ELK - Logstash Installation

1. Basics

1.1 What Logstash does

Logstash relies on a large set of plugins to pull data from a data source and then ship it to Elasticsearch.

1.2 Data flow diagram

As the diagram shows, a Logstash pipeline contains at least two plugins, input and output, which handle ingesting and emitting events respectively.

Note: Logstash itself does not need a conventional installation; it is just a runnable command-line program, but running it depends on a Java environment.

2. Environment preparation

2.1 Host

Ubuntu   RAM: 2G   CPU: 1 core
logstash 192.168.10.28

2.2 Time synchronization

# Set the time zone
timedatectl set-timezone Asia/Shanghai

# Sync the system clock
apt install -y ntpdate cron
systemctl start cron
systemctl enable cron

cat << 'CAT_END' > /var/spool/cron/crontabs/root
#ntp Server update
*/5 * * * * /usr/sbin/ntpdate ntp5.aliyun.com > /dev/null 2>&1
#ntp end
CAT_END

ntpdate ntp5.aliyun.com

2.3 Set the hostname

hostnamectl set-hostname logstash

3. JDK installation

3.1 Prepare the software

# This version is used here:
# openjdk-11.0.0.1_linux-x64_bin.tar.gz

mkdir /data/{softs,server} -p && cd /data/softs
curl -O https://download.java.net/openjdk/jdk11.0.0.1/ri/openjdk-11.0.0.1_linux-x64_bin.tar.gz

# Elasticsearch ships its own JDK at /usr/share/elasticsearch/jdk

3.2 Install the JDK

mkdir /data/{softs,server} -p
cd /data/softs
tar xf openjdk-11.0.0.1_linux-x64_bin.tar.gz -C /data/server/
ln -s /data/server/jdk-11.0.0.1 /usr/local/java

cat << 'CAT_END' >> /etc/profile
export JAVA_HOME=/usr/local/java
export LS_JAVA_HOME=/usr/share/logstash/jdk
export PATH=$JAVA_HOME/bin:$PATH
CAT_END
source /etc/profile
java -version

4. Logstash installation

4.1 Method 1: install from a yum/apt repository

4.1.1 yum: see the official documentation

4.1.2 apt: following the official documentation

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo apt-get install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt-get update && sudo apt-get install logstash

4.2 Method 2: offline install from the .deb package

wget https://artifacts.elastic.co/downloads/logstash/logstash-7.17.0-amd64.deb
wget https://artifacts.elastic.co/downloads/logstash/logstash-7.17.0-amd64.deb.sha512
shasum -a 512 -c logstash-7.17.0-amd64.deb.sha512 
dpkg -i logstash-7.17.0-amd64.deb

4.3 Configure environment variables

cat << 'CAT_END' >/etc/profile.d/logstash.sh
export PATH=/usr/share/logstash/bin:$PATH
CAT_END
source /etc/profile.d/logstash.sh

4.4 Configuration directory layout

root@logstash:~# dpkg -L logstash | grep -Ei '^/etc|install$'
/usr/share/logstash/bin/system-install    # generates the system service file
/usr/share/logstash/lib/systeminstall
/etc
/etc/logstash
/etc/logstash/conf.d
/etc/logstash/log4j2.properties
/etc/logstash/startup.options       # environment variables for service startup
/etc/logstash/jvm.options           # JVM settings
/etc/logstash/logstash.yml          # service configuration file
/etc/logstash/logstash-sample.conf  # pipeline configuration template
/etc/logstash/pipelines.yml         # pipelines configuration file

4.5 The logstash command

Command format: logstash -e '<pipeline configuration>'

Pipeline configuration:
input {
  stdin {}
}
output {
  stdout {}
}

Breakdown:
input {}  # receives incoming events
output {} # emits the processed events
stdin {}  # standard input from the terminal
stdout {} # standard output to the terminal

4.6 Exercise 1: a simple input/output test

4.6.1 Run the command

# logstash -e 'input { stdin {} } output { stdout {} }'
hello world stdout  # typed on the keyboard
{
       "message" => "hello world stdout",
    "@timestamp" => 2023-06-05T14:51:40.877Z,
          "host" => "logstash",
      "@version" => "1"
}

4.6.2 Result fields

{
      "@version" => "1",                       # version information
       "message" => "hello world stdout",      # the text we typed
    "@timestamp" => 2023-06-05T14:08:56.953Z,  # timestamp of this event
          "host" => "logstash"                 # the current host
}
}

4.7 Exercise 2: sending events to ES

4.7.1 Run the command

# logstash -e 'input { stdin {} } output { elasticsearch { hosts => ["192.168.10.25:9200"] index => "message" } }'
[INFO ] 2023-06-05 22:34:22.896 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
The stdin plugin is now waiting for input:
[INFO ] 2023-06-05 22:34:22.990 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
hello logstash to elasticsearch  # typed on the keyboard; nothing is printed here because output is configured to go to ES

4.7.2 List the indices

root@logstash:~# curl -XGET 192.168.10.25:9200/_cat/indices
green open .geoip_databases XXPTSqh5R6C2rtMJavz-Pw 1 1 42 0 79.9mb 39.9mb
green open index_test       ZTwMpcwBTY259jKfg_K28g 1 1  0 0   454b   227b
green open index_test1      ZOK7dRzQQEiRRIZxikZMnQ 3 1  0 0  1.3kb   681b
green open message          ejA_96x8QyWUFOcP00SliA 1 1  1 0 10.8kb  5.4kb
green open username         PzODwVIJT1it-rrXYVSnLg 1 1  1 0  8.2kb  4.1kb

4.7.3 Query the stored data

curl -XGET 192.168.10.25:9200/message?pretty
root@logstash:~# curl -XGET 192.168.10.25:9200/message/_search?pretty
{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "message",
        "_type" : "_doc",
        "_id" : "EnAFjIgBr53uPqiLdUEk",
        "_score" : 1.0,
        "_source" : {
          "message" : "hello logstash to elasticsearch",
          "host" : "logstash",
          "@timestamp" : "2023-06-05T14:45:47.526Z",
          "@version" : "1"
        }
      }
    ]
  }
}


4.8 Exercise 3: reading a log file into ES

4.8.1 The file input plugin

Logstash's input stage includes a file plugin that reads events directly from a specified log file.
Reference: https://www.elastic.co/guide/en/logstash/7.17/plugins-inputs-file.html

4.8.2 Basic options

path            the path of the file to read
start_position  where in the file to start reading; allowed values are beginning and end (default)
type            adds an extra field with this value to every event passed on

4.8.3 Example input block

file {
  path => "/var/log/syslog"
  start_position => "beginning"
  type => "elasticsearch"
}

4.8.4 Create the log file

# This file does not exist on this Ubuntu system, so create it for testing
echo "log 11111" > /var/log/syslog
echo "log 22222" >> /var/log/syslog

root@logstash:~# cat /var/log/syslog 
log 11111
log 22222

4.8.5 Run logstash

logstash -e 'input { file { path => "/var/log/syslog" start_position => "beginning" type => "elasticsearch" } } output { elasticsearch { hosts => ["192.168.10.25:9200"] index => "message" } }'

4.8.6 Check the data in ES

5. Logstash service file

5.1 Why generate a service file

Starting Logstash from the command line every time is cumbersome; it is better to manage it as a service driven by configuration files. Logstash ships a dedicated command, system-install, for generating the service file: write the pipeline configuration according to the expected rules, then run that command to produce the service unit.

5.2 Service startup configuration

5.2.1 Edit startup.options

root@logstash:~# vim /etc/logstash/startup.options
...
# Arguments to pass to logstash
LS_OPTS="--path.settings ${LS_SETTINGS_DIR} -f /etc/logstash/conf.d"
...
# Note: -f points at the directory that holds the Logstash pipeline configuration files (e.g. logstash.conf)

5.2.2 Edit conf.d/logstash.conf

cp /etc/logstash/logstash-sample.conf /etc/logstash/conf.d/logstash.conf
cat <<'CAT_END' > /etc/logstash/conf.d/logstash.conf
input {
  file {
    path => "/var/log/syslog"
    start_position => "beginning"
    type => "elasticsearch"
  }
}

output {
  elasticsearch {
    hosts => ["http://192.168.10.25:9200"]
    index => "logstash-test-%{+YYYY.MM.dd}"
  }
}
CAT_END

5.2.3 Generate the systemd unit

# Run the following command as root
system-install

#  cat /etc/systemd/system/logstash.service
[Unit]
Description=logstash

[Service]
Type=simple
User=logstash
Group=logstash
# Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
# Prefixing the path with '-' makes it try to load, but if the file doesn't
# exist, it continues onward.
EnvironmentFile=-/etc/default/logstash
EnvironmentFile=-/etc/sysconfig/logstash
ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/etc/logstash" "-f" "/etc/logstash/conf.d"
Restart=always
WorkingDirectory=/
Nice=19
LimitNOFILE=16384

# When stopping, how long to wait before giving up and sending SIGKILL?
# Keep in mind that SIGKILL on a process can cause data loss.
TimeoutStopSec=infinity

[Install]
WantedBy=multi-user.target

# Note: the service runs as user and group logstash, so the files we collect from must be readable by that account

5.2.4 Grant read permission on the log file

chown logstash:logstash /var/log/syslog
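As an added check that is not part of the original post, this POSIX shell function evaluates a file's mode bits for a given account, so the readability requirement from the note above can be verified for the logstash user before the service is started. It assumes GNU stat (-c) and that the account exists; the demo at the bottom uses a constructed temporary file and the nobody account, not /var/log/syslog.

```shell
# can_read_as USER FILE -> returns 0 when USER's classic owner/group/other
# permission bits allow reading FILE. It ignores ACLs and the root override,
# which is exactly what a non-root service account such as logstash faces.
can_read_as() {
    user="$1"
    file="$2"
    [ -f "$file" ] || { echo "$file: not a regular file" >&2; return 2; }
    set -- $(stat -c '%U %G %a' "$file")   # GNU stat: owner, group, octal mode
    owner="$1"; group="$2"; mode="$3"
    if [ "$owner" = "$user" ]; then
        digit=$(( (mode / 100) % 10 ))       # owner rwx digit
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$group"; then
        digit=$(( (mode / 10) % 10 ))        # group rwx digit (user is a member)
    else
        digit=$(( mode % 10 ))               # other rwx digit
    fi
    [ $(( digit & 4 )) -eq 4 ]               # r bit is 4
}

# Demonstration on a constructed temp file; in the real procedure the target
# would be /var/log/syslog and the account "logstash".
demo() {
    f=$(mktemp)
    chmod 640 "$f"
    can_read_as "$(id -un)" "$f" && echo "owner can read $f (mode 640)"
    can_read_as nobody "$f" || echo "nobody cannot read $f (mode 640)"
    chmod 644 "$f"
    can_read_as nobody "$f" && echo "nobody can read $f (mode 644)"
    rm -f "$f"
}
demo
```

Run it as `can_read_as logstash /var/log/syslog` after the chown above; a non-zero exit means the service would log permission errors instead of shipping events.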

5.2.5 Start the Logstash service

systemctl daemon-reload
systemctl start logstash.service
systemctl status logstash.service

5.2.6 Check the logs

root@logstash:~# ll /var/log/logstash/
total 24
drwxr-xr-x 2 logstash root     4096 Jun  6 12:02 ./
drwxr-xr-x 9 root     root     4096 Jun  6 09:28 ../
-rw-r--r-- 1 logstash logstash 3140 Jun  6 12:09 logstash-deprecation.log
-rw-r--r-- 1 logstash logstash    0 Jun  6 12:02 logstash-json.log
-rw-r--r-- 1 logstash logstash 8217 Jun  6 12:09 logstash-plain.log
-rw-r--r-- 1 logstash logstash    0 Jun  6 12:02 logstash-slowlog-json.log
-rw-r--r-- 1 logstash logstash    0 Jun  6 12:02 logstash-slowlog-plain.log

5.2.7 Verify that data reached ES

Posted 2023-06-06 12:12 by 小粉优化大师