Elasticsearch 是个开源分布式搜索引擎,它的特点有:分布式,零配置,自动发现,索引自动分片,索引副本机制, restful 风格接口,多数据源,自动搜索负载等。
Logstash 是一个完全开源的工具,他可以对你的日志进行收集、分析,并将其存储供以后使用(如,搜索)。
kibana 也是一个开源和免费的工具,他 Kibana 可以为 Logstash 和 ElasticSearch 提供的日志分析友好的 Web 界面,可以帮助您汇总、分析和搜索重要数据日志
在yfm05安装elasticsearch-2.3.3.rpm 前提要安装java1.8。
mkdir /data/efk && cd /data/efk
注意Elasticsearch、Kibana、FileBeat一定要使用相同的版本
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.10.2-linux-x86_64.tar.gz
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.10.2-linux-x86_64.tar.gz
wget https://artifacts.elastic.co/downloads/kibana/kibana-7.10.2-linux-x86_64.tar.gz
tar -zxvf elasticsearch-7.10.2-linux-x86_64.tar.gz
cd elasticsearch-7.10.2
sed -i '/#network.host: 192.168.0.1/s/^#//' config/elasticsearch.yml
sed -i s#network.host:\ 192.168.0.1#network.host:\ 0.0.0.0#g config/elasticsearch.yml
sed -i '/#http.port: 9200/s/^#//' config/elasticsearch.yml
sed -i '/#node.name: node-1/s/^#//' config/elasticsearch.yml
注意这里,如果目前是单节点的话,一定要修改该值为节点的名称,否则虽然启动成功了,但是通过curl命令向elasticsearch服务中新增数据时,会出现 "master_not_discovered_exception"错误
cluster.initial_master_nodes: ["node-1"]
Elasticsearch不能使用root用户打开,所以需要专门创建一个用户来启动Elasticsearch
adduser elastic
passwd elastic
chmod -R 777 /data/efk/elasticsearch-7.10.2
su elastic
后台启动es
./bin/elasticsearch -d
[2021-02-03T22:00:54,729][ERROR][o.e.b.Bootstrap ] [yfm05] node validation exception
[4] bootstrap checks failed
[1]: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65535]
[2]: max number of threads [3795] for user [elastic] is too low, increase to at least [4096]
[3]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
[4]: the default discovery settings are unsuitable for production use; at least one of [discovery.seed_hosts, discovery.seed_providers, cluster.initial_master_nodes] must be configured
[2021-02-03T22:00:54,736][INFO ][o.e.n.Node ] [yfm05] stopping ...
本机环境是 JDK 8 ,它会提醒后面版本需要 JDK 11 支持。但它是向下兼容的
可以看到启动报错了
Centos 6.5不支持SecComp, 而ES 5.x版本起 bootstrap.system_call_filter 的默认值是 true.
修改config/elasticsearch.yml,注意要在Memory配置项的下面添加:
bootstrap.system_call_filter: false
echo "bootstrap.system_call_filter: false" >>config/elasticsearch.yml
[1]: max file descriptors [4096]
vi /etc/security/limits.conf,在里面添加如下内容
* soft nofile 65536
* hard nofile 65536
vi /etc/profile
ulimit -SHn 65536
source /etc/profile
[2]: max number of threads [3795]
vim /etc/security/limits.d/20-nproc.conf
# 修改为8192, 其中*表示所有用户:
* soft nproc 8192
[3]: max virtual memory areas
vim /etc/sysctl.conf
# 修改下述配置, 如果没有就在文件末尾添加:
vm.max_map_count=655360
# 执行命令使修改生效:
sysctl -p
[4]: the default discovery settings
修改
elasticsearch.yml
取消注释保留一个节点
cluster.initial_master_nodes: ["node-1"]
这个的话,这里的node-1是上面一个默认的记得打开就可以了
验证是否启动成功
http://192.168.199.105:9200/
{
"name" : "yfm05",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "_na_",
"version" : {
"number" : "7.10.2",
"build_flavor" : "default",
"build_type" : "tar",
"build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
"build_date" : "2021-01-13T00:42:12.435326Z",
"build_snapshot" : false,
"lucene_version" : "8.7.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
修改nginx配置文件
在http模块下配置
log_format access_json '{ "@timestamp": "$time_iso8601", '
'"time": "$time_iso8601", '
'"remote_addr": "$remote_addr", '
'"remote_user": "$remote_user", '
'"body_bytes_sent": "$body_bytes_sent", '
'"request_time": "$request_time", '
'"status": "$status", '
'"host": "$host", '
'"request": "$request", '
'"request_method": "$request_method", '
'"uri": "$uri", '
'"http_referrer": "$http_referer", '
'"body_bytes_sent":"$body_bytes_sent", '
'"http_x_forwarded_for": "$http_x_forwarded_for", '
'"http_user_agent": "$http_user_agent" '
'}';
access_log /var/log/nginx/access.log access_json;
curl localhost ,可以看待nginx日志已经成功json化
安装head插件
for Elasticsearch 5.x, 6.x, and 7.x: site plugins are not supported. Run as a standalone server
for Elasticsearch 2.x: sudo elasticsearch/bin/plugin install mobz/elasticsearch-head
for Elasticsearch 1.x: sudo elasticsearch/bin/plugin -install mobz/elasticsearch-head/1.x
for Elasticsearch 0.x: sudo elasticsearch/bin/plugin -install mobz/elasticsearch-head/0.9
wget https://codeload.github.com/mobz/elasticsearch-head/zip/v5.0.0
安装 grunt-cli
npm install -g grunt-cli
elasticsearch-head 下载完成后,进入 elasticsearch-head 文件夹
npm install grunt --save
安装依赖的 npm 包
yum -y install bzip2
npm install
安装过程中phantomjs报错,可参考文末文章
启动elastic-head
grunt server 或者 npm run start
nohup npm run start &
Running "connect:server" (connect) task
Waiting forever...
Started connect web server on http://localhost:9100
安装kibana
wget https://artifacts.elastic.co/downloads/kibana/kibana-7.10.2-linux-x86_64.tar.gz
tar -zxvf kibana-7.10.2-linux-x86_64.tar.gz
vi config/kibana.yml
elasticsearch.url: "http://192.168.199.105:9200"
server.host: "0.0.0.0"
kibana.index: ".kibana
注意和Elasticsearch一样不能使用root账户启动
chown -R elastic:elastic /data/efk/kibana-7.10.2-linux-x86_64
后台启动kibana
nohup ./bin/kibana &
安装filebeat
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.10.2-linux-x86_64.tar.gz
tar xzvf filebeat-7.10.2-linux-x86_64.tar.gz
vi filebeat.yml
filebeat.prospectors:
- type: log
enabled: true
paths:
- /var/log/nginx/access.log
json.keys_under_root: true
json.overwrite_keys: true
fields:
appname : nginx_access
setup.kibana:
host: "192.168.199.105:5601"
output.logstash:
hosts: ["192.168.199.105:5044"]
配置一定要注意格式,是以2个空格为子级,里面的配置都在配置文件中,列出来的只是要修改的部分,enabled默认为false,需要改成true才会收集日志。其中/var/xxx/*.log修改为自己的日志路径,注意-后面有一个空格,
如果多个路径则添加一行,一定要注意新行前面的4个空格,multiline开头的几个配置取消注释就行了,是为了兼容多行日志的情况,setup.kibana中的host取消注释,根据实际情况配置地址,output.elasticsearch中的host也一样,根据实际情况配置
后台启动filebeat
nohup ./filebeat -c filebeat.yml &
安装logstash
wget https://artifacts.elastic.co/downloads/logstash/logstash-7.10.2-linux-x86_64.tar.gz
tar -zxvf logstash-7.10.2-linux-x86_64.tar.gz
创建config/logstash-filebeats.conf
# 监听5044端口作为输入
input {
beats {
port => "5044"
}
}
output {
if [fields][appname] == "nginx_access" {
elasticsearch {
hosts => ["192.168.199.105:9200"]
index => "nginx-access-%{+YYYY.MM.dd}"
}
}
}
后台启动
nohup ./bin/logstash -f config/logstash-filebeats.conf &
访问http://192.168.199.105:9200/nginx-access-2021.02.22/_search/ ,其中的日期是你运行的那一天,发现网页中有nginx的日志信息:
{“took”:0,“timed_out”:false,"_shards":{“total”:1,“successful”:1,“skipped”:0,“failed”:0},“hits”:{“total”:{“value”:2,“relation”:“eq”},“max_score”:1.0,“hits”:[{"_index":“nginx-access-2021.02.22”,"_type":"_doc","_id":“C2CZyncBDSpi3swM65rK”,"_score":1.0,"_source":{“host”:{“mac”:[“00:0c:29:1d:b2:3a”],“name”:“yfm05”,“id”:“5b5c56cd758c4e629bf19faa1ebdc87f”,“architecture”:“x86_64”,“containerized”:false,“hostname”:“yfm05”,“os”:{“family”:“redhat”,“kernel”:“3.10.0-1160.el7.x86_64”,“version”:“7 (Core)”,“name”:“CentOSLinux”,“codename”:“Core”,“platform”:“centos”},“ip”:[“192.168.199.105”,“fe80::fca9:7d90:fd6:d63a”,“fe80::be4f:8aab:e347:6e66”,“fe80::bf02:a10:c932:6672”]},“fields”:{“appname”:“nginx_access”},“agent”:{“type”:“filebeat”,“version”:“7.10.2”,“name”:“yfm05”,“id”:“669465ad-52df-48e1-ab99-0480073422be”,“ephemeral_id”:“5ed3abea-5e89-448e-bb59-47b170840a02”,“hostname”:“yfm05”}
也可以通过elasticsearch的可视化header插件看到信息:
在kibana里面查看
打开kibana web地址:http://192.168.199.105:5601,依次打开:Management
-> Kibana -> Index Patterns ,选择Create Index Pattern:
- Index pattern 输入:nginx-access-* ;
- Time Filter field name 选择 @timestamp。
- 点击Create。
然后打开Discover,选择 nginx-access-* 就能看到日志数据了。
参考:
解决:max file descriptors [65535] for elasticsearch process is too low