ELK log analysis and management

Composition of ELK

ELK = Elasticsearch + Logstash + Kibana

  • Logstash: collects, filters and outputs logs
  • Elasticsearch: stores and indexes the data (a distributed search engine that acts as the database)
  • Kibana: presents the data (search and visualisation)

Introduction to ELK log analysis system

  • Log server

Advantages:
1. Improved security (logs are kept off the host that produced them, so they survive if that host is compromised)
2. Centralised storage of logs

Drawback:

Logs are difficult to analyse by hand

  • ELK log analysis system

Elasticsearch
Logstash
Kibana

  • Log processing steps

1. Centralised management of logs
2. Format the logs (Logstash) and output them to Elasticsearch
3. Index the formatted data (Elasticsearch)
4. Display the data in the front end (Kibana)

Introduction to Elasticsearch

  • Overview of Elasticsearch

Elasticsearch provides a distributed, multi-tenant full-text search engine with a RESTful HTTP interface (port 9200 by default).

  • Elasticsearch core concepts

1. Near real time

Elasticsearch is a near real-time search platform: there is a slight delay (usually about one second) between indexing a document and it becoming searchable.

2. Cluster

A cluster is one or more nodes organised together; together they hold your entire data set and provide indexing and search across all of them.

3. Node

A node is a single server that is part of the cluster; it stores data and takes part in the cluster's indexing and search. Like a cluster, a node is identified by a name. By default this is a random character name assigned when the node starts, but you can and should set it yourself, because the name is how you map a node in the cluster back to the server it runs on. A node joins a cluster by specifying the cluster name. By default every node is configured to join a cluster named elasticsearch, so if several nodes with the default configuration are started and can discover each other, they automatically form a cluster called elasticsearch. Set cluster.name explicitly (this page uses my-elk-cluster) so that nodes do not join a cluster by accident.

4. Index

An index is a collection of documents with similar characteristics. An index is identified by a name (must be all lowercase letters) and when we want to index, search, update, and delete documents corresponding to this index, we must use this name. In a cluster, you can define as many indexes as you want.

5. Shards and replicas

Sharding:
1. Splits an index horizontally, increasing storage capacity
2. Allows distributed, parallel operations across shards, improving performance and throughput
Replicas:
1. High availability in case a shard or node fails; for this reason a replica is never allocated on the same node as its primary shard
2. Increased search throughput, because searches can run on all replicas in parallel

Introduction to Logstash

  • Logstash

1. A powerful data processing tool
2. Transports data and formats it for output
3. A pipeline of data input, data processing (filtering, rewriting, etc.) and data output

  • Logstash main components

Shipper: log collector; watches the local log file, picks up new content as soon as it is written and forwards it. A remote agent usually runs only this component.
Indexer: log storer; receives the logs and writes them to local storage.
Broker: log hub; connects multiple Shippers to multiple Indexers.
Search and Storage: allows searching and storing events.
Web Interface: web-based display interface.

  • Logstash simple concept
    1. Collect: data input
    2. Enrich: data processing, such as filtering and rewriting fields
    3. Transport: data output (to the next stage, e.g. Elasticsearch)

Kibana

  • Kibana

1. An open-source analysis and visualisation platform for Elasticsearch
2. Searches and views data stored in Elasticsearch indices
3. Advanced data analysis and display through a variety of charts

  • Kibana main functions

1. Seamless integration with Elasticsearch
2. Aggregates data and supports complex analysis
3. Lets multiple team members work from the same data
4. Flexible interface, easy sharing of dashboards
5. Simple configuration and visualisation of multiple data sources
6. Simple data export

Simple ELK project

Hosts:

apache ip: 20.0.0.13
node1 ip:  20.0.0.14
node2 ip:  20.0.0.15

[root@apache ~]# vi /etc/hosts    # do this on all three hosts
20.0.0.13 apache
20.0.0.14 node1
20.0.0.15 node2

Install Elasticsearch on node1 and node2 (node2 is configured the same way as node1, with node.name: node2)

[root@node1 ~]# unzip elk.zip
[root@node1 ~]# cd elk/
[root@node1 elk]# rpm -ivh elasticsearch-5.5.0.rpm
[root@node1 elk]# cd /etc/elasticsearch/
[root@node1 elasticsearch]# cp elasticsearch.yml elasticsearch.yml.bak    # back up
[root@node1 elasticsearch]# vim elasticsearch.yml    # edit configuration parameters
17 cluster.name: my-elk-cluster
23 node.name: node1
32 path.data: /data/elk_data
37 path.logs: /var/log/elasticsearch/
43 bootstrap.memory_lock: false
55 network.host: 0.0.0.0
59 http.port: 9200
68 discovery.zen.ping.unicast.hosts: ["node1", "node2"]
[root@node1 elasticsearch]# grep -v "^#" /etc/elasticsearch/elasticsearch.yml
cluster.name: my-elk-cluster
node.name: node1
path.data: /data/elk_data
path.logs: /var/log/elasticsearch/
bootstrap.memory_lock: false
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: ["node1", "node2"]

Note: network.host: 0.0.0.0 binds the REST API to every interface, and Elasticsearch 5.5 without X-Pack performs no authentication, so anyone who can reach TCP/9200 can read, write or delete every index. Outside an isolated lab, bind to the internal address instead (e.g. network.host: 20.0.0.14) and firewall ports 9200 and 9300 so that only the Logstash and Kibana hosts and the other node can reach them.

[root@node1 elasticsearch]# mkdir -p /data/elk_data    # create the data directory (recursively)
[root@node1 elasticsearch]# chown elasticsearch:elasticsearch /data/elk_data/    # give the elasticsearch user ownership
[root@node1 elasticsearch]# systemctl start elasticsearch
[root@node1 elasticsearch]# netstat -anpt | grep 9200
tcp6       0      0 :::9200                 :::*                 LISTEN      13707/java

In the browser, open http://20.0.0.14:9200

{
  "name" : "node1",
  "cluster_name" : "my-elk-cluster",
  "cluster_uuid" : "cDpw29cVRiCpKo9AFzW20A",
  "version" : {
    "number" : "5.5.0",
    "build_hash" : "260387d",
    "build_date" : "2017-06-30T23:16:05.735Z",
    "build_snapshot" : false,
    "lucene_version" : "6.6.0"
  },
  "tagline" : "You Know, for Search"
}

Do the same on node2 and open http://20.0.0.15:9200 to check it.

Health check

Open http://20.0.0.14:9200/_cluster/health?pretty in the browser: once both nodes are up, status is green and number_of_nodes is 2.

Check cluster state information

Open http://20.0.0.14:9200/_cluster/state?pretty to see the node list, routing table and index metadata.
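As an added example (my code, not part of the original post), the following Python reproduces the shard/replica reasoning from the core-concepts section and interprets a _cluster/health response the way the health check above does. The two JSON documents are constructed to match this page's two-node my-elk-cluster with Elasticsearch 5.x index defaults (5 primary shards, 1 replica per index); nothing here contacts a cluster, so it runs offline.

```python
import json

# Constructed sample of GET /_cluster/health?pretty on this page's two-node
# cluster with one index using the 5.x defaults (5 primaries, 1 replica).
HEALTH_TWO_NODES = json.dumps({
    "cluster_name": "my-elk-cluster", "status": "green",
    "number_of_nodes": 2, "number_of_data_nodes": 2,
    "active_primary_shards": 5, "active_shards": 10,
    "relocating_shards": 0, "initializing_shards": 0, "unassigned_shards": 0,
})

# Constructed sample of the same cluster after node2 has gone away: every
# primary is still served by node1, but its replica has no other node to live on.
HEALTH_ONE_NODE = json.dumps({
    "cluster_name": "my-elk-cluster", "status": "yellow",
    "number_of_nodes": 1, "number_of_data_nodes": 1,
    "active_primary_shards": 5, "active_shards": 5,
    "relocating_shards": 0, "initializing_shards": 0, "unassigned_shards": 5,
})


def shard_layout(primaries, replicas, nodes):
    """Work out how many shard copies can actually be allocated.

    A replica is never placed on the same node as its primary, so each primary
    can have at most `nodes` copies (itself plus its replicas) in total.
    Returns (total_copies, assignable_copies, unassigned_copies, expected_status).
    """
    if primaries < 1 or replicas < 0 or nodes < 0:
        raise ValueError("primaries >= 1, replicas >= 0, nodes >= 0 required")
    total = primaries * (1 + replicas)
    if nodes == 0:
        return total, 0, total, "red"          # nothing can hold even a primary
    copies_per_primary = min(1 + replicas, nodes)
    assignable = primaries * copies_per_primary
    unassigned = total - assignable
    return total, assignable, unassigned, "green" if unassigned == 0 else "yellow"


def interpret_health(raw_json):
    """Turn a _cluster/health document into (status, explanation, writable).

    green  : every primary and every replica is assigned
    yellow : all primaries are assigned but some replicas are not; the data is
             complete and searchable, but one node failure can lose it
    red    : at least one primary is unassigned; part of the data is unavailable
    """
    h = json.loads(raw_json)
    status = h["status"]
    nodes = h["number_of_data_nodes"]
    if status == "green":
        return status, f"all {h['active_shards']} shard copies assigned on {nodes} data node(s)", True
    if status == "yellow":
        return status, (f"{h['unassigned_shards']} replica shard(s) unassigned on {nodes} "
                        "data node(s): searchable, but not redundant"), True
    return status, f"{h['unassigned_shards']} shard(s) unassigned, including primaries: data missing", False


def consistent(raw_json, primaries, replicas):
    """Check that a health document matches what shard_layout predicts for its node count."""
    h = json.loads(raw_json)
    _, assignable, unassigned, status = shard_layout(primaries, replicas, h["number_of_data_nodes"])
    return (h["active_shards"] == assignable
            and h["unassigned_shards"] == unassigned
            and h["status"] == status)


if __name__ == "__main__":
    for doc in (HEALTH_TWO_NODES, HEALTH_ONE_NODE):
        print(interpret_health(doc), consistent(doc, primaries=5, replicas=1))
```

A yellow cluster still accepts writes, which is why a single-node lab "works" right up to the disk failure that takes the only copy with it; the replica count only buys safety when there are at least that many extra data nodes.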

Install elasticsearch-head plugin

Installing elasticsearch-head makes the cluster easier to manage from a browser.

1. Install the build environment (node1 and node2 are the same)

[root@glt6 elk]# yum install gcc gcc-c++ make -y

2. Compile and install the node component dependency package

[root@glt6 elk]# tar zxvf node-v8.2.1.tar.gz 
[root@glt6 elk]# cd node-v8.2.1/
[root@glt6 node-v8.2.1]# ./configure 
[root@glt6 node-v8.2.1]# make && make install

3. Install the phantomjs front-end framework

[root@node2 elk]# tar jxvf phantomjs-2.1.1-linux-x86_64.tar.bz2 -C /usr/local/src/    # extract

Copy the binary into the PATH so the command can be used directly

[root@node2 elk]# cd /usr/local/src/phantomjs-2.1.1-linux-x86_64/bin/
[root@node2 bin]# cp phantomjs /usr/local/bin/

4. Install the elasticsearch-head data visualisation tool

[root@node2 elk]# tar zxvf elasticsearch-head.tar.gz -C /usr/local/src/
[root@node2 elk]# cd /usr/local/src/elasticsearch-head/
[root@node2 elasticsearch-head]# npm install

5. Edit the main configuration file

[root@node2 elasticsearch-head]# vim /etc/elasticsearch/elasticsearch.yml
http.cors.enabled: true         # add at the end
http.cors.allow-origin: "*"     # add at the end
[root@node2 elasticsearch-head]# systemctl restart elasticsearch.service
[root@node2 elasticsearch-head]# npm run start &
[root@node2 elasticsearch-head]# netstat -anpt | grep 9200
tcp6       0      0 :::9200                 :::*                    LISTEN      98554/java
[root@node2 elasticsearch-head]# netstat -anpt | grep 9100
tcp        0      0 0.0.0.0:9100            0.0.0.0:*               LISTEN      98652/grunt

http.cors.allow-origin: "*" lets any web page a user happens to visit make requests to the unauthenticated cluster API from that user's browser. Restrict it to the origin elasticsearch-head is served from, for example http.cors.allow-origin: "http://20.0.0.15:9100", and keep port 9100 off public networks.
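Added example, mine rather than the page's or Elasticsearch's code: a small checker for the settings this page puts into elasticsearch.yml (network.host: 0.0.0.0 plus the two CORS lines). It parses the flat key: value form the file uses, so no YAML library is needed, flags the exposure-related values, and compares the page's configuration with a hardened variant. The hardened addresses (20.0.0.14 for the bind address, http://20.0.0.15:9100 as the CORS origin) are this page's own hosts; that elasticsearch-head is the only legitimate browser client is an assumption.

```python
import re

# The node configuration as this page leaves it: the `grep -v "^#"` output
# above plus the two CORS lines added for elasticsearch-head.
PAGE_CONFIG = """\
cluster.name: my-elk-cluster
node.name: node1
path.data: /data/elk_data
path.logs: /var/log/elasticsearch/
bootstrap.memory_lock: false
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: ["node1", "node2"]
http.cors.enabled: true
http.cors.allow-origin: "*"
"""

# Hardened variant (constructed for this example): bind only the internal
# address and allow CORS only from the host that serves elasticsearch-head.
HARDENED_CONFIG = PAGE_CONFIG.replace(
    'network.host: 0.0.0.0', 'network.host: 20.0.0.14').replace(
    'http.cors.allow-origin: "*"', 'http.cors.allow-origin: "http://20.0.0.15:9100"')

_LINE = re.compile(r'^\s*([A-Za-z0-9_.\-]+)\s*:\s*(.*?)\s*$')


def parse_flat_yaml(text):
    """Parse the flat `key: value` lines elasticsearch.yml uses.

    Comments and blank lines are skipped and quotes around a scalar value are
    stripped. Nested YAML and a '#' inside a quoted value are not supported;
    the file on this page needs neither.
    """
    settings = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0]
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            value = value[1:-1]
        settings[key] = value
    return settings


def audit(text):
    """Return a list of (setting, problem) findings for exposure-related settings."""
    s = parse_flat_yaml(text)
    findings = []
    host = s.get('network.host', '')
    # 0.0.0.0, :: and the _global_ special value all bind every interface
    if host in ('0.0.0.0', '::', '_global_'):
        findings.append(('network.host',
                         f'{host} exposes the REST API on all interfaces; Elasticsearch 5.x '
                         'without X-Pack has no authentication on port '
                         + s.get('http.port', '9200')))
    if s.get('http.cors.enabled', 'false').lower() == 'true':
        origin = s.get('http.cors.allow-origin', '')
        if origin in ('*', '/.*/'):
            findings.append(('http.cors.allow-origin',
                             f'{origin} lets any web page the browser visits call the cluster API'))
    return findings


if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Run it against the real file with audit(open('/etc/elasticsearch/elasticsearch.yml').read()) on each node after editing; an empty list is the goal before the cluster is reachable from anything but the Logstash and Kibana hosts.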
          

In the browser, open http://20.0.0.15:9100 (elasticsearch-head) and connect it to http://20.0.0.15:9200: the two nodes and the cluster health are shown.

Create a test index on node1 and view it in elasticsearch-head

[root@node1 elasticsearch-head]# curl -XPUT 'localhost:9200/index-demo/test/1?pretty' -H 'Content-Type: application/json' -d '{"user":"zhangsan","mesg":"hello world"}'
{
  "_index" : "index-demo",
  "_type" : "test",
  "_id" : "1",
  "_version" : 1,
  "result" : "created",
  "_shards" : {
    "total" : 2,
    "successful" : 2,
    "failed" : 0
  },
  "created" : true
}

Explanation of the command:
-XPUT: use the HTTP PUT method, which creates (or replaces) the document
localhost:9200/index-demo/test/1: index index-demo, type test, document id 1; the index is created on the fly if it does not exist yet
?pretty: pretty-print the JSON response
-H 'Content-Type: application/json' -d '...': send the document body as JSON

In the response, "_shards": {"total": 2, "successful": 2} means the write reached both the primary shard and its replica, i.e. both nodes. Refreshing elasticsearch-head shows the new index-demo index with its shards spread over node1 and node2, which proves that data can be stored in Elasticsearch and read back.

Install Logstash on the third host

Collect some logs on the apache host and output them to Elasticsearch.

[root@apache ~]# yum -y install httpd
[root@apache ~]# unzip elk.zip 
[root@apache ~]# cd elk/
[root@apache elk]# rpm -ivh logstash-5.5.1.rpm 
[root@apache elk]# systemctl start logstash.service 
[root@apache elk]# systemctl enable logstash.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/logstash.service to /etc/systemd/system/logstash.service.

Create a symbolic link so that the logstash command is on the PATH

 [root@apache elk]# ln -s /usr/share/logstash/bin/logstash /usr/local/bin/

To check that Logstash (apache) and Elasticsearch (node1/node2) work together, run a few tests with the logstash command.
Option reference:
-f  specify the Logstash configuration file; Logstash is configured from that file
-e  take the configuration from the string that follows (with an empty string "", stdin is used as input and stdout as output by default)
-t  test whether the configuration file is valid, then exit

[root@apache elk]# logstash -e 'input { stdin{} } output { stdout{} }'
00:39:41.237 [Api Webserver] INFO  logstash.agent - Successfully started Logstash API endpoint {:port=>9600}
www.baidu.com                                     # type a URL on stdin
2021-01-05T16:35:07.633Z apache www.baidu.com     # Logstash echoes timestamp, host and message
www.sina.com
2021-01-05T16:35:26.921Z apache www.sina.com

With the rubydebug codec the whole event is printed, which confirms that Logstash can produce formatted output:

[root@apache elk]# logstash -e 'input { stdin{} } output { stdout{ codec=>rubydebug } }'
www.baidu.com
{
    "@timestamp" => 2021-01-05T16:39:49.486Z,
      "@version" => "1",
          "host" => "apache",
       "message" => "www.baidu.com"
}

Use Logstash to write events to Elasticsearch

[root@apache elk]# logstash -e 'input { stdin{} } output { elasticsearch { hosts=>["20.0.0.14:9200"] } }'
01:11:13.182 [Api Webserver] INFO  logstash.agent - Successfully started Logstash API endpoint {:port=>9600}
www.baidu.com
www.sina.com

Open elasticsearch-head in the browser (http://20.0.0.15:9100, connected to the cluster at http://20.0.0.14:9200): a new logstash-YYYY.MM.dd index appears (the elasticsearch output's default index name), with its primary shards and replicas assigned across the two nodes. This confirms that Logstash can deliver data to Elasticsearch.

Configure the system-log pipeline on the apache host

1. Look at the Apache host's logs and make /var/log/messages readable by the logstash user

[root@apache ~]# cd /var/log/
[root@apache log]# ll
[root@apache log]# chmod o+r messages

(chmod o+r makes the file world-readable. A tighter alternative is to grant read access to the logstash user alone, e.g. setfacl -m u:logstash:r /var/log/messages, so that other unprivileged accounts on the host gain nothing.)

2. Write the pipeline configuration

[root@apache log]# cd /etc/logstash/conf.d/
[root@apache conf.d]# vim system.conf
input {
    file {
        path => "/var/log/messages"
        type => "system"
        start_position => "beginning"
    }
}
output {
    elasticsearch {
        hosts => ["20.0.0.14:9200"]
        index => "system-%{+YYYY.MM.dd}"
    }
}

Run it with logstash -f /etc/logstash/conf.d/system.conf (or restart the logstash service so that it picks up the new file under conf.d), then check elasticsearch-head for the system-YYYY.MM.dd index.

Install Kibana on node1

[root@node1 elk]# rpm -ivh kibana-5.5.1-x86_64.rpm
[root@node1 elk]# cd /etc/kibana/
[root@node1 kibana]# cp kibana.yml kibana.yml.bak    # back up
[root@node1 kibana]# vim kibana.yml
2 server.port: 5601
7 server.host: "0.0.0.0"
21 elasticsearch.url: "http://20.0.0.14:9200"
30 kibana.index: ".kibana"
[root@node1 kibana]# systemctl start kibana.service     # start the service
[root@node1 kibana]# systemctl enable kibana.service    # start at boot
Created symlink from /etc/systemd/system/multi-user.target.wants/kibana.service to /etc/systemd/system/kibana.service.

Kibana is then reachable at http://20.0.0.14:5601. Like Elasticsearch, Kibana 5.5 without X-Pack has no login page, so restrict who can reach port 5601 in the same way as port 9200.

Synchronise the clocks of all hosts (for example with ntpdate against a common time server): Kibana filters by @timestamp and the daily index names are derived from it, so a host with a wrong clock puts its events in the wrong day.

Ship the Apache access and error logs from the apache host

On the apache host:

[root@apache ~]# cd /etc/logstash/conf.d/
[root@apache conf.d]# vim apache_log.conf
input {
    file {
        path => "/etc/httpd/logs/access_log"
        type => "access"
        start_position => "beginning"
    }
    file {
        path => "/etc/httpd/logs/error_log"
        type => "error"
        start_position => "beginning"
    }
}
output {
    if [type] == "access" {
        elasticsearch {
            hosts => ["20.0.0.15:9200"]
            index => "apache_access-%{+YYYY.MM.dd}"
        }
    }
    if [type] == "error" {
        elasticsearch {
            hosts => ["20.0.0.15:9200"]    # any node of the cluster will do; the original had 20.0.0.10, which is not one of the three hosts
            index => "apache_error-%{+YYYY.MM.dd}"
        }
    }
}
[root@apache conf.d]# logstash -f apache_log.conf    # apache_log.conf is in conf.d, the current directory, so the relative path works; otherwise use the absolute path
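Added example, my code rather than the page's or Logstash's, showing what the system.conf and apache_log.conf pipelines above do to each line, in Python so it can be run offline: build the event the file input produces (@timestamp, @version, host, message, type, the same fields the rubydebug output above showed), parse an Apache combined access_log line into fields the way a grok filter would, and render the day-based index name. It goes beyond the page in two ways: the two if [type] blocks are collapsed into a single apache_%{type}-%{+YYYY.MM.dd} pattern, and a date-filter step sets @timestamp from the log line itself, which the page's configs do not do (with start_position => "beginning", every old line is otherwise stamped with the time Logstash read it, so a week of history lands in today's index). The log lines are constructed; the field names follow Logstash's COMBINEDAPACHELOG grok pattern.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Apache "combined" access_log line, using the field names of Logstash's
# COMBINEDAPACHELOG grok pattern (clientip, auth, timestamp, verb, request, ...).
ACCESS_RE = re.compile(
    r'(?P<clientip>\S+) \S+ (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+)(?: (?P<httpversion>[^"]+))?" '
    r'(?P<response>\d{3}) (?P<bytes>\S+)'
    r'(?: "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)")?'
)
APACHE_TIME = "%d/%b/%Y:%H:%M:%S %z"        # e.g. 05/Jan/2021:23:59:30 +0800

# Constructed sample lines, as if read from /etc/httpd/logs/access_log and error_log.
SAMPLE_ACCESS = [
    '20.0.0.1 - - [05/Jan/2021:23:59:30 +0800] "GET /index.html HTTP/1.1" 200 4897 "-" "curl/7.29.0"',
    '20.0.0.1 - - [06/Jan/2021:07:30:00 +0800] "GET /../../etc/passwd HTTP/1.1" 404 209 "-" "curl/7.29.0"',
    'this line is not an access log entry',
]
SAMPLE_ERROR = [
    '[Wed Jan 06 07:30:00.123456 2021] [core:error] [pid 2231] [client 20.0.0.1:50412] '
    'AH00126: Invalid URI in request GET /../../etc/passwd HTTP/1.1',
]
# Fixed "time Logstash read the line", so results are reproducible.
FIXED_READ_AT = datetime(2021, 1, 6, 0, 0, tzinfo=timezone.utc)


def build_event(line, log_type, host="apache", read_at=None):
    """Produce the event the page's file input would hand to the output stage."""
    read_at = read_at or datetime.now(timezone.utc)
    event = {"@timestamp": read_at, "@version": "1", "host": host,
             "message": line.rstrip("\n"), "type": log_type}
    if log_type == "access":
        m = ACCESS_RE.match(event["message"])
        if m is None:
            # Same tag name Logstash's grok filter attaches to an unparsed line
            event["tags"] = ["_grokparsefailure"]
        else:
            event.update({k: v for k, v in m.groupdict().items() if v is not None})
            # The date-filter step: take @timestamp from the line, normalised to UTC
            event["@timestamp"] = datetime.strptime(
                m.group("timestamp"), APACHE_TIME).astimezone(timezone.utc)
    return event


def destination_index(event):
    """Render index => "apache_%{type}-%{+YYYY.MM.dd}". Logstash formats the day in
    UTC, so a line written at 07:30 +0800 lands in the previous day's index."""
    day = event["@timestamp"].astimezone(timezone.utc).strftime("%Y.%m.%d")
    return f"apache_{event['type']}-{day}"


def run_pipeline(access_lines, error_lines, read_at=None):
    """Return {index_name: [events]} for a batch of lines, like the output stage."""
    per_index = defaultdict(list)
    for log_type, lines in (("access", access_lines), ("error", error_lines)):
        for line in lines:
            ev = build_event(line, log_type, read_at=read_at)
            per_index[destination_index(ev)].append(ev)
    return dict(per_index)


if __name__ == "__main__":
    plan = run_pipeline(SAMPLE_ACCESS, SAMPLE_ERROR, read_at=FIXED_READ_AT)
    for index, events in sorted(plan.items()):
        for ev in events:
            print(index, ev.get("response", "-"), ev.get("tags", []), ev["message"][:48])
```

The _grokparsefailure tag is worth watching in Kibana: a burst of unparsed lines in an index usually means either a log-format change or an attacker stuffing request lines with quotes and newlines, and both deserve a look.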

Visit the Apache host's address (http://20.0.0.13) in a browser a few times so that access_log receives entries (requests for pages that do not exist also write to error_log). The apache_access-* and apache_error-* indices then appear in elasticsearch-head, and in Kibana (http://20.0.0.14:5601) you create matching index patterns under Management to browse and chart the events.

Origin blog.csdn.net/weixin_50346902/article/details/112258657