什么是ELK
- Elasticsearch是个开源分布式搜索引擎,它的特点有:分布式,零配置,自动发现,索引自动分片,索引副本机制,restful风格接口,多数据源,自动搜索负载等。
- Logstash是一个完全开源的工具,他可以对你的日志进行收集、过滤,并将其存储供以后使用(如,搜索)。
- Kibana 也是一个开源和免费的工具,它Kibana可以为 Logstash 和 ElasticSearch 提供的日志分析友好的
- Web 界面,可以帮助您汇总、分析和搜索重要数据日志
- Filebeat隶属于Beats。目前Beats包含四种工具:
Packetbeat(搜集网络流量数据)
Topbeat(搜集系统、进程和文件系统级别的 CPU 和内存使用情况等数据)
Filebeat(搜集文件数据)
Winlogbeat(搜集 Windows 事件日志数据)
| 操作系统 | IP地址 | 主要软件 |
|---|---|---|
| centos7 | 10.0.0.73 | jdk,elasticsearch,kibana |
| centos7 | 10.0.0.74 | jdk,logstash |
##10.0.0.73操作
安装Elk包
[root@ localhost ~]# unzip ELK.zip
Archive: ELK.zip
inflating: ELK/elasticsearch-6.6.2.rpm
inflating: ELK/jdk-8u131-linux-x64_.rpm
inflating: ELK/kibana-6.6.2-x86_64.rpm
inflating: ELK/logstash-6.6.0.rpm
安装jdk
# 切换目录到Elk
[root@ localhost ~]# cd ELK/
[root@ localhost ELK]# rpm -ivh jdk-8u131-linux-x64_.rpm
Preparing... ################################# [100%]
Updating / installing...
1:jdk1.8.0_131-2000:1.8.0_131-fcs ################################# [100%]
Unpacking JAR files...
tools.jar...
plugin.jar...
javaws.jar...
deploy.jar...
rt.jar...
jsse.jar...
charsets.jar...
localedata.jar...
# 查看版本
[root@ localhost ELK]# java -version
java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)
安装elasticsearch
[root@ localhost ELK]# yum -y install elasticsearch-6.6.2.rpm
Loaded plugins: fastestmirror
Examining elasticsearch-6.6.2.rpm: elasticsearch-6.6.2-1.noarch
Marking elasticsearch-6.6.2.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package elasticsearch.noarch 0:6.6.2-1 will be installed
--> Finished Dependency Resolution
# 配置开机自启动
[root@ localhost ELK]# systemctl enable elasticsearch
Created symlink from /etc/systemd/system/multi-user.target.wants/elasticsearch.service to /usr/lib/systemd/system/elasticsearch.service.
# 开启服务
[root@ localhost ELK]# systemctl start elasticsearch
# 验证服务是否启动
[root@ localhost ELK]# netstat -lptnu|grep java
tcp6 0 0 127.0.0.1:9200 :::* LISTEN 2239/java
tcp6 0 0 ::1:9200 :::* LISTEN 2239/java
tcp6 0 0 127.0.0.1:9300 :::* LISTEN 2239/java
tcp6 0 0 ::1:9300 :::* LISTEN 2239/java
# 监听端口:
9200作为Http协议,主要用于外部通讯(http协议,给客户端用的)
9300作为Tcp协议,ES集群之间是通过9300进行通讯(tcp协议,是es集群内部通信使用)
# 修改elasticsearch配置文件
[root@ localhost ELK]# vim /etc/elasticsearch/elasticsearch.yml
network.host: 10.0.0.73(本机IP)
http.port: 9200 (注释打开)
安装 kibana
[root@ localhost ELK]# yum -y install kibana-6.6.2-x86_64.rpm
Loaded plugins: fastestmirror
Examining kibana-6.6.2-x86_64.rpm: kibana-6.6.2-1.x86_64
Marking kibana-6.6.2-x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package kibana.x86_64 0:6.6.2-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
# 配置kibana文件
[root@ localhost ELK]# vim /etc/kibana/kibana.yml
server.port: 5601(注释打开)
server.host: "10.0.0.73"(默认打开并修改IP)
elasticsearch.hosts: ["http://10.0.0.73:9200"](默认打开并修改IP)
# 配置开机自启动
[root@ localhost ELK]# systemctl enable kibana
Created symlink from /etc/systemd/system/multi-user.target.wants/kibana.service to /etc/systemd/system/kibana.service.
# 开启服务
[root@ localhost ELK]# systemctl start kibana
##10.0.0.74操作
安装Elk包
[root@ localhost ~]# unzip ELK.zip
Archive: ELK.zip
inflating: ELK/elasticsearch-6.6.2.rpm
inflating: ELK/jdk-8u131-linux-x64_.rpm
inflating: ELK/kibana-6.6.2-x86_64.rpm
inflating: ELK/logstash-6.6.0.rpm
安装jdk
# 切换目录到Elk
[root@ localhost ~]# cd ELK/
[root@ localhost ELK]# rpm -ivh jdk-8u131-linux-x64_.rpm
Preparing... ################################# [100%]
Updating / installing...
1:jdk1.8.0_131-2000:1.8.0_131-fcs ################################# [100%]
Unpacking JAR files...
tools.jar...
plugin.jar...
javaws.jar...
deploy.jar...
rt.jar...
jsse.jar...
charsets.jar...
localedata.jar...
# 查看版本
[root@ localhost ELK]# java -version
java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)
安装logstash
[root@ localhost ELK]# yum -y install logstash-6.6.0.rpm
Loaded plugins: fastestmirror
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
Examining logstash-6.6.0.rpm: 1:logstash-6.6.0-1.noarch
Marking logstash-6.6.0.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package logstash.noarch 1:6.6.0-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
# 配置文件路径:
[root@localhost logstash]# pwd
/etc/logstash
[root@localhost logstash]# ll
total 36
drwxrwxr-x 2 root root 6 2019-01-24 20:16 conf.d
-rw-r--r-- 1 root root 1846 2019-01-24 20:16 jvm.options
-rw-r--r-- 1 root root 4568 2019-01-24 20:16 log4j2.properties
-rw-r--r-- 1 root root 342 2019-01-24 20:16 logstash-sample.conf
-rw-r--r-- 1 root root 8194 2020-02-11 18:05 logstash.yml
-rw-r--r-- 1 root root 285 2019-01-24 20:16 pipelines.yml
-rw------- 1 root root 1696 2019-01-24 20:16 startup.options
# 日志文件路径:
[root@localhost logstash]# pwd
/var/log/logstash
# logstash是用来收集日志,并对日志做过滤处理的,我们下面要分析的是系统日志,所以要编写一个收集日志的配置文件
[root@ localhost ELK]# vim /etc/logstash/conf.d/message.conf
# input日志输入模块:日志的获取方式和路径
input {
file {
path => "/var/log/messages"
type => "messages-log"
start_position => "beginning"
}
}
# output日志的输出模块:导出你的数据
output {
elasticsearch {
hosts => "10.0.0.73:9200"
index => "messages_log=%{+YYYY.MM.dd}"
}
}
# 配置开机自启动
[root@ localhost ELK]# systemctl enable logstash
Created symlink from /etc/systemd/system/multi-user.target.wants/logstash.service to /etc/systemd/system/logstash.service.
# 启动logstash服务
[root@ localhost ELK]# systemctl start logstash
测试访问IP:10.0.0.73:5601
在kibana上创建索引
给系统日志添加可视化图形
选择绘画哪个索引的图形
选择x轴为绘画日期的柱状图,然后点击开始获取数据
