ELK installation and deployment

ELK overview

ELK consists of three open source tools, ElasticSearch, Logstash and Kibana:

1) ElasticSearch is an open source distributed search server based on Lucene. Its features include: distributed, zero configuration, automatic discovery, automatic index sharding, an index replication mechanism, a RESTful-style interface, multiple data sources, automatic search load balancing, etc. It provides a distributed, multi-user capable full-text search engine behind a RESTful web interface. Developed in Java and released as open source under the terms of the Apache License, ElasticSearch is a popular enterprise search engine. Designed for use in cloud computing, it delivers real-time search and is stable, reliable, fast, and easy to install and use.

In ElasticSearch, the data of all nodes is equal.

2) Logstash is a completely open source tool that can collect, filter and analyze your logs and store them for later use (e.g. search). Speaking of searching, Logstash comes with a web interface to search and display all logs.

3) Kibana is a front-end display tool for ElasticSearch that runs in browser pages. It is also an open source and free tool. Kibana provides Logstash and ElasticSearch with a friendly web interface for log analysis that helps you summarize, analyze and search important log data.

1. Install JDK

Logstash depends on a Java runtime environment. Logstash 1.5 and later require Java 7 or newer; the latest version of Java is recommended (skip this step if Java is already installed).

# wget http://download.oracle.com/otn-pub/java/jdk/8u45-b14/jdk-8u45-linux-x64.tar.gz
# mkdir /usr/local/java
# tar -zxf jdk-8u45-linux-x64.tar.gz -C /usr/local/java/

Configure Java environment variables

# vi /etc/profile
export JAVA_HOME=/usr/local/java/jdk1.8.0_45
export PATH=$PATH:$JAVA_HOME/bin
export CLASSPATH=.:$JAVA_HOME/lib/tools.jar:$JAVA_HOME/lib/dt.jar:$CLASSPATH

Run the java -version command to check whether the JDK is configured successfully.

2. Install Logstash

Download Logstash and extract it to the specified directory

# wget https://download.elastic.co/logstash/logstash/logstash-2.3.4.tar.gz
# tar -zxvf logstash-2.3.4.tar.gz -C /usr/local/
# mv /usr/local/logstash-2.3.4 /usr/local/logstash

Do a simple test that the Logstash service works. Whatever you type on stdin is expected to be printed back to the terminal as a simple log event

# /usr/local/logstash/bin/logstash -e 'input { stdin { } } output { stdout {} }'

Create a Logstash configuration file

# mkdir -p /data/elk/logstash_conf/
# vi /data/elk/logstash_conf/log_web_error.conf

input {
    file {
        # lines that do not start with a "HH:MM:SS.mmm nnn ERROR" header are
        # appended to the previous event, so a stack trace stays with its error
        codec => multiline {
            pattern => "^\d{2}:\d{2}:\d{2}\.\d* \d* ERROR"
            negate => true
            what => "previous"
        }
        path => "/data/weblogs/tomcat_web/error/*.log"
        start_position => "beginning"
    }
}

output {
    # print every event to the console as well as indexing it
    stdout {}
    elasticsearch {
        action => 'index'
        hosts => '172.16.90.33'
        index => 'web_33_error'
    }
}

Test whether the script works (on a normal start, log messages are printed to the console)

# /usr/local/logstash/bin/logstash -f /data/elk/logstash_conf/log_web_error.conf

When there are many scripts, you can point logstash -f at the directory instead

# /usr/local/logstash/bin/logstash -f /data/elk/logstash_conf/
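As an added example (not part of the original post), the following Python reproduces the grouping that the multiline codec in log_web_error.conf performs, using the same pattern, negate and what values, on a few constructed Tomcat error-log lines. It also accepts what => "next" so the difference between the two modes can be seen on the same input.

```python
import re

# Same settings as the multiline codec in log_web_error.conf above
PATTERN = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d* \d* ERROR")
NEGATE = True
WHAT = "previous"

# Constructed sample: one Tomcat error with a stack trace, then a second error
SAMPLE_LINES = [
    "10:15:02.123 456 ERROR [http-nio-8080-exec-1] Request failed",
    "java.lang.NullPointerException: null",
    "\tat com.example.web.Handler.handle(Handler.java:42)",
    "10:15:03.001 457 ERROR [http-nio-8080-exec-2] Backend timeout",
]


def multiline_events(lines, pattern=PATTERN, negate=NEGATE, what=WHAT):
    """Group raw lines into events the way Logstash's multiline codec does.

    A line 'matches' when the pattern hits; negate=True inverts that. A matching
    line is glued to the previous event (what="previous") or buffered until a
    non-matching line closes the event (what="next").
    """
    events, buf = [], []
    for line in lines:
        matched = bool(pattern.search(line)) != negate
        if what == "previous":
            if matched and buf:
                buf.append(line)            # continuation (e.g. stack trace)
            else:
                if buf:
                    events.append("\n".join(buf))
                buf = [line]                # a new ERROR header starts an event
        else:
            buf.append(line)
            if not matched:                 # this line terminates the event
                events.append("\n".join(buf))
                buf = []
    if buf:
        events.append("\n".join(buf))
    return events


if __name__ == "__main__":
    for i, event in enumerate(multiline_events(SAMPLE_LINES), 1):
        print(f"--- event {i} ---\n{event}")
```

With the page's settings the sample yields two events, the first carrying its stack trace; with what="next" the stack trace would instead be glued to the following error.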


3. Install ElasticSearch

1) Download ElasticSearch and extract it to the specified directory

# wget https://download.elastic.co/elasticsearch/release/org/elasticsearch/distribution/tar/elasticsearch/2.3.4/elasticsearch-2.3.4.tar.gz
# tar -zxvf elasticsearch-2.3.4.tar.gz -C /usr/local/
# mv /usr/local/elasticsearch-2.3.4 /usr/local/elasticsearch

2) Create the ElasticSearch data storage directory and log storage directory

# mkdir -p /data/elk/db/
# mkdir -p /data/weblogs/elk/

3) Create a user to run the ElasticSearch service

# useradd es
# chown -R es /usr/local/elasticsearch/
# chown -R es /data/

4) Adjust the ElasticSearch configuration file

# cd /usr/local/elasticsearch/config/
# vi elasticsearch.yml

cluster.name: es-cluster
node.name: node-33
path.data: /data/elk/db
path.logs: /data/weblogs/elk
network.host: 172.16.90.33
http.port: 9200

5) Install the head plugin

# su - es
$ cd /usr/local/elasticsearch/
$ ./bin/plugin install mobz/elasticsearch-head
# check whether the head plugin is installed
$ ls plugins/

6) Start ElasticSearch

$ ./bin/elasticsearch &

7) View the ElasticSearch home page

# curl http://172.16.90.33:9200

You can check in a browser whether the head plugin installed successfully: http://172.16.90.33:9200/_plugin/head/

8) Firewall configuration

To use the HTTP service and so on normally, the firewall needs to be turned off

# service iptables stop

Alternatively, you can leave the firewall on and open the relevant ports in iptables

# vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9200 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9292 -j ACCEPT
# service iptables restart

4. Install Kibana

1) Download Kibana and install it to the specified directory

# wget https://download.elastic.co/kibana/kibana/kibana-4.5.3-linux-x64.tar.gz
# tar -zxvf kibana-4.5.3-linux-x64.tar.gz -C /usr/local/
# mv /usr/local/kibana-4.5.3-linux-x64 /usr/local/kibana/

2) Modify the Kibana configuration file

# cd /usr/local/kibana/config/
# vi kibana.yml
server.host: "172.16.90.33"
elasticsearch.url: http://172.16.90.33:9200

3) Start Kibana

# cd ../
# ./bin/kibana &

Access Kibana through a browser: http://172.16.90.33:5601/

5. Kibana login authentication

Kibana is developed in Node.js and has no security restrictions of its own: anyone who browses to the URL can access it. In a public network environment that is very insecure, so you can add authentication by forwarding requests through nginx, as follows:

Note: Kibana has no restart command. To restart it, you have to find the Node.js process with ps -ef|grep node, kill it and start it again.

1) Modify the nginx configuration file, referring to the following:

## In a large cluster environment, list several Kibana servers here
upstream kibana_server {
    server 172.16.90.33:5601;
    #server 192.168.8.203:5601;
}
server {
    listen       80;
    server_name  localhost;
    charset utf8;
    location / {
        proxy_pass http://kibana_server$request_uri;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        ## Option 1: user authentication, relies on the password tool from apache-utils
        auth_basic "secret";
        auth_basic_user_file /usr/local/nginx/db/passwd.db;
        ## Option 2: only the company's public IP and LAN IPs may access
        #allow   10.**.*.**;
        #allow   192.168.8.0/24;
        #deny    all;
    }
}

2) Configure the login user name and password

htpasswd -c /usr/local/nginx/db/passwd.db kibana

Note that the path of passwd.db must match the one in the nginx configuration. The trailing kibana is the user name and can be changed freely. After you enter the command, the system prompts for a password; once that is done, passwd.db contains the hashed password, which you can cat if you are interested.

Tip: htpasswd is a small tool that comes with Apache. If the command cannot be found, try installing it with yum install httpd.

3) Block external access to the Kibana port

After setting up nginx forwarding, be sure to configure a firewall such as iptables to forbid direct external access to port 5601, so that Kibana can only be reached through nginx.
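As an added example (not from the original post), a small Python audit of the exposure that step 8 of the ElasticSearch section and this step are about: it reads iptables ACCEPT rules together with the elasticsearch.yml and kibana.yml values from above (all constructed inline, with an extra rule opening 5601 so the failure case shows) and reports which services stay directly reachable. It assumes Kibana's real server.port setting with its default of 5601, and that ElasticSearch 2.x runs without authentication unless a plugin adds it.

```python
import re

# Constructed samples: the iptables rules from step 8 of the ElasticSearch
# section, plus an extra rule opening 5601 to show what this step must catch
IPTABLES_RULES = """\
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9200 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9292 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5601 -j ACCEPT
"""
ES_YML = "network.host: 172.16.90.33\nhttp.port: 9200 \n"
KIBANA_YML = 'server.host: "172.16.90.33"\nelasticsearch.url: http://172.16.90.33:9200\n'


def accepted_ports(rules):
    """TCP ports opened by INPUT rules of the simple '--dport N ... -j ACCEPT' form."""
    return {int(p) for p in re.findall(r"^-A INPUT .*--dport (\d+) .*-j ACCEPT", rules, re.M)}


def yaml_value(text, key, default):
    """Read one flat 'key: value' line (quoted or not) from a yml file."""
    m = re.search(rf'^{re.escape(key)}:\s*"?([^"\n]+?)"?\s*$', text, re.M)
    return m.group(1) if m else default


def audit(rules, es_yml, kibana_yml, kibana_behind_nginx=True):
    """Return findings about services still reachable directly from the network."""
    open_ports = accepted_ports(rules)
    findings = []
    es_host = yaml_value(es_yml, "network.host", "localhost")
    es_port = int(yaml_value(es_yml, "http.port", "9200"))
    # ElasticSearch 2.x ships without authentication: anything that can reach
    # 9200 can read and delete indices such as web_33_error
    if es_host not in ("localhost", "127.0.0.1") and es_port in open_ports:
        findings.append(f"ElasticSearch {es_host}:{es_port} is reachable without auth")
    # Kibana 4 listens on 5601 (its server.port default); if the firewall lets
    # that port through, the nginx auth_basic in front of it is bypassed
    kb_host = yaml_value(kibana_yml, "server.host", "0.0.0.0")
    kb_port = int(yaml_value(kibana_yml, "server.port", "5601"))
    if kibana_behind_nginx and kb_port in open_ports:
        findings.append(f"Kibana {kb_host}:{kb_port} is open, bypassing nginx auth")
    return findings


if __name__ == "__main__":
    for finding in audit(IPTABLES_RULES, ES_YML, KIBANA_YML):
        print("FINDING:", finding)
```

Dropping the 5601 rule clears the Kibana finding; the ElasticSearch finding only goes away when 9200 is closed or network.host is bound to loopback.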
