ELK 搭建及實戰(zhàn)
JDK1.8環(huán)境搭建和Kibana實戰(zhàn)部署
ELK介紹和JDK1.8環(huán)境搭建
實戰(zhàn)環(huán)境
- Centos7
- 關閉Iptables / firewalld
- 關閉Selinux
ELK功能
- Elasticsearch用來存儲數據
- Logstash用來收集數據
- Kibana用來展現數據
實戰(zhàn)環(huán)境
- 192.168.220.135 部署Kibana触机、ES
- 192.168.220.136 部署Logstash
- JDK1.8環(huán)境搭建
- 安裝JDK
- 配置環(huán)境變量
Yum安裝jdk1.8儡首,不建議
- 鏈接:https://www.elastic.co/downloads/logstash
- yum install java-1.8.0-openjdk -y
- Elasticsearch偏友、Logstash依賴于java環(huán)境
JDK的二進制安裝
- Jdk1.8二進制包下載路徑http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
- 下載賬號 2696671285@qq.com=Oracle123
- 解壓到對應安裝目錄/usr/local/或者/opt/
- 驗證安裝/usr/local/jdk1.8.0_201/bin/java -version
# 安裝命令
cd /usr/local/src
tar -zxf jdk-8u201-linux-x64.tar.gz
mv jdk1.8.0_201 /usr/local/
# 配置Java環(huán)境變量/etc/profile
export JAVA_HOME=/usr/local/jdk1.8.0_201/
export PATH=$PATH:$JAVA_HOME/bin
export CLASSPATH=.:$JAVA_HOME/lib/tools.jar:$JAVA_HOME/lib/dt.jar:$CLASSPATH\
# 驗證環(huán)境變量
java -version
Kibana 二進制安裝和啟動
ELK功能
- Kibana用來展現數據
- Elasticsearch用來存儲數據
- Logstash用來收集數據
ELK下載地址
- ELK6版本
- https://artifacts.elastic.co
- ELK下載比較慢位他,提供百度網盤的下載鏈接
資源下載地址和提取碼
鏈接:https://pan.baidu.com/s/1r4KsX9nKxuRbXWmdacAChg
提取碼:cxcx
實戰(zhàn)環(huán)境
- 192.168.237.135部署Kibana、ES
- 192.168.237.136部署Logstash
安裝Kibana
- 下載Kibana二進制包
- 解壓到/usr/local完成安裝
Kibana安裝腳本
cd /usr/local/src/
tar -zxf kibana-7.8.0-linux-x86_64.tar.gz
mv kibana-7.8.0-linux-x86_64 /usr/local/kibana-7.8.0
修改Kibana配置/usr/local/kibana-7.8.0/config/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
#elasticsearch.url: "http://localhost:9200"
#elasticsearch.username: "user"
#elasticsearch.password: "pass"
Kibana的啟動和訪問
-
前臺啟動Kibana
/usr/local/kibana-7.8.0/bin/kibana --allow-root -
后臺啟動Kibana
nohup /usr/local/kibana-7.8.0/bin/kibana --allow-root >/tmp/kibana.log 2>/tmp/kibana.log & 訪問Kibana舞竿,需要開放5601端口
Kibana的安全說明
- 默認無密碼窿冯,也是誰都能夠訪問
- 如果使用云廠商,可以在安全組控制某個IP的訪問
- 建議借用Nginx實現用戶名密碼登錄
Kibana借用Nginx實現認證
默認的Kibana
- 任何人都能無密碼訪問Kibana
- 借用Nginx實現登錄認證
- Nginx控制源IP訪問、Nginx可以使用用戶名密碼的方式
Kibana借用Nginx來實現簡單認證
- Kibana監(jiān)聽在127.0.0.1
- 部署Nginx鄙皇,使用Nginx來轉發(fā)
Nginx編譯安裝
yum install -y lrzsz wget gcc gcc-c++ make pcre pcre-devel zlib zlib-devel
cd /usr/local/src
wget 'http://nginx.org/download/nginx-1.18.0.tar.gz'
tar -zxvf nginx-1.18.0.tar.gz
cd nginx-1.18.0
./configure --prefix=/usr/local/nginx && make && make install
Nginx環(huán)境變量設置
- export PATH=$PATH:/usr/local/nginx/sbin/
- 驗證環(huán)境變量
Nginx兩種限制
- 限制源IP訪問仰挣,比較安全,訪問的IP得不變
- 使用用戶名密碼的方式错蝴,通用
Nginx限制源IP訪問
vi /usr/local/nginx/conf/nginx.conf
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log logs/access.log main;
server {
listen 5602;
location / {
allow 127.0.0.1;
allow 192.168.220.1;
deny all;
proxy_pass http://127.0.0.1:5601;
}
}
nginx -s reload
觀察訪問日志
- /usr/local/nginx/logs/access.log
- 如果被拒絕了可以在日志里找到源IP
Nginx配置使用用戶名密碼的方式
# 創(chuàng)建用戶名密碼文件
# 這里用戶名為 admin香椎, 密碼為 admin(需要使用openssl進行加密)
printf "admin:$(openssl passwd -1 admin)\n" >/usr/local/nginx/conf/htpasswd
vi /usr/local/nginx/conf/nginx.conf
location / {
# allow 127.0.0.1;
# allow 192.168.220.1;
# deny all;
auth_basic "elk auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
proxy_pass http://127.0.0.1:5601;
}
nginx -s reload
# 訪問測試
Elasticsearch實戰(zhàn)部署和使用入門
Elasticsearch二進制安裝和啟動
ELK功能
- Kibana用來展現數據
- Elasticsearch用來存儲數據
- Logstash用來收集數據
Elasticsearch
- 使用Java開發(fā),安裝方便
- Elasticsearch提供Http接口
- Elasticsearch提供集群模式
Kibana網頁訪問問題
- Kibana網頁在Elasticsearch還沒安裝前無法訪問
- 安裝完Elasticsearch就好了
Elasticsearch的安裝
- 下載二進制包
- 解壓到對應目錄完成安裝/usr/local/
- 目錄屬主更新為elk馍惹,Elasticsearch無法用root啟動
ES的安裝腳本
cd /usr/local/src
tar -zxf elasticsearch-7.8.0.tar.gz
mv elasticsearch-7.8.0 /usr/local/
Elasticsearch配置
vi /usr/local/elasticsearch-7.8.0/config/elasticsearch.yml
path.data: /usr/local/elasticsearch-7.8.0/data
path.logs: /usr/local/elasticsearch-7.8.0/logs
network.host: 127.0.0.1
http.port: 9200
JVM的內存限制更改jvm.options
vi /usr/local/elasticsearch-7.8.0/config/jvm.options/
-Xms128M
-Xmx128M
Elasticsearch的啟動万矾,得用普通用戶啟動
useradd -s /sbin/nologin elk
chown -R elk:elk /usr/local/elasticsearch-7.8.0/
su - elk -s /bin/bash
/usr/local/elasticsearch-7.8.0/bin/elasticsearch -d
驗證啟動是否成功
-
觀察日志
tail -f /usr/local/elasticsearch-7.8.0/logs/elasticsearch.log 觀察Kibana網頁
Elasticsearch啟動注意事項
Elasticsearch啟動注意
- Elasticsearch如果啟動在127.0.0.1的話,可以啟動成功
- Elasticsearch如果要跨機器通訊良狈,需要監(jiān)聽在真實網卡上
- 監(jiān)聽在真實網卡需要調整系統(tǒng)參數才能正常啟動
Elasticsearch監(jiān)聽在非127.0.0.1
- 監(jiān)聽在0.0.0.0或者內網地址
- 以上兩種監(jiān)聽都需要調整系統(tǒng)參數
vi /usr/local/elasticsearch-7.8.0/config/elasticsearch.yml
network.host: 0.0.0.0
ES啟動四個報錯的處理
[1]: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536]
[2]: max number of threads [3829] for user [elk] is too low, increase to at least [4096]
[3]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
[4]: the default discovery settings are unsuitable for production use; at least one of [discovery.seed_hosts, discovery.seed_providers, cluster.initial_master_nodes] must be configured
[elk@ES ~]$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 3818
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 3818
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
[elk@ES ~]$ cat /etc/security/limits.d/20-nproc.conf
# Default limit for number of user's processes to prevent
# accidental fork bombs.
# See rhbz #432903 for reasoning.
* soft nproc 4096
root soft nproc unlimited
[elk@ES ~]# sysctl -a | grep max_map_count
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.ens33.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
vm.max_map_count = 65530
錯誤1:最大文件打開數調整
vi /etc/security/limits.conf
* - nofile 65536
錯誤2: 最大打開進程數調整
vi /etc/security/limits.d/20-nproc.conf
* - nproc 4096
錯誤3:內核參數調整
vi /etc/sysctl.conf
vm.max_map_count = 262144
[root@ES ~]# sysctl -p
vm.max_map_count = 262144
錯誤4:ip替換host1等薪丁,多節(jié)點請?zhí)砑佣鄠€ip地址馅精,單節(jié)點可寫按默認來
vi /usr/local/elasticsearch-7.8.0/config/elasticsearch.yml
node.name: node-1 # 開放該行注釋
cluster.initial_master_nodes: ["node-1","node-2"] #這里的node-1為node-name配置的值
Caused by: java.lang.IllegalStateException: failed to obtain node locks, tried [[/usr/local/elasticsearch-7.8.0/data]] with lock id [0]; maybe these locations are not writable or mult
iple nodes were started without increasing [node.max_local_storage_nodes] (was [1])?尋找主要信息:failed to obtain node locks
ps aux | grep ‘elasticsearch
重啟 elasticsearch 可以看到監(jiān)聽在 0.0.0.0:9200和9300端口
su - elk -s /bin/bash
/usr/local/elasticsearch-7.8.0/bin/elasticsearch -d
netstat -lnp
tcp6 0 0 :::9200 :::* LISTEN 8167/java
tcp6 0 0 :::9300 :::* LISTEN 8167/java
訪問 192.168.237.135:9200 可以看到返回的json
Elasticsearch監(jiān)聽網卡建議
- 如果學習,建議監(jiān)聽在127.0.0.1
- 如果是云服務器的話漫玄,一定把9200和9300公網入口在安全組限制一下
- 自建機房的話压彭,建議監(jiān)聽在內網網卡,監(jiān)聽在公網會被入侵
用網頁訪問ES
Elasticsearch的基本操作
Elasticsearch的概念
索引 ->類似于 Mysql 中的數據庫
類型 ->類似于 Mysql 中的數據表
文檔 ->存儲數據
Elasticsearch的數據操作
手動 curl 操作 Elasticsearch 會比較難
借用 Kibana 來操作 Elasticsearch
測試Web接口(確保kibana 和 elasticsearch 都成功啟動)
瀏覽器訪問 kibana
Kibana操作:在 kibana 首頁菜單欄的 Management 中找到 Dev Tools壮不,輸入 GET / 運行,會看到es的返回
索引操作
創(chuàng)建索引
PUT /shijiange
刪除索引
DELETE /shijiange
獲取所有索引
GET /_cat/indices?v
Elasticsearch增刪改查
ES插入數據
PUT /shijiange/users/1
{
"name":"shijiange",
"age": 30
}
PUT /shijiange/users/2
{
"name":"justdoit",
"age": 20
}
ES查詢數據
GET /shijiange/users/1
GET /shijiange/_search?q=*
修改數據衡未、覆蓋, 此時會覆蓋 /user/1的所有內容
PUT /shijiange/users/1
{
"name": "justdoit",
"age": 45
}
ES刪除數據
DELETE /shijiange/users/1
修改某個字段、不覆蓋
POST /shijiange/users/2/_update
{
"doc": {
"age": 29
}
}
修改所有的數據
POST /shijiange/_update_by_query
{
"script": {
"source": "ctx._source['age']=30"
},
"query": {
"match_all": {}
}
}
增加一個字段
POST /shijiange/_update_by_query
{
"script":{
"source": "ctx._source['city']='hangzhou'"
},
"query":{
"match_all": {}
}
}
Logstash實戰(zhàn)部署和簡單使用
Logstash二進制安裝和啟動
ELK功能
Kibana用來展現數據
Elasticsearch用來存儲數據
Logstash用來收集數據
Logstash的安裝
依賴于Java環(huán)境
下載二進制安裝文件
解壓到對應目錄完成安裝/usr/local/
# Logstash的安裝腳本
cd /usr/local/src
tar -zxf logstash-7.8.0.tar.gz
mv logstash-7.8.0 /usr/local/
Logstash的JVM配置文件更新
vi /usr/local/logstash-7.8.0/config/jvm.options
-Xms200M
-Xmx200M
Logstash支持
Logstash分為輸入如失、輸出
輸入:標準輸入送粱、日志等
輸出:標準輸出、ES等
Logstash最簡單配置
vi /usr/local/logstash-7.8.0/config/logstash.conf
input{
stdin{}
}
output{
stdout{
codec=>rubydebug
}
}
Logstash 啟動和測試
# 前臺啟動logStash
/usr/local/logstash-7.8.0/bin/logstash -f /usr/local/logstash-7.8.0/config/logstash.conf
# 后臺啟動logStash
nohup /usr/local/logstash-7.8.0/bin/logstash -f /usr/local/logstash-7.8.0/config/logstash.conf >/tmp/logstash.log 2>/tmp/logstash.log &
[2020-07-13T02:16:32,349][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
shijiange
{
"host" => "Logstash",
"message" => "shijiange",
"@version" => "1",
"@timestamp" => 2020-07-13T06:19:46.926Z
}
logstash啟動較慢脆丁,因此使用 haveged 來調優(yōu)
yum install -y epel-release
yum install -y haveged
systemctl enable haveged
systemctl start haveged
Logstash讀取日志
vi /usr/local/logstash-7.8.0/config/logstash.conf
input {
file {
path => "/var/log/secure"
}
}
output{
stdout{
codec=>rubydebug
}
}
/var/log/secure 是登錄日志內容动雹,Logstash不會收集舊的日志,只會收集新的胰蝠,當新的shell登錄進服務器后,Logstash 會顯示登錄日志
[2020-07-13T02:31:35,125][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
/usr/local/logstash-7.8.0/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
{
"@timestamp" => 2020-07-13T06:32:12.536Z,
"path" => "/var/log/secure",
"host" => "Logstash",
"message" => "Jul 13 02:32:12 localhost sshd[1086]: Accepted password for root from 192.168.220.1 port 51120 ssh2",
"@version" => "1"
}
{
"@timestamp" => 2020-07-13T06:32:12.574Z,
"path" => "/var/log/secure",
"host" => "Logstash",
"message" => "Jul 13 02:32:12 localhost sshd[1086]: pam_unix(sshd:session): session opened for user root by (uid=0)",
"@version" => "1"
}
Logstash讀取日志發(fā)送到ES
實戰(zhàn)環(huán)境
- 192.168.220.135: es
- 192.168.220.136: logstash
Logstash和ES結合說明
- Logstash支持讀取日志發(fā)送到ES
- 但Logstash用來收集日志比較消耗內存躲庄,后面將對這個進行優(yōu)化
Logstash配置發(fā)送日志到ES數據庫 ( Logstash 要先配置 Nginx噪窘,然后啟動)
vi /usr/local/logstash-7.8.0/config/logstash.conf
input {
file {
path => "/usr/local/nginx/logs/access.log"
}
}
output {
elasticsearch {
hosts => ["http://192.168.220.135:9200"]
}
}
重載配置
# 重啟 logstash
ps -aux | grep logstash
root 1025 8.1 47.6 2383176 476408 pts/0 Sl+ 02:30 26:53 /usr/local/jdk1.8.0_251//bin/java
kill -1 1025
# 瀏覽器訪問 logstash 服務器地址效扫,會請求到nginx,access日志 logstash 會發(fā)送到 ES
# 此時在 kibana 中 GET /_cat/indices?v 能夠查到 es 多了一條 名為 logstash + 日期的索引
Logstash收集日志必要點
- 日志文件需要有新日志產生
- Logstash跟Elasticsearch要能通訊
Kibana上查詢數據
- GET /logstash-2019.02.20/_search?q=*
- Kibana上創(chuàng)建索引直接查看日志
kibana 菜單欄選擇 Discover 菌仁, 在Step 1 of 2: Define index pattern 的 Index pattern 中填入 logstash-* 查看所有日期的 logstash 日志少漆,點擊 next step辟狈。 Time Filter field name Refresh 選擇 @timestamp 點擊Create index pattern。 創(chuàng)建成功后 ,再點擊Discover 就可以看到直觀的索引數據
Kibana簡單查詢
- 根據字段查詢:message: "_msearch"
- 根據字段查詢:選中查詢
ELK流程
Logstash讀取日志 -> ES存儲數據 -> Kibana展現
ELK實戰(zhàn)分析Nginx日志
正則表達式基礎簡介
發(fā)送整行日志存在的問題
- 整行message一般我們并不關心
- 需要對message進行段拆分,需要用到正則表達式
正則表達式
- 使用給定好的符號去表示某個含義
- 例如.代表任意字符
- 正則符號當普通符號使用需要加反斜杠
正則的發(fā)展
- 普通正則表達式
- 擴展正則表達式
普通正則表達式
. 任意一個字符
* 前面一個字符出現0次或者多次
[abc] 中括號內任意一個字符
[^abc] 非中括號內的字符
[0-9] 表示一個數字
[a-z] 小寫字母
[A-Z] 大寫字母
[a-zA-Z] 所有字母
[a-zA-Z0-9] 所有字母+數字
[^0-9] 非數字
^xx 以xx開頭
xx$ 以xx結尾
\d 任何一個數字
\s 任何一個空白字符
擴展正則表達式,在普通正則符號再進行了擴展
? 前面字符出現0或者1次
+ 前面字符出現1或者多次
{n} 前面字符匹配n次
{a,b} 前面字符匹配a到b次
{,b} 前面字符匹配0次到b次
{a,} 前面字符匹配a或a+次
(string1|string2) string1或string2
簡單提取IP
-
1.1.1.1 114.114.114.114 255.277.277.277
1-3個數字.1-3個數字.1-3個數字.1-3個數字
[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}
Logstash正則分析Nginx日志
Nginx日志說明
-
192.168.220.1 - - [13/Jul/2020:22:57:22 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36"
訪問IP地址 - - [訪問時間] "請求方式(GET/POST) /請求URL" 狀態(tài)碼 響應body大小 "-" "Referer User Agent"
Logstash正則提取日志
- 需要懂得正則颂碘,Logstash支持普通正則和擴展正則
- 需要了解Grok,利用Kibana的Grok學習Logstash正則提取日志
Grok提取Nginx日志
- Grok使用
(?<xxx>提取內容)來提取xxx字段 - 提取客戶端IP:
(?<clientip>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) - 提取時間:
\[(?<requesttime>[^ ]+ \+[0-9]+)\]
Grok提取Nginx日志
(?<clientip>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) - - \[(?<requesttime>[^ ]+ \-?\+?[0-9]+)\] "(?<requesttype>[A-Z]+) (?<requesturl>[^ ]+) HTTP/\d.\d" (?<status>[0-9]+) (?<bodysize>[0-9]+) "[^"]+" "(?<ua>[^"]+)"
提取Tomcat等日志使用類似的方法
Logstash正則提取Nginx日志
vi /usr/local/logstash-7.8.0/config/logstash.conf
input {
file {
path => "/usr/local/nginx/logs/access.log"
}
}
filter {
grok {
match => {
"message" => '(?<clientip>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) - - \[(?<requesttime>[^ ]+ \-?\+?[0-9]+)\] "(?<requesttype>[A-Z]+) (?<requesturl>[^ ]+) HTTP/\d.\d" (?<status>[0-9]+) (?<bodysize>[0-9]+) "[^"]+" "(?<ua>[^"]+)"'
}
}
}
output {
elasticsearch {
hosts => ["http://192.168.220.135:9200"]
}
}
重啟 logstash 鼠证,進入 kibana 的 Discover 可以看到左側多出現了 Available fields
注意正則提取失敗的情況
echo "shijiange" >> /usr/local/nginx/logs/access.log、
會出現一個 tags 顯示 _grokparsefailure
Logstash正則提取出錯就不輸出到ES
vi /usr/local/logstash-7.8.0/config/logstash.conf
output{
if "_grokparsefailure" not in [tags] and "_dateparsefailure" not in [tags] {
elasticsearch {
hosts => ["http://192.168.220.135:9200"]
}
}
}
Logstash去除不需要的字段
去除字段注意
- 只能去除_source里的
- 非_source里的去除不了
- remove_field => ["message","@version","path"]
Logstash配置去除不需要的字段
vi /usr/local/logstash-7.8.0/config/logstash.conf
filter {
grok {
match => {
"message" => '(?<clientip>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) - - \[(?<requesttime>[^ ]+ \-?\+?[0-9]+)\] "(?<requesttype>[A-Z]+) (?<requesturl>[^ ]+) HTTP/\d.\d" (?<status>[0-9]+) (?<bodysize>[0-9]+) "[^"]+" "(?<ua>[^"]+)"'
}
remove_field => ["message","@version","path"]
}
}
去除字段
- 減小ES數據庫的大小
- 提升搜索效率
ELK覆蓋時間軸和全量分析Nginx
默認ELK時間軸
- 以發(fā)送日志的時間為準
- 而Nginx上本身記錄著用戶的訪問時間
- 分析Nginx上的日志以用戶的訪問時間為準量九,而不以發(fā)送日志的時間
Logstash分析所有Nginx日志(包括之前的日志)
vi /usr/local/logstash-7.8.0/config/logstash.conf
input {
file {
path => "/usr/local/nginx/logs/access.log"
start_position => "beginning"
sincedb_path => "/dev/null"
}
}
Logstash的filter里面加入配置24/Feb/2019:21:08:34 +0800
vi /usr/local/logstash-7.8.0/config/logstash.conf
input {
file {
path => "/usr/local/nginx/logs/access.log"
start_position => "beginning"
sincedb_path => "/dev/null"
}
}
filter {
grok {
match => {
"message" => '(?<clientip>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) - - \[(?<requesttime>[^ ]+ \-?\+?[0-9]+)\] "(?<requesttype>[A-Z]+) (?<requesturl>[^ ]+) HTTP/\d.\d" (?<status>[0-9]+) (?<bodysize>[0-9]+) "[^"]+" "(?<ua>[^"]+)"'
}
remove_field => ["message","@version","path"]
}
date {
match => ["requesttime", "dd/MMM/yyyy:HH:mm:ss Z"]
target => "@timestamp"
}
}
output {
elasticsearch {
hosts => ["http://192.168.220.135:9200"]
}
}
統(tǒng)計Nginx的請求和網頁顯示進行對比
cat /usr/local/nginx/logs/access.log |awk '{print $4}' |cut -b 1-19 |sort |uniq -c
測試
while true; do curl -d "aaaa=bbbb" http://192.168.220.136/get/users; sleep 1; done
不同的時間格式荠列,覆蓋的時候格式要對應
- 20/Feb/2019:14:50:06 -> dd/MMM/yyyy:HH:mm:ss
- 2016-08-24 18:05:39,830 -> yyyy-MM-dd HH:mm:ss,SSS
- 如果時間解析失敗载城,會報 _dateparsefailure 錯誤,此時 @timestamp 還原為日志發(fā)送時間
ELK架構引入Filebeat
Filebeat二進制安裝與啟動
Logstash收集日志
- 依賴于Java環(huán)境川队,用來收集日志比較重,占用內存和CPU
- Filebeat相對輕量呼寸,占用服務器資源小
- 一般選用Filebeat來進行日志收集
Filebeat的安裝
- 下載二進制文件
- 解壓移到對應的目錄完成安裝/usr/local/
Filebeat的二進制安裝
cd /usr/local/src/
tar -zxvf filebeat-7.8.0-linux-x86_64.tar.gz
mv filebeat-7.8.0-linux-x86_64 /usr/local/filebeat-7.8.0
部署服務介紹
- 192.168.220.135 部署Kibana猴贰、ES
- 192.168.220.136 部署Filebeat
Filebeat發(fā)送日志到ES配置/usr/local/filebeat-7.8.0/filebeat.yml
vi /usr/local/filebeat-7.8.0/filebeat.yml
filebeat.inputs:
- type: log
tail_files: true
backoff: "1s"
paths:
- /usr/local/nginx/logs/access.log
output:
elasticsearch:
hosts: ["192.168.220.135:9200"]
啟動Filebeat
-
前臺啟動
/usr/local/filebeat-7.8.0/filebeat -e -c /usr/local/filebeat-7.8.0/filebeat.yml -
后臺啟動
nohup /usr/local/filebeat-7.8.0/filebeat -e -c /usr/local/filebeat-7.8.0/filebeat.yml >/tmp/filebeat.log 2>&1 &
Kibana上查看日志數據
GET /filebeat-7.8.0-year.month.day-000001/_search?q=*
-
創(chuàng)建索引觀察
kibana 菜單欄的 Stack Management 中,點擊 Kibana 的Index Patterns 創(chuàng)建索引
Filebeat -> ES -> Kibana
- 適合查看日志
- 不適合具體日志的分析
Filebeat+Logstash新架構
Filebeat和Logstash說明
- Filebeat:輕量級瑟捣,但不支持正則栅干、不能移除字段等
- Logstash:比較重,但支持正則碱鳞、支持移除字段等
搭建架構演示
- Logstash -> Elasticsearch -> Kibana
- Filebeat -> Elasticsearch -> Kibana
- Filebeat -> Logstash -> Elasticsearch -> Kibana
部署服務介紹
- 192.168.220.135 部署Kibana、ES
- 192.168.220.136 部署Logstash贵白、Filebeat
Filebeat配置發(fā)往Logstash
vi /usr/local/filebeat-7.8.0/filebeat.yml
filebeat.inputs:
- type: log
tail_files: true
backoff: "1s"
paths:
- /usr/local/nginx/logs/access.log
output:
logstash:
hosts: ["192.168.220.136:5044"]
Logstash配置監(jiān)聽在5044端口崩泡,接收Filebeat發(fā)送過來的日志
vi /usr/local/logstash-7.8.0/config/logstash.conf
input {
file {
path => "/usr/local/nginx/logs/access.log"
start_position => "beginning"
sincedb_path => "/dev/null"
}
}
# 改為
input {
beats {
host => '0.0.0.0'
port => 5044
}
}
Kibana上查看數據
- GET /logstash/_search?q=*
- 創(chuàng)建索引觀察
kibana 菜單欄的 Stack Management 中,點擊 Kibana 的Index Patterns 創(chuàng)建索引
Logstash上移除不必要的字段
Filebeat發(fā)過來的無用字段比較多
remove_field => ["message","@version","path","beat","input","log","offset","prospector","source","tags"]
Filebeat批量部署比Logstash要方便得多
- Logstash監(jiān)聽在內網
- Filebeat發(fā)送給內網的Logstash
新架構
Filebeat(多臺) -> Logstash(正則) -> Elasticsearch(入庫) -> Kibana展現
ELK采集Json格式日志
Json的好處
- 原生日志需要做正則匹配呛伴,比較麻煩
- Json格式的日志不需要正則能直接分段采集
Nginx使用Json格式日志
vi /usr/local/nginx/conf/nginx.conf
#access_log logs/access.log main;
log_format json '{"@timestamp":"$time_iso8601",'
'"clientip":"$remote_addr",'
'"status":$status,'
'"bodysize":$body_bytes_sent,'
'"referer":"$http_referer",'
'"ua":"$http_user_agent",'
'"handletime":$request_time,'
'"url":"$uri"}';
access_log logs/access.log;
access_log logs/access.json.log json;
部署服務介紹
- 192.168.220.135 部署Kibana、ES
- 192.168.220.136 部署Logstash热康、Filebeat
Filebeat采集Json格式的日志
vi /usr/local/filebeat-7.8.0/filebeat.yml
filebeat.inputs:
- type: log
tail_files: true
backoff: "1s"
paths:
- /usr/local/nginx/logs/access.json.log
output:
logstash:
hosts: ["192.168.220.136:5044"]
Logstash解析Json日志
vi /usr/local/logstash-7.8.0/config/logstash.conf
input {
beats {
host => '0.0.0.0'
port => 5044
}
}
filter {
json {
source => "message"
remove_field => ["message","@version","path","beat","input","log","offset","prospector","source","tags"]
}
}
output {
elasticsearch {
hosts => ["http://192.168.220.135:9200"]
}
}
Filebeat采集多個日志
采集多個日志
- 收集單個Nginx日志
- 如果有采集多個日志的需求
Filebeat采集多個日志配置
vi /usr/local/filebeat-7.8.0/filebeat.yml
filebeat.inputs:
- type: log
tail_files: true
backoff: "1s"
paths:
- /usr/local/nginx/logs/access.json.log
fields:
type: access
fields_under_root: true
- type: log
tail_files: true
backoff: "1s"
paths:
- /var/log/secure
fields:
type: secure
fields_under_root: true
output:
logstash:
hosts: ["192.168.220.136:5044"]
Logstash如何判斷兩個日志
- Filebeat加入一字段用來區(qū)別
- Logstash使用區(qū)別字段來區(qū)分
Logstash通過type字段進行判斷
vi /usr/local/logstash-7.8.0/config/logstash.conf
input {
beats {
host => '0.0.0.0'
port => 5044
}
}
filter {
if [type] == "access" {
json {
source => "message"
remove_field => ["message","@version","path","beat","input","log","offset","prospector","source","tags"]
}
}
}
output{
if [type] == "access" {
elasticsearch {
hosts => ["http://192.168.220.135:9200"]
index => "access-%{+YYYY.MM.dd}"
}
}
else if [type] == "secure" {
elasticsearch {
hosts => ["http://192.168.220.135:9200"]
index => "secure-%{+YYYY.MM.dd}"
}
}
}
網頁上建立索引
- access索引
- secure索引
kibana 菜單欄的 Stack Management 中,點擊 Kibana 的Index Patterns 創(chuàng)建索引
ELK架構引入緩存Redis或Kafka
Redis服務器的編譯安裝
之前架構
Filebeat(多臺) -> Logstash(正則) -> Elasticsearch(入庫) -> Kibana展現
架構存在的問題
Logstash性能不足的時候
擴容Logstash污它,Filebeat的配置可能會不一致庶弃。(如果有多臺Logstash,不同的Filebeat需要配置到不同的Logstash)
架構優(yōu)化
Filebeat(多臺) Logstash
Filebeat(多臺) -> Redis歇攻、Kafka -> Logstash(正則) -> Elasticsearch(入庫) -> Kibana展現
Filebeat(多臺) Logstash
部署服務介紹
- 192.168.220.135: Kibana、ES
- 192.168.220.136: Logstash葬毫、Filebeat、Redis
Redis服務器搭建
yum install -y wget net-tools gcc gcc-c++ make tar openssl openssl-devel cmake
cd /usr/local/src
wget 'http://download.redis.io/releases/redis-4.0.9.tar.gz'
tar -zxf redis-4.0.9.tar.gz
cd redis-4.0.9
make
mkdir -pv /usr/local/redis/conf /usr/local/redis/bin
cp src/redis* /usr/local/redis/bin/
cp redis.conf /usr/local/redis/conf
驗證Redis服務器
- 更改Redis配置(bind贴捡、daemon村砂、dir、requirepass)
vi /usr/local/redis/conf/redis.conf
bind 0.0.0.0
daemonize yes
dir /tmp/
requirepass 1234qwer
密碼設置為1234qwer-
驗證set础废、get操作
Redis的啟動命令
/usr/local/redis/bin/redis-server /usr/local/redis/conf/redis.conf
Redis的簡單操作
/usr/local/redis/bin/redis-cli
auth '1234qwer'
set name shijiange
-
get name
[root@Logstash redis-4.0.9]# /usr/local/redis/bin/redis-cli 127.0.0.1:6379> info NOAUTH Authentication required. 127.0.0.1:6379> auth '1234qwer' OK 127.0.0.1:6379> info
Filebeat和Logstash間引入Redis
部署服務介紹
192.168.220.135: Kibana、ES
192.168.220.136: Logstash帘瞭、Filebeat蒿讥、Redis
Filebeat配置寫入到Redis
vi /usr/local/filebeat-7.8.0/filebeat.yml
filebeat.inputs:
- type: log
tail_files: true
backoff: "1s"
paths:
- /usr/local/nginx/logs/access.json.log
fields:
type: access
fields_under_root: true
output.redis:
hosts: ["192.168.220.136"]
port: 6379
password: "1234qwer"
key: "access"
2020-07-24T01:08:07.223-0400 INFO instance/beat.go:310 Setup Beat: filebeat; Version: 7.8.0
2020-07-24T01:08:07.224-0400 INFO instance/beat.go:436 filebeat stopped.
2020-07-24T01:08:07.224-0400 ERROR instance/beat.go:958 Exiting: error initializing publisher: 1 error: setting 'output.redis.port' has been removed
Exiting: error initializing publisher: 1 error: setting 'output.redis.port' has been removed如果出現以上錯誤,可能是版本不匹配的問題芋绸,將redis版本升級,或者將filebeat版本降級适袜,這里降級為 6.0.6
此時可以看到 filebeat 的輸出為
2020-07-24T01:24:52.555-0400 INFO log/harvester.go:255 Harvester started for file: /usr/local/nginx/logs/access.json.log
2020-07-24T01:24:53.556-0400 INFO pipeline/output.go:95 Connecting to redis(tcp://192.168.220.136:6379)
2020-07-24T01:24:53.557-0400 INFO pipeline/output.go:105 Connection to redis(tcp://192.168.220.136:6379) established
查看 redis 中的記錄
127.0.0.1:6379> keys *
...
db0:keys=2,expires=0,avg_ttl=0
127.0.0.1:6379> keys *
1) "name"
2) "access"
127.0.0.1:6379> LRANGE access 0-1
(error) ERR wrong number of arguments for 'lrange' command
127.0.0.1:6379> LRANGE access 0 -1
1) "{\"@timestamp\":\"2020-07-24T05:24:52.555Z\",\"@metadata\":...
2) "{\"@timestamp\":\"2020-07-24T05:24:53.556Z\",\"@metadata\":...
Logstash從Redis中讀取數據
vi /usr/local/logstash-7.8.0/config/logstash.conf
input {
redis {
host => '192.168.220.136'
port => 6379
key => "access"
data_type => "list"
password => '1234qwer'
}
}
架構優(yōu)化
Filebeat(多臺) Logstash
Filebeat(多臺) -> Redis舷夺、Kafka -> Logstash(正則) -> Elasticsearch(入庫) -> Kibana展現
Filebeat(多臺) Logstash
