1.Elasticsearch 允许给文本数据增加加动态索引
下载并安装ES的yum公钥
#rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
配置ES的yum源
# vim /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-2.x]
name=Elasticsearch repository for 5.6 packages
baseurl=http://packages.elastic.co/elasticsearch/5.6/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1更新yum的缓存
# yum makecache
安装ES
# yum install elasticsearch
配置和启动ES服务器进程
# /sbin/chkconfig --add elasticsearch
# service elasticsearch start
运行测试
# curl -X GET localhost:9200
{
"name" : "Amalgam",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "q1JTidLuTNecwBbFNJCUFQ",
"version" : {
"number" : "2.4.1",
"build_hash" : "c67dc32e24162035d18d6fe1e952c4cbcbe79d16",
"build_timestamp" : "2016-09-27T18:57:55Z",
"build_snapshot" : false,
"lucene_version" : "5.5.2"
},
"tagline" : "You Know, for Search"
}通过IP访问ES的配置
打开/etc/elasticsearch/elasticsearch.yml
# vim /etc/elasticsearch/elasticsearch.yml
找到下面两行,去掉#号,其中
55行的network.host,把后面改为0.0.0.0,这样访问可以通过访问本机的ip来访问
----------------------------------------------------------------------------------------------------------------------------------------------------------
2.Logstash 是一个数据管道,它被用来收集,解析和分析各种结构化的和非结构化的由各种系统产生的数据以及事件。
2.1 input
Input 作为数据输入端,可以接收来自任何地方的源数据。主要有以下四种类型:
- file:从文件中读取
- syslog:监听在514端口的系统日志信息,并解析成RFC3164格式。
- redis:从redis-server list 中获取
- beat:接收来自Filebeat的事件
- stdin: 标准输入,用于测试
2.2 filter
Filter 作为数据中转层,主要进行格式处理,数据类型转换、数据过滤、字段添加,修改等,常用的过滤器如下:
- grok: 通过正则解析和结构化任何文本。Grok 目前是logstash最好的方式对非结构化日志数据解析成结构化和可查询化。logstash内置了120个匹配模式,满足大部分需求。
- mutate: 在事件字段执行一般的转换。可以重命名、删除、替换和修改事件字段。
- drop: 完全丢弃事件,如debug事件。
- clone: 复制事件,可能添加或者删除字段。
- geoip: 添加有关IP地址地理位置信息。
2.3 output
output 是logstash工作的最后一个阶段,负责将数据输出到指定位置,兼容大多数应用,常用的有:
- elasticsearch: 发送事件数据到 Elasticsearch,便于查询,分析,绘图。
- file: 将事件数据写入到磁盘文件上。
- mongodb:将事件数据发送至高性能NoSQL mongodb,便于永久存储,查询,分析,大数据分片。
- redis:将数据发送至redis-server,常用于中间层暂时缓存。
- graphite: 发送事件数据到graphite。http://graphite.wikidot.com/
- statsd: 发送事件数据到 statsd。
- stdout: 标准输出,用于测试
2.3 Logstash 安装
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
添加如下内容,到/etc/yum.repos.d/ 目录,以.repo结尾,推荐为:logstash.repo
[logstash-5.x]
name=Elastic repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-mdsudo yum install logstash
logstash服务化
#添加用户
useradd logstash -M -s /sbin/nologin
mkdir /var/log/logstash/
chown -R logstash:logstash /var/log/logstash/
chown -R logstash:logstash /usr/local/logstash-2.0.0/
vi /etc/init.d/logstash
#!/bin/bash
#
### BEGIN INIT INFO
# Provides: logstash
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: S 0 1 6
# Short-Description: Logstash
# Description: Starts Logstash as a daemon.
# Author: [email protected]
### END INIT INFO
source /etc/init.d/functions
source /lib/lsb/init-functions
# Process name
NAME=logstash
DESC="Logstash Daemon"
# Location of logstash files
LOCATION="/usr/local/logstash-2.0.0/" #根据实际安装路径修改
CONFIG_DIR="/usr/local/logstash-2.0.0/"
LOGFILE="/var/log/logstash/logstash.log"
SCRIPTNAME=/etc/init.d/logstash
PIDFILE="/var/run/logstash-agent.pid"
LOCK_FILE=/var/lock/subsys/$NAME
NAMEJAVA=java
DAEMONJAVA=`which java`
# Exit if the package is not installed
if [ ! -x "$DAEMONJAVA" ]; then
{
echo "Couldn‘t find $NAMEJAVA"
exit 99
}
fi
start() {
echo -n "Starting $DESC : "
if [ "$(ps aux|grep -E "*/usr/local/logstash*" |grep -v grep)" != "" ];then
echo "$desc already running...."
exit 0
else
$LOCATION/bin/logstash -f $CONFIG_DIR/logstash_agent.conf >$LOGFILE 2>&1 &
RETVAL=$?
sleep 3
echo
if [ "$(ps aux|grep -E "*/usr/local/logstash*" |grep -v grep)" != "" ];then
echo "$DESC Started "
[ $RETVAL -eq 0 ] && touch $LOCK_FILE
return $RETVAL
fi
fi
}
stop() {
echo -n $"Stop $DESC: "
killall $NAMEJAVA
RETVAL=$?
sleep 3
echo
if [ "$(ps aux|grep -Eqi "*/usr/local/logstash*" |grep -v grep)" = "" ];then
echo "$DESC Stoped "
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$NAME $PIDFILE
return $RETVAL
fi
}
restart() {
stop
start
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
status)
status $NAMEJAVA
RETVAL=$?
;;
*)
echo $"Usage: $0 {start|stop|restart|status}"
RETVAL=1
esac
exit $RETVAL
EOF
chmod +x /etc/init.d/logstash
#设置开机启动
chkconfig --add logstash
chkconfig logstash oninput { # 定义日志源
syslog {
type => "system-syslog" # 定义类型
port => 10514 # 定义监听端口
}
file {
path => ["/data/logs/logstash-001.log"]
start_position => "beginning"
}
}
filter{
ruby {
code=>"
msg=event.get('message')
#event.set('msg',msg)
if msg.length>209
msg=msg[70,11]
#event.set('aa',msg)
if msg=='{\"app_name'
event.set('type','api_business')
elsif msg=='Resolving e'
event.set('type','empty')
end
else
event.set('type','empty')
end
"
}
json {
source => "message"
}
if [type] == "api_business" {
json{
source => "message"
target => "response"
}
}
}
output { # 定义日志输出
if [type] != "empty" {
elasticsearch {
hosts => ["127.0.0.1:9200"]
index => "logstash-log-%{+YYYY.MM}"
codec => rubydebug
}
}
if [type] == "api_business" {
elasticsearch {
hosts => ["127.0.0.1:9200"]
index => "api-bus-log-%{+YYYY.MM}"
codec => rubydebug
}
}
}3.Kibana 开源可视化平台,它用来可视化任何结构化的和非结构化的存储在Elasticsearch索引中的数据。
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch[kibana-5.x]
name=Kibana repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-mdsudo yum install kibana测试默认情况下,远程的机器是无法访问Kibana的,只能本机访问。你需要修改Kibana配置:vim /etc/kibana/kibana.yml
server.host: '0.0.0.0'最后,在浏览器中输入:http://10.23.22.242:5601/