1. Lab environment
Goal: use ELK to collect the system logs of a server and visualise the data.
Since I had no prior experience with this, I am starting with something simple.
1.1. Preparation
Prepare four virtual machines for the following roles. All of them sit on 192.168.17.0/24, which is the network used in every configuration file and captured output below.
- Client: the server whose logs are to be collected. It only needs rsyslog configured.
  - IP: 192.168.17.11
  - Hostname: client.localdomain
  - CPU: 1 core
  - Memory: 1 GB
  - Disk: 40 GB
- Buffer: runs logstash and redis. Give it a reasonably large allocation; logstash runs on the JVM and uses a lot of memory.
  - IP: 192.168.17.12
  - Hostname: redis.localdomain
  - CPU: 4 cores
  - Memory: 4 GB
  - Disk: 40 GB
- Storage: runs logstash and elasticsearch. Also give it a generous allocation.
  - IP: 192.168.17.13
  - Hostname: elasticsearch.localdomain
  - CPU: 4 cores
  - Memory: 4 GB
  - Disk: 40 GB
- Presentation: runs kibana.
  - IP: 192.168.17.14
  - Hostname: kibana.localdomain
  - CPU: 2 cores
  - Memory: 2 GB
  - Disk: 40 GB
2. Client deployment
The configuration is very simple: a single line.
2.1. Edit the rsyslog configuration
File: /etc/rsyslog.conf. The stock CentOS 7 file ends with a commented-out forwarding example; uncomment it and point it at the buffer host, so the rule ends up as the second-to-last line of the file:
*.* @@192.168.17.12:514
`*.*` forwards every facility and severity; `@@` means TCP (a single `@` would be UDP). Either way this is plain, unauthenticated syslog, which is fine on an isolated lab network but means anyone on the path can read or inject log lines. Port 514 is a privileged port, which is why the logstash syslog input in section 3.3 needs extra rights to bind it.
2.2. Restart rsyslog
[root@client ~]# systemctl restart rsyslog.service
3. Deploying logstash and redis
3.1. Java
- Set up the yum repositories. Fetch the repo definitions over https (the mirror supports it for both files); a repository definition pulled over plain HTTP can be altered in transit, and it decides where every later package comes from.
[root@redis ~]# mv /etc/yum.repos.d/* /tmp/
[root@redis ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
[root@redis ~]# wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
- Install Java
[root@redis ~]# yum install java-11
Set the Java environment variables by appending the following to /etc/profile. The JAVA_HOME path is specific to the build that was current at the time of writing; check the real directory name with ls /usr/lib/jvm and adjust it.
JAVA_HOME=/usr/lib/jvm/java-11-openjdk-11.0.7.10-4.el7_8.x86_64
JRE_HOME=$JAVA_HOME
CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib
PATH=${JAVA_HOME}/bin:$PATH
export JAVA_HOME JRE_HOME CLASSPATH PATH
Apply the variables by rebooting or running source /etc/profile, then confirm:
[root@redis ~]# echo $JAVA_HOME
/usr/lib/jvm/java-11-openjdk-11.0.7.10-4.el7_8.x86_64
3.2. redis
The official site is slow from here, so I used the Huawei Cloud mirror.
- Install redis
[root@redis ~]# yum install redis
- Configure redis
File: /etc/redis.conf. Both keys below already exist in the stock file; change them in place rather than appending a second copy:
# run redis in the background as a daemon
daemonize yes
# listen on the LAN address so logstash can reach it
bind 192.168.17.12
As configured, redis accepts unauthenticated connections from any host that can reach 192.168.17.12:6379, and whoever connects can read, delete or inject log entries. Outside an isolated lab, set requirepass in redis.conf, give the same value to the logstash redis output and input through their password option, and firewall port 6379 to the two logstash hosts.
- Start redis
[root@redis ~]# systemctl enable redis.service
[root@redis ~]# systemctl start redis.service
3.3. logstash
- Install logstash
[root@redis ~]# yum install https://mirrors.huaweicloud.com/logstash/7.7.1/logstash-7.7.1.rpm
If there is no error, the install succeeded.
One warning is printed: OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was...
This is the JVM telling you that the CMS garbage collector is deprecated on Java 9 and later; the default /etc/logstash/jvm.options still selects it. Switch to G1 by editing that file and replacing
-XX:+UseConcMarkSweepGC
with
-XX:+UseG1GC
- Configure logstash
File: /etc/logstash/conf.d/rsyslog2redis.conf
input {
syslog {
type => "rsyslog"
host => "192.168.17.12"
port => "514"
}
}
output {
redis {
host => "192.168.17.12"
port => "6379"
db => "10"
data_type => "list"
key => "rsyslog"
}
}
- Start logstash
The syslog input binds port 514, a privileged port, so logstash has to run as root. Set this in /etc/sysconfig/logstash:
LS_USER=root
Running the collector as root is the quick lab fix. The cleaner options are to listen on an unprivileged port such as 5514 (and point the rsyslog rule on the client at it), or to keep the default logstash user and grant only CAP_NET_BIND_SERVICE with AmbientCapabilities=CAP_NET_BIND_SERVICE in a systemd drop-in for the unit.
Quick test of the binary with a stdin/stdout pipeline (type a line and it is echoed back as an event):
[root@redis ~]# /usr/share/logstash/bin/logstash -e 'input { stdin { } } output { stdout {} }'
...WARN and INFO lines omitted...
hello, world!!!
{
"host" => "redis.localdomain",
"@timestamp" => 2020-06-26T16:38:15.075Z,
"@version" => "1",
"message" => "hello, world!!!"
}
[root@redis ~]# systemctl enable logstash.service
[root@redis ~]# systemctl start logstash.service
Start-up is slow, around two minutes. Check that it came up with:
[root@redis ~]# systemctl status logstash.service
● logstash.service - logstash
Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2020-06-27 00:20:52 CST; 1min 24s ago
Main PID: 1473 (java)
CGroup: /system.slice/logstash.service
└─1473 /bin/java -Xms1g -Xmx1g -XX:+UseG1GC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccu...
Jun 27 00:20:52 redis.localdomain systemd[1]: Started logstash.
Jun 27 00:20:52 redis.localdomain systemd[1]: Starting logstash...
Jun 27 00:21:18 redis.localdomain logstash[1473]: WARNING: An illegal reflective access operation has occurred
Jun 27 00:21:18 redis.localdomain logstash[1473]: WARNING: Illegal reflective access by com.headius.backport9.mod...long)
Jun 27 00:21:18 redis.localdomain logstash[1473]: WARNING: Please consider reporting this to the maintainers of c...dules
Jun 27 00:21:18 redis.localdomain logstash[1473]: WARNING: Use --illegal-access=warn to enable warnings of furthe...tions
Jun 27 00:21:18 redis.localdomain logstash[1473]: WARNING: All illegal access operations will be denied in a futu...lease
Jun 27 00:21:55 redis.localdomain logstash[1473]: Sending Logstash logs to /var/log/logstash which is now configu...rties
Hint: Some lines were ellipsized, use -l to show in full.
3.4. Verification
Check that the client's logs are reaching the redis list.
Generate a log line on the client:
[root@client ~]# logger "test"
Then look in redis. lindex rsyslog -1 returns the most recently pushed entry, so depending on timing it may be a cron line rather than the test message, as it is here:
[root@redis ~]# redis-cli -h 192.168.17.12
192.168.17.12:6379> ping
PONG
192.168.17.12:6379> info Keyspace
# Keyspace
db10:keys=1,expires=0,avg_ttl=0
192.168.17.12:6379> select 10
OK
192.168.17.12:6379[10]> keys *
1) "rsyslog"
192.168.17.12:6379[10]> llen rsyslog
(integer) 6
192.168.17.12:6379[10]> lindex rsyslog -1
"{\"severity\":6,\"timestamp\":\"Jun 27 00:50:01\",\"logsource\":\"client\",\"@timestamp\":\"2020-06-26T16:50:01.000Z\",\"@version\":\"1\",\"pid\":\"27036\",\"host\":\"192.168.17.11\",\"severity_label\":\"Informational\",\"type\":\"rsyslog\",\"facility\":9,\"facility_label\":\"clock\",\"priority\":78,\"program\":\"CROND\",\"message\":\"(root) CMD (/usr/lib64/sa/sa1 1 1)\\n\"}"
192.168.17.12:6379[10]> exit
[root@redis ~]#
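As an added example (not code from the original post), here is a small parser that does what the logstash syslog input did to produce the record above: split the RFC 3164 line, decode PRI into facility and severity, and turn the zone-less timestamp into @timestamp. It assumes the year 2020 and the UTC+8 zone of the logstash host, because the syslog header carries neither; the label tables follow the syslog input's defaults. Note the two host fields: logsource is the hostname in the syslog header, which is whatever the sender claims, while host is the TCP peer address as logstash saw it, which is the only one of the two you can trust.

```python
"""Parse an RFC 3164 (BSD) syslog line into the event document that the
logstash syslog input pushes onto the redis list.

Added example, not code from the original post. The facility/severity label
tables are the logstash syslog input defaults; year and time zone are
assumptions (the syslog header carries neither).
"""
import json
import re
from datetime import datetime, timedelta, timezone

SEVERITY_LABELS = ["Emergency", "Alert", "Critical", "Error",
                   "Warning", "Notice", "Informational", "Debug"]
FACILITY_LABELS = ["kernel", "user-level", "mail", "system",
                   "security/authorization", "syslogd", "line printer",
                   "network news", "UUCP", "clock", "security/authorization",
                   "FTP", "NTP", "log audit", "log alert", "clock",
                   "local0", "local1", "local2", "local3",
                   "local4", "local5", "local6", "local7"]

# <PRI>TIMESTAMP HOST PROGRAM[PID]: MESSAGE   (the day may be space padded)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<message>.*)$", re.DOTALL)


def decode_pri(pri):
    """PRI = facility * 8 + severity; 78 -> (9, 6), i.e. clock / Informational."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def parse_syslog(line, peer_ip, year=2020, tz=timezone(timedelta(hours=8))):
    """Build the logstash-style event for one syslog line.

    peer_ip: the TCP peer as logstash sees it (becomes the `host` field).
    year/tz: assumed values; RFC 3164 timestamps have no year or zone, so
    logstash fills in the collector's local ones (CST, UTC+8, in the post).
    """
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m["pri"])
    facility, severity = decode_pri(pri)
    # Prepend the year before parsing so a "Feb 29" line does not fail.
    local = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    local = local.replace(tzinfo=tz)
    event = {
        "type": "rsyslog",
        "host": peer_ip,                 # where the bytes actually came from
        "logsource": m["logsource"],     # what the sender wrote in the header
        "timestamp": m["ts"],
        "@timestamp": local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "@version": "1",
        "priority": pri,
        "facility": facility,
        "facility_label": FACILITY_LABELS[facility],
        "severity": severity,
        "severity_label": SEVERITY_LABELS[severity],
        "program": m["program"],
        "message": m["message"],
    }
    if m["pid"]:
        event["pid"] = m["pid"]
    return event


# Constructed input: the raw line behind the cron record shown in the redis
# session above (facility 9, severity 6 -> PRI 78). rsyslog frames TCP
# messages with "\n", which is why the stored message ends in a newline.
SAMPLE_LINE = "<78>Jun 27 00:50:01 client CROND[27036]: (root) CMD (/usr/lib64/sa/sa1 1 1)\n"

if __name__ == "__main__":
    print(json.dumps(parse_syslog(SAMPLE_LINE, peer_ip="192.168.17.11"), indent=2))
```

Running the block prints an event whose fields match the lindex output above, including the @timestamp of 2020-06-26T16:50:01.000Z for a line stamped 00:50:01 on Jun 27 local time.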
4. Deploying logstash and elasticsearch
4.1. Java
Same as 3.1.
4.2. elasticsearch
- Install elasticsearch
[root@elasticsearch ~]# yum install https://mirrors.huaweicloud.com/elasticsearch/7.7.1/elasticsearch-7.7.1-x86_64.rpm
- Configure elasticsearch
File: /etc/elasticsearch/elasticsearch.yml. The non-comment lines after editing:
[root@elasticsearch ~]# cat /etc/elasticsearch/elasticsearch.yml |grep ^[a-z]
cluster.name: es
node.name: es-node01
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: false
network.host: 192.168.17.13
http.port: 9200
discovery.seed_hosts: ["192.168.17.13"]
cluster.initial_master_nodes: ["es-node01"]
http.cors.enabled: true
http.cors.allow-origin: "*"
Two of these settings deserve a note. network.host: 192.168.17.13 exposes the REST API on the LAN, and in 7.7 X-Pack security stays off unless xpack.security.enabled: true is set, so anyone who can reach port 9200 can read and delete the indices. The two http.cors.* lines exist only so the browser-based head plugin (installed below) can call the API; allow-origin "*" lets any web page you happen to visit do the same from your browser, so outside a lab restrict it to head's own origin (http://192.168.17.13:9100).
File: /usr/lib/systemd/system/elasticsearch.service
Add the following so the start-up timeout is long enough; otherwise systemd gives up and kills elasticsearch before it finishes starting. Editing the packaged unit works, but the change is lost on the next package upgrade; a drop-in created with systemctl edit elasticsearch.service survives upgrades.
TimeoutStartSec=900
- Start elasticsearch
[root@elasticsearch ~]# systemctl daemon-reload
[root@elasticsearch ~]# systemctl enable elasticsearch.service
[root@elasticsearch ~]# systemctl start elasticsearch.service
Once it is up, test it at http://192.168.17.13:9200/
[root@elasticsearch ~]# curl http://192.168.17.13:9200/
{
"name" : "es-node01",
"cluster_name" : "es",
"cluster_uuid" : "UiO2khJYSMychDOkLPxM4g",
"version" : {
"number" : "7.7.1",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "ad56dce891c901a492bb1ee393f12dfff473a423",
"build_date" : "2020-05-28T16:30:01.040088Z",
"build_snapshot" : false,
"lucene_version" : "8.5.1",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
- Install the head plugin
Clone over https rather than git://: GitHub no longer serves the unauthenticated git protocol, and https also lets the client verify which server it is talking to. Note that npm install runs the packages' install scripts as root in /root here; for anything beyond a throwaway lab, do this as an unprivileged user.
[root@elasticsearch ~]# yum install git npm
[root@elasticsearch ~]# git clone https://github.com/mobz/elasticsearch-head.git
[root@elasticsearch ~]# vim elasticsearch-head/_site/app.js
# change localhost to 192.168.17.13
[root@elasticsearch ~]# cd elasticsearch-head
[root@elasticsearch elasticsearch-head]# npm install
[root@elasticsearch elasticsearch-head]# npm run start
> elasticsearch-head@0.0.0 start /root/elasticsearch-head
> grunt server
Running "connect:server" (connect) task
Waiting forever...
Started connect web server on http://localhost:9100
Then open http://192.168.17.13:9100/
4.3. logstash
Same as 3.3 except for the pipeline file. This instance only reads from redis and writes to elasticsearch, neither of which needs a privileged port, so leave LS_USER at its default (logstash) rather than root.
File: /etc/logstash/conf.d/redis2elasticsearch.conf
input {
redis {
host => "192.168.17.12"
port => "6379"
db => "10"
data_type => "list"
key => "rsyslog"
}
}
output {
elasticsearch {
hosts => ["192.168.17.13:9200"]
index => "rsyslog-%{+YYYY.MM.dd}"
}
}
4.4. Verifying the data
Open http://192.168.17.13:9100/ in head, or list the indices through the _cat/indices/rsyslog-* endpoint on port 9200. A new rsyslog-YYYY.MM.dd index whose document count keeps growing means the pipeline works end to end. Because logstash formats the date in the index name from @timestamp in UTC, events logged shortly after midnight local time land in the previous day's index.
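As an added example (not code from the original post), the following works out which daily index each event is routed to under the index => "rsyslog-%{+YYYY.MM.dd}" pattern from section 4.3, and builds the newline-delimited _bulk body that the elasticsearch output posts for a batch. The three events are constructed to mirror the records that the redis step in section 3.4 produces; only the fields needed here are included.

```python
"""Daily-index routing and the _bulk request body for a batch of events.

Added example, not code from the original post. The events below are
constructed; index naming follows index => "rsyslog-%{+YYYY.MM.dd}".
"""
import json
from collections import Counter
from datetime import datetime, timezone

INDEX_PREFIX = "rsyslog-"


def index_for(event):
    """Logstash renders %{+YYYY.MM.dd} from @timestamp in UTC, not local time.
    An event logged at 00:50 CST on Jun 27 therefore goes to rsyslog-2020.06.26,
    which is easy to miss when checking "today's" index in head or Kibana."""
    ts = datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return INDEX_PREFIX + ts.replace(tzinfo=timezone.utc).strftime("%Y.%m.%d")


def bulk_body(events):
    """NDJSON body for POST /_bulk: for each event an action line naming the
    target index, then the document itself; the body must end with a newline."""
    lines = []
    for ev in events:
        lines.append(json.dumps({"index": {"_index": index_for(ev)}}))
        lines.append(json.dumps(ev, ensure_ascii=False))
    return "\n".join(lines) + "\n"


def docs_per_index(events):
    """Expected document count per index, to compare with _cat/indices."""
    return dict(Counter(index_for(ev) for ev in events))


# Constructed events: the cron line seen in redis, the `logger "test"` line
# sent a second earlier, and a line from later the same morning in CST.
EVENTS = [
    {"@timestamp": "2020-06-26T16:50:01.000Z", "timestamp": "Jun 27 00:50:01",
     "logsource": "client", "host": "192.168.17.11", "program": "CROND",
     "severity_label": "Informational", "message": "(root) CMD (/usr/lib64/sa/sa1 1 1)\n"},
    {"@timestamp": "2020-06-26T16:50:00.000Z", "timestamp": "Jun 27 00:50:00",
     "logsource": "client", "host": "192.168.17.11", "program": "root",
     "severity_label": "Notice", "message": "test\n"},
    {"@timestamp": "2020-06-27T00:10:00.000Z", "timestamp": "Jun 27 08:10:00",
     "logsource": "client", "host": "192.168.17.11", "program": "sshd",
     "severity_label": "Informational", "message": "Accepted publickey for root from 192.168.17.1\n"},
]

if __name__ == "__main__":
    print(docs_per_index(EVENTS))
    print(bulk_body(EVENTS), end="")
```

The first two events carry a Jun 27 local timestamp but are routed to rsyslog-2020.06.26; only the third, logged after 08:00 CST, reaches rsyslog-2020.06.27. If the counts you see in head differ from what docs_per_index predicts for a known batch, the usual causes are the second logstash instance not running, or events still sitting in the redis list.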
5. Summary
The system logs are now stored in elasticsearch. Kibana can be used to visualise them in a follow-up.