elk安装(这个是初级的可以把这个套件安上)

http://udn.yyuap.com/doc/logstash-best-practice-cn/index.html

 

ELK其实并不是一款软件,而是一整套解决方案,是三个开源软件Elasticsearch,Logstash和Kibana。

Elasticsearch是一个实时的分布式搜索和分析引擎,它可以用于全文搜索以及分析。它是一个建立在全文搜索引擎ApacheLucene基础上的搜索引擎,便用java语言编写。

主要特点:实时分析;分布式实时文件 存储,并将每个字段都编入索引;文档导向,所有的对象全部是文档;高可用性,易扩展,支持集群(cluster)分片和复制(shards和replicas);支持JSON

集群:

分片和复制

Logstash:是一个具有实时渠道能力的数据收集引擎。

主要特点:几乎可以访问任何数据;可以和多种外部应用结合;支持弹性扩展

它由三个主要部分组成:shipper(发送日志数据);broker(收集数据,缺省内置redis)indexer(数据写入)

shipper是托运者的意思;很多运用场景都没有用logstash作为shipper,或者说没有用elasticsearch作为数据存储也就是说没有indexer(indexer有索引器的意思);logstash怎么配置logstash进程,然后运用到斧的日志管理架构中最合适它位置。

kibana:是一款基于apache开源协议,使用javascript语言编写,为elasticsearch提供分析和可视代的web平台。它可以在elasticsearch的索引中查找,交互数据,并生成各种维度的表图。

ELK协义体系结构。基本流程是shipper负责从各种数据源里采集数据,然后发送到broker,indexer将存放在broker中的数据再写入Elasticsearch,elasticsearch对这些数据创建索引,然后由kibana对其进行各种分析并以图表展示:

安装elasticsearch需要java8:先安装java8

解压即可,然后修改参数:

sh-4.1$ egrep -v '^#' config/elasticsearch.yml
cluster.name: iseastar
node.name: node_1
path.data: /usr/local/elasticsearch/data
path.logs: /usr/local/elasticsearch/logs
network.host: 123.xx.xx.xxx
http.port: 9200
sh-4.1$ pwd
/usr/local/elasticsearch

对系统参数调整:

sh-4.1# tail -1 /etc/sysctl.conf 
vm.max_map_count = 262144
#在/etc/sysctl.conf追加上面一条
#并执行命令:
sysctl -p
天配置文件中追加如下两行
sh-4.1# tail -2 /etc/security/limits.conf 
* hard nofile 65536
* soft nofile 65536
# cat /etc/security/limits.d/90-nproc.conf 
# Default limit for number of user's processes to prevent
# accidental fork bombs.
# See rhbz #432903 for reasoning.

*          soft    nproc     2048
root       soft    nproc     unlimited
#在这里修改

elasticsearch是一个近似实时的搜索平台,从索引文档到可搜索有些延迟,通常为1秒。

启动elasticsearch不能以root开启动,只能以普通用户启动

useradd elastic
 passwd elastic
改变目录的属组履主
chown -R elastic:elastic ELK/
以DEMO的方式启动:
./bin/elasticsearch

logstash安装很简单,解压做个软链接,然后修改一下配置文件:

lrwxrwxrwx   1 root    root      29 Nov 24 08:52 logstash -> /usr/local/ELK/logstash-5.0.1

测试logstash

sh-4.1# pwd
/usr/local/logstash
sh-4.1# ./bin/logstash -e 'input { stdin { } } output { stdout { } }'




Sending Logstash's logs to /usr/local/logstash/logs which is now configured via log4j2.properties
The stdin plugin is now waiting for input:
[2016-11-24T09:00:54,674][INFO ][logstash.pipeline        ] Starting pipeline {"id"=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>500}
[2016-11-24T09:00:54,710][INFO ][logstash.pipeline        ] Pipeline main started
[2016-11-24T09:00:54,764][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
2016-11-24T01:00:54.694Z iZ2zeiqn00z9x5uu126tjpZ 
2016-11-24T01:00:54.716Z iZ2zeiqn00z9x5uu126tjpZ 
2016-11-24T01:00:54.718Z iZ2zeiqn00z9x5uu126tjpZ 
2016-11-24T01:00:54.719Z iZ2zeiqn00z9x5uu126tjpZ 
2016-11-24T01:01:28.279Z iZ2zeiqn00z9x5uu126tjpZ 
2016-11-24T01:01:28.499Z iZ2zeiqn00z9x5uu126tjpZ 
2016-11-24T01:01:28.692Z iZ2zeiqn00z9x5uu126tjpZ 
2016-11-24T01:01:30.136Z iZ2zeiqn00z9x5uu126tjpZ 
2016-11-24T01:01:30.992Z iZ2zeiqn00z9x5uu126tjpZ 

配置 logstash

sh-4.1# mkdir /usr/local/logstash/etc
sh-4.1# vim /usr/local/logstash/etc/hello_search.conf
sh-4.1# cat /usr/local/logstash/etc/hello_search.conf 
input {
    stdin {
        type =>"human"
 }
}

output {
    stdout {
        codec =>rubydebug
    }
    elasticsearch {
        host =>"123.57.15.154"
        port => 9200
    }

}
sh-4.1# 

启动: 有报错!!!!(先不管最后再解决)

 

sh-4.1# ./logstash -e 'input {stdin {} } output {stdout {} }'
Sending Logstash's logs to /usr/local/logstash/logs which is now configured via log4j2.properties
The stdin plugin is now waiting for input:
[2016-11-25T16:42:12,468][INFO ][logstash.pipeline        ] Starting pipeline {"id"=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>500}
[2016-11-25T16:42:12,485][INFO ][logstash.pipeline        ] Pipeline main started
[2016-11-25T16:42:12,554][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}

 

输入hello world

sh-4.1# ./logstash -e 'input {stdin {} } output {stdout {} }'
Sending Logstash's logs to /usr/local/logstash/logs which is now configured via log4j2.properties
The stdin plugin is now waiting for input:
[2016-11-25T16:42:12,468][INFO ][logstash.pipeline        ] Starting pipeline {"id"=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>500}
[2016-11-25T16:42:12,485][INFO ][logstash.pipeline        ] Pipeline main started
[2016-11-25T16:42:12,554][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
hello world!!!!
2016-11-25T08:48:10.336Z iZ2zeiqn00z9x5uu126tjpZ hello world!!!!
这里通过stdin输入信息,然后通过stdout输出信息。在输入hello world后logstash将处理后的信息输出到屏幕

 

# ./bin/logstash -e "input {stdin{}}output{stdout{codec=>rubydebug}}"
Sending Logstash's logs to /usr/local/logstash/logs which is now configured via log4j2.properties
The stdin plugin is now waiting for input:
[2016-11-27T00:39:15,990][INFO ][logstash.pipeline        ] Starting pipeline {"id"=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>500}
[2016-11-27T00:39:16,022][INFO ][logstash.pipeline        ] Pipeline main started
[2016-11-27T00:39:16,175][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9601}
hello world
{
    "@timestamp" => 2016-11-26T16:39:25.365Z,
      "@version" => "1",
          "host" => "iZ2zeiqn00z9x5uu126tjpZ",
       "message" => "hello world",
          "tags" => []
}

 logstash提供了一个shell脚本叫logstash方便快速运行。它支持一下参数:

-e:意即执行。我们在"Hello World"的时候已经用过这个参数了。事实上你可以不写任何具体配置,直接运行:

./bin/logstash -e ''

达到相同效果。这个参数的默认值是下面这样:

input {
    stdin {}
}
output {
    stdout {}
}

--config或-f:意即文件。真实运用中,我们会写很长的配置,甚至可能超过shell所能支持的1024个字符长度。所以我们必把配置固化到文件,然后通过:

./bin/logstash -f file_name.conf
#这样的形式来运行

些外,logstash还担供一个方便我们规划和书写配置的小功能。你可以直接用:

./bin/logstash -f /etc/logstash.d/
来运行。loogstash会自动读取
/etc/logstsh.d/目录下所有的文本文件,然后在自己内存里拼接成一个完整的大配置文件,再去执行

--configtest 或 -t:意即测试。用来测试logstash读取到的配置文件语法是否能正常解析。logstash配置语法是用grammar.treetop定义的尤其是使用了上一条提到的读取目录方式折读者,尤其要提前测试。

./bin/logstash -t -f conf/st.conf 
Sending Logstash's logs to /usr/local/logstash/logs which is now configured via log4j2.properties
Configuration OK
[2016-11-27T01:26:26,665][INFO ][logstash.runner          ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash

 

 

sh-4.1# /usr/local/logstash/bin/logstash -f /usr/local/logstash/etc/hello_search.conf 
Sending Logstash's logs to /usr/local/logstash/logs which is now configured via log4j2.properties
[2016-11-24T10:52:45,880][ERROR][logstash.outputs.elasticsearch] Unknown setting 'host' for elasticsearch
[2016-11-24T10:52:45,883][ERROR][logstash.outputs.elasticsearch] Unknown setting 'port' for elasticsearch
[2016-11-24T10:52:45,891][ERROR][logstash.agent           ] fetched an invalid config {:config=>"input {\n\tstdin {\n\t\ttype => \"human\"\n\t}\n}\n\noutput {\n\tstdout {\n\t\tcodec => rubydebug\n\t}\n\telasticsearch {\n\t\thost => \"123.xxx.xxx.xxx\"\n\t\tport => 9200\n\t}\n\n}\n\n", :reason=>"Something is wrong with your configuration."}

再次配置logstash:

# cat conf/logstash.conf 
input {
    file {  
        type => "stagefalcon"
        tags => "falcon"
        path => "/var/log/facon/access.log"
        start_position => beginning
        sincedb_path => "/usr/local/logstash/conf/access.sincedb"
    }
}
output {
    stdout {}
    redis {
        host => "127.0.0.1"
        port => "6379"
        data_type => "list"
        key => "stagefalcon"
    }
}

 logstash启动成功:

/usr/local/logstash/bin/logstash -f /usr/local/logstash/conf/logstash.conf

 stdin: 标准输入

安装kibana

 这个很简单,也是解压就可以了,配置暂时用默认的,但要做两处修改:下面的ip是本机的外网ip

# egrep -v "(^#|^$)" /usr/local/kibana/config/kibana.yml
server.host: "123.xx.xx.xx"
elasticsearch.url: "http://123.xx.xx.xx:9200"

输入ip加端口:5601

 

logstash的相关插件下载:
https://github.com/logstash-plugins

 注意配置hosts文件:(布属elasticsearch的服务器)

# cat /etc/hosts
127.0.0.1 localhost
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.17x1.xx.1xx iZ2zx
xx171.6x105 elasticsearch
xx.57.15.xx elasticsearch

 

posted @ 2016-11-23 22:33  bass  阅读(1186)  评论(0编辑  收藏  举报