ELK(es,filebeat,kibana,logstash,redis,zookeeper,kafka)部署日志收集(,nginx,tomcat,docker)
收集 代理 nginx haproxy
web nginx tomcat
数据库 mysql redis mongo elasticsearch
操作系统 source message
1、搭建环境:
es安装单节点就可以了,这里把前面配置的集群取消
192.168.208.120: elastic , kibana , filebeat nginx zookeeper kafka/redis logstash
192.168.208.121: nginx filebeat, tomcat zookeeper kafka
192.168.208.122: nginx filebeat, tomcat zookeeper kafka
192.168.208.120:
1.png
es 单节点配置文件:
[root@elk-server config]# egrep -v "^#|^$" elasticsearch.yml
node.name: node-1
path.data: /usr/local/data
path.logs: /usr/local/logs
network.host: 192.168.208.120
http.port: 9200
discovery.seed_hosts: ["192.168.208.120"]
http.cors.allow-origin: "/.*/"
http.cors.enabled: true
[root@elk-server config]# systemctl restart elasticsearch
安装 kibana
[root@elk-server tool]# rpm -ihv kibana-6.6.0-x86_64.rpm
[root@elk-server tool]# rpm -qc kibana
/etc/kibana/kibana.yml
kibana配置:
[root@elk-server tool]# vim /etc/kibana/kibana.yml
server.port: 5601
server.host: "192.168.208.120"
server.name: "elk-server"
elasticsearch.hosts: ["http://192.168.208.120:9200"]
kibana.index: ".kibana"
启动 kibana
[root@elk-server tool]# systemctl restart elasticsearch
[root@elk-server tool]# systemctl start kibana
[root@elk-server tool]# netstat -luntp |grep 9200
tcp6 0 0 192.168.208.120:9200 :::* LISTEN 22217/java
[root@elk-server tool]# netstat -luntp |grep 5601
tcp 0 0 192.168.208.120:5601 0.0.0.0:* LISTEN 22569/node
测试访问:
http://192.168.208.120:5601
2.png
3.png
2、安装 nginx
收集节点 192.168.208.120/121
配置nginx 下载源
[root@node1 ~]# vim /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enable=0
gpgkey=https://nginx.org/keys/nginx_signing.key
安装nginx
[root@node1 ~]# yum install nginx -y
[root@node1 ~]# systemctl start nginx
[root@node1 ~]# netstat -luntp
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 42966/nginx: master
压力测试:
[root@node1 ~]# ab -c 10 -n 1000 192.168.208.121/
3、安装配置filebeat
收集节点 192.168.208.120/121
[root@elk-server tool]# rpm -ivh filebeat-6.6.0-x86_64.rpm
备份 filebeat 配置文件
[root@elk-server tool]# cp /etc/filebeat/filebeat.yml /tool/
修改 filebeat.yml 配置文件
[root@elk-server tool]# egrep -v "#|^$" /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/nginx/access.log
output.elasticsearch:
hosts: ["192.168.208.120:9200"]
启动 filebeat
[root@elk-server tool]# systemctl restart filebeat
[root@elk-server tool]# tail -f /var/log/filebeat/filebeat # 查看日志
查看上传到 es 的日志 默认写入的索引就是 filebeat
4.png
4、kibana配置
Index Patterns 配置 el 索引数据
5.png
将 下面显示的 filebeat-6.6.0-2020.04.05 索引 复制到 index pattern
6.png
等待 进入到下一步 选择 @timestamp 选择创建
7.png
进入到 索引界面, 可以看到把 es 里的索引添加到kibana 上了 然后进入 Ddiscover
8.png
点击右上角的 最新的 15分钟 选择 新近 1小时 或者是 4小时, 就可以看到图了
9.png
然后选择左边 把 message 点击 add 添加要看的信息 如下显示
10.png
点击 可以进行 全文检索 查询状 态码 和显示的条数
11.png
检查 条件筛查
12.png
==================================================================================
收集 nginx的json日志
日志格式配置如下:
log_format main '{ "time_local": "$time_local", '
'"remote_addr": "$remote_addr", '
'"referer": "$http_referer", '
'"request": "$request", '
'"status": $status, '
'"bytes": $body_bytes_sent, '
'"agent": "$http_user_agent", '
'"x_forwarded": "$http_x_forwarded_for", '
'"up_addr": "$upstream_addr",'
'"up_host": "$upstream_http_host",'
'"upstream_time": "$upstream_response_time",'
'"request_time": "$request_time"'
''}'
将以上日志格式放入到 nginx.conf 中
1、定时 log_format json 日志格式
2、在 access_log /var/log/nginx/access.log json; 引用 json 格式日志
3、清空 /var/log/nginx.log 历史日志
4、修改 /etc/filebeat/filebeat.yml 配置文件 设置为 json 格式解析
5、重启 nginx
[root@elk-server tool]# vim /etc/nginx/nginx.conf
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format json '{ "time_local": "$time_local", '
'"remote_addr": "$remote_addr", '
'"referer": "$http_referer", '
'"request": "$request", '
'"status": $status, '
'"bytes": $body_bytes_sent, '
'"agent": "$http_user_agent", '
'"x_forwarded": "$http_x_forwarded_for", '
'"up_addr": "$upstream_addr",'
'"up_host": "$upstream_http_host",'
'"upstream_time": "$upstream_response_time",'
'"request_time": "$request_time"'
'}';
access_log /var/log/nginx/access.log json;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
检查是否已成为 json类似字典
[root@elk-server nginx]# tail -f /var/log/nginx/access.log
{ "time_local": "05/Apr/2020:19:35:37 +0800", "remote_addr": "192.168.208.1", "referer": "-", "request": "GET / HTTP/1.1", "status": 304, "bytes": 0, "agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36", "x_forwarded": "-", "up_addr": "-","up_host": "-","upstream_time": "-","request_time": "0.000"}
{ "time_local": "05/Apr/2020:19:35:37 +0800", "remote_addr": "192.168.208.1", "referer": "-", "request": "GET / HTTP/1.1", "status": 304, "bytes": 0, "agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36", "x_forwarded": "-", "up_addr": "-","up_host": "-","upstream_time": "-","request_time": "0.000"}
修改 filebeat.yml
vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/nginx/access.log
json.keys_under_root: true
json.overwrite_keys: true
然后 将索引干掉,重启 kibana
13.png
重启 nginx 和 filebeat
[root@elk-server nginx]# echo "" >/var/log/nginx/access.log
[root@elk-server nginx]# systemctl restart nginx
[root@elk-server nginx]# systemctl restart filebeat
[root@elk-server nginx]# systemctl restart kibana
然后重新在 kibana 上添加索引数据
filebeat:
停掉了 filebeat 会记录一下上一次读到什么位置
写入100条信息后
再启动 filebeat 会从上一次记录的位置开始读取数据
自定义 index 索引 替代 默认的索引插件 es数据表中
[root@elk-server tool]# egrep -v "#|^$" /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/nginx/access.log
json.keys_under_root: true
json.overwrite_keys: true
setup.kibana:
host: "192.168.208.120:5601"
output.elasticsearch:
hosts: ["192.168.208.120:9200"]
index: "nginx-%{[beat.version]}-%{+yyyy.MM}"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true
重启 filebeat , 重启后这里会报错
[root@elk-server nginx]# systemctl restart filebeat
解决方法:
在配置文件最后面增加 文件一定要注意缩进, 要不然很难发现错误 导致 启动不了的
使用 nginx的模块索引
setup.template.name: "nginx"
setup.template.pattern: "nginx_*"
setup.template.enabled: false
此时再重新访问 nginx , 重启配置 kibana
[root@elk-server tool]#systemctl restart filebeat
就可以发现 索引少了很多没用的了
14.png
15.png
多日志收集分析配置
注释: 多个日志文件收集,最好使用 tags 收打标签
语法
- type: log
enabled: true
paths:
- /var/log/nginx/access.log
...
tags: ["access"]
在写入 elastic 时使用判断 tags 标签 用来写入某个索引
indices:
- index: "nginx-access%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "access"
- index: "nginx-error%{[beat.version]}-%{+yyyy.MM}"
tags: "error"
[root@elk-server filebeat]# ls /var/log/nginx/ access.log error.log
此配置可以在多节点配置收集日志
[root@elk-server filebeat]# pwd
/etc/filebeat
[root@elk-server filebeat]# vim filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/nginx/access.log
json.keys_under_root: true
json.overwrite_keys: true
tags: ["access"]
- type: log
enabled: true
paths:
- /var/log/nginx/error.log
tags: ["error"]
json.keys_under_root: true
json.overwrite_keys: true
setup.kibana:
host: "192.168.208.120:5601"
output.elasticsearch:
hosts: ["192.168.208.120:9200"]
#index: "nginx-%{[beat.version]}-%{+yyyy.MM}"
indices:
- index: "nginx-access%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "access"
- index: "nginx-error%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "error"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true
改后重新启动
[root@elk-server tool]# systemctl restart filebeat
此时也可以在 插件上查看
16.png
在 kibana 上重新添加
17.png
18.png
收集 tomcat日志
192.168.208.121
安装tomcat yum安装
yum install tomcat tomcat-webapps tomcat-admin-webapps tomcat-docs-webapp tomcat-javadoc -y
启动 tomcat
[root@node1 /]# systemctl start tomcat
[root@node1 /]# netstat -luntp |grep 8080
tcp6 0 0 :::8080 :::* LISTEN 18009/java
访问 tomcat 192.168.208.121:8080
修改日志 为 json格式
修改 /etc/tomcat/server.xml
将 139行的 pattern="%h %l %u %t "%r" %s %b" /> 替换成下面的
[root@node1 /]#vim /etc/tomcat/server.xml
pattern="{"clientip":"%h","ClientUser":"%l","authenticated":"%u","AccessTime":"%t","method":"%r","status":"%s","SendBytes":"%b","Query?string":"%q","partner":"%{Referer}i","AgentVersion":"%{User-Agent}i"}"/>
[root@node1 /]# systemctl restart tomcat
修改 filebeat.yml 配置
[root@node1 /]# cat /etc/filebeat/filebeat.yml
filebeat.inputs:
############################ nginx
- type: log
enabled: true
paths:
- /var/log/nginx/access.log
json.keys_under_root: true
json.overwrite_keys: true
tags: ["access"]
- type: log
enabled: true
paths:
- /var/log/nginx/error.log
tags: ["error"]
json.keys_under_root: true
json.overwrite_keys: true
############################ tomcat
- type: log
enabled: true
paths:
- /var/log/tomcat/localhost_access_log.*.txt
tags: ["tomcat"]
json.keys_under_root: true
json.overwrite_keys: true
setup.kibana:
host: "192.168.208.120:5601"
output.elasticsearch:
hosts: ["192.168.208.120:9200"]
#index: "nginx-%{[beat.version]}-%{+yyyy.MM}"
indices:
- index: "nginx-access%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "access"
- index: "nginx-error%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "error"
- index: "tomcat-accessr%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "tomcat"
重启 filebeat 服务
[root@node1 /]# systemctl restart filebeat
19.png
收集java日志
java 日志处理
日志内容 多行的处理如下, 添加如下参数
192.168.208.120: elastic日志
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after
日志如下:
[root@elk-server tool]# cat /var/log/elasticsearch/elasticsearch.log
[2020-04-06T00:12:55,740][INFO ][o.e.m.j.JvmGcMonitorService] [node-1] [gc][27738] overhead, spent [350ms] collecting in the last [1s]
[2020-04-06T00:22:10,191][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [tomcat-accessr6.6.0-2020.04] creating index, cause [auto(bulk api)], templates [], shards [5]/[1], mappings []
[2020-04-06T00:22:10,761][INFO ][o.e.c.m.MetaDataMappingService] [node-1] [tomcat-accessr6.6.0-2020.04/nA93Krr4RtyjKnoayAZAUg] create_mapping [doc]
[2020-04-06T00:22:10,868][INFO ][o.e.c.m.MetaDataMappingService] [node-1] [tomcat-accessr6.6.0-2020.04/nA93Krr4RtyjKnoayAZAUg] update_mapping [doc]
[2020-04-06T00:22:14,001][WARN ][o.e.m.j.JvmGcMonitorService] [node-1] [gc][young][28292][535] duration [2.6s], collections [1]/[3.5s], total [2.6s]/[34s], memory [237.2mb]->[220mb]/[503.6mb], all_pools {[young] [47.2mb]->[21.4mb]/[66.5mb]}{[survivor] [378.5kb]->[8.3mb]/[8.3mb]}{[old] [189.5mb]->[190.4mb]/[428.8mb]}
配置文件写如下进行多行匹配:
- type: log
enabled: true
paths:
- /var/log/elasticsearch/elasticsearch.log
tags: ["elastic_java"]
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after
setup.kibana:
host: "192.168.208.120:5601"
output.elasticsearch:
hosts: ["192.168.208.120:9200"]
#index: "nginx-%{[beat.version]}-%{+yyyy.MM}"
indices:
- index: "elastic-java%{[beat.version]}-%{+yyyy.MM}"
when.contains:
tags: "elastic_java"
收集docker日志
这个日志收集参考 老师给的文档
前台查看 nginx日志
docker logs -f nginx (容器名)
收集容器需要根据容器运行的服务 来区分运行的服务日志
需要使用工具 docker-compose
https://github.com/docker/compose/releases/tag/1.25.5-rc1
https://github.com/docker/compose/releases/
安装
[root@dorcer01 /]# yum install -y python2-pip
[root@dorcer01 /]# pip install -i https://pypi.tuna.tsinghua.edu.cn/simple pip -U
[root@dorcer01 /]# pip config set global.index-url https://pypi.tuna.tsinghua.edu.cn/simple
[root@dorcer01 /]# pip install docker-compose
检查版本:
[root@dorcer01 /]#docker-compose version
编写 docker-compose
[root@dorcer01 /] cat docker-compose.yml
version: '3' #compose版本号
services: #容器服务组
nginx: #nginx服务
image: nginx:v2 #启动的镜像名称
# 设置labels
labels:
service: nginx
# logging设置增加labels.service
logging: # 写入日志操作
options:
labels: "service"
ports:
- "8080:80"
db:
image: nginx:latest
# 设置labels
labels:
service: db
# logging设置增加labels.service
logging:
options:
labels: "service"
ports:
- "80:80"
清理镜像
[root@dorcer01 /]docker ps -a|awk 'NR>1{print "docker rm",$1}'|bash
运行 docker-compose.yml
docker-compose up -d
配置 filebeat的 配置文件
[root@dorcer01 /] cat /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/lib/docker/containers/*/*-json.log # docker所有日志文件
json.keys_under_root: true
json.overwrite_keys: true
output.elasticsearch:
hosts: ["192.168.47.175:9200"]
indices:
- index: "docker-nginx-access-%{[beat.version]}-%{+yyyy.MM.dd}"
when.contains:
attrs.service: "nginx" # docker-compose 上设置的服务标签
stream: "stdout" # docke生成的日志中标准输出 上设置的服务标签
- index: "docker-nginx-error-%{[beat.version]}-%{+yyyy.MM.dd}"
when.contains:
attrs.service: "nginx"
stream: "stderr"
- index: "docker-db-access-%{[beat.version]}-%{+yyyy.MM.dd}"
when.contains:
attrs.service: "db"
stream: "stdout"
- index: "docker-db-error-%{[beat.version]}-%{+yyyy.MM.dd}"
when.contains:
attrs.service: "db"
stream: "stderr"
setup.template.name: "docker"
setup.template.pattern: "docker-*"
setup.template.enabled: false
setup.template.overwrite: true
重启 filebeat
[root@dorcer01 /]systemctl restart filebeat
通过filebeat的module模块收集日志
通过 filebeat 的 module 模块进行配置 收集 nginx 普通日志
首先查看 filebeat配置文件
[root@node1 modules.d]# rpm -qc filebeat
/etc/filebeat/filebeat.yml
/etc/filebeat/modules.d/apache2.yml.disabled
/etc/filebeat/modules.d/auditd.yml.disabled
/etc/filebeat/modules.d/elasticsearch.yml.disabled
/etc/filebeat/modules.d/haproxy.yml.disabled
/etc/filebeat/modules.d/icinga.yml.disabled
/etc/filebeat/modules.d/iis.yml.disabled
/etc/filebeat/modules.d/kafka.yml.disabled
/etc/filebeat/modules.d/kibana.yml.disabled
/etc/filebeat/modules.d/logstash.yml.disabled
/etc/filebeat/modules.d/mongodb.yml.disabled
/etc/filebeat/modules.d/mysql.yml.disabled
/etc/filebeat/modules.d/nginx.yml.disabled
/etc/filebeat/modules.d/osquery.yml.disabled
/etc/filebeat/modules.d/postgresql.yml.disabled
/etc/filebeat/modules.d/redis.yml.disabled
/etc/filebeat/modules.d/suricata.yml.disabled
/etc/filebeat/modules.d/system.yml.disabled
/etc/filebeat/modules.d/traefik.yml.disabled
1、在 filebeat 配置文件中启动配置模块路径:
[root@elk-server filebeat]# cat filebeat.yml
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
reload.period: 10s
output.elasticsearch:
hosts: ["192.168.208.120:9200"]
index: "nginx-%{[beat.version]}-%{+yyyy.MM}"
2、激活 软件
[root@elk-server filebeat]# filebeat modules enable nginx
Module nginx is already enabled
[root@elk-server filebeat]# filebeat modules list
Enabled:
nginx
Disabled:
apache2
auditd
elasticsearch
haproxy
icinga
iis
kafka
kibana
logstash
mongodb
mysql
osquery
postgresql
redis
suricata
system
traefik
3、修改 nginx 配置文件 的 为普通日志文件格式 main
access_log /var/log/nginx/access.log main;
[root@elk-server filebeat]# systemctl restart nginx
4、修改 filebeat启动的 nginx模块配置文件
[root@elk-server filebeat]# vim /etc/filebeat/modules.d/nginx.yml
- module: nginx
# Access logs
access:
▽ enabled: true
var.paths: ["/var/log/nginx/access.log"]
# Error logs
error:
enabled: true
var.paths: ["/var/log/nginx/error.log"]
5、重启 filebeat 报如下错误信息
[root@elk-server filebeat]# systemctl restart filebeat
[root@elk-server filebeat]# tail -f /var/log/filebeat/filebeat
2020-04-08T20:55:14.205+0800 ERROR fileset/factory.go:142 Error loading pipeline: Error loading pipeline for fileset nginx/access: This module requires the following Elasticsearch plugins: ingest-user-agent, ingest-geoip. You can install them by running the following commands on all the Elasticsearch nodes:
sudo bin/elasticsearch-plugin install ingest-user-agent
sudo bin/elasticsearch-plugin install ingest-geoip
按错误提示安装 ingest-user-agent ingest-geoip
[root@elk-server /]# find / -name 'elasticsearch-plugin'
/usr/share/elasticsearch/bin/elasticsearch-plugin
/usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-user-agent
/usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-geoip
6、修改配置 filebeat 配置文件
[root@elk-server ~]# cat /etc/filebeat/filebeat.yml
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
reload.period: 10s
setup.kibana:
host: "192.168.208.120:5601"
output.elasticsearch:
hosts: ["192.168.208.120:9200"]
indices:
- index: "nginx_access-%{[beat.version]}-%{+yyyy.MM.dd}"
when.contains:
fileset.name: "access"
- index: "nginx_error-%{[beat.version]}-%{+yyyy.MM.dd}"
when.contains:
fileset.name: "error"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true
7、重启 filebeat 和 es
[root@elk-server ~]# systemctl restart filebeat
[root@elk-server ~]# systemctl restart elasticsearch
在kibana上 添加错误日志是要使用 read_timestamp
20.png
ELK-kibana画图
柱状图、拆线图、饼图、仪表图、大屏拼接展示
官文文档
https://www.elastic.co/guide/en/beats/filebeat/6.6/configuration-filebeat-modules.html
1、nginx画图配置
1、备份kibana, 拷贝 filebeat下的 kibana 到 /root/ 下
[root@elk-server kibana]# cp -a /usr/share/filebeat/kibana /root
[root@elk-server ~]cd kibana/6/dashboard
[root@elk-server dashboard]# find . -type f ! -name "*nginx*" |xargs rm -rf
2、替换 filebeat开头的 替换成 nginx
[root@elk-server dashboard]# sed -i 's#filebeat\-\*#nginx\-\*#g' Filebeat-nginx-overview.json
[root@elk-server dashboard]# sed -i 's#filebeat\-\*#nginx\-\*#g' Filebeat-nginx-logs.json
3、返回上级 把 index-pattern的也改了
[root@elk-server 6]# cd index-pattern/
[root@elk-server index-pattern]# ls
filebeat.json
[root@elk-server index-pattern]# pwd
/root/kibana/6/index-pattern
[root@elk-server index-pattern]# sed -i 's#filebeat\-\*#nginx\-\*#g' filebeat.json
4、导入当前的修改过的 kibana
filebeat setup --dashboards -E setup.dashboards.directory=/root/kibana/
filebeat setup --dashboards -E setup.dashboards.directory=/root/kibana/
[root@elk-server /]# filebeat setup --dashboards -E setup.dashboards.directory=/root/kibana/
Loading dashboards (Kibana must be running and reachable)
Loaded dashboards
5、重启 filebeat kibana elasticsearch
2、举例画图
访问最多的ip地址前10
访问最多的 url 前10
访问最多的agent
http状态码
开始画图
21.png
--设置图形形态--
22.png
点击 上面 save 可保存到 视图面板中, 饼图
23.png
图表类型画图
24.png
画面板图 ,即使用已画好的图 添加到面板中
25.png
26.png
使用Redis做缓存
当 es 数据存储遇到瓶颈时, 可以使用 redis 存储数据,并使用 logstash来获取 redis数据
https://www.elastic.co/guide/en/beats/filebeat/6.6/redis-output.html
架构如下:
27.png
output:
语法:
output.redis:
hosts: ["localhost"]
password: "my_password"
key: "filebeat"
db: 0
timeout: 5
启动 redis
[root@elk-server redis]# redis-server redis.conf
[root@elk-server redis]# ps -ef |grep redis
root 22573 1 0 20:49 ? 00:00:00 redis-server 192.168.208.120:6379
root 22586 14139 0 20:50 pts/0 00:00:00 grep --color=auto redis
[root@elk-server redis]# pwd
/tool/redis
配置 filebeat配置文件 filebeat.yml
output.redis:
hosts: ["192.168.208.120"]
key: "filebeat"
db: 0
timeout: 5
重启 filebeat
[root@elk-server filebeat]# systemctl restart filebeat
[root@elk-server filebeat]# redis-cli -h 192.168.208.120
192.168.208.120:6379> keys *
1) "filebeat"
192.168.208.120:6379> type filebeat
list
192.168.208.120:6379> LLEN filebeat
(integer) 26
192.168.208.120:6379> LRANGE filebeat
(error) ERR wrong number of arguments for 'lrange' command
192.168.208.120:6379> LRANGE filebeat 1 20
安装 logstash 6.6.0
[root@elk-server tool]# yum localinstall logstash-6.6.0.rpm
修改 filebeat 配置 nginx 日志
[root@elk-server conf.d]# cat /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/nginx/access.log
json.keys_under_root: true
json.overwrite_keys: true
tags: ["access"]
- type: log
enabled: true
paths:
- /var/log/nginx/error.log
tags: ["error"]
json.keys_under_root: true
json.overwrite_keys: true
- type: log
enabled: true
paths:
- /var/log/elasticsearch/elasticsearch.log
tags: ["elastic_java"]
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after
setup.kibana:
host: "192.168.208.120:5601"
output.redis:
hosts: ["192.168.208.120"]
keys:
- key: "nginx_access" # 写入 redis 的键
when.contains:
tags: "access"
- key: "nginx_error"
when.contains:
tags: "error"
配置 logstash 配置文件 input 从redis取数据 output 输出数据到 es
添加 redis.conf
[root@elk-server conf.d]# pwd
/etc/logstash/conf.d
[root@elk-server conf.d]# vim redis.conf
input {
redis {
host => "192.168.208.120"
port => "6379"
db => "0"
key => "nginx_access" # 从 redis 的键中取值
data_type => "list"
}
redis {
host => "192.168.208.120"
port => "6379"
db => "0"
key => "nginx_error"
data_type => "list"
}
}
# nginx 与 php 的时间解析 改为float
filter {
mutate {
convert => ["upstream_time", "float"]
convert => ["request_time", "float"]
}
}
output {
stdout {}
if "access" in [tags] {
elasticsearch {
hosts => "http://192.168.208.120:9200"
manage_template => false
index => "nginx_access-%{+yyyy.MM.dd}"
}
}
if "error" in [tags] {
elasticsearch {
hosts => "http://192.168.208.120:9200"
manage_template => false
index => "nginx_error-%{+yyyy.MM.dd}"
}
}
}
重启 filebeat logstash(前台启动)
[root@elk-server logstash]# systemctl restart filebeat
[root@elk-server logstash]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/redis.conf
查看 redis:
28.png
优化 filebeat logstash 配置文件 如下:
filebeat
[root@elk-server conf.d]# cat /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/nginx/access.log
json.keys_under_root: true
json.overwrite_keys: true
tags: ["access"]
- type: log
enabled: true
paths:
- /var/log/nginx/error.log
tags: ["error"]
json.keys_under_root: true
json.overwrite_keys: true
- type: log
enabled: true
paths:
- /var/log/elasticsearch/elasticsearch.log
tags: ["elastic_java"]
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after
setup.kibana:
host: "192.168.208.120:5601"
output.redis:
hosts: ["192.168.208.120"]
key: "access" # 只存一个 key 到 redis
logstash 配置
[root@elk-server logstash]# vim logstash.yml
input {
redis {
host => "192.168.208.120"
port => "6379"
db => "0"
key => "nginx" # 从 redis 的键中取值 只取 一个 key 就可以了
data_type => "list"
}
}
# nginx 与 php 的时间解析 改为float
filter {
mutate {
convert => ["upstream_time", "float"]
convert => ["request_time", "float"]
}
}
output {
stdout {}
if "access" in [tags] {
elasticsearch {
hosts => "http://192.168.208.120:9200"
manage_template => false
index => "nginx_access-%{+yyyy.MM.dd}"
}
}
if "error" in [tags] {
elasticsearch {
hosts => "http://192.168.208.120:9200"
manage_template => false
index => "nginx_error-%{+yyyy.MM.dd}"
}
}
}
kibana监控 es集群
elk 版本统一
使用Kafka作来缓存
环境安装准备
下载地址
http://zookeeper.apache.org/releases.html
wget https://downloads.apache.org/zookeeper/zookeeper-3.4.14/zookeeper-3.4.14.tar.gz
http://kafka.apache.org/downloads.html
三台 服务器配置 hosts, 可以相互ping 通
vim /etc/hosts
192.168.208.120 server
192.168.208.121 node1
192.168.208.122 node2
同步节点
[root@elk-server ~]# cd /etc/
[root@elk-server etc]# scp hosts node1:/etc/
[root@elk-server etc]# scp hosts node2:/etc/
安装zookeeper
zookeeper: 集群调度工具
[root@elk-server tool]# ll zookeeper-3.4.14.tar.gz kafka-2.4.1-src.tgz
-rw-r--r-- 1 root root 7690352 4月 15 17:22 kafka-2.4.1-src.tgz
-rw-r--r-- 1 root root 3096576 4月 15 17:23 zookeeper-3.4.11.tar.gz
[root@elk-server opt]# tar -xzvf apache-zookeeper-3.4.11.tar.gz -C /opt
[root@elk-server opt]# ln -s apache-zookeeper-3.4.11 zookeeper
[root@elk-server opt]# mkdir -p /data/zookeeper
[root@elk-server opt]# cp /opt/zookeeper/conf/zoo_sample.cfg /opt/zookeeper/conf/zoo.cfg
修改配置文件
[root@elk-server opt]# vim /opt/zookeeper/conf/zoo.cfg
tickTime=2000
initLimit=10
syncLimit=5
dataDir=/data/zookeeper
clientPort=2181
server.1=192.168.208.120:2888:3888
server.2=192.168.208.121:2888:3888
server.3=192.168.208.122:2888:3888
增加 myid
[root@elk-server opt]# echo "1" > /data/zookeeper/myid
其它节点一样的配置, 只是这个 myid 不同
rsync -avz /opt/zookeeper-3.4.11 node1:/opt/
rsync -avz /data/zookeeper node1:/data
node1:
[root@node1 #] echo "2" > /data/zookeeper/myid
rsync -avz /opt/zookeeper-3.4.11 node2:/opt/
rsync -avz /data/zookeeper node2:/data
node2:
[root@node2 #] echo "3" > /data/zookeeper/myid
注: 2888:3888 一个同步数据使用端口, 一个集群选择用端口
myid 是与 server.id 是相对应的
zookeeper 配置完成
启动 三台机器启动
[root@elk-server /]# /opt/zookeeper/bin/zkServer.sh start
/usr/bin/java
ZooKeeper JMX enabled by default
Using config: /opt/zookeeper/bin/../conf/zoo.cfg
Starting zookeeper ... STARTED
查看:
[root@node1 opt]# /opt/zookeeper/bin/zkServer.sh status
ZooKeeper JMX enabled by default
Using config: /opt/zookeeper/bin/../conf/zoo.cfg
Mode: follower
[root@node2 opt]# /opt/zookeeper/bin/zkServer.sh status
ZooKeeper JMX enabled by default
Using config: /opt/zookeeper/bin/../conf/zoo.cfg
Mode: leader
三台机器启动后, 只能故障一台, 这样启动就是集群了
连接测试
[root@elk_server zookeeper]# /opt/zookeeper/bin/zkCli.sh -server 192.168.208.120:2181
[root@node1 zookeeper]# /opt/zookeeper/bin/zkCli.sh -server 192.168.208.121:2181
[root@node2 zookeeper]# /opt/zookeeper/bin/zkCli.sh -server 192.168.208.122:2181
连接后测试发送消息:
create /test "hello"
[zk: 192.168.208.120:2181(CONNECTED) 0] create /test "hello"
Created /test
其它节点接收消息
get /test
[zk: 192.168.208.122:2181(CONNECTED) 0] get /test
hello
cZxid = 0x100000005
ctime = Wed Apr 15 18:57:45 CST 2020
mZxid = 0x100000005
mtime = Wed Apr 15 18:57:45 CST 2020
pZxid = 0x100000005
cversion = 0
dataVersion = 0
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
安装kafka
server节点: 192.168.208.120
[root@elk-server tool]# tar -xzf /tool/kafka-2.11-2.4.tgz -C /opt
[root@elk-server tool]# ln -s /opt/kafka-2.11-2.4 /opt/kafka
[root@elk-server tool]# mkdir -p /data/kafka/logs/
[root@elk-server tool]# vim /opt/kafka/config/server.properties
broker.id=1
listeners=PLAINTEXT://192.168.208.120:9092
log.dirs=/data/kafka/logs
log.retention.hours=24
zookeeper.connect=192.168.208.120:2181,192.168.208.121:2181,192.168.208.122:2181
其它节点相同配置:
[root@elk-server tool]# rsync -avz /opt/kafka-2.11-2.4 node1:/opt/
[root@elk-server tool]# rsync -avz /opt/kafka-2.11-2.4 node2:/opt/
node1:
[root@node1 opt]# ln -s /opt//opt/kafka-2.11-2.4 /opt/kafka
[root@node1 opt]# mkdir -p /data/kafka/logs
[root@node1 opt]# vim kafka/config/server.properties
broker.id=2
listeners=PLAINTEXT://192.168.208.121:9092
log.dirs=/data/kafka/logs
log.retention.hours=24
zookeeper.connect=192.168.208.120:2181,192.168.208.121:2181,192.168.208.122:2181
node2:
[root@node2 opt]# ln -s /opt//opt/kafka-2.11-2.4 /opt/kafka
[root@node2 opt]# mkdir -p /data/kafka/logs
[root@node2 opt]# vim kafka/config/server.properties
broker.id=3
listeners=PLAINTEXT://192.168.208.122:9092
log.dirs=/data/kafka/logs
log.retention.hours=24
zookeeper.connect=192.168.208.120:2181,192.168.208.121:2181,192.168.208.122:2181
启动:
---前台启动 , 没有报错了 就可以后台启动了
/opt/kafka/bin/kafka-server-start.sh /opt/kafka/config/server.properties
启动日志如下:
[2020-04-15 19:33:07,920] INFO [/config/changes-event-process-thread]: Starting (kafka.common.ZkNodeChangeNotificationListener$ChangeEventProcessThread)
[2020-04-15 19:33:08,242] INFO [SocketServer brokerId=1] Started data-plane processors for 1 acceptors (kafka.network.SocketServer)
[2020-04-15 19:33:08,243] INFO Kafka version: 2.4.1 (org.apache.kafka.common.utils.AppInfoParser)
[2020-04-15 19:33:08,243] INFO Kafka commitId: c57222ae8cd7866b (org.apache.kafka.common.utils.AppInfoParser)
[2020-04-15 19:33:08,243] INFO Kafka startTimeMs: 1586950388242 (org.apache.kafka.common.utils.AppInfoParser)
[2020-04-15 19:33:08,244] INFO [KafkaServer id=1] started (kafka.server.KafkaServer)
-- 后台启动
/opt/kafka/bin/kafka-server-start.sh -daemon /opt/kafka/config/server.properties
[root@elk-server kafka]# /opt/kafka/bin/kafka-server-start.sh -daemon /opt/kafka/config/server.properties
[root@node1 opt]# /opt/kafka/bin/kafka-server-start.sh -daemon /opt/kafka/config/server.properties
[root@node2 opt]# /opt/kafka/bin/kafka-server-start.sh -daemon /opt/kafka/config/server.properties
三台启动后 进行测试
elk_server 创建:
/opt/kafka/bin/kafka-topics.sh --create --zookeeper 192.168.208.120:2181,192.168.208.121:2181,192.168.208.122:2181 --partitions 3 --replication-factor 3 --topic kafkatest
node1 获取
/opt/kafka/bin/kafka-topics.sh --describe --zookeeper 192.168.208.120:2181,192.168.208.121:2181,192.168.208.122:2181 --topic kafkatest
[root@node1 opt]# /opt/kafka/bin/kafka-topics.sh --describe --zookeeper 192.168.208.120:2181,192.168.208.121:2181,192.168.208.122:2181 --topic kafkatest
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
Topic: kafkatest PartitionCount: 3 ReplicationFactor: 3 Configs:
Topic: kafkatest Partition: 0 Leader: 1 Replicas: 1,3,2 Isr: 1,3,2
Topic: kafkatest Partition: 1 Leader: 2 Replicas: 2,1,3 Isr: 2,1,3
Topic: kafkatest Partition: 2 Leader: 3 Replicas: 3,2,1 Isr: 3,2,1
node2 获取
[root@node2 opt]# /opt/kafka/bin/kafka-topics.sh --describe --zookeeper 192.168.208.120:2181,192.168.208.121:2181,192.168.208.122:2181 --topic kafkatest
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
Topic: kafkatest PartitionCount: 3 ReplicationFactor: 3 Configs:
Topic: kafkatest Partition: 0 Leader: 1 Replicas: 1,3,2 Isr: 1,3,2
Topic: kafkatest Partition: 1 Leader: 2 Replicas: 2,1,3 Isr: 2,1,3
Topic: kafkatest Partition: 2 Leader: 3 Replicas: 3,2,1 Isr: 3,2,1
29.png
配置kafka做缓存
配置 filebeat 的 output
1、修改filebeat
语法:
output.kafka:
hosts: ["192.168.208.120:9092","192.168.208.121:9092","192.168.208.122:9092",]
topic: elklog
配置文件如下:
[root@elk-server filebeat]# vim filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/nginx/access.log
json.keys_under_root: true
json.overwrite_keys: true
tags: ["access"]
- type: log
enabled: true
paths:
- /var/log/nginx/error.log
tags: ["error"]
json.keys_under_root: true
json.overwrite_keys: true
- type: log
enabled: true
paths:
- /var/log/elasticsearch/elasticsearch.log
tags: ["elastic_java"]
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after
setup.kibana:
host: "192.168.208.120:5601"
output.kafka:
hosts: ["192.168.208.120:9092","192.168.208.121:9092","192.168.208.122:9092",]
topic: elklog #频道
2、修改logstash
[root@elk-server conf.d]# vim /etc/logstash/conf.d/kafka.conf
input{
kafka{
bootstrap_servers=>"192.168.208.120:9092" # kafka集群任意一个IP
topics=>["elklog"]
group_id=>"logstash"
codec => "json"
}
}
filter {
mutate {
convert => ["upstream_time", "float"]
convert => ["request_time", "float"]
}
}
output {
if "access" in [tags] {
elasticsearch {
hosts => "http://192.168.208.120:9200"
manage_template => false
index => "nginx_access-%{+yyyy.MM.dd}"
}
}
if "error" in [tags] {
elasticsearch {
hosts => "http://192.168.208.120:9200"
manage_template => false
index => "nginx_error-%{+yyyy.MM.dd}"
}
}
}
3、重启服务
[root@elk-server /]# systemctl restart filebeat
[root@elk-server /]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/kafka.conf
此时再刷新 nginx 访问数据, 数据就写到 elasticsearch 了
=======================================================================================
elasticsearch 启动端口号: 9200 9300 一个是数据访问端口, 一个是集群端口
kibana 启动端口号: 5601
filebeat
logstash
zookeeper 启动端口号: 2888、3888、2181, 2181:kafka与zookeeper连接端口,2888/3888同步选举
kafka 启动端口号: 9092
redis 启动端口号: 6379
终极架构
nginx+keepalived --> redis --> logstash ->es -- kibana
nginx+keepalived --> kafka --> logstash ->es -- kibana
