ELK安装
ELK是三个软件产品的首字母缩写,Elasticsearch,Logstash 和 Kibana。是当前最流行的分布式日志搜索系统,可以帮助我们很好地完成日志的检索,收集,分析的神器!
安装环境:
- Memory – 2 GB
- Storage – 20 GB
- Operating System – CentOS 7
- Java Version – OpenJDK 1.8
Elasticsearch
JDK安装
参见https://chenliny.com/archives/356/
Elasticsearch文档中提供了 Yum安装Elasticsearch的方式。
YUM仓库准备
下载并安装签名(public signing key)
[root@localhost ~]# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch创建一个新的yum配置文件以在CentOS 7上通过Yum Repo进行安装Elasticsearch 。
官网的速度实在感人,换成清华镜像
[root@localhost ~]# cat > /etc/yum.repos.d/elasticsearch.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://mirror.tuna.tsinghua.edu.cn/elasticstack/7.x/yum/
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
为Elasticsearch Yum Repo构建缓存
[root@localhost ~]# yum makecache fast
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.cn99.com
* updates: mirrors.aliyun.com
base | 3.6 kB 00:00:00
elasticsearch-7.x | 1.3 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
元数据缓存已建立
我们已经成功安装了Elasticsearch Yum Repo。现在,我们可以在我们的CentOS 7服务器上安装Elastic stack组件
安装
[root@localhost ~]# yum install -y elasticsearch
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.163.com
* updates: mirrors.aliyun.com
正在解决依赖关系
--> 正在检查事务
---> 软件包 elasticsearch.x86_64.0.7.6.2-1 将被 安装
--> 解决依赖关系完成
依赖关系解决
。。。。。。省略。。。。。
Downloading packages:
elasticsearch-7.6.2-x86_64.rpm | 283 MB 00:03:25
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Creating elasticsearch group... OK
Creating elasticsearch user... OK
正在安装 : elasticsearch-7.6.2-1.x86_64 1/1
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
sudo systemctl start elasticsearch.service
future versions of Elasticsearch will require Java 11; your Java version from [/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-0.el7_7.x86_64/jre] does not meet this requirement
Created elasticsearch keystore in /etc/elasticsearch
验证中 : elasticsearch-7.6.2-1.x86_64 1/1
已安装:
elasticsearch.x86_64 0:7.6.2-1
完毕!
JVM配置
根据需要配置JVM (Java Virtual Machine) 参数
[root@localhost ~]# vi /etc/elasticsearch/jvm.options-Xms512m
-Xmx512m启动服务
根据上面的安装提示,启动Elasticsearch 服务
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl enable elasticsearch.service
Created symlink from /etc/systemd/system/multi-user.target.wants/elasticsearch.service to /usr/lib/systemd/system/elasticsearch.service.
[root@localhost ~]# systemctl start elasticsearch.service
开放端口
如果你有开启防火墙,那么还要开放端口,默认Elasticsearch 端口为9200。
如果没有就直接跳过。
firewall-cmd --zone=public --add-port=9200/tcp --permanent
firewall-cmd --reload校验
校验是否安装成功:
[root@localhost ~]# curl http://127.0.0.1:9200
{
"name" : "localhost.localdomain",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "I6ezKzW4RoOmHnsS_8jQ0g",
"version" : {
"number" : "7.6.2",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "ef48eb35cf30adf4db14086e8aabd07ef6fb113f",
"build_date" : "2020-03-26T06:34:37.794943Z",
"build_snapshot" : false,
"lucene_version" : "8.4.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
从ES 7.x开始内置了JDK,可以在安装的主目录中找到jdk目录。
使用yum安装的elasticsearch,
ES默认安装的主目录:/usr/share/elasticsearch
配置文件的默认位置:/etc/elasticsearch/elasticsearch.yml
系统配置文件:/etc/sysconfig/elasticsearch,可以设置诸如ES_JAVA_OPTS等很多配置
集群
如果你开一个虚拟机玩的不开心,恰好想整个集群玩玩,那么请将当前虚拟机再复制2份出来。
集群elasticsearch.yml配置文件,保持集群名称不变,节点名称变化。
cluster.name: dev-es
node.name: node-2 #node.name: node-3 node.name: node-4
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["192.168.47.90:9300","192.168.47.91:9300","192.168.47.92:9300"]
cluster.initial_master_nodes: ["node-2"]
gateway.recover_after_nodes: 1
http.cors.enabled: true
http.cors.allow-origin: "*"如果想要直接使用节点名称就需要在/etc/hosts加上host:
192.168.47.90 node-2
192.168.47.91 node-3
192.168.47.92 node-4
最重要的一步,如果你用的虚拟机克隆出来的需要删除/var/lib/elasticsearch的nodes目录!!
否则你怎么重启都无法形成集群,因为node-id是一样的!
开放端口
firewall-cmd --zone=public --add-port=9300/tcp --permanent
firewall-cmd --reload现在重启一下
service elasticsearch restart查看集群状态和集群节点列表:
[root@node-2 elasticsearch]# curl -X GET "192.168.47.91:9200/_cat/health?pretty"
1589894864 13:27:44 dev-es green 3 3 0 0 0 0 0 0 - 100.0%
[root@node-2 elasticsearch]# curl -X GET "192.168.47.90:9200/_cat/nodes"
192.168.47.91 29 96 14 0.32 0.17 0.14 dilmrt * node-3
192.168.47.92 19 96 14 0.57 0.23 0.14 dilmrt - node-4
192.168.47.90 41 96 15 0.33 0.25 0.18 dilmrt - node-2
如果还是无法形成集群可以telnet看一下是否网络互通。
Logstash
Logstash是一款强大的数据处理工具,可以帮助我们处理从数据源发送过来的数据。同时将加工之后的信息发送到Elasticsearch。
安装
Logstash 7.6也在在Elasticsearch yum repo中。因此,我们可以使用yum命令轻松安装它。
[root@localhost ~]# yum install -y logstash
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.nju.edu.cn
* extras: mirrors.nju.edu.cn
* updates: mirrors.nju.edu.cn
正在解决依赖关系
--> 正在检查事务
---> 软件包 logstash.noarch.1.7.6.2-1 将被 安装
--> 解决依赖关系完成
依赖关系解决
。。。。。。。省略。。。。。
Successfully created system startup script for Logstash
验证中 : 1:logstash-7.6.2-1.noarch 1/1
已安装:
logstash.noarch 1:7.6.2-1
完毕!配置
新增logstash收集处理数据配置文件,即pipeline配置文件,例如:
[root@localhost ~]# cat > /etc/logstash/conf.d/logstash.conf << EOF
input {
beats {
port => 5044
ssl => false
}
}
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGLINE}" }
}
date {
match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
output {
elasticsearch {
hosts => localhost
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
}
stdout {
codec => rubydebug
}
}
EOFLogstash使用JRuby语言开发,默认yum安装的Logstash的各种配置文件在/etc/logstash下。
/etc/logstash/
├── conf.d
├── jvm.options
├── log4j2.properties
├── logstash-sample.conf
├── logstash.yml
├── pipelines.yml
└── startup.optionslogstash.yml是logstash自己的setting配置文件,这个配置文件里面可以设置关于logstash本身的一些配置。
启动logstash:
[root@localhost ~]# systemctl enable logstash.service
Created symlink from /etc/systemd/system/multi-user.target.wants/logstash.service to /etc/systemd/system/logstash.service.
[root@localhost ~]# systemctl start logstash.service
检查/var/log/logstash/logstash-plain.log,以排除Logstash服务错误。
防火墙放行
firewall-cmd --permanent --add-port=5044/tcp
firewall-cmd --reloadKibana
安装ES时添加的yum源中已经包含了kibana,下面直接使用yum安装即可。
安装
[root@localhost ~]# yum -y install kibana
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.nju.edu.cn
* extras: mirrors.nju.edu.cn
* updates: mirrors.nju.edu.cn
正在解决依赖关系
--> 正在检查事务
---> 软件包 kibana.x86_64.0.7.6.2-1 将被 安装
--> 解决依赖关系完成
依赖关系解决
。。。。。。省略。。。。。
Running transaction
正在安装 : kibana-7.6.2-1.x86_64 1/1
验证中 : kibana-7.6.2-1.x86_64 1/1
已安装:
kibana.x86_64 0:7.6.2-1
完毕!
使用yum安装的kibana,默认安装的主目录在/usr/share/kibana中。
配置
kibana配置文件的位置为/etc/kibana/kibana.yml
[root@localhost ~]# cat >> /etc/kibana/kibana.yml << EOF
server.port: 5601
server.host: "0.0.0.0"
server.name: "elasticsearch-01.example.com"
elasticsearch.hosts: ["http://localhost:9200"]
EOF启动
[root@localhost ~]# systemctl enable --now kibana
Created symlink from /etc/systemd/system/multi-user.target.wants/kibana.service to /etc/systemd/system/kibana.service.
防火墙放行
firewall-cmd --permanent --add-port=5601/tcp
firewall-cmd --reloadFilebeat
Filebeat是一个日志文件托运工具,在你的服务器上安装客户端后,filebeat会监控日志目录或者指定的日志文件,追踪读取这些文件(追踪文件的变化,不停的读),并且转发这些信息到elasticsearch或者logstarsh中存放。在elk中Filebeat是将日志发送到Logstash的代理。
安装
同样ES的yum也包含了Filebeat,所以可以直接yum安装。
[root@localhost ~]# yum install -y filebeat
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.nju.edu.cn
* extras: mirrors.nju.edu.cn
* updates: mirrors.nju.edu.cn
正在解决依赖关系
--> 正在检查事务
---> 软件包 filebeat.x86_64.0.7.6.2-1 将被 安装
--> 解决依赖关系完成
。。。。。。。。。。省略。。。。。。。。
已安装:
filebeat.x86_64 0:7.6.2-1
完毕!
配置
修改配置
[root@localhost ~]# vi /etc/filebeat/filebeat.yml
###################### Filebeat Configuration Example #########################
# This file is an example configuration file highlighting only the most common
# options. The filebeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/filebeat/index.html
# For more available modules and options, please see the filebeat.reference.yml sample
# configuration file.
#=========================== Filebeat inputs =============================
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
- type: log
# Change to true to enable this input configuration.
##将他改为true
enabled: true
# Paths that should be crawled and fetched. Glob based paths.
paths:
- /var/log/*.log
#- c:\programdata\elasticsearch\logs\*
找到output.elasticsearch,并注释
#-------------------------- Elasticsearch output ------------------------------
#下面这行注释掉
#output.elasticsearch:
# Array of hosts to connect to.
#下面这行注释掉
# hosts: ["localhost:9200"]
# Protocol - either `http` (default) or `https`.
#protocol: "https"
# Authentication credentials - either API key or username/password.
#api_key: "id:api_key"
#username: "elastic"
#password: "changeme"
找到output.logstash并取消注释,如下所示。
#----------------------------- Logstash output --------------------------------
#取消这行注释
output.logstash:
# The Logstash hosts
#取消这行注释
hosts: ["localhost:5044"]
# Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
启动
[root@localhost ~]# systemctl enable --now filebeat.service
Created symlink from /etc/systemd/system/multi-user.target.wants/filebeat.service to /usr/lib/systemd/system/filebeat.service.
大功告成
访问 http://你的IP:5601/app/kibana 进入kibana,enjoy your self!
后面我们考虑整个集群ES~