logstash restart
2.9.2.3. Filebeat Prospector: Apache
$ sudo vim /etc/filebeat/filebeat.yml
filebeat:
prospectors:
-
document_type: apache-access
input_type: log
paths:
- /var/log/apache2/access.log
registry_file: /var/lib/filebeat/registry
logging:
files:
rotateeverybytes: 10485760
output:
logstash:
bulk_max_size: 1024
hosts:
- "192.168.0.228:5044"
tls:
certificate_authorities:
- /etc/pki/tls/certs/logstash-forwarder.crt
shipper: ~
2.9.2.4. 重启filebeat
sudo service filebeat restart
2.9.3. Tomcat日志配置
参考链接
http://blog.kazaff.me/2015/06/05/%E6%97%A5%E5%BF%97%E6%94%B6%E9%9B%86%E6%9E%B6%E6%9E%84--ELK/
https://aggarwalarpit.wordpress.com/2015/12/03/configuring-elk-stack-to-analyse-apache-tomcat-logs/
https://www.systemcodegeeks.com/web-servers/apache/configuring-elk-stack-analyse-apache-tomcat-logs/
http://stackoverflow.com/questions/25429377/how-can-i-integrate-tomcat6s-catalina-out-file-with-logstash-elasticsearch
https://blog.codecentric.de/en/2014/10/log-management-spring-boot-applications-logstash-elastichsearch-kibana/
https://github.com/sdd330/tomcat-elk
https://blog.lanyonm.org/articles/2014/01/12/logstash-multiline-tomcat-log-parsing.html
https://spredzy.wordpress.com/2013/03/02/monitor-your-cluster-of-tomcat-applications-with-logstash-and-kibana/
2.9.3.1. 定义Logstash Patterns: Tomcat
$ vim /opt/logstash/patterns/tomcat
JAVACLASS (?:[a-zA-Z0-9-]+.)+[A-Za-z0-9$]+
JAVALOGMESSAGE (.*)
# MMM dd, yyyy HH:mm:ss eg: Jan 9, 2014 7:13:13 AM
CATALINA_DATESTAMP %{MONTH} %{MONTHDAY}, 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) (?:AM|PM)
# yyyy-MM-dd HH:mm:ss,SSS ZZZ eg: 2014-01-09 17:32:25,527 -0800
TOMCAT_DATESTAMP 20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) %{ISO8601_TIMEZONE}
CATALINALOG %{CATALINA_DATESTAMP:timestamp} %{JAVACLASS:class} %{JAVALOGMESSAGE:logmessage}
# 2014-01-09 20:03:28,269 -0800 | ERROR | com.example.service.ExampleService - something compeletely unexpected happened...
TOMCATLOG %{TOMCAT_DATESTAMP:timestamp} | %{LOGLEVEL:level} | %{JAVACLASS:class} - %{JAVALOGMESSAGE:logmessage}
2.9.3.2. 定义Logstash Filter: Tomcat
$ vim /etc/logstash/conf.d/13-tomcat.conf
filter {
if [type] == "tomcat_access" {
grok {
match => [ "message", "%{TOMCATLOG}", "message", "%{CATALINALOG}" ]
}
date {
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS Z", "MMM dd, yyyy HH:mm:ss a" ]
}
}
}
2.9.3.3. 重启logstash
$ sudo service logstash restart
2.9.3.4. Filebeat Prospector: Tomcat
修改/etc/filebeat/filebeat.yml配置
$ sudo vim /etc/filebeat/filebeat.yml
filebeat:
prospectors:
-
document_type: tomcat-access
input_type: log
paths:
- /home/vagrant/tomcat-7.0.69/logs/*.log
registry_file: /var/lib/filebeat/registry
logging:
files:
rotateeverybytes: 10485760
output:
logstash:
bulk_max_size: 1024
hosts:
- "192.168.0.228:5044"
tls:
certificate_authorities:
- /etc/pki/tls/certs/logstash-forwarder.crt
shipper: ~
2.9.3.5. 重启filebeat
$ sudo service filebeat restart
2.9.3.6. kibana搜索效果图
2.9.4. 最终配置
/etc/filebeat/filebeat.yml集各配置于一体的一个最终配置如下:
---
filebeat:
prospectors:
-
document_type: syslog
paths:
- /var/log/secure
- /var/log/messages
-
document_type: sys-log
input_type: log
paths:
- /var/log/*.log
-
document_type: nginx-access
paths:
- /var/log/nginx/access.log
-
document_type: apache-access
input_type: log
paths:
- /var/log/apache2/access.log
-
document_type: tomcat-access
input_type: log
paths:
- /home/vagrant/tomcat-7.0.69/logs/*.log
registry_file: /var/lib/filebeat/registry
logging:
files:
rotateeverybytes: 10485760
output:
logstash:
bulk_max_size: 1024
hosts:
- "192.168.0.228:5044"
tls:
certificate_authorities:
- /etc/pki/tls/certs/logstash-forwarder.crt
shipper: ~
2.10. 使用Kibana查询分析日志
这里注意涉及Discover、Visualize、Dashboard、Settings面板的使用。具体用法请结合官方文档。这里不再赘述。
系统日志
Nginx日志
2.11. Elasticsearch插件安装
https://www.elastic.co/guide/en/elasticsearch/plugins/current/installation.html
2.11.1. plugin命令介绍
Elasticsearch默认安装在/usr/share/elasticsearch路径下
进入到/usr/share/elasticsearch/bin目录。使用该目录下的plugin命令管理插件
使用./plugin -h命令会列出plugin命令选项的提示信息
./plugin install #安装插件
./plugin remove #移除插件
./plugin list #列出已安装插件列表
这里列出我常用的也是功能最为强大的三款插件
2.11.2. 安装head插件
$ sudo /usr/share/elasticsearch/bin/plugin install mobz/elasticsearch-head
访问http://192.168.0.228:9200/_plugin/head/
2.11.3. 安装bigdesk插件
$ sudo /usr/share/elasticsearch/bin/plugin install lukas-vlcek/bigdesk/2.5.0
访问http://192.168.0.228:9200/_plugin/bigdesk/
2.11.4. 安装kopf插件
$ sudo /usr/share/elasticsearch/bin/plugin install lmenezes/elasticsearch-kopf/2.1.2
访问http://192.168.0.228:9200/_plugin/kopf/
2.11.5. 插件列表
https://www.elastic.co/guide/en/elasticsearch/plugins/current/management.html
https://www.elastic.co/guide/en/elasticsearch/plugins/current/integrations.html
3. 参考资料
https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-elk-stack-on-centos-7
https://www.digitalocean.com/community/tutorials/how-to-gather-infrastructure-metrics-with-topbeat-and-elk-on-centos-7
https://www.digitalocean.com/community/tutorials/adding-logstash-filters-to-improve-centralized-logging
https://www.digitalocean.com/community/tutorials/how-to-use-kibana-dashboards-and-visualizations
https://www.digitalocean.com/community/tutorials/how-to-map-user-location-with-geoip-and-elk-elasticsearch-logstash-and-kibana
4. 使用Elasticsearch做全文检索
当使用elasticsearch搜索中文时就需要安装中文分词器。
关于elasticsearch更多内容可参阅
https://github.com/sxyx2008/elasticsearch elasticsearch中文版,基于elasticsearch-1.7.1。集成常用的各种插件
https://github.com/sxyx2008/elasticsearch-jest-example ElasticSearch Java API编程接口
https://github.com/sxyx2008/elasticsearch/issues/2 elasticsearch analysis ansj分词器的安装及使用
https://github.com/sxyx2008/elasticsearch/issues/3 elasticsearch-jdbc插件的使用
https://github.com/sxyx2008/elasticsearch/issues/5 elasticsearch rest api快速上手