More at http://www.mknight.cn/post/615/
Elasticsearch-Logstash-Kibana (1) Environment setup
Elasticsearch-Logstash-Kibana (2) Data visualization
Elasticsearch-Logstash-Kibana (3) Environment configuration and tuning
Installation
Environment requirements
To check your Java version, run the following command:
java -version
On systems with Java installed, this command produces output similar to the following:
java version "1.8.0_65"
Java(TM) SE Runtime Environment (build 1.8.0_65-b17)
Java HotSpot(TM) 64-Bit Server VM (build 25.65-b01, mixed mode)
In short, the current ELK release only supports JDK 8.
Import the signing key
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Create the repo file
Add the following in your /etc/yum.repos.d/ directory in a file with a .repo suffix, for example logstash.repo
[logstash-6.x]
name=Elastic repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
Install with yum
And your repository is ready for use. You can install it with:
sudo yum install elasticsearch logstash kibana
elasticsearch
Edit the configuration file
vim /etc/elasticsearch/elasticsearch.yml
network.host: 192.168.1.40
# Binding to a non-loopback address exposes the REST API to the whole network; Elasticsearch 6.x has no authentication unless X-Pack security is enabled, so restrict access with a firewall or a reverse proxy
# On CentOS 6 (no seccomp support) the following two lines are also required
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
Start
/etc/init.d/elasticsearch start
Visit that IP and port to check that it responds
Kibana
Edit the configuration file
vim /etc/kibana/kibana.yml
elasticsearch.url: "http://192.168.1.40:30036"
server.host: "0.0.0.0"
Start
/etc/init.d/kibana start
logstash
Create a symlink
ln -s /etc/logstash/ /usr/share/logstash/config
Create the pipeline configuration file
vim /usr/share/logstash/config/conf.d/elk.conf
input {
  file {
    path => [ "/var/log/nginx/access.log" ]
    start_position => "beginning"
    ignore_older => 0
  }
}
filter {
  grok {
    # Custom patterns such as NGINXACCESS (defined in the patterns step below) are only
    # resolved if their directory is on patterns_dir; the path assumes Logstash is run
    # from /usr/share/logstash, where that step creates the directory
    patterns_dir => [ "/usr/share/logstash/patterns" ]
    match => { "message" => "%{NGINXACCESS}" }
  }
  geoip {
    # X-Forwarded-For is a client-supplied header: only trust it when your own proxy
    # sets it, otherwise use clientip as the source
    source => "http_x_forwarded_for"
    target => "geoip"
    database => "/usr/share/logstash/plugin/GeoLite2-City.mmdb"
    # Two add_field entries on the same field build the [longitude, latitude] array
    add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
  }
  mutate {
    convert => [ "[geoip][coordinates]", "float" ]
    convert => [ "response", "integer" ]
    convert => [ "bytes", "integer" ]
    replace => { "type" => "nginx_access" }
    remove_field => "message"
  }
  useragent {
    source => "agent"
    target => "device"
  }
  date {
    match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
  mutate {
    remove_field => "timestamp"
  }
}
output {
  elasticsearch {
    hosts => ["192.168.1.40:30005"]
    index => "logstash-mknight-nginx-%{+YYYY.MM.dd}"
    # The following option is no longer supported in 6.0
    #flush_size => 100
    sniffing => true
  }
  stdout { codec => rubydebug }
}
Configure GeoIP
mkdir plugin
cd plugin
wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz
gzip -d GeoLite2-City.mmdb.gz
Configure the nginx grok pattern
mkdir patterns
vim patterns/nginx
NGUSERNAME [a-zA-Z\.\@\-\+_%]+
NGUSER %{NGUSERNAME}
NGINXACCESS %{IPORHOST:clientip} - %{NOTSPACE:remote_user} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent} \"%{IPV4:http_x_forwarded_for}\"
Start
./bin/logstash -f config/conf.d/elk.conf
Check the startup log
tail -100 /var/log/logstash/logstash-plain.log
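To see what the pipeline above actually produces before pointing it at Elasticsearch, here is an added example (not code from the original post) that applies the NGINXACCESS pattern and the mutate/date steps to constructed log lines in Python; it also checks whether the geoip source field, X-Forwarded-For, holds a globally routable address, since that header is client-supplied. The regex is a hand translation of the grok pattern and assumes the nginx log_format ends with the quoted X-Forwarded-For field, as the pattern requires.

```python
import ipaddress
import re
from datetime import datetime

# Regex equivalent of the page's NGINXACCESS grok pattern. Assumption: the nginx
# log_format ends with the quoted X-Forwarded-For field, as that pattern requires.
# QS keeps the surrounding quotes, so referrer and agent are captured with them.
NGINXACCESS = re.compile(
    r'^(?P<clientip>\S+) - (?P<remote_user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?:(?P<verb>\w+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?'
    r'|(?P<rawrequest>[^"]*))" (?P<response>\d+) (?:(?P<bytes>\d+)|-) '
    r'(?P<referrer>"[^"]*") (?P<agent>"[^"]*") '
    r'"(?P<http_x_forwarded_for>\d{1,3}(?:\.\d{1,3}){3})"$'
)

def parse_access_line(line):
    """Apply the page's grok, mutate and date filters to one log line.
    Returns the resulting event, or None where grok would tag _grokparsefailure."""
    m = NGINXACCESS.match(line)
    if m is None:
        return None
    ev = {k: v for k, v in m.groupdict().items() if v is not None}
    ev["response"] = int(ev["response"])          # mutate convert "response","integer"
    if "bytes" in ev:
        ev["bytes"] = int(ev["bytes"])            # mutate convert "bytes","integer"
    ev["type"] = "nginx_access"                   # mutate replace
    # date { match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] } followed by
    # mutate { remove_field => "timestamp" }
    ev["@timestamp"] = datetime.strptime(ev.pop("timestamp"), "%d/%b/%Y:%H:%M:%S %z")
    return ev

def geoip_source_usable(ev):
    """The geoip filter keys on http_x_forwarded_for, a header any client can set.
    Only a globally routable address is worth looking up; private or loopback
    values mean an internal hop or a forged header and would yield no location."""
    try:
        return ipaddress.ip_address(ev["http_x_forwarded_for"]).is_global
    except (KeyError, ValueError):
        return False

# Constructed sample lines (not real traffic)
LINE_OK = ('10.0.0.5 - - [18/Jan/2018:10:22:33 +0800] "GET /post/615/ HTTP/1.1" '
           '200 5123 "-" "curl/7.29.0" "8.8.8.8"')
LINE_INTERNAL_XFF = LINE_OK.replace('"8.8.8.8"', '"192.168.1.40"')
LINE_NO_XFF = LINE_OK[: LINE_OK.rfind(' "')]   # log_format without the XFF field
```

A line whose log_format lacks the trailing quoted X-Forwarded-For field fails the pattern entirely, which is the usual cause of _grokparsefailure with this configuration.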
Open Kibana
Create the index pattern
Visit port 5601 on the machine, set the index pattern and click Create
Configure Discover
Click Discover to see the imported log records
Also, click a field under Available Fields and choose Add to show it in the records
This completes the basic ELK setup; a later post covers configuring Kibana charts and dashboards.
Troubleshooting notes:
Kibana
Kibana cannot be reached on its IP and port:
# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
#server.host: "localhost"
server.host: "0.0.0.0"
elasticsearch
Elasticsearch fails to start after changing the IP
Cause: CentOS 6 does not support seccomp, while ES 5.2.1 sets bootstrap.system_call_filter to true by default and runs the check, so the check fails and ES does not start. Details: https://github.com/elastic/elasticsearch/issues/22899
Fix: set bootstrap.system_call_filter to false in elasticsearch.yml; note that it goes under the Memory section:
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
max number of threads [2048] for user [elasticsearch] is too low, increase to at least [4096]
[1]: max number of threads [2048] for user [elasticsearch] is too low, increase to at least [4096]
[2]: system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk
Fix:
vi /etc/security/limits.conf
Add the following:
* soft nofile 65536
* hard nofile 131072
# Elasticsearch checks the soft limit, so soft nproc must also reach 4096
* soft nproc 4096
* hard nproc 4096
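The bootstrap checks quoted above read the soft limits (rlim_cur), so a limits.conf fragment whose soft nproc is still 2048 trips the first check even with hard nproc at 4096. The following added example (not from the original post) resolves the soft limits a limits.conf text would give the elasticsearch user and reports which of the two checks would fail; the precedence rules are a simplified model of pam_limits.

```python
# Soft limits (rlim_cur) are what the Elasticsearch bootstrap checks read, so a
# high hard limit alone does not satisfy them. Thresholds taken from the page's errors.
ES_REQUIRED = {"nproc": 4096, "nofile": 65536}

def effective_soft_limits(limits_conf, user, group=None):
    """Resolve the soft limits pam_limits would apply to `user` from a
    limits.conf text. Simplified precedence: a user entry beats a @group entry,
    which beats the '*' wildcard; within one level, a later line wins."""
    rank = {"*": 0, user: 2}
    if group:
        rank["@" + group] = 1
    chosen = {}  # item -> (rank, value)
    for raw in limits_conf.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 4:
            continue  # blank, comment or malformed line
        domain, kind, item, value = fields
        if domain not in rank or kind not in ("soft", "-"):
            continue  # '-' sets soft and hard together; a bare 'hard' line is ignored
        val = float("inf") if value == "unlimited" else int(value)
        if item not in chosen or rank[domain] >= chosen[item][0]:
            chosen[item] = (rank[domain], val)
    return {item: val for item, (_, val) in chosen.items()}

def failing_checks(limits_conf, user="elasticsearch"):
    """Return one message per ES bootstrap check the fragment would not satisfy."""
    soft = effective_soft_limits(limits_conf, user)
    return [f"{item}: soft limit {soft.get(item, 'unset')} below required {need}"
            for item, need in ES_REQUIRED.items() if soft.get(item, 0) < need]

# Constructed fragments: a version with soft nproc 2048, then a corrected one
WEAK_LIMITS = """\
* soft nofile 65536
* hard nofile 131072
* soft nproc 2048
* hard nproc 4096
"""
FIXED_LIMITS = WEAK_LIMITS + "elasticsearch soft nproc 4096\n"
```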
Could not find logstash.yml
Problem
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs to console
Fix
cd /usr/share/logstash
ln -s /etc/logstash ./config
Make pipeline configuration changes take effect automatically so Logstash does not have to be stopped and started all the time. Edit /etc/logstash/logstash.yml:
config.reload.automatic: true
Out of memory
Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00000000c5330000, 181207040, 0) failed; error='Cannot allocate memory'
Out of memory: reduce the memory the program needs at startup, or free up memory, for example by closing other programs.