ELK cluster configuration and cracking X-Pack

 

1. Environment information and pre-installation preparation

  Host information (use as much memory as possible)

  

  Software versions

  

  Pre-deployment steps

Disable the firewall, SELinux and similar services, and turn off their start at boot
Sync time with the time server
[root@hk-elk-elastic5 java]# systemctl stop firewalld
[root@hk-elk-elastic5 java]# systemctl disable firewalld.service
[root@hk-elk-elastic5 java]# crontab -l
0 */8 * * *  /usr/sbin/ntpdate 10.20.1.1;/sbin/hwclock -w

 

2. Starting Redis

  See the official Redis site for startup and configuration details.

3. Installing and configuring the Elasticsearch cluster

  1. ELK needs a Java environment; create the elastic user

 

[root@hk-elk-elastic1 java]# rpm -ivh jdk-8u181-linux-x64.rpm
[root@hk-elk-elastic1 java]# vim /etc/profile    # configure the Java environment variables
JAVA_HOME=/usr/java/jdk1.8.0_181-amd64
CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
PATH=$JAVA_HOME/bin:$PATH
export PATH JAVA_HOME CLASSPATH
[root@hk-elk-elastic1 ~]# groupadd elastic
[root@hk-elk-elastic1 ~]# useradd -g elastic elastic
[root@hk-elk-elastic1 ~]# mkdir /data/log -p  # create the data directory and the log directory (before the chown, so they end up owned by elastic)
[root@hk-elk-elastic1 ~]# chown elastic:elastic /usr/local/elk -R  # give the elastic user ownership of the directories
[root@hk-elk-elastic1 ~]# chown elastic:elastic /data -R

[root@hk-elk-elastic1 java]# sudo -u elastic java -version  # check that the elastic user can run java
java version "1.8.0_181"
Java(TM) SE Runtime Environment (build 1.8.0_181-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.181-b13, mixed mode)

  2. Installing and configuring Elasticsearch (master)

[root@hk-elk-elastic1 java]# cd /usr/local/elk/
[root@hk-elk-elastic1 elk]# tar -xf elasticsearch-6.3.0.tar.gz

## Configure the Elasticsearch heap: never more than 32G, ideally half of the system memory
[root@hk-elk-elastic1 elk]# vim elasticsearch-6.3.0/config/jvm.options
-Xms8g
-Xmx8g

[root@hk-elk-elastic1 elk]# grep "^[a-z]" elasticsearch-6.3.0/config/elasticsearch.yml 
cluster.name: hk-elk-application    # cluster name
node.name: hk-elk-master1    # node name  ## master2 and master3 differ only in this node name; the rest of the configuration is identical
node.master: true    # eligible for master election
node.data: false    # does not store data
path.data: /data    # data directory
path.logs: /data/log    # log directory
network.host: 10.20.11.205        # listen IP
http.port: 9200    # HTTP port
transport.tcp.port: 9300    # transport port
discovery.zen.ping.unicast.hosts: ["10.20.11.205:9300","10.20.11.206:9300","10.20.11.207:9300"]    # master hosts and their transport ports
discovery.zen.minimum_master_nodes: 2    # (number of master-eligible nodes / 2) + 1, prevents split brain
discovery.zen.ping_timeout: 60s    # ping timeout between masters; set to 60s to allow for network conditions

    Installing and configuring Elasticsearch (data)

[root@hk-elk-elastic4 elk]# grep "^[a-z]" elasticsearch-6.3.0/config/elasticsearch.yml 
cluster.name: hk-elk-application
node.name: hk-elk-data2  # node name  ## data2 differs only in this node name; the rest of the configuration is identical
node.master: false  # not eligible for master election
node.data: true  # data node
path.data: /data
path.logs: /data/log
network.host: 10.20.11.209
http.port: 9200
transport.tcp.port: 9300
discovery.zen.ping.unicast.hosts: ["10.20.11.205:9300","10.20.11.206:9300","10.20.11.207:9300"]

  Set the open-file, process-count and memory-lock limits, and the kernel parameters

[root@hk-elk-elastic1 elk]# vim /etc/security/limits.conf
*       soft    nofile  65536
*       hard    nofile  65536
*       soft    memlock unlimited
*       hard    memlock unlimited
[root@hk-elk-elastic1 elk]# vim /etc/security/limits.d/20-nproc.conf
*          soft    nproc     20480
root       soft    nproc     unlimited

[root@hk-elk-elastic1 elk]# vim /etc/sysctl.conf
vm.max_map_count=655360
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
[root@hk-elk-elastic1 elk]# sysctl -p  # apply the kernel settings immediately

    Start the Elasticsearch service

[root@hk-elk-elastic1 elk]# cat /root/elastic.sh
sudo -u elastic /usr/local/elk/elasticsearch-6.3.0/bin/elasticsearch -d && tailf /data/log/hk-elk-application.log

 


   The console output shows the service starting and, through discovery, the other nodes joining. We can then check the cluster state:

[root@hk-elk-elastic1 elk]# curl http://10.20.11.205:9200/_cat/health?v
                            (cluster name)     (status) (total nodes) (data nodes)
epoch      timestamp cluster            status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1540902792 20:33:12  hk-elk-application green           5         2     30  15    0    0        0             0                  -                100.0%

[root@hk-elk-elastic1 elk]# curl http://10.20.11.205:9200/_cat/nodes?v
ip           heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.20.11.205            4          65   0    0.00    0.01     0.05 mi        *      hk-elk-master1  ## this node was elected master
10.20.11.207            3          63   0    0.00    0.01     0.05 mi        -      hk-elk-master3
10.20.11.209            7          63   0    0.00    0.01     0.05 di        -      hk-elk-data2
10.20.11.208            8          63   0    0.00    0.03     0.05 di        -      hk-elk-data1
10.20.11.206            4          63   0    0.00    0.01     0.05 mi        -      hk-elk-master2
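As an added example (not from the original post), a Python check that parses the _cat/nodes?v table above, counts the master-eligible nodes from the node.role column and compares the configured discovery.zen.minimum_master_nodes with the (masters/2)+1 rule given in the configuration comments. The table text is a constructed copy of the output shown above.

```python
# Quorum check against GET /_cat/nodes?v output (added example, not from the post).

# Constructed sample: the five-node cluster shown above, as _cat/nodes?v prints it.
CAT_NODES_SAMPLE = """\
ip           heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.20.11.205            4          65   0    0.00    0.01     0.05 mi        *      hk-elk-master1
10.20.11.207            3          63   0    0.00    0.01     0.05 mi        -      hk-elk-master3
10.20.11.209            7          63   0    0.00    0.01     0.05 di        -      hk-elk-data2
10.20.11.208            8          63   0    0.00    0.03     0.05 di        -      hk-elk-data1
10.20.11.206            4          63   0    0.00    0.01     0.05 mi        -      hk-elk-master2
"""


def parse_cat_nodes(text):
    """Turn the whitespace-aligned _cat/nodes?v table into dicts keyed by column name."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        cols = line.split()
        if len(cols) != len(header):
            raise ValueError(f"column count does not match header: {line!r}")
        rows.append(dict(zip(header, cols)))
    return rows


def required_minimum_master_nodes(master_eligible):
    """The rule from the config comment: (master-eligible nodes / 2) + 1."""
    return master_eligible // 2 + 1


def check_quorum(cat_nodes_text, configured_minimum):
    """Compare the configured discovery.zen.minimum_master_nodes with the
    number of master-eligible nodes actually present in the cluster."""
    rows = parse_cat_nodes(cat_nodes_text)
    # node.role letters in 6.x: m = master-eligible, d = data, i = ingest.
    masters = [r["name"] for r in rows if "m" in r["node.role"]]
    elected = [r["name"] for r in rows if r["master"] == "*"]
    required = required_minimum_master_nodes(len(masters))
    return {
        "master_eligible": masters,
        "elected_master": elected[0] if elected else None,
        "required_minimum": required,
        "configured_minimum": configured_minimum,
        # Below the quorum, the two halves of a partitioned cluster can each
        # elect a master and accept writes independently (split brain).
        "split_brain_possible": configured_minimum < required,
        # Master-eligible nodes that can be lost while a master can still be
        # elected; negative means the configured value can never be satisfied.
        "master_failures_tolerated": len(masters) - configured_minimum,
    }
```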

 

4. Installing and configuring Kibana

 

[root@hk-elk-kibana elk]# tar -xf kibana-6.3.0-linux-x86_64.tar.gz
[root@hk-elk-kibana elk]# grep "^[a-z]" kibana-6.3.0-linux-x86_64/config/kibana.yml 
server.port: 5601  # port
server.host: "10.20.11.215"  # listen IP
elasticsearch.url: "http://10.20.11.205:9200"  # Elasticsearch host IP and port

[root@hk-elk-kibana elk]# cat /root/kibana.sh   # startup script
#!/bin/bash
/usr/local/elk/kibana-6.3.0-linux-x86_64/bin/kibana > /dev/null 2>&1 &

 

   The Elasticsearch cluster's host information and so on can now be seen.

 

5. Cracking the X-Pack plugin (# for study only)

  Since Elasticsearch 6.3, X-Pack ships installed by default, so users no longer need to install it themselves.

  1. Generate a new x-pack-core-6.3.0.jar and replace the original one

 

[root@hk-elk-elastic1 elk]# vim LicenseVerifier.java
package org.elasticsearch.license;

import java.nio.*;
import java.util.*;
import java.security.*;
import org.elasticsearch.common.xcontent.*;
import org.apache.lucene.util.*;
import org.elasticsearch.common.io.*;
import java.io.*;

public class LicenseVerifier {
    public static boolean verifyLicense(final License license, final byte[] encryptedPublicKeyData) {
        return true;
    }

    public static boolean verifyLicense(final License license) {
        return true;
    }
}
[root@hk-elk-elastic1 elk]# vim XPackBuild.java
package org.elasticsearch.xpack.core;

import org.elasticsearch.common.io.*;
import java.net.*;
import org.elasticsearch.common.*;
import java.nio.file.*;
import java.io.*;
import java.util.jar.*;

public class XPackBuild {
    public static final XPackBuild CURRENT;
    private String shortHash;
    private String date;

    @SuppressForbidden(reason = "looks up path of xpack.jar directly")
    static Path getElasticsearchCodebase() {
        final URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
        try {
            return PathUtils.get(url.toURI());
        } catch (URISyntaxException bogus) {
            throw new RuntimeException(bogus);
        }
    }

    XPackBuild(final String shortHash, final String date) {
        this.shortHash = shortHash;
        this.date = date;
    }

    public String shortHash() {
        return this.shortHash;
    }

    public String date() {
        return this.date;
    }

    static {
        final Path path = getElasticsearchCodebase();
        String shortHash = null;
        String date = null;
        Label_0157: {
            shortHash = "Unknown";
            date = "Unknown";
        }
        CURRENT = new XPackBuild(shortHash, date);
    }
}
[root@hk-elk-elastic1 elk]# javac -cp "/usr/local/elk/elasticsearch-6.3.0/lib/elasticsearch-6.3.0.jar:/usr/local/elk/elasticsearch-6.3.0/lib/lucene-core-7.3.1.jar:/usr/local/elk/elasticsearch-6.3.0/modules/x-pack/x-pack-core/x-pack-core-6.3.0.jar" LicenseVerifier.java
[root@hk-elk-elastic1 elk]# javac -cp "/usr/local/elk/elasticsearch-6.3.0/lib/elasticsearch-6.3.0.jar:/usr/local/elk/elasticsearch-6.3.0/lib/lucene-core-7.3.1.jar:/usr/local/elk/elasticsearch-6.3.0/modules/x-pack/x-pack-core/x-pack-core-6.3.0.jar:/usr/local/elk/elasticsearch-6.3.0/lib/elasticsearch-core-6.3.0.jar"  XPackBuild.java
[root@hk-elk-elastic1 elk]# cp -a /usr/local/elk/elasticsearch-6.3.0/modules/x-pack/x-pack-core/x-pack-core-6.3.0.jar .
[root@hk-elk-elastic1 elk]# jar -xf x-pack-core-6.3.0.jar
[root@hk-elk-elastic1 elk]# rm -rf LicenseVerifier.java XPackBuild.java x-pack-core-6.3.0.jar
[root@hk-elk-elastic1 elk]# cp -a LicenseVerifier.class org/elasticsearch/license/
[root@hk-elk-elastic1 elk]# cp -a XPackBuild.class org/elasticsearch/xpack/core/
[root@hk-elk-elastic1 elk]# rm -rf LicenseVerifier.class XPackBuild.class
[root@hk-elk-elastic1 elk]# jar -cvf x-pack-core-6.3.0.jar *
[root@hk-elk-elastic1 elk]# cp -a x-pack-core-6.3.0.jar  /usr/local/elk/elasticsearch-6.3.0/modules/x-pack/x-pack-core/

[root@hk-elk-elastic1 elk]# vim /usr/local/elk/elasticsearch-6.3.0/config/elasticsearch.yml
xpack.security.enabled: false    # disable X-Pack security (do this on all 3 masters)

 

   2. Restart the Elasticsearch service and upload license.json

[root@hk-elk-elastic1 config]# cat /root/license.json 
{"license":{"uid":"2e44e23c-7087-447b-9a0e-398b8b7a917c","type":"platinum","issue_date_in_millis":1532649600000,"expiry_date_in_millis":2544271999999,"max_nodes":100,"issued_to":"han jiang (www.zfcloud.com)","issuer":"Web Form","signature":"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","start_date_in_millis":1532649600000}}

[root@hk-elk-elastic1 elk]# curl -XPUT -u elastic:chageme 'http://10.20.11.205:9200/_xpack/license' -H "Content-Type: application/json" -d @license.json    # (run on all 3 masters)
{"acknowledged":true,"license_status":"valid"}

   This shows the crack succeeded, but versions 6.0 and above enforce SSL on the transport layer, so we need to configure SSL.

6. Configuring SSL and enabling X-Pack

  1. Create the certificates

 

  2. Extract and configure the certificates and copy them to the other hosts (master and data)

[root@hk-elk-elastic1 elk]# mkdir /tmp/cert
[root@hk-elk-elastic1 elk]# mv cert.zip /tmp/cert/
[root@hk-elk-elastic1 elk]# cd /tmp/cert/
[root@hk-elk-elastic1 elk]# unzip cert.zip
Archive:  cert.zip
   creating: ca/
  inflating: ca/ca.crt
  inflating: ca/ca.key
   creating: elasticsearch/
  inflating: elasticsearch/elasticsearch.crt
  inflating: elasticsearch/elasticsearch.key
[root@hk-elk-elastic1 elk]# ll
总用量 8
drwxrwxr-x 2 elastic elastic   34 9月  20 13:47 ca
-rw------- 1 elastic elastic 5157 9月  20 13:47 cert.zip
drwxrwxr-x 2 elastic elastic   56 9月  20 13:47 elasticsearch
[root@hk-elk-elastic1 elk]# mv ca/* /usr/local/elasticsearch/config/
[root@hk-elk-elastic1 elk]# mv elasticsearch/* /usr/local/elasticsearch/config/
[root@hk-elk-elastic1 elk]# cd /usr/local/elasticsearch/config/
[root@hk-elk-elastic1 elk]# ll -rct  # the last four entries are the new files
总用量 48
-rw-rw---- 1 elastic elastic    0 9月  19 16:15 users_roles
-rw-rw---- 1 elastic elastic    0 9月  19 16:15 users
-rw-rw---- 1 elastic elastic  197 9月  19 16:15 roles.yml
-rw-rw---- 1 elastic elastic  473 9月  19 16:15 role_mapping.yml
-rw-rw---- 1 elastic elastic 6380 9月  19 16:15 log4j2.properties
-rw-rw---- 1 elastic elastic 2942 9月  19 16:15 jvm.options
-rw-r----- 1 elastic elastic 2853 9月  19 16:15 elasticsearch.yml-bak
-rw-rw---- 1 elastic elastic  207 9月  19 16:20 elasticsearch.keystore
-rw-rw---- 1 elastic elastic 2905 9月  20 13:27 elasticsearch.yml
-rw-rw-r-- 1 elastic elastic 1671 9月  20 13:57 ca.key
-rw-rw-r-- 1 elastic elastic 1200 9月  20 13:57 ca.crt
-rw-rw-r-- 1 elastic elastic 1675 9月  20 13:57 elasticsearch.key
-rw-rw-r-- 1 elastic elastic 1237 9月  20 13:57 elasticsearch.crt
[root@hk-elk-elastic1 elk]# scp -pr *.crt root@10.20.11.[206--209]:/usr/local/elk/elasticsearch-6.3.0/config/

 

   3. Configure SSL (the same on the other nodes)

[root@hk-elk-elastic1 elk]# grep "^[a-z]" /usr/local/elk/elasticsearch-6.3.0/config/elasticsearch.yml 
cluster.name: hk-elk-application
node.name: hk-elk-master1
node.master: true
node.data: false
path.data: /data
path.logs: /data/log
network.host: 10.20.11.205
http.port: 9200
transport.tcp.port: 9300
discovery.zen.ping.unicast.hosts: ["10.20.11.205:9300","10.20.11.206:9300","10.20.11.207:9300"]
discovery.zen.minimum_master_nodes: 2
discovery.zen.ping_timeout: 60s
xpack.security.enabled: true  # was false earlier; now it must be enabled
xpack.security.transport.ssl.enabled: true
xpack.ssl.key: elasticsearch.key  # write the paths out explicitly
xpack.ssl.certificate: elasticsearch.crt
xpack.ssl.certificate_authorities: ca.crt

 

   4. Restart the Elasticsearch service

  We need to configure the Kibana user password

  5. Create the passwords for the ELK cluster users

[root@hk-elk-elastic1 elk]# ./elasticsearch-setup-passwords -h  # show the command help
Sets the passwords for reserved users

Commands
--------
auto - Uses randomly generated passwords          # main option: the tool generates random passwords
interactive - Uses passwords entered by a user    # main option: passwords are typed in by the user

Non-option arguments:
command              

Option         Description        
------         -----------        
-h, --help     show help          
-s, --silent   show minimal output
-v, --verbose  show verbose output
[root@hk-elk-elastic1 elk]# ./elasticsearch-setup-passwords auto  # for this demo we let the tool generate the passwords
Initiating the setup of passwords for reserved users elastic,kibana,logstash_system,beats_system.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y     # answer y


Changed password for user kibana                   # kibana user and password
PASSWORD kibana = SY8ubxQWUdFieDJNlJt6

Changed password for user logstash_system          # logstash_system user and password
PASSWORD logstash_system = h9MkqxtCfJYRBx3NTruQ

Changed password for user beats_system             # beats_system user and password
PASSWORD beats_system = KEPbjSJuSuXGWMsSAvxx

Changed password for user elastic                  # elastic user and password
PASSWORD elastic = kijObt6nZkY9KU4CwJkn

   # Save these passwords first.

  Configure Elasticsearch user authentication in Kibana

[root@hk-elk-kibana elk]# grep "^elastic" /usr/local/elk/kibana-6.3.0-linux-x86_64/config/kibana.yml 
elasticsearch.url: "http://10.20.11.205:9200"
elasticsearch.username: "elastic"
elasticsearch.password: "kijObt6nZkY9KU4CwJkn"

 

   Restart Kibana and open the UI

   ## We log in here as the elastic user. A pitfall just hit: if you log in as the kibana user, the index data is not visible.

 

7. Configuring nginx logging and Logstash

  1. Configure the nginx log format.

 

[root@cc conf]# vim /usr/local/tengine/conf/nginx.conf  # define the log format for ELK
log_format  ELK  '$remote_addr > ($hostname)$server_addr:$server_port - $remote_user [$time_local] $http_host "$request" '
                 '$status $body_bytes_sent "$http_referer" $upstream_status $upstream_addr $request_time $upstream_response_time '
                 '"$http_user_agent" "$http_x_forwarded_for"';

[root@cc conf]# vim /usr/local/tengine/conf/conf.d/test.conf  # write the nginx access log in the ELK format
access_log /home/nginx/nginx.log ELK;

 

   2. Set up Filebeat to ship the nginx logs to Redis.

[root@cc ~]# cd /usr/local/elk
[root@cc local]# tar -xf filebeat-6.3.1-linux-x86_64.tar.gz
[root@cc local]# cat filebeat-6.3.1-linux-x86_64/filebeat.yml | grep -v "#"
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - '/home/nginx/*.log'
  tags: ["nginxlog"]
  document_type: nginxlog
  tail_files: true

output.redis: 
  hosts: ["10.20.11.200:6379","10.20.11.201:6379","10.20.11.202:6379"]  
  db: 2   # integer index of the Redis database: unlike MySQL, Redis has no database names, only indexes 0-15 (16 databases by default)
  timeout: 5   # connection timeout
  key: "default_list"  # push the events to Redis under the key default_list

 

   3. Set up and configure Logstash.

[root@hk-elk-logstash1 elk]# cd /usr/local/elk/
[root@hk-elk-logstash1 elk]# tar -xf logstash-6.3.0.tar.gz
[root@hk-elk-logstash1 elk]# vim /usr/local/elk/logstash-6.3.0/customconf/patterns/custompatterns  # custom patterns, because some fields may otherwise fail to match
URIPARM1 [A-Za-z0-9$.+!*'|(){},~@#%&/=:;^\\_<>`?\-\[\]]*
URIPATH1 (?:/[\\A-Za-z0-9$.+!*'(){},~:;=@#% \[\]_<>^\-&?]*)+
HOSTNAME1 \b(?:[0-9A-Za-z_\-][0-9A-Za-z-_\-]{0,62})(?:\.(?:[0-9A-Za-z_\-][0-9A-Za-z-:\-_]{0,62}))*(\.?|\b)
STATUS ([0-9.]{0,3}[, ]{0,2})+
HOSTPORT1 (%{IPV4}:%{POSINT}[, ]{0,2})+
FORWORD (?:%{IPV4}[,]?[ ]?)+|%{WORD}
STATUS2  ([0-9]+(?:\.[0-9A-Fa-f]+))
STATUS1  (([0-9]+(?:\.[0-9A-Fa-f]+))[,  ]{0,3})+
NUMBER1 ([0-9][,  ]{0,2})+
WORD1 \w+
#--------------------------------waf-------------------------------
WAFTIMES (%{DAY} %{MONTH} %{MONTHDAY} %{TIME} CST %{YEAR})
#--------------------------------ossec------------------------------
ALERTTIME  %{YEAR} %{SYSLOGTIMESTAMP}

[root@hk-elk-logstash1 elk]# vim conf/logstash_nginx.conf
input {
    redis {
        host => "10.20.11.200"
        port => 6379
        key => "default_list"
        data_type => "list"
        threads => 2
        batch_count => 500
        type => "nginxlog"
    }
    redis {
        host => "10.20.11.201"
        port => 6379
        key => "default_list"
        data_type => "list"
        threads => 2
        batch_count => 500
        type => "nginxlog"
    }
    redis {
        host => "10.20.11.202"
        port => 6379
        key => "default_list"
        data_type => "list"
        threads => 2
        batch_count => 500
        type => "nginxlog"
    }
}

filter {
    if [type] == "nginxlog" {
        grok {
            patterns_dir => "/usr/local/elk/logstash-6.3.0/customconf/patterns"
            #match => ["message", "%{IPORHOST:srcip} > \(%{HOSTNAME1:hostname}\)%{IPORHOST:dstip}(?::%{POSINT:dstport}) - (%{USERNAME:user}|-) \[%{HTTPDATE:requesttime}\] (%{HOSTNAME1:domain}|-) \"(?:%{WORD:requestmethod} %{URIPATH:url}(?:%{URIPARAM:params})?(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes:int}|-) \"(?:%{DATA:httpreferrer}|-)\" (%{STATUS:upstreamstatus}|-) (?:%{HOSTPORT1:upstreamaddr}|-) (%{BASE16FLOAT:upstreamresponsetime}|-) (%{STATUS:responsetime}|-) \"%{DATA:agent}\" \"(%{FORWORD:x_forword_for}|-)\""]
            match => ["message", "%{IPORHOST:srcip} > \(%{HOSTNAME1:hostname}\)%{IPORHOST:dstip}(?::%{POSINT:dstport}) - (%{USERNAME:user}|-) \[%{HTTPDATE:requesttime}\] (%{HOSTNAME1:domain}|-) \"(?:%{WORD:requestmethod} %{URIPATH:url}(?:%{URIPARAM:params})?(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes:int}|-) \"(?:%{DATA:httpreferrer}|-)\" (%{NUMBER1:upstreamstatus}|-) (?:%{HOSTPORT1:upstreamaddr}|-|%{WORD1})(%{WORD1}){0,1} (%{STATUS1:upstreamresponsetime}|-) (%{STATUS2:responsetime}|-) \"%{DATA:agent}\" \"(%{FORWORD:x_forword_for}|-)\""]
        }

        date {
            match => ["requesttime", "dd/MMM/yyyy:HH:mm:ss Z"]
        }
    }
}

output {
    elasticsearch {
        hosts => ["10.20.11.205:9200","10.20.11.206:9200","10.20.11.207:9200"]
        index => "logstash-%{type}-%{+YYYY.MM}"
        document_type => "%{type}"
        flush_size => 20000
        idle_flush_time => 10
        sniffing => true
        template_overwrite => true
        user => elastic
        password => kijObt6nZkY9KU4CwJkn
    }
}
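As an added example (not part of the original post and not the grok above), a Python parser for the ELK log_format defined in nginx.conf: one named group per nginx variable, in the order the format emits them (request_time before upstream_response_time), with the "-" and ", "-separated upstream list cases handled and the type conversions that %{NUMBER:bytes:int} and a mutate convert would perform. The sample lines are constructed; the addresses and hostnames in them are placeholders.

```python
import re
from datetime import datetime

# Regex mirroring the ELK log_format above: one named group per nginx variable,
# in emission order. The three upstream fields are "-" when nginx served the
# request itself, or a ", "-separated list when it retried several upstreams.
_ITEM = r'[^",\s]+'
_LIST = rf'{_ITEM}(?:, {_ITEM})*'
ELK_LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) > \((?P<hostname>[^)]*)\)'
    r'(?P<server_addr>[^:\s]+):(?P<server_port>\d+) - (?P<remote_user>\S+) '
    r'\[(?P<time_local>[^\]]+)\] (?P<http_host>\S+) "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<body_bytes_sent>\d+) "(?P<http_referer>[^"]*)" '
    rf'(?P<upstream_status>{_LIST}) (?P<upstream_addr>{_LIST}) '
    rf'(?P<request_time>\d+\.\d+) (?P<upstream_response_time>{_LIST}) '
    r'"(?P<http_user_agent>[^"]*)" "(?P<http_x_forwarded_for>[^"]*)"$'
)

# Constructed sample lines; addresses and hostnames are placeholders.
SAMPLE_LINES = [
    # proxied request answered by one upstream
    '10.20.1.50 > (web01)10.20.11.30:80 - - [29/Oct/2018:20:33:12 +0800] www.example.test '
    '"GET /api/v1/items?id=7 HTTP/1.1" 200 512 "-" 200 10.20.11.40:8080 0.012 0.010 '
    '"Mozilla/5.0" "-"',
    # static file served by nginx itself: every upstream field is "-"
    '10.20.1.51 > (web01)10.20.11.30:80 - - [29/Oct/2018:20:33:13 +0800] www.example.test '
    '"GET /static/app.js HTTP/1.1" 200 20480 "https://www.example.test/" - - 0.001 - '
    '"Mozilla/5.0" "203.0.113.9"',
    # first upstream returned 502, nginx retried the next one and the client got 200
    '10.20.1.52 > (web01)10.20.11.30:80 - - [29/Oct/2018:20:33:14 +0800] www.example.test '
    '"POST /login HTTP/1.1" 200 88 "-" 502, 200 10.20.11.40:8080, 10.20.11.41:8080 '
    '0.230 0.003, 0.200 "curl/7.61.0" "-"',
    # truncated line: must be rejected, not half-parsed
    '10.20.1.53 > (web01)10.20.11.30:80 - - [29/Oct/2018:20:33:15 +0800] x "GET / HTTP/1.1" 200',
]


def _split_list(value):
    """'502, 200' -> ['502', '200']; a bare '-' (no upstream involved) -> []."""
    return [] if value == '-' else value.split(', ')


def parse_elk_line(line):
    """Parse one ELK-format line into typed fields, or return None when the
    line does not match (the grok filter would tag it _grokparsefailure)."""
    m = ELK_LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev['status'] = int(ev['status'])
    ev['body_bytes_sent'] = int(ev['body_bytes_sent'])      # like %{NUMBER:bytes:int}
    ev['request_time'] = float(ev['request_time'])           # like a mutate convert to float
    ev['upstream_status'] = [None if s == '-' else int(s)
                             for s in _split_list(ev['upstream_status'])]
    ev['upstream_addr'] = _split_list(ev['upstream_addr'])
    ev['upstream_response_time'] = [None if t == '-' else float(t)
                                    for t in _split_list(ev['upstream_response_time'])]
    # Same layout the date filter above expects: dd/MMM/yyyy:HH:mm:ss Z
    ev['@timestamp'] = datetime.strptime(ev['time_local'], '%d/%b/%Y:%H:%M:%S %z')
    # Split "$request" into method / url / version as the grok does; keep the
    # raw text when the request line is not well-formed.
    parts = ev['request'].split(' ')
    if len(parts) == 3 and parts[2].startswith('HTTP/'):
        ev['requestmethod'], ev['url'], ev['httpversion'] = parts[0], parts[1], parts[2][5:]
    else:
        ev['rawrequest'] = ev['request']
    return ev


def upstream_failures(lines):
    """(client, upstream, status) for every upstream attempt that returned 5xx,
    including retries hidden behind a final 2xx that a plain $status filter misses."""
    hits = []
    for line in lines:
        ev = parse_elk_line(line)
        if ev is None:
            continue
        for addr, st in zip(ev['upstream_addr'], ev['upstream_status']):
            if st is not None and st >= 500:
                hits.append((ev['remote_addr'], addr, st))
    return hits
```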


[root@hk-elk-logstash1 elk]# cat /root/logstash.sh   # startup script
#!/bin/bash
/usr/local/elk/logstash-6.3.0/bin/logstash -f /usr/local/elk/conf/logstash_nginx.conf > /dev/null 2>&1 &

[root@hk-elk-kibana elk]# curl -u elastic:kijObt6nZkY9KU4CwJkn http://10.20.11.205:9200/_cat/indices?v  # list the indices that were created
health status index                           uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana                         gU4UBd4TR1mAA-aECYpn0g   1   1          2            0     21.8kb         10.9kb
green  open   .triggered_watches              SgEPUJpGQQGNaoWzYt58Xw   1   1          0            0    891.1kb        439.7kb
green  open   .monitoring-es-6-2018.10.29     dVVc-OGmQvqn8m1DHhQrwQ   1   1      58062           12     54.1mb           27mb
green  open   .monitoring-es-6-2018.10.31     xxqkwEMZS8OFZ7qbjEVXPg   1   1      29072           36     35.1mb         17.5mb
green  open   .monitoring-kibana-6-2018.10.29 J2XYE2SRQh2IMv37beL1tg   1   1       5257            0      2.7mb          1.3mb
green  open   .security-6                     d0eHXJ53TY2LZLtdYbw-FA   1   1          6            0     43.9kb         21.9kb
green  open   .monitoring-kibana-6-2018.10.31 4xL0Hg5VQuCLPx1Pv9Kejw   1   1       1311            0    757.1kb        371.4kb
green  open   .watcher-history-7-2018.10.31   g5pNSZyzQGa7OQnNDUKcTw   1   1       1328            0      3.7mb          1.9mb
green  open   logstash-nginxlog-2018.10    otPefpY2SB-91e9SEJFlEw   5   1        622            0    916.4kb        432.2kb
green  open   .monitoring-es-6-2018.10.30     Nn2z9G7zRMWn64QzWkKj_g   1   1     143285          180    160.6mb         80.2mb
green  open   .watches                        nWHsiQKlRL-MWGtDVrsiLA   1   1          6            0    101.5kb         50.7kb
green  open   .watcher-history-7-2018.10.30   Knx0vwdcSmutrIxMeNUdlw   1   1       5831            0     16.6mb          8.3mb
green  open   .monitoring-kibana-6-2018.10.30 aLv88r9lST-WVRGb8t82MA   1   1       8208            0      4.2mb          2.1mb
green  open   .monitoring-alerts-6            DdteUg1_TR2DuPCdfnIqnA   1   1          1            0     12.3kb          6.1kb

  For Java applications

input {
    redis {
        host => "10.20.11.200"
        port => 6379
        key => "logstash_csp"
        data_type => "list"
        threads => 1
        #batch_count => 500
    }
    redis {
        host => "10.20.11.201"
        port => 6379
        key => "logstash_csp"
        data_type => "list"
        threads => 1
        #batch_count => 500
    }
    redis {
        host => "10.20.11.202"
        port => 6379
        key => "logstash_csp"
        data_type => "list"
        threads => 1
        #batch_count => 500
    }
}

output {
    elasticsearch {
        hosts => ["10.20.11.205:9200","10.20.11.206:9200","10.20.11.207:9200"]
        index => "logstash-%{appAlias}-%{+YYYY.MM}"
        user => elastic
        password => kijObt6nZkY9KU4CwJkn
    }
}

[root@hk-elk-logstash1 elk]# cat /root/logstash.sh   # startup script
#!/bin/bash
/usr/local/elk/logstash_csp/bin/logstash -f /usr/local/elk/conf/logstash_csp.conf > /dev/null 2>&1 &
sleep 5

/usr/local/elk/logstash_tss/bin/logstash -f /usr/local/elk/conf/logstash_tss.conf > /dev/null 2>&1 &
sleep 5

/usr/local/elk/logstash_gateway/bin/logstash -f /usr/local/elk/conf/logstash_gateway.conf > /dev/null 2>&1 &
sleep 5

/usr/local/elk/logstash_source/bin/logstash -f /usr/local/elk/conf/logstash_source.conf > /dev/null 2>&1 &
sleep 5

/usr/local/elk/logstash_fk/bin/logstash -f /usr/local/elk/conf/logstash_fk.conf > /dev/null 2>&1 &
sleep 5

 When there are many log directories, you can use the following:

input {
    file {
        type => "nginx_access"
        path => [ "/var/log/nginx/json/www.aa_access.log" ]
        add_field => ["website", "www.aa.com"]        ## filter and analyse the data by website or by appl
        add_field => ["appl", "aa"]
    }

    file {
        type => "nginx_access"
        path => [ "/var/log/nginx/json/www.bb_access.log" ]
        add_field => ["website", "www.bb.com"]
        add_field => ["appl", "bb"]
    }
}

filter {
    if [type] == "nginx_access" {
        grok {
            patterns_dir => "/usr/local/elk/logstash-6.3.0/customconf/patterns"
            match => ["message", "%{IPORHOST:srcip} > \(%{HOSTNAME1:hostname}\)%{IPORHOST:dstip}(?::%{POSINT:dstport}) - (%{USERNAME:user}|-) \[%{HTTPDATE:requesttime}\] (%{HOSTNAME1:domain}|-) \"(?:%{WORD:requestmethod} %{URIPATH:url}(?:%{URIPARAM:params})?(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes:int}|-) \"(?:%{DATA:httpreferrer}|-)\" (%{NUMBER1:upstreamstatus}|-) (?:%{HOSTPORT1:upstreamaddr}|-|%{WORD1})(%{WORD1}){0,1} (%{STATUS1:upstreamresponsetime}|-) (%{STATUS2:responsetime}|-) \"%{DATA:agent}\" \"(%{FORWORD:x_forword_for}|-)\""]
        }
        date {
            match => [ "requesttime" , "dd/MMM/yyyy:HH:mm:ss Z" ]
        }
    }
    mutate {
        convert => ["responsetime","float"]            ## convert responsetime to float for charting; the default type is string
        convert => ["upstreamresponsetime","float"]
    }
}

output {
    elasticsearch {
        hosts => ["10.20.11.205:9200","10.20.11.206:9200","10.20.11.207:9200"]
        index => "logstash-%{type}-%{+YYYY.MM.dd}"
        document_type => "%{type}"
        user => "elastic"
        password => "kijObt6nZkY9KU4CwJkn"
    }
}

Start:
nohup ./bin/logstash -f ./conf.d -l logs &

 

  Related regex debugging tools

ELK manual
https://kibana.logstash.es/content/logstash/

List the index names in Elasticsearch:
curl 'localhost:9200/_cat/indices?v'
View all documents:
curl -i -XGET http://localhost:9200/_search?pretty
Query the documents of a given index:
curl -i -XGET http://localhost:9200/<index_name>/_search?pretty
Delete an index:
curl -XDELETE 'http://127.0.0.1:9200/<index_name>'
Count the documents:
curl -XGET 'http://localhost:9200/_count?pretty' -H 'Content-Type: application/json' -d '
{
    "query": {
        "match_all": {}
    }
}'
View a mapping:
curl -i -XGET 'http://localhost:9200/logstash-nginxlog-2017.05.10/_mapping/nginxlog?pretty'
logstash-nginxlog-2017.05.10 is the index name
nginxlog is the index type

GeoIP database download: http://dev.maxmind.com/geoip/geoip2/geolite2/
Note: uses MaxMind DB

Chinese-language map tiles for Kibana:
http://www.jianshu.com/p/07b82092d4af
Configuration:
# vim /usr/local/ELK/kibana-5.4.1-linux-x86_64/config/kibana.yml
append at the end:
tilemap.url: 'http://webrd02.is.autonavi.com/appmaptile?lang=zh_cn&size=1&scale=1&style=7&x={x}&y={y}&z={z}'
Note: the map takes time to load; the localised map does not appear immediately.

Grok/regex testers
http://grokdebug.herokuapp.com/
http://grok.qiexun.net/  ## mirror hosted in China, faster to reach

https://regexper.com
Pattern definitions:
https://github.com/elastic/logstash/blob/v1.4.2/patterns/grok-patterns
https://github.com/logstash-plugins/logstash-patterns-core/tree/master/patterns

   4. Add the index pattern in Kibana

  The matching log entries can be viewed in Discover and filtered and searched by field.

 

Two questions about shards

  1) "How many shards should I have?"

  Answer: keep the number of shards per node below 20-25 per 1GB of heap memory.

  2) "How big should my shards be?"

  Answer: a shard size of 50GB is generally regarded as the limit that suits most use cases.

 

posted @ 2018-10-30 20:41  jcici