第一种情况
安装 Logstash，由 Logstash 读取日志文件并直接写入 Elasticsearch，再由 Kibana 从 Elasticsearch 查询展示（下面配置中的 output 目标是 Elasticsearch，而非 Kibana）
这是最简单的一种ELK架构方式。优点是搭建简单,易于上手。缺点是Logstash耗资源较大,运行占用CPU和内存高。另外没有消息队列缓存,存在数据丢失隐患。
[root@elk-node-1 config]# cat logstash.conf
input {
  # nginx log written by the application at this fixed path. Every event
  # gets type "nginx", which the output section below keys its routing on.
  file {
    path => "/opt/app/nginx/logs/elk.log"
    type => "nginx"
    # "beginning": existing file content is read on the first run, not only
    # lines appended afterwards (per the file-input docs, sincedb then tracks
    # the offset across restarts).
    start_position => "beginning"
  }
  # System log: cron activity. NOTE(review): cron logs typically carry
  # usernames and the commands they ran, so treat this stream as sensitive
  # when deciding where it is shipped and who may read the resulting index.
  file {
    path => "/var/log/cron"
    type => "system"
    start_position => "beginning"
  }
}
output {
  # Route on the type set by the input: nginx events go to a daily
  # "test-yunshi-ht-nginx-YYYY.MM.dd" index. An event whose type matches
  # neither branch (none is produced by the inputs above) is dropped.
  if [type] == "nginx" {
    elasticsearch {
      # NOTE(review): bare host:port with no ssl/cacert/user/password
      # options, so events reach 10.0.0.61:9200 unencrypted and
      # unauthenticated. Only acceptable if port 9200 is reachable from
      # this host alone; otherwise enable TLS and credentials on both sides.
      hosts => ["10.0.0.61:9200"]
      index => "test-yunshi-ht-nginx-%{+YYYY.MM.dd}"
    }
  }
  # The cron stream is tagged type "system" but indexed as "...-cron-...";
  # presumably deliberate, but keep both names in mind when searching.
  if [type] == "system" {
    elasticsearch {
      # Same unencrypted, unauthenticated endpoint as the nginx branch.
      hosts => ["10.0.0.61:9200"]
      index => "test-yunshi-ht-cron-%{+YYYY.MM.dd}"
    }
  }
}
第二种情况
安装 Filebeat，由 Filebeat 直接写入 Elasticsearch，再由 Kibana 展示（下面配置中的 output.elasticsearch 指向的是 Elasticsearch，Filebeat 并不直接向 Kibana 传送数据）
[root@elk-node-1 filebeat]# cat filebeat.yml|egrep -v "^$|^#|#"
# Filebeat shipping straight to Elasticsearch (no Logstash in the path).
filebeat.inputs:
  # A single input tails both files. Nothing here (no `fields:` entry, no
  # per-file input) distinguishes nginx lines from cron lines, so they land
  # in the same index and can presumably only be told apart by the source
  # path field Filebeat attaches — verify for the Filebeat version in use.
  - type: log
    enabled: true
    paths:
      - /opt/app/nginx/logs/elk.log
      # NOTE(review): cron logs typically carry usernames and the commands
      # they ran; treat the resulting index as sensitive.
      - /var/log/cron
filebeat.config.modules:
  # Module configs are read from modules.d once at start; reload.enabled
  # false means edits there need a Filebeat restart to take effect.
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  # Single primary shard in the index template (test-scale setup).
  index.number_of_shards: 1
# Empty here; presumably its commented-out host line was dropped by the
# egrep filter used to print this file, so Kibana setup is not configured.
setup.kibana:
output.elasticsearch:
  # NOTE(review): this points at 172.16.1.61 while every other listing on
  # this page uses 10.0.0.61 — confirm which address the ES node actually
  # listens on. No `protocol: https`, `ssl.*`, `username` or `password` keys
  # are set, so data is sent in clear text and unauthenticated.
  hosts: ["172.16.1.61:9200"]
第三种情况
安装Filebeat和logstash
Filebeat 收集日志并传输到 Logstash，Logstash 再写入 Elasticsearch，最后由 Kibana 展示
此种架构将收集端的 Logstash 替换为 Beats，更灵活，消耗资源更少，扩展性更强；同时可配置 Logstash 和 Elasticsearch 集群，用于支持大集群系统的运维日志数据监控和查询。需要注意，本例同样未引入消息队列，第一种情况中提到的数据丢失隐患并未因此消除。
logstash配置:logstash.conf
[root@elk-node-1 config]# cat logstash.conf
input {
  # Accept events from Filebeat; the filebeat.yml below points
  # output.logstash at this port. NOTE(review): no `ssl => true` /
  # ssl_certificate / ssl_key / client-verification options, so the beats
  # hop is unencrypted and any host able to reach 5044 can send events
  # into the index.
  beats {
    port => "5044"
  }
}
output {
  # Prints every event to Logstash's stdout in rubydebug form. Handy while
  # validating the pipeline; NOTE(review): drop it before production use,
  # since it doubles output work and copies every log line (cron usernames
  # and commands included) into Logstash's own stdout/journal.
  stdout {codec => rubydebug}
  # Unlike the first listing there is no conditional on [type], and the
  # filebeat.yml below sets no distinguishing field: everything received —
  # the cron file as well as nginx — is written to the daily "...-nginx-..."
  # index. To keep them apart, Filebeat must tag events (e.g. a `fields:`
  # entry per input) and this output must branch on that field.
  elasticsearch {
    # NOTE(review): bare host:port with no ssl/cacert/user/password
    # options, so events reach 10.0.0.61:9200 unencrypted and
    # unauthenticated.
    hosts => ["10.0.0.61:9200"]
    index => "test-yunshi-ht-nginx-%{+YYYY.MM.dd}"
  }
}
[root@elk-node-1 filebeat]# cat filebeat.yml|egrep -v "^$|^#|#"
# Filebeat shipping to Logstash (third layout); Logstash does the ES write.
filebeat.inputs:
  # A single input tails both files with no `fields:` entry to tell them
  # apart, so the receiving Logstash pipeline has nothing but the source
  # path field to route on — it currently indexes both under "nginx".
  - type: log
    enabled: true
    paths:
      - /opt/app/nginx/logs/elk.log
      # NOTE(review): cron logs typically carry usernames and the commands
      # they ran; treat the shipped data as sensitive.
      - /var/log/cron
filebeat.config.modules:
  # Module configs are read from modules.d once at start; no live reload.
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  # NOTE(review): per the Filebeat docs the index template is only loaded
  # automatically when the output is Elasticsearch; with output.logstash
  # below it has to be loaded separately — confirm for this version.
  index.number_of_shards: 1
# Empty here; presumably its commented-out host line was dropped by the
# egrep filter used to print this file, so Kibana setup is not configured.
setup.kibana:
output.logstash:
  # Must match the beats input port in the logstash.conf above.
  # NOTE(review): no `ssl.*` keys, so the Filebeat->Logstash hop is
  # unencrypted and Logstash cannot verify which beat is sending.
  hosts: ["10.0.0.61:5044"]