ELK日志分析系统

ELK日志分析系统

在日常工作中会面临很多问题,一般通过工作经验和软件自带的日志或者系统日志来解决问题,如果1台或者几台服务器,我们可以通过 linux命令,tail、cat通过grep、awk等过滤去查询定位日志查问题,如果有几十台几百台的话这样的操作太繁琐效率低也不现实。所以建立出了一套集中式的方法

一个完整的集中式日志系统,需要包含以下几个主要特点:

  • 收集-能够采集多种来源的日志数据
  • 传输-能够稳定的把日志数据传输到中央系统
  • 存储-如何存储日志数据
  • 分析-可以支持 UI 分析
  • 警告-能够提供错误报告,监控机制

ELK提供了一整套解决方案,并且都是开源软件,之间互相配合使用,完美衔接,高效的满足了很多场合的应用。目前主流的一种日志系统。

ELK简介

ELK是三个开源软件的缩写,分别为:Elasticsearch 、 Logstash以及Kibana , 它们都是开源软件。不过现在还新增了一个Beats,它是一个轻量级的日志收集处理工具(Agent),Beats占用资源少,适合于在各个服务器上搜集日志后传输给Logstash,官方也推荐此工具,目前由于原本的ELK Stack成员中加入了 Beats 工具所以已改名为Elastic Stack。

Elasticsearch是个开源分布式搜索引擎,提供搜集、分析、存储数据三大功能。它的特点有:分布式,零配置,自动发现,索引自动分片,索引副本机制,restful风格接口,多数据源,自动搜索负载等。

Logstash 主要是用来日志的搜集、分析、过滤日志的工具,支持大量的数据获取方式。一般工作方式为c/s架构,client端安装在需要收集日志的主机上,server端负责将收到的各节点日志进行过滤、修改等操作在一并发往elasticsearch上去。

Kibana 也是一个开源和免费的工具,Kibana可以为 Logstash 和 ElasticSearch 提供的日志分析友好的 Web 界面,可以帮助汇总、分析和搜索重要数据日志。

Beats在这里是一个轻量级日志采集器,其实Beats家族有6个成员,早期的ELK架构中使用Logstash收集、解析日志,但是Logstash对内存、cpu、io等资源消耗比较高。相比 Logstash,Beats所占系统的CPU和内存几乎可以忽略不计。

ELK工作原理

ELK部署搭建

1、基础环境

1个主节点,2个数据节点,3台机器全部安装jdk8(openjdk即可)Yum install -y java-1.8.0-openjdk

虚拟机IP 部署工具 主机名
192.168.200.11 elasticsearch+kibana elk-1
192.168.200.12 elasticsearch+logstash elk-2
192.168.200.13 elasticsearch elk-3
2、配置三台主机的hosts文件

三台一样即可

[root@elk-1 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.200.11 elk-1
192.168.200.12 elk-2
192.168.200.13 elk-3
3、在三台虚拟机上部署elasticsearch

将elasticsearch上传到/root下并安装:

[root@elk-1 ~]# rpm -ivh elasticsearch-6.0.0.rpm    //其他两台也安装
warning: elasticsearch-6.0.0.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing...                          ################################# [100%]
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Updating / installing...
   1:elasticsearch-0:6.0.0-1          ################################# [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
 sudo systemctl start elasticsearch.service

修改三台的elasticsearch配置文件:

[root@elk-1 ~]# cat /etc/elasticsearch/elasticsearch.yml |grep -v ^#
cluster.name: ELK
node.name: elk-1
node.master: true
node.data: false
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.200.11
http.port: 9200
discovery.zen.ping.unicast.hosts: ["elk-1", "elk-2","elk-3"]

[root@elk-2 ~]# cat /etc/elasticsearch/elasticsearch.yml | grep -v ^#
cluster.name: ELK
node.name: elk-2
node.master: false
node.data: true
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.200.12
http.port: 9200
discovery.zen.ping.unicast.hosts: ["elk-1", "elk-2","elk-3"]

[root@elk-3 ~]# cat /etc/elasticsearch/elasticsearch.yml | grep -v ^#
cluster.name: ELK
node.name: elk-3
node.master: false
node.data: true
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.200.13
http.port: 9200
discovery.zen.ping.unicast.hosts: ["elk-1", "elk-2","elk-3"]

通过命令启动elasticsearch查看运行状态(三台命令相同,出现9200和9300则启动成功):

[root@elk-1 ~]# systemctl restart elasticsearch.service
[root@elk-1 ~]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      911/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1002/master         
tcp6       0      0 192.168.200.11:9200     :::*                    LISTEN      12367/java          
tcp6       0      0 192.168.200.11:9300     :::*                    LISTEN      12367/java          
tcp6       0      0 :::22                   :::*                    LISTEN      911/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      1002/master    

检测集群状态:

[root@elk-1 ~]# curl '192.168.200.11:9200/_cluster/health?pretty'
{
  "cluster_name" : "ELK",
  "status" : "green",	//为green则代表健康没问题,yellow或者red	则是集群有问题
  "timed_out" : false,	//是否有超时
  "number_of_nodes" : 3, //集群中的节点数量
  "number_of_data_nodes" : 2,	//集群中data节点的数量
  "active_primary_shards" : 1,
  "active_shards" : 2,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
4、部署kibana

在主节点11上部署kibana,将kibana的rpm包上传到/root下

[root@elk-1 ~]# rpm -ivh kibana-6.0.0-x86_64.rpm 
warning: kibana-6.0.0-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:kibana-6.0.0-1                   ################################# [100%]

修改kibana配置文件

[root@elk-1 ~]# cat /etc/kibana/kibana.yml | grep -v ^# | grep -v ^$
server.port: 5601
server.host: "192.168.200.11"
elasticsearch.url: "http://192.168.200.11:9200"

启动kibana

[root@elk-1 ~]# systemctl restart kibana.service
[root@elk-1 ~]#  ps -ef |grep kibana
kibana    12580      1 20 10:25 ?        00:00:02 /usr/share/kibana/bin/../node/bin/node --no-warnings /usr/share/kibana/bin/../src/cli -c /etc/kibana/kibana.yml
root      12597   2263  0 10:25 pts/1    00:00:00 grep --color=auto kibana
[root@elk-1 ~]# netstat -ntlp | grep node
tcp        0      0 192.168.200.11:5601     0.0.0.0:*               LISTEN      12580/node   

在浏览器访问192.168.200.11:5601

5、部署logstash

在elk-2上传logstash的rpm包到/root下并安装

[root@elk-2 ~]# rpm -ivh logstash-6.0.0.rpm 
warning: logstash-6.0.0.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:logstash-1:6.0.0-1               ################################# [100%]
Using provided startup.options file: /etc/logstash/startup.options
Successfully created system startup script for Logstash

修改logstash配置文件

[root@elk-2 ~]# vi /etc/logstash/logstash.yml
//修改第190行
http.host: "192.168.200.12"

配置logstash收集syslog日志

[root@elk-2 ~]# vim /etc/logstash/syslog.conf
input {
        file {
                path => "/var/log/messages" //需要为这个目录修改644权限
                type => "systemlog"
                start_position => "beginning"
                stat_interval => "3"
        }
}
output {
     if [type] == "systemlog" {
        elasticsearch {
            hosts => ["192.168.200.11:9200"]
            index => "system-log-%{+YYYY.MM.dd}"
        }
     }  
}
[root@elk-2 ~]# chmod 644 -R /var/log/messages 
[root@elk-2 ~]# chown -R logstash /var/lib/logstash/

检测配置文件是否错误

[root@elk-2 ~]#  ln -s /usr/share/logstash/bin/logstash /usr/bin 
[root@elk-2 ~]# logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/syslog.conf --config.test_and_exit
Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
Configuration OK

启动logstash,并查看端口

[root@elk-2 ~]# systemctl restart logstash.service 
[root@elk-2 ~]# netstat -ntlp | grep 9600
tcp6       0      0 192.168.200.12:9600     :::*                    LISTEN      12890/java   
6、在kibana上查看日志

使用elk-3远程登陆elk-2使其生成日志

[root@elk-1 ~]# curl '192.168.200.11:9200/_cat/indices?v'
health status index                 uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana               eL1dAxyBTr6TTGptG0z29g   1   1          1            0      7.3kb          3.6kb
green  open   system-log-2021.11.01 _0u6J8_TQK2xrYsUZqr_Qw   5   1      10330            0      4.5mb          2.3mb
[root@elk-1 ~]# curl -XGET/DELETE '192.168.200.11:9200/system-log-2021.11.01?pretty'
{
  "system-log-2021.11.01" : {
    "aliases" : { },
    "mappings" : {
      "systemlog" : {
        "properties" : {
          "@timestamp" : {
            "type" : "date"
          },
          "@version" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          },
          "host" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          },
          "message" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          },
          "path" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          },
          "type" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          }
        }
      }
    },
    "settings" : {
      "index" : {
        "creation_date" : "1635734784607",
        "number_of_shards" : "5",
        "number_of_replicas" : "1",
        "uuid" : "_0u6J8_TQK2xrYsUZqr_Qw",
        "version" : {
          "created" : "6000099"
        },
        "provided_name" : "system-log-2021.11.01"
      }
    }
  }
}
7、Logstash收集Nginx日志

在elk-2上安装Nginx

[root@elk-2 ~]# rpm -ivh nginx-1.16.1-1.el7.ngx.x86_64.rpm 
warning: nginx-1.16.1-1.el7.ngx.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 7bd9bf62: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:nginx-1:1.16.1-1.el7.ngx         ################################# [100%]

配置Logstash,检查文件是否正确

[root@elk-2 ~]# vim /etc/logstash/conf.d/nginx.conf
input {
  file {
   path => "/tmp/elk_access.log"
   start_position => "beginning"
   type => "nginx"
  }
}
filter {
    grok {
        match => { "message" => "%{IPORHOST:http_host} %{IPORHOST:clientip} - % {USERNAME:remote_user} \[%{HTTPDATE:timest
amp}\] \"(?:%{WORD:http_verb} %{NOTSPACE:http_request}(?: HTTP/%{NUMBER:http_version})?|%{DATA:raw_http_request})\" %{NUMB
ER:response} (?:%{NUMBER:bytes_read}|-) %{QS:referrer} %{QS:agent} %{QS:xforwardedfor} %{NUMBER:request_time:float}"}
}
geoip {
    source => "clientip"
}
}
output {
stdout { codec => rubydebug }
elasticsearch {
    hosts => ["192.168.200.11:9200"]
index => "nginx-test-%{+YYYY.MM.dd}"
  }
}
[root@elk-2 ~]# logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/nginx.conf --config.test_and_exit
Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
Configuration OK

编辑监听Nginx日志配置文件

[root@elk-1 ~]# vi /etc/nginx/conf.d/elk.conf 
server {
        listen 80;
        server_name elk.com;

        location / {
            proxy_pass      http://192.168.40.11:5601;
            proxy_set_header Host   $host;
            proxy_set_header X-Real-IP      $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        access_log  /tmp/elk_access.log main2;
}

修改Nginx日志配置文件

[root@elk-1 ~]# vim /etc/nginx/nginx.conf 
//在http里添加以下内容
log_format main2 '$http_host $remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$upstream_addr" $request_time';
[root@elk-2 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@elk-2 ~]# systemctl start nginx
[root@elk-2 ~]# systemctl restart logstash
8、使用beats采集日志

在elk-3上安装Beats

[root@elk-3 ~]# rpm -ivh filebeat-6.0.0-x86_64.rpm 
warning: filebeat-6.0.0-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:filebeat-6.0.0-1                 ################################# [100%]

修改Beats的配置文件

[root@elk-3 ~]#  vim /etc/filebeat/filebeat.yml 
filebeat.prospectors:
#enabled: false //注释掉该参数
paths:
- /var/log/elasticsearch/ELK.log	//此处可自行改为想要监听的日志文件
output.elasticsearch:
  hosts: ["192.168.40.11:9200"]
[root@elk-3 ~]#  systemctl start  filebeat

在elk-1上使用curl '192.168.200.11:9200/_cat/indices?v’

[root@elk-1 ~]# curl '192.168.200.11:9200/_cat/indices?v'
health status index                     uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   nginx-test-2021.11.01     aZqM9gJ0RgqwZCw8Zfmr9w   5   1      10544            0      3.1mb          1.6mb
green  open   .kibana                   eL1dAxyBTr6TTGptG0z29g   1   1          2            0     14.1kb            7kb
green  open   system-log-2021.11.01     _0u6J8_TQK2xrYsUZqr_Qw   5   1      20877            0      9.3mb          4.9mb
green  open   filebeat-6.0.0-2021.11.01 u0ZqpY7iTzC5B4nL2bRlFQ   3   1         59            0     80.2kb         31.4kb
posted @ 2021-11-01 11:38  殇黯瞳  阅读(439)  评论(0编辑  收藏  举报