ElasticSearch, Logstash and Kibana: deploying ELK for nginx logs

ELK consists of three open source tools: ElasticSearch, Logstash and Kibana.

1. ELK overview

1. Introduction to ELK

ElasticSearch: an open source distributed search engine. Its characteristics are: distributed, zero configuration, automatic discovery, automatic index sharding, index replication, a RESTful interface, multiple data sources, automatic search load balancing, etc.

Logstash: a completely open source tool that can collect, parse and store your logs for later use.

Kibana: also an open source and free tool. Kibana provides a log-analysis-friendly web interface on top of Logstash and ElasticSearch, which helps to aggregate, analyze and search important log data.

2. ELK protocol stack and architecture


ELK is actually not a single piece of software but a set of solutions. It is an acronym for three products, Elasticsearch, Logstash and Kibana. All three are open source, are usually used together, and all belong to the company elastic.co, so they are referred to as the ELK protocol stack.

Deploy Logstash on every server whose logs need to be collected. Logstash collects the logs generated by the application server and delivers them to the full-text search service ElasticSearch, while Kibana queries the data from the ES cluster, generates charts, and returns them to the client browser.

2. ElasticSearch

2.1 Overview of ElasticSearch

ElasticSearch is a Lucene-based search server. It provides a distributed, multi-user full-text search engine behind a RESTful web interface. Elasticsearch is developed in Java and released as open source under the terms of the Apache license. It is currently a popular enterprise search engine designed for cloud computing: it achieves real-time search, is stable, reliable and fast, and is easy to install and use.

Compared with a database, Elasticsearch is a real-time distributed search and analysis engine. Most databases are surprisingly weak at extracting usable knowledge from data: they can filter queries by timestamp or exact match, but they cannot perform full-text search, handle synonyms, or score documents by relevance. Elasticsearch can produce analyses and aggregations from the same data, and, most importantly, it can process data in real time without a large number of worker processes (threads).

2.2 ElasticSearch application scenarios

In the Internet age, any website or application needs a search function, both for on-site and off-site search, but building search that is complete, functional and fast is very difficult. We want the search solution to run fast. We want a zero-configuration, completely free search mode. We want to be able to simply index data as JSON over HTTP. We want the search server to always be available. We want to start from a single node and scale to hundreds. We want real-time search, simple multi-tenancy, and the ability to build a cloud solution. So we use Elasticsearch to solve all of these problems, and others that may arise.

For the deployment of ElasticSearch and Kibana, refer to the previous two articles:

https://blog.csdn.net/lchmyhua88/article/details/88928311

https://blog.csdn.net/lchmyhua88/article/details/103183862

In this article, I mainly talk about using ELK and setting up Logstash.

First build ElasticSearch and Kibana. The versions I use here are:

kibana-7.6.2-linux-x86_64; elasticsearch-7.6.2; elasticsearch-analysis-ik-7.6.2; logstash-7.6.2

Elasticsearch has the IK word-segmentation (analyzer) plugin installed; the previous two articles already cover this, so it is not repeated here.

Now let's look at setting up Logstash: download the 7.6.2 tar package directly from the official website, unpack it and configure it.

We will write the nginx access logs to elasticsearch.

nginx.conf sets the access log format:

log_format main '$remote_addr - $remote_user [$time_local] '
                'fwf[$http_x_forwarded_for] tip[$http_true_client_ip] '
                '$upstream_addr $upstream_response_time $request_time '
                '$geoip_country_code '
                '$http_host $request '
                '"$status" $body_bytes_sent "$http_referer" '
                '"$http_accept_language" "$http_user_agent" ';

Enable access_log with this format in the vhost configuration lch.demo.com.conf:

Then we create a logstash.conf file in the logstash-7.6.2 directory with the following content:

input {
    # tail the nginx log file; "beginning" reads existing content on first start
    file {
        path => "/var/log/nginx/lch.demo.com-error.log"
        type => "system-log"
        start_position => "beginning"
    }
}
output {
    # one index per day, e.g. system_log-2020.07.17
    elasticsearch {
        hosts => "127.0.0.1:9200"
        index => "system_log-%{+YYYY.MM.dd}"
    }
}

Then we start logstash:

./bin/logstash -f /htdocs/share/logstash-7.6.2/logstash.conf

Now the log has been indexed into elasticsearch; we can check the indices with:

curl -X GET http://127.0.0.1:9200/_cat/indices?v

Then log in to the Kibana backend and create an index pattern for the index just created:

Click Next and set the time filter field name: select "@timestamp".

Save, go back to the home page and open the search for system_log* to see the content of the nginx log just collected; you can search for keywords in the log:

You can see that the log has been written to elasticsearch. You can also have the program write its various logs to redis first, and then write them from redis to elasticsearch.
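With the pipeline above, each nginx line lands in Elasticsearch as one opaque "message" string, so Kibana can only do keyword search on it. The following added example (not code from the original post) parses lines written in the exact log_format defined in nginx.conf above into the typed fields a practitioner would want indexed, and then counts 4xx/5xx responses per client address as a small defensive summary. The sample lines and the function names are constructed for this example; 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.

```python
"""Parse nginx access-log lines written with the custom log_format above into
JSON-like documents with typed fields (added example, not from the original post).
The sample lines and 203.0.113.x / 198.51.100.x addresses are constructed."""
import re
from collections import Counter
from datetime import datetime

# One regex group per variable in the log_format, in the same order.
# $geoip_country_code may be an empty string, hence \S* rather than \S+.
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'fwf\[(?P<http_x_forwarded_for>[^\]]*)\] tip\[(?P<http_true_client_ip>[^\]]*)\] '
    r'(?P<upstream_addr>\S+) (?P<upstream_response_time>\S+) (?P<request_time>\S+) '
    r'(?P<geoip_country_code>\S*) '
    r'(?P<http_host>\S+) (?P<request>.*?) '
    r'"(?P<status>\d{3})" (?P<body_bytes_sent>\d+) "(?P<http_referer>[^"]*)" '
    r'"(?P<http_accept_language>[^"]*)" "(?P<http_user_agent>[^"]*)" ?$'
)


def _text(value):
    """nginx writes '-' (or nothing) for an unset variable; store it as null."""
    return None if value in ("-", "") else value


def _number(value, cast):
    value = _text(value)
    return None if value is None else cast(value)


def parse_line(line):
    """Return a dict of typed fields for one access-log line, or None if the
    line does not match the format (so the caller can count or alert on it)."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    f = m.groupdict()
    doc = {name: _text(value) for name, value in f.items()}
    # Kibana's time filter field: ISO 8601 with the offset nginx logged.
    ts = datetime.strptime(f["time_local"], "%d/%b/%Y:%H:%M:%S %z")
    doc["@timestamp"] = ts.isoformat()
    doc["status"] = int(f["status"])
    doc["body_bytes_sent"] = int(f["body_bytes_sent"])
    doc["request_time"] = _number(f["request_time"], float)
    doc["upstream_response_time"] = _number(f["upstream_response_time"], float)
    # "$request" is "METHOD PATH PROTOCOL"; split it so Kibana can filter on each.
    parts = f["request"].split(" ", 2)
    ok = len(parts) == 3
    doc["request_method"] = parts[0] if ok else None
    doc["request_path"] = parts[1] if ok else None
    doc["request_protocol"] = parts[2] if ok else None
    return doc


def errors_by_client(lines):
    """Count 4xx/5xx responses per remote_addr. remote_addr is the TCP peer;
    fwf[...] and tip[...] are request headers that any client can set, so they
    only identify the real client when a trusted proxy in front of nginx
    overwrites them. Attribution here deliberately uses remote_addr."""
    counts = Counter()
    for line in lines:
        doc = parse_line(line)
        if doc is not None and doc["status"] >= 400:
            counts[doc["remote_addr"]] += 1
    return dict(counts)


# Constructed sample lines in the exact shape the log_format above produces
# (note the trailing space that the format's last '...' leaves on every line).
SAMPLE_LINES = [
    '203.0.113.7 - - [17/Jul/2020:10:15:32 +0800] fwf[-] tip[-] 127.0.0.1:8080 0.012 0.015 CN '
    'lch.demo.com GET /index.php?id=1 HTTP/1.1 "200" 5123 "-" "zh-CN,zh;q=0.9" "Mozilla/5.0" ',
    '203.0.113.7 - - [17/Jul/2020:10:15:33 +0800] fwf[198.51.100.9] tip[-] - - 0.001 CN '
    'lch.demo.com GET /missing.html HTTP/1.1 "404" 153 "-" "-" "curl/7.68.0" ',
    '203.0.113.7 - - [17/Jul/2020:10:15:40 +0800] fwf[-] tip[-] 127.0.0.1:8080 0.003 0.004 CN '
    'lch.demo.com GET /favicon.ico HTTP/1.1 "404" 153 "-" "-" "Mozilla/5.0" ',
    # empty $geoip_country_code: two consecutive spaces before $http_host
    '198.51.100.22 - alice [17/Jul/2020:10:16:01 +0800] fwf[-] tip[-] 127.0.0.1:8080 0.540 0.542  '
    'lch.demo.com POST /login HTTP/1.1 "502" 0 "https://lch.demo.com/" "en-US" "Mozilla/5.0" ',
]

if __name__ == "__main__":
    import json
    for sample in SAMPLE_LINES:
        print(json.dumps(parse_line(sample), ensure_ascii=False))
    print(errors_by_client(SAMPLE_LINES))
```

The same field split can be done inside Logstash with a grok filter; doing it in a standalone script first is a quick way to confirm that the pattern really matches the format nginx writes, including the edge cases (unset variables logged as "-", an empty country code) before pointing Kibana at the data.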

When starting elasticsearch or logstash, the following out-of-memory error may be reported. In that case, modify the default jvm.options configuration of elasticsearch or logstash: the default heap is 1G, and you can change it to a smaller size. Of course, if the machine has enough memory, this is not needed.

Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00000000c0000000, 174456832, 0) failed; error='Cannot allocate memory' (errno=12)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (mmap) failed to map 174456832 bytes for committing reserved memory.


Origin blog.csdn.net/lchmyhua88/article/details/107690351