ELK简介
ELK似乎是当前最为流行的日志收集-存储-分析的全套解决方案.
Elasticsearch Logstash and Kibana can be used to gather and visualize the syslogs of your systems in a centralized location. Logstash is an open source tool for collecting, parsing, and storing logs for future use. Kibana 4 is a web interface that can be used to search and view the logs that Logstash has indexed. Both of these tools are based on Elasticsearch.
Centralized logging can be very useful when attempting to identify problems with your servers or applications, as it allows you to search through all of your logs in a single place. It is also useful because it allows you to identify issues that span multiple servers by correlating their logs during a specific time frame.
logstash1.4.0 doc:http://logstash.net/docs/1.4.0/filters/grok 日志格式匹配测试页:http://grokdebug.herokuapp.com/ elk安装教程:https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-4-on-centos-7 官网:https://www.elastic.co/downloads
ELK部署(基于Centos6.4)
1. 设置机器名,客户机通过该名称访问
vi /etc/hosts
添加elkserver到第一行第一个位置
127.0.0.1 elkserver localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
2. 安装Java 7
sudo yum -y install java-1.7.0-openjdk
3. 安装Elasticsearch1.4.1
(1)导入Elasticsearch公共GPG key
sudo rpm --import http://packages.elasticsearch.org/GPG-KEY-elasticsearch
(2)创建并编辑一个新的用于Elasticsearch 的yum repository file
sudo vi /etc/yum.repos.d/elasticsearch.repo
添加如下内容
[elasticsearch-1.4] name=Elasticsearch repository for 1.4.x packages baseurl=http://packages.elasticsearch.org/elasticsearch/1.4/centos gpgcheck=1 gpgkey=http://packages.elasticsearch.org/GPG-KEY-elasticsearch enabled=1
保存并退出
(3)安装Elasticsearch 1.4.4
sudo yum -y install elasticsearch-1.4.4
(4)配置Elasticsearch 1.4.4
sudo vi /etc/elasticsearch/elasticsearch.yml
找到network.host所在的行,改为如下
network.host: localhost
设置http.port
http.port: 9200
保存并退出elasticsearch.yml
(5)启动
sudo service elasticsearch start
添加到启动项
sudo /sbin/chkconfig --add elasticsearch
4. 安装Kibana4.0.1
(1)下载并解压
cd ~; wget https://download.elasticsearch.org/kibana/kibana/kibana-4.0.1-linux-x64.tar.gz
tar xvf kibana-*.tar.gz
(2)打开Kibana 配置文件并编辑
vi ~/kibana-4*/config/kibana.yml
设置host如下
host: "localhost"
保存并退出
(3)拷贝kibana文件到适宜的位置
sudo mkdir -p /opt/kibana
sudo cp -R ~/kibana-4*/* /opt/kibana/
(4)设置启动项
sudo vi /etc/init.d/kibana
写入如下内容
#!/bin/bash
#
# Kibana Init script for Kibana
#
# chkconfig: 345 99 76
# processname: kibana
#
KIBANA_EXEC="/opt/kibana/bin/kibana"
now=$(date +"%Y-%m-%d-%S")
LOG_FILE="/opt/kibana/bin/log/kibana.$now.log"
PID_FILE="/opt/kibana/bin/log/kibana.$now.pid"
RETVAL=0
start() {
echo "Starting Kibana..."
$KIBANA_EXEC 1>"$LOG_FILE" 2>&1 &
echo $!> "$PID_FILE"
echo "Kibana started with pid $!"
}
case "$1" in
start)
start
;;
*)
echo "Usage: $0 {start}"
exit 0
;;
esac
exit $RETVAL
执行如下命令使得启动项生效
sudo chmod 0755 /etc/init.d/kibana
sudo chkconfig kibana on
5.安装Nginx1.8.0
(1)安装EPEL
sudo yum -y install epel-release
修改配置
sudo vi /etc/yum.repos.d/epel.repo
改成 baseurl #mirrorlist
(2)安装httpd-tools
sudo yum -y install httpd-tools
(3)使用预先下载的nginx-1.8.0-1.el6.ngx.x86_64.rpm安装nginx
yum -y install /home/hailiang/nginx-1.8.0-1.el6.ngx.x86_64.rpm
(4)使用htpasswd创建用户kibanaadmin,设置密码为hylanda
sudo htpasswd -c /etc/nginx/htpasswd.users kibanaadmin
(5)配置kibana.conf
sudo vi /etc/nginx/conf.d/kibana.conf
设置server_name为机器名
server_name elkserver;
(6)启动,并添加到启动项
sudo service nginx restart
sudo chkconfig –levels 235 nginx on
6.安装Logstash
(1)为Logstash配置一个Yum repository 文件
sudo vi /etc/yum.repos.d/logstash.repo
写入如下内容
[logstash-1.5] name=logstash repository for 1.5.x packages baseurl=http://packages.elasticsearch.org/logstash/1.5/centos gpgcheck=1 gpgkey=http://packages.elasticsearch.org/GPG-KEY-elasticsearch enabled=1
保存并退出
(2)安装Logstash1.5
sudo yum -y install logstash
(3)生成SSL Certificates
sudo vi /etc/pki/tls/openssl.cnf
找到[ v3_ca ]段,设置subjectAltName为本机ip
subjectAltName = IP:192.168.11.201
保存并退出
(4)生成SSL Certificates和私钥,CN=机器名
cd /etc/pki/tls
openssl req -subj '/CN=elkserver/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
logstash-forwarder.crt将会被拷贝到所有的客户机
(5)配置Logstash
sudo vi /etc/logstash/conf.d/01-lumberjack-input.conf
写入如下内容
input {
lumberjack {
port => 5000
type => "logs"
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
}
}
output {
elasticsearch {
host => "localhost"
}
stdout {codec => rubydebug}
}
7.安装Logstash Forwarder
(1)在服务机执行
拷贝cert到客户机(192.168.11.213)的tmp目录
scp /etc/pki/tls/certs/logstash-forwarder.crt [email protected]:/tmp
开放防火墙5000端口
/sbin/iptables -I INPUT -p tcp –dport 5000 -j ACCEPT
/etc/rc.d/init.d/iptables save
(2)如下内容在客户机执行
sudo rpm --import http://packages.elasticsearch.org/GPG-KEY-elasticsearch
sudo vi /etc/yum.repos.d/logstash-forwarder.repo
填写如下内容
[logstash-forwarder] name=logstash-forwarder repository baseurl=http://packages.elasticsearch.org/logstashforwarder/centos gpgcheck=1 gpgkey=http://packages.elasticsearch.org/GPG-KEY-elasticsearch enabled=1
安装Logstash Forwarder
sudo yum -y install logstash-forwarder
拷贝证书到适宜的目录
sudo cp /tmp/logstash-forwarder.crt /etc/pki/tls/certs/
配置logstash-forwarder
sudo vi /etc/logstash-forwarder.conf
写入如下内容
{
"network": {
"servers": [ "elkserver:5000" ],
"timeout": 15,
"ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt"
},
"files": [
{
"paths": [
"/var/log/messages",
"/var/log/secure"
],
"fields": { "type": "syslog" }
}
]
}
保存并退出
sudo service logstash-forwarder restart
在客户机hosts文件中添加服务器机器名
192.168.11.201 elkserver
测试是否能访问
8.连接到Kibana
在浏览器输入elkserver访问Kibana,在验证用户窗口输入用户名kibanaadmin和密码hylanda
首次访问会进入1-select-index.gif所示页面
创建index成功后会进入默认页面2-discover.png
在页面下方可以看到客户机提交过来的系统日志
9curator安装(用于删除旧indices )
yum -y install python-pip
pip install elasticsearch-curator
which curator /usr/bin/curator
定时删除超过19天的日志
crontab -e
填写内容如下
20 0 * * * /usr/bin/curator delete indices --time-unit days --older-than 19 --timestring \%Y.\%m.\%d
10.如果发现5000端口没有监听,手动启动
/opt/logstash/bin/logstash -f /etc/logstash/conf.d/01-lumberjack-input.conf
注:以上是在centos6下配置通过,如果是centos7,服务启动将使用systemctl
kibana启动项将使用systemd配置,文件/etc/systemd/system/kibana4.service
[Service] ExecStart=/opt/kibana/bin/kibana Restart=always StandardOutput=syslog StandardError=syslog SyslogIdentifier=kibana4 User=root Group=root Environment=NODE_ENV=production [Install] WantedBy=multi-user.target
ELK使用(仅供参考)
1.ELK中,负责收集日志的是logstash-forwarder,主要是配置待收集日志的目录,关键配置文件logstash-forwarder.conf
如果待收集路径日志有更新,或者有新文件,logstash-forwarder会自动收集并提交到logstash。
日志类型名,这个在logstash解析那里会用到,也就是每种日志类型有自己的解析脚本。
2.logstash接收日志,每种类型按用户设置的格式解析,关键配置文件
这里的日志类型与logstash-forwarder收集的类型相对应,grok内置了好多pattern在http://grokdebug.herokuapp.com/patterns#,如果不能满足需求,可以自定义pattern文件,并在这里设置上路径,就能像内置类型一样使用了。
举个例子:%{NUMBER:total_source_count:int},会解析出当前位置的数值类型,命名为total _source_count,数据类型设置为int。
这个匹配脚本会严格按照日志中每行的字符顺序来解析
比如输入:
2015-07-20 17:52:41,052 INFO com.hylanda.statistic.mr.bean.TagStatisticResultHandler keywords_code 10000085412323 nagetive_source_count 1,neutral_source_count 0,positive_source_count 0,releaseDate 2015-06-08 05:42:31 release_date_day 2015-06-08 source_type 0 statisticTag 节目/负面/节目不好看 taskId 6572 total_feedback_count 0,total_repeat_count 0,total_source_count 1,total_weibo_original 0}
那么解析结果为
{
"message" => "2015-07-20 17:52:41,052 INFO com.hylanda.statistic.mr.bean.TagStatisticResultHandler keywords_code 10000085412323 nagetive_source_count 1,neutral_source_count 0,positive_source_count 0,releaseDate 2015-06-08 05:42:31 release_date_day 2015-06-08 source_type 0 statisticTag 节目/负面/节目不好看 taskId 6572 total_feedback_count 0,total_repeat_count 0,total_source_count 1,total_weibo_original 0}",
"@version" => "1",
"@timestamp" => "2015-07-21T03:32:42.260Z",
"host" => "localhost",
"package" => "com.hylanda.statistic.mr.bean.TagStatisticResultHandler",
"keywords_code" => 10000085412323,
"nagetive_source_count" => 1,
"neutral_source_count" => 0,
"positive_source_count" => 0,
"release_date_day" => "2015-06-08",
"source_type" => 0,
"taskId" => "6572",
"total_feedback_count" => 0,
"total_repeat_count" => 0,
"total_source_count" => 1,
"total_weibo_original" => 0
}
可以看到已经按照指定的类型和名称解析出来了。
3.有了数据下一步就是展现
第一次访问Kibana要求设置index
2.设置完毕就可以从discover页查看数据了
3.注意每个图表都可以使用elasticsearch来查询,这个目前还不太会用。另外有好多内置的对JSon的支持,也需要进一步探索。