ELK介紹

???????? Elasticsearch是一款開源的分布式搜索引擎空民，提供搜集、分析、存儲數(shù)據(jù)界轩。

???????? 特點：分布式画饥，零配置，自動發(fā)現(xiàn)浊猾，索引自動分片抖甘，索引副本機制，restful風(fēng)格接口葫慎，多數(shù)據(jù)源等

???????? Logstash：作用于日志的搜集衔彻、分析、過濾日志的工具幅疼，支持大量的數(shù)據(jù)獲取方式米奸。

???????? 基于c/s架構(gòu)昼接，Client端（FileBeat）部署在需要收集日志的主機上爽篷，server端負(fù)責(zé)將收到的各節(jié)點日志進(jìn)行過濾、修改等操作再發(fā)往elasticsearch慢睡。

???????? Kibana 實現(xiàn)數(shù)據(jù)可視化逐工。在 Elastic Stack 中進(jìn)行導(dǎo)航，Kibana可以為 Logstash 和 ElasticSearch 提供的日志分析友好Web 界面漂辐，匯總泪喊、分析和搜索重要數(shù)據(jù)日志。

???????? Beats：收集髓涯、解析和傳輸數(shù)據(jù)等常用beat有：Filebeat袒啼，Packetbeat,Metricbeat,Auditbeat,Winlogbeat 此次我們將用Filebeat做Client端

???????? 注： Beats 和 Logstash 之間支持 SSL/TLS 加密傳輸，客戶端和服務(wù)器雙向認(rèn)證纬纪，保證了通信安全

???????? ELK整體架構(gòu)圖：

一蚓再、 ELK部署環(huán)境準(zhǔn)備

????? 1、 服務(wù)器環(huán)境準(zhǔn)備

??????????? 10.0.60.191 elk-master???????????????? 部署Role：Logstash, ES, Kibana

??????????? 10.0.60.192 Elasticsearch-n1??????? 部署Role：Elasticsearch

??????????? 10.0.60.193 Elasticsearch-n2??????? 部署Role：Elasticsearch

??????????? 10.0.60.195 ELK-Client????????????????? 部署Role：Filebeat

?????? 2包各、 安裝JDK

??????????? Elasticsearch摘仅、Logstash的部署都需要JDK環(huán)境的支持，分別在10.0.60.191-193上進(jìn)行安裝部署在oracle官方下載8版本以上的JDK版本

??????????? 這里選擇JDK14

官方下載地址：

https://download.oracle.com/otn-pub/java/jdk/14.0.2+12/205943a0976c4ed48cb16f1043c5c647/jdk-14.0.2_linux-x64_bin.tar.gz

?????tar?-zxvf?jdk-14.0.2_linux-x64_bin.tar.gz?-C?/usr/local/?

?????#解壓完畢后將JDK路徑增加到環(huán)境變量中

?????vim?/etc/profile?#文件定位到PATH處新增一行進(jìn)行增加環(huán)境變量

?????export?JAVA_HOME=/usr/jdk-14.0.2/

?????export?JRE_HOME=$JAVA_HOME/jre

?????export?CLASSPATH=.:$JAVA_HOME/lib:$JRE_HOME/lib:$CLASSPATH

?????export?PATH=$JAVA_HOME/bin:$JRE_HOME/bin:$PATH

?3问畅、 部署ELK之前需對操作系統(tǒng)調(diào)優(yōu)設(shè)置否則會提示報錯

?????#修改?limits.conf文件

?????vi?/etc/security/limits.conf

?????#增加以下內(nèi)容

?????*?soft?nofile?65536

?????*?hard?nofile?65536

?????*?soft?nproc??4096

?????*?hard?nproc??8192

?????#修改系統(tǒng)文件20-nproc.conf

?????vi?/etc/security/limits.d/20-nproc.conf

????優(yōu)化以下參數(shù)配置：??

??????*??????????soft????nproc?????4096

??????root???????soft????nproc?????unlimited

??????#調(diào)整內(nèi)核參數(shù)

??????vi?/etc/sysctl.conf

??????vm.max_map_count=262144??#限制一個進(jìn)程可以擁有的VMA數(shù)量

??????fs.file-max=655360???????#系統(tǒng)中可以同時打開的文件數(shù)目

??????#調(diào)整完畢需要重新加載內(nèi)核參數(shù)

?????sysctl?-p

4娃属、配置hosts記錄主機名解析工作（三臺主機都需要添加）

??????vi?/etc/hosts

??????10.0.60.191?elk-master????????????????

?????10.0.60.192?Elasticsearch-n1????????

?????10.0.60.193?Elasticsearch-n2

5、關(guān)閉linux firewall护姆、Selinux

??????sed?-i?"s/SELINUX=enforcing/SELINUX=disabled/g"?/etc/selinux/config

??????setenforce?0

??????systemctl?stop?firewalld

??????systemctl?disable?firewalld

6矾端、創(chuàng)建普通用戶用于啟動elk使用這里我們就以elk為用戶名進(jìn)行創(chuàng)建

??????useradd?elk???#默認(rèn)會創(chuàng)建同步用戶組

7、 創(chuàng)建ELK安裝目錄：

??????mkdir?/usr/local/elk

??????chown?-R?elk:elk?/usr/local/elk

? 8卵皂、通過elastic官網(wǎng)下載elk所需安裝包

?????????????????? 下載完畢后解壓至/usr/local/elk下

??????#master

??????wget?https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.8.0-linux-x86_64.tar.gz

??????wget?https://artifacts.elastic.co/downloads/logstash/logstash-7.8.0.tar.gz

??????wget?https://artifacts.elastic.co/downloads/kibana/kibana-7.8.0-linux-x86_64.tar.gz

??????tar?-zxvf?elasticsearch-7.8.0-linux-x86_64.tar.gz?-C?/usr/local/elk?&&?\

??????tar?-zxvf?logstash-7.8.0.tar.gz??-C?/usr/local/elk?&&?\

??????tar?-zxvf?kibana-7.8.0-linux-x86_64.tar.gz?-C?/usr/local/elk

??????#將elasticsearch-7.8.0-linux-x86_64.tar.gz利用scp復(fù)制到其他兩臺node上

二秩铆、部署Elasticsearch集群

?? 2.1、 切換到剛創(chuàng)建的elk用戶環(huán)境下配置elasticsearch

???????su?-?elk

?? 2.2渐裂、創(chuàng)建Elasticsearch數(shù)據(jù)目錄豺旬、日志目錄

???????mkdir?/usr/local/elk/elasticsearch-7.8.0/data???#此操作需在三臺服務(wù)器操作

???????mkdir?/usr/local/elk/elasticsearch-7.8.0/logs???#此操作需在三臺服務(wù)器操作

?? 2.3钠惩、編輯ES-Master節(jié)點配置文件：

???????vi?/usr/local/elk/elasticsearch-7.8.0/config/elasticsearch.yml

?????????#?ES集群名稱

?????????cluster.name:?escluster

?????????#?ES節(jié)點名稱

?????????node.name:?elk-master

?????????#?存放數(shù)據(jù)目錄

?????????path.data:?/usr/local/elk/elasticsearch-7.8.0/data

?????????#?存放日志目錄

?????????path.logs:?/usr/local/elk/elasticsearch-7.8.0/logs

?????????#?節(jié)點IP

?????????network.host:?10.0.60.191

?????????#?tcp端口

?????????transport.tcp.port:?9300

?????????#?http端口

?????????http.port:?9200

?????????#?ES節(jié)點列表，Master節(jié)點IP須在seed_hosts中

?????????discovery.seed_hosts:?["10.0.60.191:9300","10.0.60.192:9300","10.0.60.193:9300"]

?????????#?Master節(jié)點列表族阅，若有多個Master節(jié)點篓跛，則Master節(jié)點進(jìn)行配置

?????????cluster.initial_master_nodes:?["10.0.60.191:9300"]

?????????#?是否允許作為Master節(jié)點

?????????node.master:?true

?????????#?是否保存數(shù)據(jù)

?????????node.data:?true

?????????node.ingest:?false

?????????node.ml:?false

?????????cluster.remote.connect:?false

?????????#?是否開啟跨域功能

?????????http.cors.enabled:?true

?????????http.cors.allow-origin:?"*"

??? 2.4、編輯ES-Node01節(jié)點配置文件：

??????vi?/usr/local/elk/elasticsearch-7.8.0/config/elasticsearch.yml

?????????#?ES集群名稱

?????????cluster.name:?escluster

?????????#?ES節(jié)點名稱

?????????node.name:?elasticsearch-n1

?????????#?存放數(shù)據(jù)目錄

?????????path.data:?/usr/local/elk/elasticsearch-7.8.0/data

?????????#?存放日志目錄

?????????path.logs:?/usr/local/elk/elasticsearch-7.8.0/logs

?????????#?節(jié)點IP

?????????network.host:?10.0.60.192

?????????#?tcp端口

?????????transport.tcp.port:?9300

?????????#?http端口

?????????http.port:?9200

?????????#?ES節(jié)點列表坦刀，Master節(jié)點IP須在seed_hosts中

?????????discovery.seed_hosts:?["10.0.60.191:9300","10.0.60.192:9300","10.0.60.193:9300"]

?????????#?Master節(jié)點列表愧沟，若有多個Master節(jié)點，則Master節(jié)點進(jìn)行配置

?????????cluster.initial_master_nodes:?["10.0.60.191:9300"]

?????????#?是否允許作為Master節(jié)點

?????????node.master:?false

?????????#?是否保存數(shù)據(jù)

?????????node.data:?true

?????????node.ingest:?false

?????????node.ml:?false

?????????cluster.remote.connect:?false

?????????#?是否開啟跨域功能

?????????http.cors.enabled:?true

?????????http.cors.allow-origin:?"*"

? 2.5鲤遥、編輯ES-Node02節(jié)點配置文件：

??????vi?/usr/local/elk/elasticsearch-7.8.0/config/elasticsearch.yml

?????????#?ES集群名稱

?????????cluster.name:?escluster

?????????#?ES節(jié)點名稱

?????????node.name:?elasticsearch-n2

?????????#?存放數(shù)據(jù)目錄

?????????path.data:?/usr/local/elk/elasticsearch-7.8.0/data

?????????#?存放日志目錄

?????????path.logs:?/usr/local/elk/elasticsearch-7.8.0/logs

?????????#?節(jié)點IP

?????????network.host:?10.0.60.193

?????????#?tcp端口

?????????transport.tcp.port:?9300

?????????#?http端口

?????????http.port:?9200

?????????#?ES節(jié)點列表沐寺，Master節(jié)點IP須在seed_hosts中

?????????discovery.seed_hosts:?["10.0.60.191:9300","10.0.60.192:9300","10.0.60.193:9300"]

?????????#?Master節(jié)點列表，若有多個Master節(jié)點盖奈，則Master節(jié)點進(jìn)行配置

?????????cluster.initial_master_nodes:?["10.0.60.191:9300"]

?????????#?是否允許作為Master節(jié)點

?????????node.master:?false

?????????#?是否保存數(shù)據(jù)

?????????node.data:?true

?????????node.ingest:?false

?????????node.ml:?false

?????????cluster.remote.connect:?false

?????????#?是否開啟跨域功能

?????????http.cors.enabled:?true

?????????http.cors.allow-origin:?"*"

??? 2.6混坞、 配置完之后開始啟動ES

???????/usr/local/elk/elasticsearch-7.8.0/bin/elasticsearch?-d

??? 2.7、 啟動ES后利用curl檢查啟動情況也是通常部署時常用的檢查方法

??????[root@elk-master?~]#?curl?-X?GET?'http://10.0.60.191:9200/_cluster/health?pretty'

????????{

??????????"cluster_name"?:?"escluster",

??????????"status"?:?"green",

??????????"timed_out"?:?false,

??????????"number_of_nodes"?:?3,

??????????"number_of_data_nodes"?:?3,

??????????"active_primary_shards"?:?12,

??????????"active_shards"?:?24,

??????????"relocating_shards"?:?0,

??????????"initializing_shards"?:?0,

??????????"unassigned_shards"?:?0,

??????????"delayed_unassigned_shards"?:?0,

??????????"number_of_pending_tasks"?:?0,

??????????"number_of_in_flight_fetch"?:?0,

??????????"task_max_waiting_in_queue_millis"?:?0,

??????????"active_shards_percent_as_number"?:?100.0

??????????}

??????????#狀態(tài)值：Green代表服務(wù)正常

三钢坦、安裝kibana

????????? 3.1 修改Kibana配置文件

????cd?/usr/local/elk/kibana-7.8.0-linux-x86_64/config

?????vim?kibana.yml

?????#?指定kibana端口

?????server.port:?5601

?????#?監(jiān)聽地址

?????server.host:?"10.0.60.191"

?????#?指定ES集群的Master服務(wù)器ip地址究孕。

?????elasticsearch.hosts:?"http://10.0.60.191:9200/"

?????#?指定kibana存放日志文件路徑

?????logging.dest:/home/app/elk/kibana-7.8.0-linux-x86_64/logs/kibana.log

???? ? ?? 3.2、啟動kibana

??????nohup?/usr/local/elk/kibana-7.8.0-linux-x86_64/bin/kibana?&??#啟動過程中可通過tail?-f?nohup.out啟動是否存在報錯日志

四爹凹、 安裝filebeat

??????? 在10.0.60.195上面已經(jīng)安裝了nginx服務(wù)并運行厨诸，后面我們利用filebeat采集nginx請求日志

??????? 4.1、官網(wǎng)下載filebeat：

????wget?https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.8.0-linux-x86_64.tar.gz

????tar?-zxvf?filebeat-7.8.0-linux-x86_64.tar.gz?-C?/usr/local

??????? 4.2禾酱、配置filebeat.yml

?vim?/usr/local/filebeat-7.8.0/filebeat.yml

?#===========================?Filebeat?inputs?=============================

?filebeat.inputs:

?-?type:?log

???paths:

????-?/usr/local/nginx/logs/access.log

???fields:

????log_source:?nginx-access

?-?type:?log

???paths:

????-?/usr/local/nginx/logs/error.log

???fields:

????log_source:?nginx-error

?#==============================?Dashboards?=====================================

?setup.dashboards.enabled:?false

?#==============================?Kibana?=====================================

?#添加到libana

?setup.kibana:

???host:?"10.0.60.191:5601"

?#-----------------------------?Logstash?output?--------------------------------

?output.logstash:

???#?The?Logstash?hosts

???hosts:?["10.0.60.191:5044"]

???? 4.3微酬、 啟動filebeat

??cd?/usr/local/filebeat-7.8.0/?&&?nohup?./filebeat?-c?filebeat.yml?&

五、 安裝logstash角色：-------Master

??? 5.1颤陶、創(chuàng)建logstash.conf文件

?vim?/usr/local/elk/logstash-7.8.0/config/logstash.conf

?input?{

???beats?{

?????port?=>?5044???#指定端口5044颗管，filebeat配置中一致

???}

?}

?filter?{

???if?[fields][log_source]=="nginx-access"{

?????grok?{

???????match?=>?{

?????????"message"?=>?'%{IP:clientip}\s*%{DATA}\s*%{DATA}\s*\[%{HTTPDATE:requesttime}\]\s*"%{WORD:requesttype}.*?"\s*%{NUMBER:status:int}\s*%{NUMBER:bytes_read:int}\s*"%{DATA:requesturl}"\s*%{QS:ua}'

??????}

???????overwrite?=>?["message"]

?????}

???}

???if?[fields][log_source]=="nginx-error"{

?????grok?{

???????match?=>?{

?????????"message"?=>?'(?<time>.*?)\s*\[%{LOGLEVEL:loglevel}\]\s*%{DATA}:\s*%{DATA:errorinfo},\s*%{WORD}:\s*%{IP:clientip},\s*%{WORD}:%{DATA:server},\s*%{WORD}:\s*%{QS:request},\s*%{WORD}:\s*%{QS:upstream},\s*%{WORD}:\s*"%{IP:hostip}",\s*%{WORD}:\s*%{QS:referrer}'

???????}

???????overwrite?=>?["message"]

?????}

???}

?}

?output?{

???if?[fields][log_source]=="nginx-access"{

?????elasticsearch?{

???????hosts?=>?["http://10.0.60.191:9200"]

???????action?=>?"index"

???????index?=>?"nginx-access-%{+YYYY.MM.dd}"

????}

???}

???if?[fields][log_source]=="nginx-error"{

?????elasticsearch?{

???????hosts?=>?["http://10.0.60.191:9200"]

???????action?=>?"index"

???????index?=>?"nginx-error-%{+YYYY.MM.dd}"

????}

???}

???stdout?{?codec?=>?rubydebug?}

?}

?#這里我們自定義Index，elk中l(wèi)ogstash-*是為elk自帶索引可以試用一下

???? 5.2指郁、 啟動logstash

nohup?/usr/local/elk/logstash-7.8.0/bin/logstash?-f?/usr/local/elk/logstash-7.8.0/config/logstash.conf?&

???? 到目前為止elk環(huán)境已經(jīng)部署完畢忙上，接下來驗證一次

六、登錄Kibana平臺