CentOS 7.x ELK deployment
System environment
node1 kibana-6.3.2
node2 elasticsearch-6.3.2
node3 elasticsearch-6.3.2
node4 logstash-6.3.2
Note: install all software under the /data directory and create an app user to run the services.
1. Preparation before installing elasticsearch (node1, node2)
Server tuning for the elasticsearch installation
vim /etc/security/limits.conf
* hard nofile 65536
* soft nofile 65536
* soft nproc 2048
* hard nproc 4096

vim /etc/sysctl.conf
vm.max_map_count=262144

sysctl -p
2. Unpack elasticsearch-6.3.2
cd /data/; tar xf elasticsearch-6.3.2.tar.gz; mv elasticsearch-6.3.2 es
3. es-6.3.2 configuration file (on node2 only the "node.name" parameter needs to be changed)
vim /data/es/config/elasticsearch.yml
cluster.name: my-elk-cluster
node.name: node1
path.data: /data/es/data
path.logs: /data/es/logs/
bootstrap.memory_lock: false
network.host: 0.0.0.0
http.port: 9200
transport.tcp.port: 9300
transport.tcp.compress: true
discovery.zen.ping.unicast.hosts: ["node1", "node2"]
es-7.2.0 configuration
cluster.name: my-elk-cluster
node.name: node2
path.data: /data/es/data
path.logs: /data/es/logs/
bootstrap.memory_lock: false
network.host: 0.0.0.0
http.port: 9200
#discovery.zen.ping.unicast.hosts: ["node1", "node2"]
discovery.seed_hosts: ["node1", "node2"]
cluster.initial_master_nodes: ["node1", "node2"]
Enhanced version
# cluster name
cluster.name: my-elk-cluster
# this node's name; keep it consistent with the hosts configured earlier
node.name: node1
# data
path.data: /data/es/data
# logs
path.logs: /data/es/logs/
# whether this node is eligible to be elected master
node.master: true
# whether this node stores index data; default is true
node.data: true
bootstrap.memory_lock: false
# listens on all IPs; in a real environment this should be a single, protected IP
network.host: 0.0.0.0
# es service port
http.port: 9200
# es cluster transport port
transport.tcp.port: 9300
transport.tcp.compress: true
# discovery configuration
discovery.seed_hosts: ["node1:9300", "node2:9300"]
# master nodes, usually configured as (n/2+1)
cluster.initial_master_nodes: ["node1"]
4. Start the es service on node1 and node2
/data/es/bin/elasticsearch -d
View node information: http://192.168.0.172:9200/
View cluster health: http://192.168.0.172:9200/_cluster/health?pretty
View cluster state: http://192.168.0.172:9200/_cluster/state?pretty
Checking cluster state this way is not very user-friendly; the Elasticsearch-head plugin can be installed to manage the cluster more conveniently.
Install the Elasticsearch-head plugin on node1 (node and phantomjs must be installed first):
nodejs installation (download and install the version you need)
V12.x: curl --silent --location https://rpm.nodesource.com/setup_12.x | bash -
V8.x:  curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -
V7.x:  curl --silent --location https://rpm.nodesource.com/setup_7.x | bash -
V6.x:  curl --silent --location https://rpm.nodesource.com/setup_6.x | bash -
V5.x:  curl --silent --location https://rpm.nodesource.com/setup_5.x | bash -

yum install -y nodejs
node -v
phantomjs installation (download from the official site http://phantomjs.org/download.html)
tar jxf phantomjs-2.1.1-linux-x86_64.tar.bz2
cd phantomjs-2.1.1-linux-x86_64/bin
cp -a phantomjs /usr/local/bin/
Elasticsearch-head installation (https://github.com/mobz/elasticsearch-head)
unzip elasticsearch-head-master.zip
cd elasticsearch-head-master
npm install
vim /etc/elasticsearch/elasticsearch.yml    # edit the main config file and add the following two lines anywhere:
http.cors.enabled: true        # add this line: enable cross-origin access
http.cors.allow-origin: "*"    # add this line: domains allowed for cross-origin access
# restart es
# start the plugin
npm run start &
kibana-6.3.2 configuration file
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: "http://192.168.0.172:9200"
kibana.index: ".kibana"
kibana-7.2.0 configuration file
server.port: 5601
server.host: "0.0.0.0"
#elasticsearch.url: "http://192.168.0.172:9200"
elasticsearch.hosts: ["http://192.168.0.172:9200"]
kibana.index: ".kibana"
i18n.locale: "zh-CN"
Start
nohup /data/kibana-7.6.1/bin/kibana &
If the message data shown in kibana is truncated, set truncate:maxHeight to 0 under Management => Advanced Settings in kibana.
logstash configuration (receives the logs forwarded by filebeat)
config/pro.conf
input {
  beats {
    port => 5044
    codec => json
  }
}
filter {
}
output {
  #if [message] =~ "ERROR" {
  # DingTalk alert for error logs
  if "ERROR" in [message] {
    http {
      url => "https://oapi.dingtalk.com/robot/send?axxxxxxxxx356ab336xxxxxxf642bbe99a35d30021514ec1"
      http_method => "post"
      #content_type => "application/json; charset=utf-8"
      # body of the DingTalk text message: "text" must be an object with a "content" field
      mapping => {
        "msgtype" => "text"
        "text" => {
          "content" => "######%{[fields][service]}######\n%{message}\n########%{[fields][service]}########"
        }
      }
    }
  }
  elasticsearch {
    hosts => ["http://192.168.0.172:9200"]
    index => "%{[fields][service]}-%{+YYYY-MM-dd}"
    #index => "%{fields.service}-%{+YYYY.MM.dd}"
    #user => "elastic"
    #password => "changeme"
  }
}
Start
nohup bin/logstash -f config/pro.conf &
filebeat configuration
filebeat.inputs:
- type: log
  enabled: false
  paths:
    - /var/log/*.log
- type: log
  enabled: true
  # log path
  paths:
    - /data/log/access.log
  # log tags
  tags: ["access"]
  # drop empty lines
  exclude_lines: ['^$']
  # merge multi-line java logs
  multiline:
    pattern: '^\[[0-9]{2}-[0-9]{2}'
    negate: true
    match: after
  # used by the index set in logstash: index => "%{[fields][service]}-%{+YYYY-MM-dd}"
  fields:
    service: access
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
output.logstash:
  hosts: ["172.18.6.193:5055"]
Error logs (log entries containing the keyword "error" are merged as multi-line events and sent to kafka.)
filebeat.prospectors:
- input_type: log
  paths:
    - /tmp/test.log
  include_lines: ['error']
  multiline:
    pattern: '^\['
    negate: true
    match: after
output.kafka:
  enabled: true
  hosts: ["192.168.12.105:9092"]
  topic: logstash-errors-log
Start
nohup ./filebeat -e -c filebeat.yml &
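As an added illustration (not from the original page), the following Python script simulates how the filebeat inputs above assemble multi-line Java log entries (multiline with negate: true, match: after, then include_lines/exclude_lines on the assembled event) and how the output section of pro.conf then names the index and decides whether the DingTalk branch fires. The sample log lines and the event timestamp are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a Java application log as filebeat would read it: the
# ERROR entry is followed by a stack trace (including a blank line), and the
# last INFO entry merely mentions an identifier containing "ERROR".
SAMPLE_LOG = """\
[03-11 10:00:01] INFO  Started service
[03-11 10:00:02] ERROR Request failed
java.lang.NullPointerException: boom
\tat com.example.Handler.handle(Handler.java:42)

[03-11 10:00:03] INFO  Recovered
[03-11 10:00:04] INFO  Reloaded ERROR_PAGES template
"""

# multiline.pattern of the access.log input above: a line starting "[MM-DD"
MULTILINE_PATTERN = r'^\[[0-9]{2}-[0-9]{2}'
# Constructed event time; Logstash renders %{+YYYY-MM-dd} from @timestamp (UTC)
SAMPLE_TS = datetime(2024, 3, 11, 10, 0, 2, tzinfo=timezone.utc)

def filebeat_events(text, pattern=MULTILINE_PATTERN, negate=True,
                    include=(), exclude=(r'^$',)):
    """Assemble events the way the filebeat inputs above do (negate: true,
    match: after): a line that does NOT match the pattern is appended to the
    preceding event.  include_lines / exclude_lines are applied afterwards to
    each whole assembled event, so '^$' never strips a blank line inside a
    stack trace, and the case-sensitive 'error' keeps whole traces only."""
    events = []
    for line in text.splitlines():
        continuation = (re.search(pattern, line) is not None) != negate
        if continuation and events:
            events[-1] += "\n" + line
        else:
            events.append(line)
    if include:
        events = [e for e in events if any(re.search(p, e) for p in include)]
    return [e for e in events if not any(re.search(p, e) for p in exclude)]

def route_event(message, service="access", ts=SAMPLE_TS):
    """Mirror the output section of pro.conf for one event: the index name
    from %{[fields][service]}-%{+YYYY-MM-dd}, and whether the DingTalk branch
    fires.  'ERROR' in [message] is a plain substring test, so the INFO line
    mentioning ERROR_PAGES raises an alert as well."""
    return {"index": f"{service}-{ts:%Y-%m-%d}", "alert": "ERROR" in message}

if __name__ == "__main__":
    for event in filebeat_events(SAMPLE_LOG):
        print(route_event(event), repr(event.splitlines()[0]))
```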