ELK 2(10月19日)

27.6 安装kibana
27.7 安装logstash
27.8 配置logstash
27.9 kibana上查看日志
27.10 收集nginx日志
27.11 使用beats采集日志

27.6 安装kibana

kun02上安装kibana

和安装elasticsearch一样都是可以通过安装yum源或者直接安装rpm包
参考官方文档 https://www.elastic.co/guide/en/elastic-stack/current/installing-elastic-stack.html

1
[root@kun02 ~]# yum install -y kibana

或者

1
2
[root@kun02 ~]# wget https://artifacts.elastic.co/downloads/kibana/kibana-6.4.2-x86_64.rpm
[root@kun02 src]# rpm -ivh kibana-6.4.2-x86_64.rpm

配置kibana

1
[root@kun02 src]# vim /etc/kibana/kibana.yml

添加下面参数

1
2
3
4
server.port: 5601
server.host: 192.168.80.102 
elasticsearch.url: "http://192.168.80.102:9200"  ##定义主节点IP端口
logging.dest: /var/log/kibana.log  ##定义kabana的日志,不定义默认输入到/var/log/messages

/etc/kibana/kibana.yml是kibana的配置文件 kibana默认监听5601端口

启动kibana

1
[root@kun02 src]# systemctl start kibana

问题 目录权限不够 不能写入/var/log

1
2
Oct 14 18:00:07 kun02 kibana: Error: EACCES: permission denied, open '/var/log/kibana.log'
Oct 14 18:00:07 kun02 systemd: kibana.service: main process exited, code=exited, status=1/FAILURE

解决 更改目录权限或者更改路径

1
[root@kun02 src]# chmod 757 /var/log/

查看是否监听端口

1
2
[root@kun02 src]# netstat -lntp |grep node
tcp        0      0 192.168.80.102:5601     0.0.0.0:*               LISTEN      4327/node

在浏览器上打开kibana

输入192.168.80.102:5601

27.7 安装logstash

在kun03上安装logstash

和安装elasticsearch一样都是可以通过安装yum源或者直接安装rpm包
参考官方文档 https://www.elastic.co/guide/en/elastic-stack/current/installing-elastic-stack.html

1
[root@kun03 ~]# yum install -y logstash

或者

1
2
[root@kun03 ~]# wget https://artifacts.elastic.co/downloads/logstash/logstash-6.4.2.rpm
[root@kun03 src]# rpm -ivh logstash-6.4.2.rpm

创建收集系统日志的配置文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
[root@kun03 src]# vim /etc/logstash/conf.d/syslog.conf

input {
  syslog {
    type => "system-syslog"
host => "192.168.80.103"
port => "514"
  }
}
output {
stdout {
codec => "rubydebug"
}
}

自定义的收集日志配置文件路径是/etc/logstash/conf.d/ 配置文件以.conf结尾
type => "system-syslog" 指定类型是系统日志
port => 514 指定输入到本机的端口
codec => rubydebug 指定输入到当前终端上

检查自定义文件

1
2
3
[root@kun03 src]# cd /usr/share/logstash/bin/
[root@kun03 bin]# ./logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/syslog.conf --config.test_and_exit
Configuration OK  ##表示配置文件没错

elasticsearch kibana logstash filebeat的执行文件,插件都是在/usr/share/对应的目录下,日志在/var/log/对应的目录下,配置文件在/etc/对应目录下
--path.settings 指定/logstash主配置文件目录
-f 指定自定义的配置文件
--config.test_and_exit 检查并退出 不带此行就启动服务了logstash服务并前台输出 systemctl start logstash表示启动服务并后台执行

1
[root@kun03 bin]# ./logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/syslog.conf  ##启动启动logstash服务并在此终端输入信息

在另一个终端上设置信息输入的端口

1
[root@kun03 bin]# vim /etc/rsyslog.conf

添加下面参数

1
*.* @@192.168.80.103:514   ##日志表示所有信息内容输入到本机的10514端口中

/etc/rsyslog.conf 是系统日志的配置文件

1
[root@kun03 ~]# systemctl restart rsyslog

问题 没有日志输出

1
An unexpected error occurred! {:error=>#<ArgumentError: Path "/var/lib/logstash/queue" must be a writable directory.

解决 更改用户为logstash

1
[root@kun03 ~]# chown -R logstash /var/log/logstash /var/lib/logstash

查看是否监听514端口和9600端口

1
2
3
4
[root@kun03 ~]# netstat -lntp |grep 514
tcp6       0      0 :::514                :::*                    LISTEN      1834/java
[root@kun03 ~]# netstat -lntp |grep 9600
tcp6       0      0 127.0.0.1:9600          :::*                    LISTEN      1833/java

9600端口是logstash服务监听的端口

27.8 配置logstash

由于刚刚配置的收集日志配置文件只能在当前终端输出,并不能输出给es来让kibana成图。因此还需要更改配置文件

1
[root@kun03 bin]# vim /etc/logstash/conf.d/syslog.conf

更改为下面参数

1
2
3
4
5
6
7
8
9
10
11
12
13
input {
  syslog {
    type => "system-syslog"
host => "192.168.80.103"
port => "514"
  }
}
output {
  elasticsearch {
    hosts => ["192.168.80.102:9200"]
    index => "system-syslog-%{+YYYY.MM}"
  }
}

type => "system-syslog" 自定义名字
hosts => ["192.168.80.102:9200"] 输入到主节点kun02上
index => "system-syslog-%{+YYYY.MM}" 定义输入的格式是system-syslog-年年年年.月月的索引

启动logstash服务

1
[root@kun03 bin]# systemctl start logstash

问题 启动不了514端口

1
Oct 17 23:59:11 kun03 logstash: [2018-10-17T23:59:11,146][WARN ][logstash.inputs.syslog   ] syslog listener died {:protocol=>:tcp, :address=>"192.168.80.103:514", :exception=>#<SocketError: initialize: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyTCPServer.java:135:in `initialize'", "org/jruby/RubyIO.java:875:in `new'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:167:in `tcp_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:130:in `server'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:114:in `block in run'"]}

解决 更改logstash.service里面属主为root
参考文章 https://blog.csdn.net/bing0924/article/details/82858207

1
2
3
4
5
vim /etc/systemd/system/logstash.service
User=root
Group=root
[root@kun03 ~]# systemctl daemon-reload
[root@kun03 ~]# systemctl restart logstash

查看是否启动端口

1
2
3
[root@kun03 bin]# netstat -lntp
tcp6       0      0 :::514                :::*                    LISTEN      2059/java           
tcp6       0      0 127.0.0.1:9600          :::*                    LISTEN      2059/java

/var/log/logstash/logstash-plain.log 是logstash的日志路径 ,启动不了端口可以查看此日志文件

27.9 kibana上查看日志

查看文章 https://zhaoyanblog.com/archives/732.html

获取索引信息

格式:curl 'IP地址:9200/_cat/indices?v'

1
2
3
4
5
6
7
8
9
10
11
[root@kun02 ~]# curl '192.168.80.102:9200/_cat/indices?v'
health status index                      uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   system-syslog-2018.10      YPPbyuQORcSRvKZ3eCGzsA   5   1         13            0    195.1kb
```       
发现有索引说明logstash和elasticsearch正常通讯了 `v`表示表头

>获指定索引详细信息

格式:`curl -XGET 'IP地址:9200/索引名?pretty'`
``` 
[root@kun02 ~]# curl -XGET '192.168.80.102:9200/system-syslog-2018.10?pretty'

删除指定索引

格式:curl -XDELETE 'IP地址:9200/索引名'

1
2
[root@kun02 ~]# curl -XDELETE '192.168.80.102:9200/kibana_sample_data_flights'
{"acknowledged":true}

在浏览器访问kibana

点击Managerment,把刚刚查看到的索引填上 可以填system-syslog-* 来表示所有

回去Discover 已经发现有数据了

27.10 收集nginx日志

使用logstash收集Nginx的访问日志

步骤

在kun03上

1.安装Nginx并创建虚拟主机配置文件和定义访问日志的输入格式

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
[root@kun03 bin]# yum install -y nginx
[root@kun03 bin]# vim /etc/nginx/conf.d/elk.conf

server {
            listen 80;
            server_name elk.test.com;

            location / {
                proxy_pass      http://192.168.80.102:5601;
                proxy_set_header Host   $host;
                proxy_set_header X-Real-IP      $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }
            access_log  /var/log/elk_access.log main2;
        }

此配置是本机80端口(elk.test.com)代理到192.168.80.102:5601上
access_log 定义访问日志路径和格式

1
[root@kun03 bin]# vim /etc/nginx/nginx.conf

在http里面添加

1
2
3
log_format main2 '$http_host $remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$upstream_addr" $request_time';

2.检查并启动Nginx服务

1
2
[root@kun03 bin]# nginx -t
[root@kun03 bin]# systemctl start nginx

问题 Nginx 无法读取PID

1
Oct 18 15:20:14 kun03 systemd: Failed to read PID from file /run/nginx.pid: Invalid argument

解决 参考文档 http://jiasule.v2ex.com/t/300986

1
2
3
4
[root@kun03 bin]# mkdir -p /etc/systemd/system/nginx.service.d
[root@kun03 bin]# printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
[root@kun03 bin]# systemctl daemon-reload
[root@kun03 bin]# systemctl restart nginx

在hosts上绑定域名还IP并使用浏览器访问

1
192.168.80.103 elk.test.com

查看是否产生访问日志

1
2
[root@kun03 bin]# tail /var/log/elk_access.log
elk.test.com 192.168.80.1 - - [18/Oct/2018:16:30:41 +0800] "GET /bundles/428687c29242d0d2f3d7ac7e09942921.svg HTTP/1.1" 304 0 "http://elk.test.com/app/kibana" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36" "192.168.80.102:5601" 0.013

3.创建收集Nginx访问日志的配置文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
[root@kun03 bin]# vim /etc/logstash/conf.d/nginx.conf


input {
  file {
    path => "/var/log/elk_access.log"
    start_position => "beginning"
    type => "nginx"
  }
}
filter {
    grok {
        match => { "message" => "%{IPORHOST:http_host} %{IPORHOST:clientip} - %{USERNAME:remote_user} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:http_verb} %{NOTSPACE:http_request}(?: HTTP/%{NUMBER:http_version})?|%{DATA:raw_http_request})\" %{NUMBER:response} (?:%{NUMBER:bytes_read}|-) %{QS:referrer} %{QS:agent} %{QS:xforwardedfor} %{NUMBER:request_time:float}"}
    }
    geoip {
        source => "clientip"
    }
}
output {
    stdout { codec => rubydebug }
    elasticsearch {
        hosts => ["192.168.80.103:9200"]
  index => "nginx-test-%{+YYYY.MM.dd}"
  }
}

path 指定收集的来源文件路径 这里指Nginx的访问日志路径
start_position 从文章的哪里开始收集 beginning表示开头
type 自定义名字
filter 搜索的日志过滤为指定格式

4.检查配置文件并启动logstash服务

1
2
[root@kun03 bin]# ./logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/nginx.conf --config.test_and_exit
[root@kun03 bin]# systemctl start logstash

5.查看索引并在kibana上查看

在kun02上

1
2
3
[root@kun02 ~]# curl '192.168.80.102:9200/_cat/indices?v'
health status index                 uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   nginx-test-2018.10.18 dkGUAduQSoOnWoEMXsCu-A   5   1        147            0    401.8kb        200.9kb

6.在kibana上添加索引

Managerment —- Index Patterns —- Create Index Pattern —- 输入 nginx-test-*

27.11 使用beats采集日志

Beats是个轻量的数据采集器,它的家族成员有多个,其中filebeat是用来收集数据的。还可以来自定义beats
官网 https://www.elastic.co/cn/products/beats
成员下载地址 https://www.elastic.co/cn/downloads/beats

Beats成员

在kun04上安装filebeat来收集日志,并在屏幕上显示

1.下载并安装filebeat

1
2
[root@kun04 src]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.4.2-x86_64.rpm
[root@kun04 src]# rpm -ivh filebeat-6.4.2-x86_64.rpm

2.编辑filebeat配置文件

1
[root@kun04 src]# vim /etc/filebeat/filebeat.yml

filebeat.inputs: 修改下面参数 表示来源的数据

1
2
3
- type: log
  enabled: true
    - /var/log/messages

注意:每行开头都要上行后空两格
找到output.elasticsearch: 注释掉 并添加下面参数 表示当前终端输出

1
2
output.console:
  enable: true

3.在当前屏幕显示数据

1
[root@kun04 src]# /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml

-c 指定filebeat配置文件

让filebeat把数据输出到elastic上并启动为服务

1.配置filebeat配置文件

1
2
3
4
5
6
7
8
9
[root@kun04 src]# vim /etc/filebeat/filebeat.yml

filebeat.inputs:
- type: log
  paths:
    - /var/log/messages

output.elasticsearch:
  hosts: ["192.168.80.102:9200"]

2.启动filebeat服务

1
[root@kun04 src]# systemctl start filebeat

filebeat的日志路径是/var/log/filebeat/filebeat

3.在kun02上查看索引 

1
2
3
[root@kun02 ~]# curl '192.168.80.102:9200/_cat/indices?v'
health status index                     uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   filebeat-6.4.2-2018.10.19 xZHltcWtRQqB3a2QI599RQ   3   1       5796            0      1.6mb        861.9kb

注意:filebeat配置文件中是不需要添加索引参数 会自动生成索引

4.在kibana上添加filebeat索引

扩展知识

x-pack 收费,免费

http://www.jianshu.com/p/a49d93212eca
https://www.elastic.co/subscriptions

Elastic stack演进

http://70data.net/1505.html

基于kafka和elasticsearch,linkedin构建实时日志分析系统

http://t.cn/RYffDoE

使用redis

http://blog.lishiming.net/?p=463

ELK+Filebeat+Kafka+ZooKeeper 构建海量日志分析平台

https://www.cnblogs.com/delgyd/p/elk.html
http://www.jianshu.com/p/d65aed756587

logstash配置详细说明

https://blog.csdn.net/chenleiking/article/details/73563930
https://www.cnblogs.com/yincheng/p/logstash.html

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

欢迎光临<br><br>本博客是用来记录学习Linux Python Shell和Perl<br>谢谢大家