Experience : Just start exploring, do a simple build. ES hardly needs configuration, filebeat configuration is more friendly, kibana needs to explore. In the business system, log the input and output of the interface, and the keyword search speed is very fast, which is very useful for troubleshooting and positioning.
Why not ELK : I heard that filebeat pays little attention to IO consumption
- The installation speed is very slow. Install in the middle of the night or find suitable resources or download the installation package.
- elasticsearch cannot be started as root user
One, install EFK
-
ubuntu:
apt install elasticsearch&& (cd /usr/share/elasticsearch&&./bin/elasticsearch -d)
apt install kibana&&service kibana start
apt install filebeat&&service filebeat start -
mac
brew install elasticsearch&&brew services start elasticsearch
brew install kibana&&brew services start kibana
brew install filebeat&&brew services start filebeatView
ps -ef | grep elasticsearchor view the port numberlsof -i:9200, kibana a5601port.
Two, placement
Because the default version of the system is different, the kibana interface has changed a bit. For example, the ES of my mac is 6.8, and the ubuntu is 7+.
-
Configure filebeat
vim /usr/local/etc/filebeat/filebeat.ymlfilebeat.prospectors: - type: log enabled: true # 开启 paths: #读取文件,注意得是该配置不会递归目录 - /var/log/php/*.logRestart filebeat.
Enter the sidebar
Discoverto view the configured data.
Three, open the module
- Open the kibana interface
http://localhost:5601/(ubuntu configures its own proxy for external access) and
select the module you want to add. And follow the document settings.DashboardThere are pre-defined display diagrams of many modules, which can be added to see.
Four, not finished.
Install ik
cd {elasticsearch目录}&& ./elasticsearch-plugin install https://github.com/medcl/elasticsearch-analysis-ik/releases/download/v7.8.1/elasticsearch-analysis-ik-7.8.1.zipselect the ik version according to the es version, ==========