ELK04 ELK综合案例, logstash写入mysql, kibana访问验证 ubuntu使用

6 ELK 综合实战案例

6.1 Filebeat 收集Nginx日志利用 Redis 缓存发送至 Elasticsearch

 图上ip地址仅供参考

6.1.2.2 修改 Filebeat 配置

#安装redis(访问0.0.0.0和密码123456),nginx(访问日志json格式)

[root@ubuntu ~]#vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access_json.log
  json.keys_under_root: true #默认False会将json数据存储至message,改为true则会独立message外存储
  json.overwrite_keys: true  #设为true,覆盖默认的message字段,使用自定义json格式中的key
  tags: ["nginx-access"]
  
- type: log
  enabled: true
  paths:
    - /var/log/nginx/error.log
  tags: ["nginx-error"]
  
- type: log
  enabled: true
  paths:
    - /var/log/syslog
  tags: ["syslog"]
  
output.redis:
  hosts: ["10.0.0.154:6379"]
  password: "123456"
  db: "0"
  key: "filebeat" #所有日志都存放在key名称为filebeat的列表中,llen filebeat可查看长度,即日志记录数
  
[root@ubuntu ~]#systemctl restart filebeat.service

#查看redis
[root@ubuntu ~]#redis-cli -a 123456
127.0.0.1:6379> keys *
1) "filebeat"
127.0.0.1:6379> llen filebeat    #多少条数据
(integer) 91

6.1.4 安装并配置logstash收集Redis数据发送至Elasticsearch

#把之前的配置移走,防干扰
[root@ubuntu conf.d]#mv app_filebeat_filter_es.conf bak

#注意:必须删除下面的文件中注释
[root@logstash ~]#vim /etc/logstash/conf.d/redis-to-es.conf 
input {
 redis {
   host => "10.0.0.154"
   port => "6379"
   password => "123456"
   db => "0"
   key => "filebeat"
   data_type => "list"
 }
}
filter {
  if "nginx-access" in [tags] {
   geoip {
     source => "clientip"      #日志必须是json格式,且有一个clientip的key
     target => "geoip"
     #database => "/etc/logstash/conf.d/GeoLite2-City.mmdb"   #指定数据库文件,可选(可下最新数据)
     add_field => ["[geoip][coordinates]","%{[geoip][geo][location][lon]}"] 
#8.X添加经纬度字段包括经度,使用时删除注释(配合kibana画地图用,格式要求,不用就不用加)
     add_field => ["[geoip][coordinates]","%{[geoip][geo][location][lat]}"] 
#8.X添加经纬度字段包括纬度(配合kibana画地图用,格式要求,不用就不用加)
      #add_field => ["[geoip][coordinates]", "%{[geoip][longitude]}"]         
#7,X添加经纬度字段包括经度
      #add_field => ["[geoip][coordinates]", "%{[geoip][latitude]}"]         
#7,X添加经纬度字段包括纬度
   }
   #转换经纬度为浮点数,注意:8X必须做,7.X 可不做此步(配合kibana画地图用,不用就不用加)
   mutate {
     convert => [ "[geoip][coordinates]", "float"]       
   }
 }
 mutate {    #不重要,不转不影响
   convert => ["upstreamtime","float"]
 }
}
output {
    if "syslog" in [tags] {
       elasticsearch {
           hosts => ["10.0.0.151:9200","10.0.0.152:9200","10.0.0.153:9200"]
           index => "syslog-%{+YYYY.MM.dd}"
       }
   }
    if "nginx-access" in [tags] {
       elasticsearch {
           hosts => ["10.0.0.151:9200","10.0.0.152:9200","10.0.0.153:9200"]
           index => "nginxaccess-%{+YYYY.MM.dd}"
           #注意:7.x之前版本地图功能要求必须使用 logstash 开头的索引名称
           template_overwrite => true    #防止名称相同,覆盖
       }
       stdout {    #有没有无所谓
         codec => "rubydebug"
       }
   }
    if "nginx-error" in [tags] {
       elasticsearch {
           hosts => ["10.0.0.151:9200","10.0.0.152:9200","10.0.0.153:9200"]
           index => "nginxerrorlog-%{+YYYY.MM.dd}"
           template_overwrite => true
       }
   }
}

#logstash取一条数据,redis会少一条数据
[root@logstash ~]#systemctl restart logstash

#redis的数据全部被取走,清空了

6.2 Filebeat 收集Nginx日志并写入 Kafka 缓存发送至 Elasticsearch

6.2.2 Filebeat 收集 Nginx 的访问和错误日志并发送至 kafka

[root@web1 ~]#vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access_json.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["nginx-access"]
  
- type: log
  enabled: true
  paths:
    - /var/log/nginx/error.log 
  tags: ["nginx-error"]
  
- type: log
  enabled: true
  paths:
    - /var/log/syslog 
  tags: ["syslog"]
  
output.kafka:    #这测试单机kafka能写入topic但没法读,集群没问题
  hosts: ["10.0.0.156:9092", "10.0.0.157:9092", "10.0.0.158:9092"]
  topic: filebeat-log   #指定kafka的topic
  partition.round_robin:
    reachable_only: true #true表示只发布到可用的分区,false时表示所有分区,如果一个节点down会导致block
  required_acks: 1  #如果为0,表示不确认,错误消息可能会丢失,1等待写入主分区(默认),-1等待写入副本分区
  compression: gzip  
  max_message_bytes: 1000000 #每条消息最大长度,以字节为单位,如果超过将丢弃

[root@web1 ~]#systemctl restart filebeat.service

#查看kafka是否有topic
[root@node1 ~]#/usr/local/kafka/bin/kafka-topics.sh --list --bootstrap-server 10.0.0.156:9092
filebeat-log
#在kafka查看是否有数据
[root@node1 ~]#/usr/local/kafka/bin/kafka-console-consumer.sh --topic filebeat-log --bootstrap-server 10.0.0.156:9092 --from-beginning

6.2.3 配置 Logstash 读取 Kafka 日志发送到 Elasticsearch

[root@ubuntu conf.d]#mv redis-to-es.conf bak
[root@logstash ~]#vim /etc/logstash/conf.d/kafka-to-es.conf
input {
 kafka {
   bootstrap_servers => "10.0.0.156:9092,10.0.0.157:9092,10.0.0.158:9092"
   topics => "filebeat-log"
   codec => "json"
    #group_id => "logstash" #消费者组的名称(多个logstash要分组,防止重复消费)
    #consumer_threads => "3" #建议设置为和kafka的分区相同的值为线程数
    #topics_pattern => "nginx-.*" #通过正则表达式匹配topic,而非用上面topics=>指定固定值
 }
}
filter {
  if "nginx-access" in [tags] {
   geoip {
     source => "clientip"
     target => "geoip"
     add_field => ["[geoip][coordinates]","%{[geoip][geo][location][lon]}"]
     add_field => ["[geoip][coordinates]","%{[geoip][geo][location][lat]}"]
   }
   mutate {
     convert => [ "[geoip][coordinates]", "float"]
   }
 }
 mutate {
   convert => ["upstreamtime","float"]
 }
}
output {
  #stdout {}   #调试使用
  if "nginx-access" in [tags] {
   elasticsearch {
     hosts => ["10.0.0.151:9200"]
     index => "logstash-kafka-nginx-accesslog-%{+YYYY.MM.dd}"
   }
 }
if "nginx-error" in [tags] {
   elasticsearch {
     hosts => ["10.0.0.151:9200"]
     index => "logstash-kafka-nginx-errorlog-%{+YYYY.MM.dd}"
   }
 }
if "syslog" in [tags] {
   elasticsearch {
     hosts => ["10.0.0.151:9200"]
     index => "logstash-kafka-syslog-%{+YYYY.MM.dd}"
   }
 }
}
[root@logstash ~]#systemctl restart logstash.service 

 

6.3 通过坐标地图统计网站访问用户的 IP 所在城市

6.3.7 Kibana 创建地图数据

6.3.7.1 查看 Kibana 样例地图

kibana有样例数据

kibana首页下使用样例数据,点击其他样例数据集,下sample web logs,点击添加
在左侧分析下发现可以查看添加的样例数据集(参考格式)
左侧分析下点击maps,样例数据已经画好地图,点击即可查看

6.3.7.2 创建地图

kibana上画地图

左侧分析下点击maps,点击右侧创建地图,点击添加图层,选择数据(得是地理空间字段)
#7版本,地理数据直接可以使用了,但是8版本需要把地理数据转格式

#7.x支持 float格式,8.x支持geo_point类型。

8版本需要对地理数据进行转换

点击左侧management下的开发工具
在控制台下输入索引名,去get获取返回
GET /logstash-kafka-nginx-accesslog-2023.02.19
点击三角箭头,把返回的内容复制出来,做下修改
#下方类型应该是point,但是现在是float类型
"geoip": {
          "properties": {
            "coordinates": {
              "type": "float"    #只修改此行,原值为float改为geo_point
            },

#必须要先删除旧的索引数据,下面修改才能生效

执行下面操作生成索引模板,将上面的mappings部分内容(一直到"settings"前面)复制到下面,只修改"coordinates": { "type": "geo_point" } 部分
#在mappings上方追加下面的内容
PUT /_template/template_nginx_accesslog   #模板名称可以自定义
{
  "index_patterns" : [
      "logstash-kafka-nginx-accesslog-*"  #8.X数据视图对应的索引模式,匹配索引名称的模式
 ],
  "order" : 0,
  "aliases" : { },    #在mappings上面追加这些内容
  "mappings": {                 #复制mappings开始的行到settings行之前结束,并最后再加一
个 }
      "properties": {
     .......
        "geoip": {
          "properties": {
            "coordinates": {
              "type": "geo_point",      #只修改此行,原值为float改为geo_point
         .......
        "xff": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        }
      }
    }
}

#在重新生成索引(源头日志生成数据),看索引内容后面生成的就是geoip类型

#再查一次,看看geoip字段是否改过来了
GET logstash-kafka-nginx-accesslog-2023.02.19

kibana上画地图

左侧分析下点击maps,点击右侧创建地图,点击添加图层
先点文档,选择数据视图,点击地理空间字段,添加,点保存添加到仪表板
分享链接给别人

6.4 Logstash收集日志写入 MySQL 数据库

一般es都会定期删除旧数据,想保留的数据就存到mysql中

6.4.1 安装 MySQL 数据库

[root@es-node1 ~]#apt install mysql-server
[root@es-node1 ~]#sed -i '/127.0.0.1/s/^/#/' /etc/mysql/mysql.conf.d/mysqld.cnf
#[root@es-node1 ~]#vim /etc/mysql/mysql.conf.d/mysqld.cnf
#bind-address        = 0.0.0.0
#mysqlx-bind-address = 0.0.0.0
[root@es-node1 ~]#systemctl restart mysql.service 

6.4.2 创建库和表并授权用户登录

[root@es-node1 ~]#mysql
mysql> create database elk ;                                      #MySQL8.0以上默认就支持
#mysql> create database elk character set utf8 collate utf8_bin;  #MySQL5.7以下需要显示指定(默认Latin)
mysql> create user elk@"10.0.0.%" identified by '123456';
mysql> grant all privileges on elk.* to elk@"10.0.0.%";
mysql> flush privileges;

#创建表,字段对应需要保存的数据字段
mysql> use elk
mysql> create table elklog (clientip varchar(39),responsetime float(10,3),uri varchar(256),status  char(3),time timestamp default current_timestamp );
mysql> desc elklog;
+--------------+--------------+------+-----+-------------------+-------+
| Field       | Type         | Null | Key | Default           | Extra |
+--------------+--------------+------+-----+-------------------+-------+
| clientip     | varchar(39) | YES |     | NULL             |       |
| responsetime | float(10,3) | YES |     | NULL             |       |
| uri         | varchar(256) | YES |     | NULL             |       |
| status       | char(3)     | YES |     | NULL             |       |
| time         | timestamp   | NO   |     | CURRENT_TIMESTAMP |       |
+--------------+--------------+------+-----+-------------------+-------+
5 rows in set (0.00 sec)

6.4.3 测试用户从 Logstash 主机远程登录(可选)

[root@logstash1 ~]#apt -y install mysql-client
[root@logstash1 ~]#mysql -uelk -p123456 -h10.0.0.155 -e 'show databases'
mysql: [Warning] Using a password on the command line interface can be insecure.
+--------------------+
| Database           |
+--------------------+
| information_schema |
| elk               |
+--------------------+

6.4.4 Logstash 配置 mysql-connector-java 包

logstash连接mysql需要这个包
官方下载地址:https://dev.mysql.com/downloads/connector/ 
#点击Connetor/J,选择对应mysql版本,系统版本

#下载mysql-connector-j_8.0.33-1ubuntu22.04_all.deb
[root@logstash-ubuntu2204 ~]#dpkg -i mysql-connector-j_8.0.33-1ubuntu22.04_all.deb

[root@logstash-ubuntu2204 ~]#dpkg -L mysql-connector-j 
...
/usr/share/java
/usr/share/java/mysql-connector-j-8.0.33.jar

#2)复制jar文件到logstash指定的目录下
[root@logstash-ubuntu2204 ~]#mkdir -p /usr/share/logstash/vendor/jar/jdbc 
[root@logstash-ubuntu2204 ~]#cp /usr/share/java/mysql-connector-j-8.0.33.jar /usr/share/logstash/vendor/jar/jdbc/

6.4.6 安装logstash-output-jdbc插件

#查看安装的插件,默认只有input-jdbc插件,需要安装output-jdbc插件
[root@logstash1 ~]#/usr/share/logstash/bin/logstash-plugin list|grep jdbc
......
logstash-integration-jdbc
 ├── logstash-input-jdbc    #当前只有input-jdbc
 ├── logstash-filter-jdbc_streaming
 └── logstash-filter-jdbc_static

#在线安装output-jdbc插件,可能会等较长时间
[root@logstash1 ~]#/usr/share/logstash/bin/logstash-plugin install logstash-output-jdbc
#离线安装
#如果无法在线安装,可以先从已经安装的主机导出插件,再导入
#导出插件
[root@ubuntu2204 ~]#/usr/share/logstash/bin/logstash-plugin prepare-offline-pack logstash-output-jdbc
#离线导入插件
[root@ubuntu2204 ~]#/usr/share/logstash/bin/logstash-plugin install file:///root/logstash-offline-plugins-8.12.2.zip

#删除插件
#[root@logstash1 ~]#/usr/share/logstash/bin/logstash-plugin remove logstash-output-jdbc

6.4.8 配置 Logstash 将日志写入数据库

[root@logstash ~]#vim /etc/logstash/conf.d/kafka-to-es.conf
input {
 kafka {
   bootstrap_servers => "10.0.0.156:9092,10.0.0.157:9092,10.0.0.158:9092"
   topics => "filebeat-log"
   codec => "json"
 }
}
filter {
  if "nginx-access" in [tags] {
   geoip {
      source => "clientip"
     target => "geoip"
     add_field => ["[geoip][coordinates]","%{[geoip][geo][location][lon]}"]
     add_field => ["[geoip][coordinates]","%{[geoip][geo][location][lat]}"]
   }
   mutate {
     convert => [ "[geoip][coordinates]", "float"]
   }
 }
 mutate {
   convert => ["upstreamtime","float"]
 }
}
output {
  if "nginx-access" in [tags] {
   elasticsearch {
     hosts => ["10.0.0.151:9200"]
     index => "logstash-kafka-nginx-accesslog-%{+YYYY.MM.dd}"
   }
   jdbc {    #追加mysql写入
     connection_string => "jdbc:mysql://10.0.0.155/elk?user=elk&password=123456&useUnicode=true&characterEncoding=UTF8"
     statement => ["INSERT INTO elklog (clientip,responsetime,uri,status) VALUES(?,?,?,?)","clientip","responsetime","uri","status"]
   }
 }
if "nginx-error" in [tags] {
   elasticsearch {
     hosts => ["10.0.0.151:9200"]
     index => "logstash-kafka-nginx-errorlog-%{+YYYY.MM.dd}"
   }
 }
if "syslog" in [tags] {
   elasticsearch {
     hosts => ["10.0.0.151:9200"]
     index => "logstash-kafka-syslog-%{+YYYY.MM.dd}"
   }
 }
}
#启动测试
[root@logstash ~]#logstash -f /etc/logstash/conf.d/kafka-to-es.conf

#filebeat端生成一些数据做测试
[root@ubuntu ~]#head -n11 access_json.log-20230221.0 >> /var/log/nginx/access_json.log
#查看mysql
[root@ubuntu ~]#mysql
mysql> use elk
#出现数据
mysql> select * from elklog;
+----------------+--------------+---------------+--------+---------------------+
| clientip       | responsetime | uri           | status | time                |
+----------------+--------------+---------------+--------+---------------------+
| 20.203.179.186 |        0.000 | /.git/config  | 302    | 2024-10-21 10:19:40 |
| 20.203.179.186 |        0.000 | /.git/config  | 302    | 2024-10-21 10:19:40 |
| 218.94.106.239 |        0.000 | /             | 302    | 2024-10-21 10:19:40 |

 

最后这个kibana谁都能打开不安全,可以用nginx反向代理,用它的basic账号验证功能

[root@ubuntu ~]#apt install nginx
[root@ubuntu ~]#vim /etc/nginx/sites-enabled/default
location / {
                #try_files $uri $uri/ =404;
                proxy_pass http://127.0.0.1:5601;
                auth_basic "kibana site";    #提示
                auth_basic_user_file conf.d/htpasswd;    #放密码的文件
        }
#生成密码文件
[root@ubuntu ~]#apt install apache2-utils
[root@ubuntu ~]#htpasswd -c -b /etc/nginx/conf.d/htpasswd xiaoming 123456
#还有其他人就再创建,第二次不能加-c
[root@ubuntu ~]#htpasswd -b /etc/nginx/conf.d/htpasswd xiaohong 123456

#浏览器输入, 即可验证登录
http://10.0.0.154/

#把kibana的配置允许远程访问改了
[root@ubuntu ~]#vim /etc/kibana/kibana.yml
#server.host: "0.0.0.0"    #注释掉,默认为localhost

[root@ubuntu ~]#systemctl restart kibana.service 

 

posted @ 2024-10-21 21:35  战斗小人  阅读(23)  评论(0编辑  收藏  举报