分布式日志ELK
ELK指的是Elasticsearch、 Logstash、Kibana
Elasticsearch 基于java,是个开源分布式搜索引擎,它的特点有:分布式,零配置,自动发现,索引自动分片,索引副本机制,restful风格接口,多数据源,自动搜索负载等。
Kibana 基于nodejs,也是一个开源和免费的工具,Kibana可以为Logstash和ElasticSearch提供的日志分析友好的Web 界面,可以汇总、分析和搜索重要数据日志。
Logstash 基于java,是一个开源的用于收集,分析和存储日志的工具。
Elasticsearch安装
-
到官网下载: (https://www.elastic.co/cn/downloads/elasticsearch (opens new window)) ,下载的是elasticsearch-7.12.0-linux-x86_64.tar.gz版本
-
解压到相应目录并且修改配置,注意端口修改成没被占用的,这里用的是9500
tar -zxvf elasticsearch-7.12.0-linux-x86_64.tar.gz -C /usr/local
cd /usr/local/elasticsearch-7.12.0/config/
vim elasticsearch.yml
node.name: node-1
path.data: /usr/local/elasticsearch-7.12.0/data
path.logs: /usr/local/elasticsearch-7.12.0/logs
network.host: 127.0.0.1
http.host: 0.0.0.0
http.port: 9500
discovery.seed_hosts: ["127.0.0.1"]
cluster.initial_master_nodes: ["node-1"]
3.创建es用户 因为ElasticSearch不支持Root用户直接操作,因此我们需要创建一个es用户
useradd es
chown -R es:es /usr/local/elasticsearch-7.12.0
4.切换用户成es进行启动操作
su - es
/usr/local/elasticsearch-7.12.0/bin/elasticsearch -d
5.在浏览器打开9500端口地址:http://ip:9500,如果出现了下面的信息,就表示已经成功
{
"name" : "node-1",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "-b181gOYQGyH8APU9sYN7A",
"version" : {
"number" : "7.12.0",
"build_flavor" : "default",
"build_type" : "tar",
"build_hash" : "78722783c38caa25a70982b5b042074cde5d3b3a",
"build_date" : "2021-03-18T06:17:15.410153305Z",
"build_snapshot" : false,
"lucene_version" : "8.8.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
Logstash安装
-
到官网下载: (https://www.elastic.co/cn/downloads/logstash (opens new window))
-
解压到相应目录
tar -zxvf logstash-7.12.0-linux-x86_64.tar.gz -C /usr/local
cd /usr/local/logstash-7.12.0/bin
vim logstash-elasticsearch.confinput {
stdin {}
}
output {
elasticsearch {
hosts => '120.78.129.95:9200'
}
stdout {
codec => rubydebug
}
}3.启动
./logstash -f logstash-elasticsearch.confKibana安装
1.到官网下载: (https://www.elastic.co/cn/downloads/kibana (opens new window))
2.解压到相应目录
tar -zxvf kibana-7.12.0-linux-x86_64.tar.gz -C /usr/local
mv /usr/local/kibana-7.12.0-linux-x86_64 /usr/local/kibana-7.12.03.修改配置
cd /usr/local/kibana-7.12.0/config
vim kibana.ymlserver.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://127.0.0.1:9500"]
kibana.index: ".kibana"
i18n.locale: "zh-CN"4.授权es用户
chown -R es:es /usr/local/kibana-7.12.0/5.启动,切换用户成es用户进行操作
su - es
/usr/local/kibana-7.12.0/bin/kibana &-
在浏览器打开
5601端口地址:
-
日志收集
-
对应服务器安装
logstash,配置规则,例如新建logstash-apache.conf[root@localhost config]# cd /usr/local/logstash-7.12.0/bin
[root@localhost bin]# vim logstash-apache.confinput {
file {
path => "/web/ieom/backend/start/logs/ieom-system/*.log"
start_position => beginning
sincedb_path => "/dev/null"
codec => multiline {
pattern => "^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
negate => true
auto_flush_interval => 3
what => previous
}
}
}
filter {
if [path] =~ "info" {
mutate { replace => { type => "sys-info" } }
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
} else if [path] =~ "error" {
mutate { replace => { type => "sys-error" } }
} else {
mutate { replace => { type => "random_logs" } }
}
}
output {
elasticsearch {
hosts => '127.0.0.1:9500'
}
stdout { codec => rubydebug }
}./logstash -f logstash-apache.conf停止启动方法:
[es@localhost ~]$ ps -ef|grep kibana
es 10079 1 1 14:43 ? 00:00:36 /usr/local/kibana-7.12.0/bin/../node/bin/node /usr/local/kibana-7.12.0/bin/../src/cli/dist
es 83267 76297 0 15:24 pts/3 00:00:00 grep --color=auto kibana
[es@localhost ~]$
[es@localhost ~]$ kill -9 10079
