简介
日志服务器
提高安全性
集中存放日志
缺陷:对日志的分析困难
ELK日志分析系统
Elasticsearch:存储,索引池
Logstash:日志收集器
Kibana:数据可视化
日志处理步骤
1,将日志进行集中化管理
2,将日志格式化(Logstash)并输出到Elasticsearch
3,对格式化后的数据进行索引和存储(Elasticsearch)
4,前端数据的展示(Kibana)
Elasticsearch的概述
提供了一个分布式多用户能力的全文搜索引擎
Elasticsearch的概念
接近实时
集群
节点
索引:索引(库)-->类型(表)-->文档(记录)
分片和副本
Logstash介绍
一款强大的数据处理工具,可以实现数据传输、格式处理、格式化输出
数据输入、数据加工(如过滤,改写等)以及数据输出
LogStash主要组件
Shipper
Indexer
Broker
Search and Storage
Web Interface
Kibana介绍
一个针对Elasticsearch的开源分析及可视化平台
搜索、查看存储在Elasticsearch索引中的数据
通过各种图表进行高级数据分析及展示
Kibana主要功能
Elasticsearch无缝之集成
整合数据,复杂数据分析
让更多团队成员受益
接口灵活,分享更容易
配置简单,可视化多数据源
简单数据导出
实验环境
1、在node1,node2上安装elasticsearch(操作相同,只演示一台)
[[email protected] ~]# vim /etc/hosts ##配置解析名
192.168.52.133 node1
192.168.52.134 node2
[[email protected] ~]# systemctl stop firewalld.service ##关闭防火墙
[[email protected] ~]# setenforce 0 ##关闭增强型安全功能
[[email protected] ~]# java -version ##查看是否支持Java
[[email protected] ~]# mount.cifs //192.168.100.100/tools /mnt/tools/ ##挂载
Password for [email protected]//192.168.100.100/tools:
[[email protected] ~]# cd /mnt/tools/elk/
[[email protected] elk]# rpm -ivh elasticsearch-5.5.0.rpm ##安装
警告:elasticsearch-5.5.0.rpm: 头V4 RSA/SHA512 Signature, 密钥 ID d88e42b4: NOKEY
准备中... ################################# [100%]
Creating elasticsearch group... OK
Creating elasticsearch user... OK
正在升级/安装...
1:elasticsearch-0:5.5.0-1 ################################# [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
sudo systemctl start elasticsearch.service
[[email protected] elk]# systemctl daemon-reload ##重载守护进程
[[email protected] elk]# systemctl enable elasticsearch.service ##开机自启
Created symlink from /etc/systemd/system/multi-user.target.wants/elasticsearch.service to /usr/lib/systemd/system/elasticsearch.service.
[[email protected] elk]# cd /etc/elasticsearch/
[[email protected] elasticsearch]# cp elasticsearch.yml elasticsearch.yml.bak ##备份
[[email protected] elasticsearch]# vim elasticsearch.yml ##修改配置文件
cluster.name: my-elk-cluster ##集群名
node.name: node1 ##节点名,第二个节点为node2
path.data: /data/elk_data ##数据存放位置
path.logs: /var/log/elasticsearch/ ##日志存放位置
bootstrap.memory_lock: false ##不在启动时锁定内存
network.host: 0.0.0.0 ##提供服务绑定的IP地址,为所有地址
http.port: 9200 ##端口号为9200
discovery.zen.ping.unicast.hosts: ["node1", "node2"] ##集群发现通过单播实现
[[email protected] elasticsearch]# grep -v "^#" /etc/elasticsearch/elasticsearch.yml ##检查配置是否正确
cluster.name: my-elk-cluster
node.name: node1
path.data: /data/elk_data
path.logs: /var/log/elasticsearch/
bootstrap.memory_lock: false
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: ["node1", "node2"]
[[email protected] elasticsearch]# mkdir -p /data/elk_data ##创建数据存放点
[[email protected] elasticsearch]# chown elasticsearch.elasticsearch /data/elk_data/ ##给权限
[[email protected] elasticsearch]# systemctl start elasticsearch.service ##开启服务
[[email protected] elasticsearch]# netstat -ntap | grep 9200 ##查看开启情况
tcp6 0 0 :::9200 :::* LISTEN 83358/java
[[email protected] elasticsearch]#查看node1节点信息
查看node2节点信息
2、在浏览器上检查健康和状态
node1健康检查
node2健康检查
node1状态
node2状态
3、在node1,node2上安装node组件依赖包(操作相同,只演示一个)
[[email protected] elasticsearch]# yum install gcc gcc-c++ make -y ##安装编译工具
[[email protected] elasticsearch]# cd /mnt/tools/elk/
[[email protected] elk]# tar xf node-v8.2.1.tar.gz -C /opt/ ##解压插件
[[email protected] elk]# cd /opt/node-v8.2.1/
[[email protected] node-v8.2.1]# ./configure ##配置
[[email protected] node-v8.2.1]# make && make install ##编译安装4、在node1,node2上安装phantomjs前端框架
[[email protected] node-v8.2.1]# cd /mnt/tools/elk/
[[email protected] elk]# tar xf phantomjs-2.1.1-linux-x86_64.tar.bz2 -C /usr/local/src/
##解压到/usr/local/src下
[[email protected] elk]# cd /usr/local/src/phantomjs-2.1.1-linux-x86_64/bin/
[[email protected] bin]# cp phantomjs /usr/local/bin/ ##编译系统识别5、在node1,node2上安装elasticsearch-head数据可视化
[[email protected] bin]# cd /mnt/tools/elk/
[[email protected] elk]# tar xf elasticsearch-head.tar.gz -C /usr/local/src/ ##解压
[[email protected] elk]# cd /usr/local/src/elasticsearch-head/
[[email protected] elasticsearch-head]# npm install ##安装
npm WARN [email protected] license should be a valid SPDX license expression
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
added 71 packages in 7.262s
[[email protected] elasticsearch-head]# 6、修改配置文件
[[email protected] elasticsearch-head]# cd ~
[[email protected] ~]# vim /etc/elasticsearch/elasticsearch.yml
#末行插入
http.cors.enabled: true ##开启跨域访问支持,默认为false
http.cors.allow-origin: "*" ##跨域访问允许的域名地址
[[email protected] ~]# systemctl restart elasticsearch.service ##重启
[[email protected] ~]# cd /usr/local/src/elasticsearch-head/
[[email protected] elasticsearch-head]# npm run start & ##后台运行数据可视化服务
[1] 83664
[[email protected] elasticsearch-head]#
> [email protected] start /usr/local/src/elasticsearch-head
> grunt server
Running "connect:server" (connect) task
Waiting forever...
Started connect web server on http://localhost:9100
[[email protected] elasticsearch-head]#
[[email protected] elasticsearch-head]# netstat -ntap | grep 9200
tcp6 0 0 :::9200 :::* LISTEN 83358/java
[[email protected] elasticsearch-head]# netstat -ntap | grep 9100
tcp 0 0 0.0.0.0:9100 0.0.0.0:* LISTEN 83674/grunt
[[email protected] elasticsearch-head]# 7、在浏览器上连接并查看健康值状态
node1
node2
8、在node1上创建索引
[[email protected] ~]# curl -XPUT ‘localhost:9200/index-demo/test/1?pretty&pretty‘ -H ‘content-Type: application/json‘ -d ‘{"user":"zhangsan","mesg":"hello world"}‘
##创建索引信息
{
"_index" : "index-demo",
"_type" : "test",
"_id" : "1",
"_version" : 1,
"result" : "created",
"_shards" : {
"total" : 2,
"successful" : 2,
"failed" : 0
},
"created" : true
}
[[email protected] ~]# 
9、在Apache服务器上安装logstash,多elasticsearch进行对接
[[email protected] ~]# systemctl stop firewalld.service
[[email protected] ~]# setenforce 0
[[email protected] ~]# yum install httpd -y ##安装服务
[[email protected] ~]# systemctl start httpd.service ##启动服务
[[email protected] ~]# java -version
[[email protected] ~]# mount.cifs //192.168.100.100/tools /mnt/tools/ ##挂载
Password for [email protected]//192.168.100.100/tools:
[[email protected] ~]# cd /mnt/tools/elk/
[[email protected] elk]# rpm -ivh logstash-5.5.1.rpm ##安装logstash
警告:logstash-5.5.1.rpm: 头V4 RSA/SHA512 Signature, 密钥 ID d88e42b4: NOKEY
准备中... ################################# [100%]
正在升级/安装...
1:logstash-1:5.5.1-1 ################################# [100%]
Using provided startup.options file: /etc/logstash/startup.options
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
Successfully created system startup script for Logstash
[[email protected] elk]# systemctl start logstash.service ##开启服务
[[email protected] elk]# systemctl enable logstash.service ##开机自启
Created symlink from /etc/systemd/system/multi-user.target.wants/logstash.service to /etc/systemd/system/logstash.service.
[[email protected] elk]# ln -s /usr/share/logstash/bin/logstash /usr/local/bin/ ##便于系统识别
[[email protected] elk]# 10、将系统日志文件输出到elasticsearch
[[email protected] elk]# chmod o+r /var/log/messages ##给其他用户读权限
[[email protected] elk]# vim /etc/logstash/conf.d/system.conf ##创建文件
input {
file{
path => "/var/log/messages" ##输出目录
type => "system"
start_position => "beginning"
}
}
output {
elasticsearch {
#输入地址指向node1节点
hosts => ["192.168.13.129:9200"]
index => "system-%{+YYYY.MM.dd}"
}
}
[[email protected] elk]# systemctl restart logstash.service ##重启服务
##也可以用数据浏览查看详细信息11、在node1服务器上安装kibana数据可视化
[[email protected] ~]# cd /mnt/tools/elk/
[[email protected] elk]# rpm -ivh kibana-5.5.1-x86_64.rpm ##安装
警告:kibana-5.5.1-x86_64.rpm: 头V4 RSA/SHA512 Signature, 密钥 ID d88e42b4: NOKEY
准备中... ################################# [100%]
正在升级/安装...
1:kibana-5.5.1-1 ################################# [100%]
[[email protected] elk]# cd /etc/kibana/
[[email protected] kibana]# cp kibana.yml kibana.yml.bak ##备份
[[email protected] kibana]# vim kibana.yml ##修改配置文件
server.port: 5601 ##端口号
server.host: "0.0.0.0" ##监听任意网段
elasticsearch.url: "http://192.168.13.129:9200" ##本机节点地址
kibana.index: ".kibana" ##索引名称
[[email protected] kibana]# systemctl start kibana.service ##开启服务
[[email protected] kibana]# systemctl enable kibana.service ##开机自启
Created symlink from /etc/systemd/system/multi-user.target.wants/kibana.service to /etc/systemd/system/kibana.service.
[[email protected] elk]#
[[email protected] elk]# netstat -ntap | grep 5601 ##查看端口
tcp 0 0 127.0.0.1:5601 0.0.0.0:* LISTEN 84837/node
[[email protected] elk]# 12、浏览器访问kibana
13、在apache服务器中对接apache日志文件,进行统计
[[email protected] elk]# vim /etc/logstash/conf.d/apache_log.conf ##创建配置文件
input {
file{
path => "/etc/httpd/logs/access_log" ##输入信息
type => "access"
start_position => "beginning"
}
file{
path => "/etc/httpd/logs/error_log"
type => "error"
start_position => "beginning"
}
}
output {
if [type] == "access" { ##根据条件判断输出信息
elasticsearch {
hosts => ["192.168.13.129:9200"]
index => "apache_access-%{+YYYY.MM.dd}"
}
}
if [type] == "error" {
elasticsearch {
hosts => ["192.168.13.129:9200"]
index => "apache_error-%{+YYYY.MM.dd}"
}
}
}
[[email protected] elk]# logstash -f /etc/logstash/conf.d/apache_log.conf
##根据配置文件配置logstach14、访问网页信息,查看kibana统计情况
只有error日志
浏览器访问Apache服务
生成access日志
##选择management>Index Patterns>create index patterns
##创建apache两个日志的信息在kibana创建access访问日志
在kibana创建error访问日志
查看access日志统计情况
查看error日志统计情况
实验成功!!!
原文地址:https://blog.51cto.com/14449541/2461909
时间: 2024-10-10 20:40:41