elk分布式+ logstash日志监控+kibana监控

[root@server1 head]# vim /etc/elasticsearch/elasticsearch.yml
 68 discovery.zen.ping.unicast.hosts: ["server1", "server2","server3"]

server2
root@server2 ~]# ls
elasticsearch-2.3.3.rpm  jdk-8u121-linux-x64.rpm
[root@server2 ~]# yum install elasticsearch-2.3.3.rpm jdk-8u121-linux-x64.rpm  -y
[root@server2 ~]# vim /etc/elasticsearch/elasticsearch.yml
 17 cluster.name: my-bs
 23 node.name: server2
 43 bootstrap.mlockall: true
 54 network.host: 172.25.8.2
 68 discovery.zen.ping.unicast.hosts: ["server1", "server2","server3"]
[root@server2 ~]# vim /etc/security/limits.conf
elasticsearch soft memlock unlimited
elasticsearch hard memlock unlimited
[root@server2 ~]# /etc/init.d/elasticsearch start

server3
[root@server3 ~]# ls
elasticsearch-2.3.3.rpm  jdk-8u121-linux-x64.rpm
[root@server3 ~]# yum install -y elasticsearch-2.3.3.rpm  jdk-8u121-linux-x64.rpm
[root@server3 ~]# vim /etc/security/limits.conf
elasticsearch soft memlock unlimited
elasticsearch hard memlock unlimited
[root@server3 ~]# vim /etc/elasticsearch/elasticsearch.yml
 17 cluster.name: my-bs
 23 node.name: server3
 43 bootstrap.mlockall: true
 54 network.host: 172.25.8.3
 68 discovery.zen.ping.unicast.hosts: ["server1", "server2","server3"]
[root@server3 ~]# /etc/init.d/elasticsearch start
访问web  http://172.25.8.1:9200/_plugin/head/(刷新一下)
 
优化
[root@server1 ~]# vim /etc/elasticsearch/elasticsearch.yml
 24 node.master: true
 25 node.data: false
[root@server2 ~]# vim /etc/elasticsearch/elasticsearch.yml
24 node.master: false
25 node.data: true
[root@server3 ~]# vim /etc/elasticsearch/elasticsearch.yml
 24 node.master: false
 25 node.data: true
[root@server1 ~]# /etc/init.d/elasticsearch restart
[root@server2 ~]# /etc/init.d/elasticsearch restart
[root@server3 ~]# /etc/init.d/elasticsearch restart
访问web  http://172.25.8.1:9200/_plugin/head/(刷新一下)
 
 
 

通过api命令添加数据
[root@server1 elk]# rpm -ivh logstash-2.3.3-1.noarch.rpm
[root@server1 elk]# cd /opt/logstash/
[root@server1 logstash]# bin/logstash -e 'input { stdin { } } output {stdout { } }'
Settings: Default pipeline workers: 1
Pipeline main started
hello world
2018-10-26T03:10:48.712Z server1 hello world
[root@server1 logstash]# bin/logstash -e 'input { stdin { } } output {stdout { codec => rubydebug } elasticsearch { hosts => ["172.25.8.1"] index => "logstash-%{+YYYY.MM.dd}" }  }'
Settings: Default pipeline workers: 1
Pipeline main started
duang
{
       "message" => "duang",
      "@version" => "1",
    "@timestamp" => "2018-10-26T03:14:44.572Z",
          "host" => "server1"
}

ot@server1 logstash]# cd /etc/logstash/conf.d/
[root@server1 conf.d]# vim bs.conf
input {
        stdin {}
}
 
output {
        stdout {
                codec => rubydebug
        }
        elasticsearch {
                hosts => ["172.25.8.1"]
                index => "logstash-%{+YYYY.MM.dd}"
        }
        file {
                path => "/tmp/tsetfile"
                codec => line { format => "custom format: %{message}"}
        }
}
[root@server1 conf.d]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/bs.conf
Settings: Default pipeline workers: 1
Pipeline main started
hello
{
       "message" => "hello",
      "@version" => "1",
    "@timestamp" => "2018-10-26T03:32:12.888Z",
          "host" => "server1"
}
duang duang
{
       "message" => "duang duang",
      "@version" => "1",
    "@timestamp" => "2018-10-26T03:32:18.748Z",
          "host" => "server1"
}
^CSIGINT received. Shutting down the agent. {:level=>:warn}
stopping pipeline {:id=>"main"}
Pipeline main has been shutdown
访问web
[root@server1 conf.d]# cat /tmp/tsetfile
custom format: hello
custom format: duang duang
 
[root@server1 conf.d]# vim ss.conf
input {
        file {
                path => "/var/log/messages"
                start_position => "beginning"
        }
}
 
output {
#       stdout {
#               codec => rubydebug
#       }
        elasticsearch {
                hosts => ["172.25.8.1"]
                index => "messages-%{+YYYY.MM.dd}"
        }
#        file {
#                path => "/tmp/tsetfile"
#                codec => line { format => "custom format: %{message}"}
#        }
}
[root@server1 conf.d]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/ss.conf
Settings: Default pipeline workers: 1
Pipeline main started
LOL
LOLOLOLOLOLOLOLOLOLOLOLOLOLOLOL
LOLOLOLOLOL
LOLOLLOLOLOLOLOOL
LOLOL
^CSIGINT received. Shutting down the agent. {:level=>:warn}
stopping pipeline {:id=>"main"}
Pipeline main has been shutdown
访问web
 
[root@server1 conf.d]# vim ss.conf
[root@server1 conf.d]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/ss.conf

[root@server2 ~]# vim /etc/rsyslog.conf
 13 $ModLoad imudp
 14 $UDPServerRun 514
 17 $ModLoad imtcp
 18 $InputTCPServerRun 514
 81 *.*  @@172.25.8.1:514
[root@server2 ~]# /etc/init.d/rsyslog restart
访问web
 
[root@server1 log]# cd /etc/logstash/conf.d/
[root@server1 conf.d]# vim bs.conf
input {
        file {
                path => "/var/log/elasticsearch/my-bs.log"
                start_position => "beginning"
        }
}

filter {
        multiline {
                pattern => "^\["
                negate => "true"
                what => "previous"
        }
}
output {
        elasticsearch {
                hosts => ["172.25.8.1"]
                index => "bs-%{+YYYY.MM.dd}"
        }
}
[root@server1 conf.d]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/bs.conf
访问web

vim bs.conf
input {
        file {
                path => "/var/log/elasticsearch/my-bs.log"
                start_position => "beginning"
                codec => multiline {
                        pattern => "^\["
                        negate => "true"
                        what => "previous"
                }
        }
}
output {
        elasticsearch {
                hosts => ["172.25.8.1"]
                index => "bs-%{+YYYY.MM.dd}"
        }
}
 
httpd日志监控
nput {
        file {
                path => "/var/log/httpd/access_log"
                start_position => "beginning"
}
filter {
        grok {
                match => { "message" => "%{COMBINEDAPACHELOG}"}
        }
}
output {
        elasticsearch {
                hosts => ["172.25.8.1"]
                index => "apache-%{+YYYY.MM.dd}"
        }
}
/opt/logstash/bin/logstash -f /etc/logstash/conf.d/bs.conf
 
 
nginx日志监控
[root@server1 ~]# /etc/init.d/httpd stop
[root@server1 ~]# /etc/init.d/nginx start
input {
        file {
                path => "/var/log/nginx/access.log"
                start_position => "beginning"
        }
}
filter {
        grok {
                match => { "message" => "%{COMBINEDAPACHELOG}  %{QS:xforward}" }
        }
}
output {
        elasticsearch {
                hosts => ["172.25.8.1"]
                index => "nginx-%{+YYYY.MM.dd}"
        }
}
ot@server1 conf.d]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/bs.conf
fangwen web

kibana
[root@server1 elk]# rpm -ivh kibana-4.5.1-1.x86_64.rpm
[root@server1 elk]# cd /opt/kibana/config/
[root@server1 config]# vim kibana.yml
 15 elasticsearch.url: "http://172.25.8.1:9200"
 23 kibana.index: ".kibana"
[root@server1 config]# /etc/init.d/kibana start
web:172.25.8.1:5601
 
 
posted @ 2019-12-19 16:24  正义的朋友  阅读(930)  评论(0编辑  收藏  举报