Environment
| Host | IP | Role |
|---|---|---|
| k8s1 | 192.168.81.10 | cerebro |
| server1 | 192.168.81.11 | elasticsearch |
| server2 | 192.168.81.12 | elasticsearch |
| server3 | 192.168.81.13 | elasticsearch |
| server4 | 192.168.81.14 | logstash |
| server5 | 192.168.81.15 | kibana |
Software installation
[root@server1 ~]# rpm -ivh elasticsearch-7.6.1-x86_64.rpm
Modify the configuration
- [root@server1 ~]# cd /etc/elasticsearch/
- [root@server1 elasticsearch]# vim elasticsearch.yml
- cluster.name: my-es
- path.data: /var/lib/elasticsearch
- path.logs: /var/log/elasticsearch
- bootstrap.memory_lock: true
- network.host: 0.0.0.0
- http.port: 9200
- discovery.seed_hosts: ["server1", "server2", "server3"]
- cluster.initial_master_nodes: ["server1", "server2", "server3"]


Adjust system limits
- [root@server1 ~]# vim /etc/security/limits.conf
- elasticsearch soft memlock unlimited
- elasticsearch hard memlock unlimited
- elasticsearch - nofile 65535
- elasticsearch - nproc 4096

Modify the systemd unit file
- [root@server1 ~]# vim /usr/lib/systemd/system/elasticsearch.service
- [Service]
- ...
- LimitMEMLOCK=infinity

- [root@server1 ~]# systemctl daemon-reload
- [root@server1 ~]# swapoff -a
- [root@server1 ~]# vim /etc/fstab
- #/dev/mapper/rhel-swap swap swap defaults 0 0
-
- [root@server1 ~]# systemctl daemon-reload
- [root@server1 ~]# systemctl enable --now elasticsearch
Start the service with docker
- [root@k8s1 ~]# docker pull lmenezes/cerebro
- [root@k8s1 ~]# docker run -d --name cerebro -p 9000:9000 lmenezes/cerebro

Master: responsible for creating and deleting indices in the cluster and for rebalancing data. The master does not index or search data, so its load is light. When the master node becomes unreachable or goes down, the ES cluster automatically elects a new leader from the other master-eligible nodes.
Data Node: responsible for indexing and searching the cluster's data; usually under the heaviest load.
Coordinating Node: formerly the client node; its job is to distribute requests and merge the results. Every node is a coordinating node by default, and this role cannot be disabled.
Ingest Node: pre-processes documents before they are indexed.
- [root@server1 ~]# systemctl stop elasticsearch.service
- [root@server1 ~]# vim /etc/elasticsearch/elasticsearch.yml
- node.master: true
- node.data: false
- node.ingest: true
- node.ml: false
- [root@server1 elasticsearch]# systemctl restart elasticsearch.service
-
- [root@server2 ~]# systemctl stop elasticsearch.service
- [root@server2 ~]# vim /etc/elasticsearch/elasticsearch.yml
- node.master: true
- node.data: true
- node.ingest: false
- node.ml: false
- [root@server2 ~]# systemctl restart elasticsearch.service
-
- [root@server3 ~]# systemctl stop elasticsearch.service
- [root@server3 ~]# vim /etc/elasticsearch/elasticsearch.yml
- node.master: true
- node.data: true
- node.ingest: false
- node.ml: false
- [root@server3 ~]# systemctl restart elasticsearch.service

- [root@server4 ~]# yum install -y jdk-11.0.15_linux-x64_bin.rpm
- [root@server4 ~]# yum install -y logstash-7.6.1.rpm
Command-line mode
Standard input to standard output
[root@server4 bin]# /usr/share/logstash/bin/logstash -e 'input { stdin { } } output { stdout {} }'

Standard input to a file
- [root@server4 conf.d]# vim /etc/logstash/conf.d/file.conf
- input {
- stdin { }
- }
- output {
- file {
- path => "/tmp/logstash.txt" # output file path
- codec => line { format => "custom format: %{message}"} # custom output format
- }
- }
- [root@server4 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/file.conf
- [root@server4 conf.d]# cat /tmp/logstash.txt


Install dependencies
- [root@k8s1 ~]# yum install -y bzip2
- [root@k8s1 ~]# tar jxf phantomjs-2.1.1-linux-x86_64.tar.bz2
- [root@k8s1 ~]# cd phantomjs-2.1.1-linux-x86_64
- [root@k8s1 phantomjs-2.1.1-linux-x86_64]# cp bin/phantomjs /usr/local/bin/
- [root@k8s1 ~]# yum install -y fontconfig
- [root@k8s1 ~]# phantomjs
- phantomjs>

Install the plugin
- [root@k8s1 ~]# rpm -ivh nodejs-9.11.2-1nodesource.x86_64.rpm
- [root@k8s1 ~]# yum install -y unzip
- [root@k8s1 ~]# unzip elasticsearch-head-master.zip
- [root@k8s1 ~]# cd elasticsearch-head-master/
- [root@k8s1 elasticsearch-head-master]# npm install --registry=https://registry.npm.taobao.org
-
- [root@k8s1 elasticsearch-head-master]# vim _site/app.js

Start the service
[root@k8s1 elasticsearch-head-master]# npm run start &
Modify the ES configuration
- [root@server1 ~]# vim /etc/elasticsearch/elasticsearch.yml
- http.cors.enabled: true
- http.cors.allow-origin: "*"
-
- [root@server1 ~]# systemctl restart elasticsearch.service
-
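These CORS lines, together with network.host: 0.0.0.0 at the top of the page, are what let elasticsearch-head reach the cluster; they also mean any browser page or host that can reach port 9200 can talk to it. The script below is an added review helper, not Elastic's code and not part of the page: it parses the page's own elasticsearch.yml lines and reports the exposure-related settings. It assumes the 7.x defaults (network.host binds loopback only unless set, and xpack.security.enabled is false unless explicitly set to true).

```python
"""Added review helper for the elasticsearch.yml lines on this page (not
Elastic's code). Assumes Elasticsearch 7.x defaults: loopback-only binding
unless network.host is set, security features off unless
xpack.security.enabled is true."""

# The settings exactly as they appear on this page, concatenated.
PAGE_CONFIG = """
cluster.name: my-es
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["server1", "server2", "server3"]
cluster.initial_master_nodes: ["server1", "server2", "server3"]
http.cors.enabled: true
http.cors.allow-origin: "*"
"""


def parse_settings(text):
    """Parse flat 'key: value' lines, the only form used on this page.
    Comments are dropped; a [a, b] value becomes a Python list."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if value.startswith("[") and value.endswith("]"):
            settings[key] = [v.strip().strip("\"'")
                             for v in value[1:-1].split(",") if v.strip()]
        else:
            settings[key] = value.strip("\"'")
    return settings


def review(settings):
    """Return (setting, finding) pairs for the exposure-related settings."""
    findings = []
    host = settings.get("network.host", "localhost")
    security_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    if host in ("0.0.0.0", "::") and not security_on:
        findings.append(("network.host",
                         "port %s listens on every interface with security "
                         "features off: anyone who can reach it can read and "
                         "modify every index" % settings.get("http.port", "9200")))
    if (settings.get("http.cors.enabled", "false").lower() == "true"
            and settings.get("http.cors.allow-origin") == "*"):
        findings.append(("http.cors.allow-origin",
                         "any web origin may call the cluster from a user's "
                         "browser; restrict it to the head/cerebro origin"))
    if settings.get("bootstrap.memory_lock", "false").lower() == "true":
        findings.append(("bootstrap.memory_lock",
                         "needs memlock unlimited in limits.conf and "
                         "LimitMEMLOCK=infinity in the unit; with a non-loopback "
                         "network.host the bootstrap check otherwise stops the node"))
    return findings


if __name__ == "__main__":
    for setting, finding in review(parse_settings(PAGE_CONFIG)):
        print(f"{setting}: {finding}")
```

Run it as-is to see the three findings for the page's configuration; with xpack.security.enabled: true and a concrete allow-origin, only the memlock reminder remains.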

Create an index

- [root@server4 conf.d]# pwd
- /etc/logstash/conf.d
- [root@server4 conf.d]# vim test.conf
- input {
- stdin { }
- }
-
- output {
- stdout {}
-
- elasticsearch {
- hosts => "192.168.81.11:9200"
- index => "logstash-%{+YYYY.MM.dd}"
- }
- }
-
- [root@server4 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf

After it starts, type data at the prompt; press Ctrl+C to exit.

- [root@server4 conf.d]# vim test.conf
- input {
- file {
- path => "/var/log/messages"
- start_position => "beginning"
- }
- }
-
- output {
- stdout {}
-
- elasticsearch {
- hosts => "192.168.81.11:9200"
- index => "syslog-%{+YYYY.MM.dd}"
- }
-
- }
-
- [root@server4 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
-


The .sincedb file records how far each file has been read, so data is not read a second time.
- [root@server4 conf.d]# cd /usr/share/logstash/data/plugins/file
- [root@server4 file]# ls -i /var/log/messages
- [root@server4 file]# cat .sincedb_452905a167cf4509fd08acb964fdb20c
A sincedb record has 6 fields in total.
After it is deleted, the file is read again.
[root@server4 file]# rm -f .sincedb_452905a167cf4509fd08acb964fdb20c
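As an added example (not Logstash's own code), the script below parses that record layout and compares the recorded progress with the file on disk, which shows why deleting the record, rotating the file (new inode) or truncating it makes Logstash read the file again. It assumes the Logstash 7.6 file input layout of inode, major device number, minor device number, byte offset, last-active timestamp and path, and also accepts the older four-field layout without the last two. The log line and the sincedb record it builds are constructed.

```python
"""Added example (not Logstash's code): parse sincedb records and check the
recorded read position against the file currently on disk."""
import os
import tempfile

# Constructed syslog-style line used to build the sample file below.
LINE = b"May  1 10:00:00 server4 kernel: constructed sample line\n"


def parse_sincedb(text):
    """Parse sincedb records. Assumed layout (file input 4.x, Logstash 7.6):
    inode, major device, minor device, byte offset, last-active timestamp,
    path. The legacy four-field layout (no timestamp, no path) is accepted
    too so an old file does not break the parser."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 5)          # path may contain spaces
        if len(parts) not in (4, 6):
            continue
        records.append({
            "inode": int(parts[0]), "major": int(parts[1]),
            "minor": int(parts[2]), "offset": int(parts[3]),
            "timestamp": float(parts[4]) if len(parts) == 6 else None,
            "path": parts[5] if len(parts) == 6 else None,
        })
    return records


def progress(record):
    """Compare a record with the file now at its path.
    Returns (state, bytes_not_yet_read)."""
    try:
        st = os.stat(record["path"])
    except (FileNotFoundError, TypeError):
        return ("missing", 0)
    if st.st_ino != record["inode"]:
        # Rotation put a new file under the old name. The plugin keys its
        # progress on the inode, so this file has no recorded position yet.
        return ("rotated", st.st_size)
    if st.st_size < record["offset"]:
        return ("truncated", st.st_size)
    return ("tracked", st.st_size - record["offset"])


def demo():
    """Build a temp file plus a constructed record saying the first line has
    been read, then walk it through truncation, rotation and deletion."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "messages")
    with open(path, "wb") as fh:
        fh.write(LINE * 3)
    st = os.stat(path)
    record = parse_sincedb(
        f"{st.st_ino} {os.major(st.st_dev)} {os.minor(st.st_dev)} "
        f"{len(LINE)} 1651392000.0 {path}")[0]
    result = {"tracked": progress(record)}
    with open(path, "wb") as fh:             # same inode, shorter content
        fh.write(b"x\n")
    result["truncated"] = progress(record)
    rotated = path + ".new"
    with open(rotated, "wb") as fh:
        fh.write(LINE)
    os.replace(rotated, path)                # new inode under the old name
    result["rotated"] = progress(record)
    os.remove(path)
    result["missing"] = progress(record)
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    for state, value in demo().items():
        print(state, value)
```

Compare the inode printed by ls -i /var/log/messages with the first field of the record: when they differ, the record no longer describes the file you are looking at.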
Logstash acting as a syslog server
- [root@server4 conf.d]# vim syslog.conf
- input {
- syslog {}
- }
-
- output {
- stdout {}
-
- elasticsearch {
- hosts => "192.168.81.11:9200"
- index => "syslog-%{+YYYY.MM.dd}"
- }
-
- }
-
- [root@server4 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/syslog.conf


Configure the client to forward its logs
- [root@server1 ~]# vim /etc/rsyslog.conf
- $ModLoad imudp
- $UDPServerRun 514
-
- *.* @@192.168.56.14:514
-
- [root@server1 ~]# systemctl restart rsyslog.service
- [root@server1 ~]# logger server1



The multiline codec merges a log record that spans several lines into a single event.
Copy a sample log file from server1
- [root@server1 elasticsearch]# cd /var/log/elasticsearch
- [root@server1 elasticsearch]# scp my-es.log server4:/var/log/
- [root@server4 conf.d]# vim test.conf
- input {
-
- file {
- path => "/var/log/my-es.log"
- start_position => "beginning"
- codec => multiline {
- pattern => "^\["
- negate => true
- what => previous
- }
- }
-
- }
-
- output {
- stdout {}
-
- elasticsearch {
- hosts => "192.168.81.11:9200"
- index => "myeslog-%{+YYYY.MM.dd}"
- }
-
- }
-
- [root@server4 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
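To make the pattern/negate/what rule concrete, the script below reimplements the codec's merging decision in Python and runs it over constructed lines shaped like an Elasticsearch 7 log with a Java stack trace. It is an added example, not the codec's own code; it goes beyond the page in also handling what => next, and the log lines are constructed.

```python
"""Added example (not Logstash's code): the multiline codec's merge rule."""
import re


def merge_multiline(lines, pattern, negate=False, what="previous"):
    """Merge lines the way the multiline codec does.

    A line "matches" when the regex is found in it; negate flips that.
    A matching line is glued to the previous event (what="previous") or
    held so the next line is glued to it (what="next")."""
    regex = re.compile(pattern)
    events, buffer = [], []
    for line in lines:
        matched = bool(regex.search(line)) != negate
        if what == "previous":
            if matched and buffer:
                buffer.append(line)          # continuation of the open event
            else:
                if buffer:
                    events.append("\n".join(buffer))
                buffer = [line]              # this line opens a new event
        elif what == "next":
            buffer.append(line)
            if not matched:                  # a non-matching line closes it
                events.append("\n".join(buffer))
                buffer = []
        else:
            raise ValueError("what must be 'previous' or 'next'")
    if buffer:                               # flush what is still open at EOF
        events.append("\n".join(buffer))
    return events


# Constructed lines in the layout of an Elasticsearch 7 log: each record
# starts with "[timestamp]" and a stack trace continues on extra lines.
SAMPLE_ES_LOG = [
    "[2022-05-01T10:00:00,000][INFO ][o.e.n.Node] [server1] started",
    "[2022-05-01T10:00:01,000][WARN ][o.e.c.r.a.DiskThresholdMonitor] [server1] high disk watermark exceeded",
    "java.lang.IllegalStateException: constructed example failure",
    "\tat org.example.Foo.bar(Foo.java:42)",
    "\tat org.example.Main.main(Main.java:7)",
    "[2022-05-01T10:00:02,000][INFO ][o.e.n.Node] [server1] stopped",
]


def demo():
    """The page's settings: pattern "^\\[", negate true, what previous."""
    return merge_multiline(SAMPLE_ES_LOG, r"^\[", negate=True, what="previous")


if __name__ == "__main__":
    for event in demo():
        print(repr(event))
```

With negate true every line that does not start with "[" is treated as a continuation, so the warning and its three trace lines become one event while the two "started"/"stopped" lines stay separate. A continuation line arriving first (no open event) simply opens a new one.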


- [root@server4 ~]# yum install -y httpd
- [root@server4 ~]# systemctl enable --now httpd
- [root@server4 ~]# echo www.westos.org > /var/www/html/index.html
Access the site to generate log entries
[root@k8s1 ~]# ab -c1 -n 100 http://192.168.81.14/index.html


- [root@server4 conf.d]# vim grok.conf
- input {
- file {
- path => "/var/log/httpd/access_log"
- start_position => "beginning"
- }
- }
-
- filter {
- grok {
- match => { "message" => "%{HTTPD_COMBINEDLOG}" }
- }
- }
-
- output {
- stdout {}
-
- elasticsearch {
- hosts => "192.168.81.11:9200"
- index => "apachelog-%{+YYYY.MM.dd}"
- }
-
- }
-
- [root@server4 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/grok.conf
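The page does not show which fields %{HTTPD_COMBINEDLOG} produces. The script below is an added example, not grok's code: it applies an equivalent regex with the same capture names grok uses (clientip, ident, auth, timestamp, verb, request, httpversion, rawrequest, response, bytes, referrer, agent) to constructed access-log lines of the kind ab generates, tags lines that do not parse the way grok does, and counts responses per client. The surrounding quotes of referrer and agent are stripped here.

```python
"""Added example (not grok's code): parse Apache combined log lines with the
field names the HTTPD_COMBINEDLOG grok pattern produces."""
import re
from collections import Counter

COMBINED = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?:(?P<verb>[A-Z]+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?'
    r'|(?P<rawrequest>[^"]*))" (?P<response>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed lines in the shape ab and curl leave in httpd's access_log.
SAMPLE_ACCESS_LOG = [
    '192.168.81.10 - - [01/May/2022:10:00:00 +0800] "GET /index.html HTTP/1.0" 200 15 "-" "ApacheBench/2.3"',
    '192.168.81.10 - - [01/May/2022:10:00:01 +0800] "GET /index.html HTTP/1.0" 304 - "-" "ApacheBench/2.3"',
    '192.168.81.12 - - [01/May/2022:10:00:02 +0800] "GET /missing HTTP/1.1" 404 196 "-" "curl/7.61.1"',
    'garbage line that is not an access log record',
]


def parse_line(line):
    """Return the event dict Logstash would build for one line. A line that
    does not match gets the _grokparsefailure tag instead of fields."""
    event = {"message": line}
    match = COMBINED.match(line)
    if not match:
        event["tags"] = ["_grokparsefailure"]
        return event
    fields = {k: v for k, v in match.groupdict().items() if v is not None}
    fields["response"] = int(fields["response"])
    # Apache writes "-" when no body was sent (e.g. 304); keep that as None.
    fields["bytes"] = None if fields["bytes"] == "-" else int(fields["bytes"])
    event.update(fields)
    return event


def parse_access_log(lines):
    return [parse_line(line) for line in lines]


def status_by_client(events):
    """Count (clientip, response) pairs; a quick way to spot one client
    producing many error responses once the events are in Elasticsearch."""
    return Counter((e["clientip"], e["response"])
                   for e in events if "clientip" in e)


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_ACCESS_LOG)
    for event in parsed:
        print(event)
    print(status_by_client(parsed))
```

Searching the apachelog-* index for tags:_grokparsefailure is the quickest way to find log lines the pattern did not understand.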


- [root@server5 ~]# rpm -ivh kibana-7.6.1-x86_64.rpm
-
- [root@server5 ~]# cd /etc/kibana/
- [root@server5 kibana]# vim kibana.yml
-
- server.host: "0.0.0.0"
-
- elasticsearch.hosts: ["http://192.168.81.11:9200"]
-
- i18n.locale: "zh-CN"
-
- [root@server5 kibana]# systemctl enable --now kibana


Open the web page: http://192.168.81.15:5601
