ELK安装
安装Logstash依赖包JDK
Logstash的运行依赖于Java运行环境, Logstash 1.5以上版本不低于java 7推荐使用最新版本的Java。由于我们只是运行Java程序,而不是开发,下载JRE即可。首先,在Oracle官方下载新版jre,下载地址:http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html
$ mkdir /usr/local/java
$ tar -zxf jdk-8u45-linux-x64.tar.gz -C /usr/local/java/
设置JDK的环境变量,如下:
$ vim ~/.bash_profile
export JAVA_HOME=/usr/local/java/jdk1.8.0_161
export PATH=$PATH:$JAVA_HOME/bin
exportCLASSPATH=.:$JAVA_HOME/lib/tools.jar:$JAVA_HOME/lib/dt.jar:$CLASSPATH
$ java -version (注意是-version 而非 --version)
java version "1.8.0_161"
Java(TM) SE Runtime Environment (build 1.8.0_161-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12, mixed mode)
安装Logstash
$ https://download.elastic.co/logstash/logstash/logstash-6.2.3.tar.gz
$ tar –zxf logstash-6.2.3.tar.gz -C /usr/local/
安装完成后运行如下命令:
$ /usr/local/logstash-6.2.3/bin/logstash -e 'input { stdin { } } output { stdout {} }'
输出:
Sending Logstash's logs to /usr/local/logstash-6.2.3/logs which is now configured via log4j2.properties
[2018-04-09T01:54:36,236][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"netflow", :directory=>"/usr/local/logstash-6.2.3/modules/netflow/configuration"}
[2018-04-09T01:54:36,267][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"fb_apache", :directory=>"/usr/local/logstash-6.2.3/modules/fb_apache/configuration"}
[2018-04-09T01:54:36,953][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2018-04-09T01:54:37,799][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.2.3"}
[2018-04-09T01:54:38,385][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2018-04-09T01:54:40,664][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2018-04-09T01:54:40,871][INFO ][logstash.pipeline ] Pipeline started succesfully {:pipeline_id=>"main", :thread=>"#<Thread:0x72564250 run>"}
The stdin plugin is now waiting for input:
[2018-04-09T01:54:40,981][INFO ][logstash.agent ] Pipelines running {:count=>1, :pipelines=>["main"]}
hello world
我们可以看到,我们输入什么内容logstash按照某种格式输出,其中-e参数参数允许Logstash直接通过命令行接受设置。这点可以帮助我们反复的测试配置是否正确而不用写配置文件。使用CTRL-C命令可以退出之前运行的Logstash。
使用-e参数在命令行中指定配置是很常用的方式,不过如果需要配置更多设置则需要很长的内容。这种情况,我们首先创建一个简单的配置文件,并且指定logstash使用这个配置文件。
例如:在logstash安装目录下创建一个“基本配置”测试文件logstash-simple.conf,文件内容如下:
$ cat logstash-simple.conf
input { stdin { } }
output {
stdout { codec=> rubydebug }
}
Logstash使用input和output定义收集日志时的输入和输出的相关配置,本例中input定义了一个叫"stdin"的input,output定义一个叫"stdout"的output。无论我们输入什么字符,Logstash都会按照某种格式来返回我们输入的字符,其中output被定义为"stdout"并使用了codec参数来指定logstash输出格式。
使用logstash的-f参数来读取配置文件,执行如下开始进行测试:
$ echo "`date` hello World"
Mon Apr 9 02:08:45 UTC 2018 hello World
$ /usr/local/logstash-6.2.3/bin/logstash -f logstash-simple.conf
Logstash startup completed
Mon Apr 9 02:08:45 UTC 2018 hello Worl #该行是执行echo “`date`hello World” 后输出的结果,直接粘贴到该位置
{
"@timestamp" => 2018-04-09T02:17:15.064Z,
"message" => "Mon Apr 9 02:08:45 UTC 2018 hello Worl",
"@version" => "1",
"host" => "5ef8026aa3bf"
}
安装Elasticsearch
$ tar -zxf elasticsearch-6.2.3.tar.gz -C /usr/local/
启动Elasticsearch
$ /usr/local/elasticsearch-6.2.3/bin/elasticsearch
OR后台执行
$ nohup /usr/local/elasticsearch-6.2.3/bin/elasticsearch &
这时有可能会直接被Killed掉,因为内存溢出(OOM),elastisearch占用的内存非常大,所以在内存比较小的服务器上运行要先修改jvm的内存大小
$ vim config/jvm.options
将22和23行的栈堆大小改为512M
-Xms512M
-Xmx512M
注:如果在运行过程中还出现Killed,继续将以上的值调小。
[2018-04-09T03:06:34,552][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.RuntimeException: can not run elasticsearch as root
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:125) ~[elasticsearch-6.2.3.jar:6.2.3]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) ~[elasticsearch-6.2.3.jar:6.2.3]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.2.3.jar:6.2.3]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.2.3.jar:6.2.3]
at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.2.3.jar:6.2.3]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-6.2.3.jar:6.2.3]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) ~[elasticsearch-6.2.3.jar:6.2.3]
Caused by: java.lang.RuntimeException: can not run elasticsearch as root
at org.elasticsearch.bootstrap.Bootstrap.initializeNatives(Bootstrap.java:105) ~[elasticsearch-6.2.3.jar:6.2.3]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:172) ~[elasticsearch-6.2.3.jar:6.2.3]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.3.jar:6.2.3]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.3.jar:6.2.3]
... 6 more
因为安全问题elasticsearch 不让用root用户直接运行,所以要创建新用户
$ groupadd tzhennan
$ useradd tzhennan -g tzhennan
Exception in thread "main" java.nio.file.AccessDeniedException: /usr/local/elasticsearch-6.2.3/config/jvm.options
at sun.nio.fs.UnixException.translateToIOException(UnixException.java:84)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:214)
at java.nio.file.Files.newByteChannel(Files.java:361)
at java.nio.file.Files.newByteChannel(Files.java:407)
at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:384)
at java.nio.file.Files.newInputStream(Files.java:152)
at org.elasticsearch.tools.launchers.JvmOptionsParser.main(JvmOptionsParser.java:58)
$ chown -R elasticsearch:elasticsea elasticsearch-6.2.3/
查看elasticsearch的9200端口是否已监听
$ netstat -anp | grep :9200
tcp 0 0 127.0.0.1:9200 0.0.0.0:* LISTEN 1483/java
接下来我们在logstash安装目录下创建一个用于测试logstash使用elasticsearch作为logstash的后端的测试文件logstash-es-simple.conf,该文件中定义了stdout和elasticsearch作为output,这样的“多重输出”即保证输出结果显示到屏幕上,同时也输出到elastisearch中
input { stdin { } }
output {
elasticsearch {
hosts => "localhost:9200"
user => "tzhennan"
password => "xxx"
}
stdout {
codec=> rubydebug
}
}
执行命令
$ /usr/local/logstash-6.2.3/bin/logstash -f logstash-es-simple.conf
[2018-04-09T07:33:50,581][INFO ][logstash.outputs.elasticsearch] Installing elasticsearch template to _template/logstash
[2018-04-09T07:33:51,886][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//localhost:9200"]}
[2018-04-09T07:33:52,078][INFO ][logstash.pipeline ] Pipeline started succesfully {:pipeline_id=>"main", :thread=>"#<Thread:0x17ddf470 run>"}
The stdin plugin is now waiting for input:
[2018-04-09T07:33:52,202][INFO ][logstash.agent ] Pipelines running {:count=>1, :pipelines=>["main"]}
hello logstash
{
"@timestamp" => 2018-04-09T07:35:03.141Z,
"host" => "5ef8026aa3bf",
"@version" => "1",
"message" => "hello logstash"
}
可以使用curl命令发送请求来查看ES是否接收到了数据:
$ curl 'http://localhost:9200/_search?pretty'
输出:
{
"took" : 154,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : 1,
"max_score" : 1.0,
"hits" : [
{
"_index" : "logstash-2018.04.09",
"_type" : "doc",
"_id" : "WulUqWIB-5JaC2wTa7rt",
"_score" : 1.0,
"_source" : {
"@timestamp" : "2018-04-09T07:35:03.141Z",
"host" : "5ef8026aa3bf",
"@version" : "1",
"message" : "hello logstash"
}
}
]
}
}
至此,已经成功利用Elasticsearch和Logstash来收集日志数据了
问题:
可以访问127.0.0.1:9200,但不能访问公网IP:9200 ,需要在在elasticsearch.yml文件中增加以下配置:
network.bind_host: 0.0.0.0
安装elasticsearch插件
$ cd /usr/local/elasticsearch-6.2.3/
安装Head插件
$ ./bin/plugin install mobz/elasticsearch-head
安装安装elasticsearch-kopf插件
$ ./plugin -install lmenezes/elasticsearch-kopf
安装完成后在plugins目录下可以看到
$ ls plugin
可以在浏览器访问http://ip:9200/_plugin/kopf浏览保存在Elasticsearch中的数据
安装Kibana
$ tar -zxf kibana-6.2.3-linux-x86_64.tar.gz -C /usr/local/
启动kibana
$ /usr/local/kibana-6.2.3-linux-x86_64/bin/kibana
1>使用http://ip:5601访问Kibana,登录后,首先,配置一个索引,默认,Kibana的数据被指向Elasticsearch,使用默认的logstash-*的索引名称,并且是基于时间的,点击“Create”即可
2>点击“Discover”,可以搜索和浏览Elasticsearch中的数据,默认搜索的是最近15分钟的数据。可以自定义选择时间
问题:
可以访问127.0.0.1:5601,但不能访问公网IP:9200 ,需要在在kibaba.yml文件中增加以下配置:
server.host: "localhost"
更改为
server.host: "0.0.0.0"
配置logstash作为Indexer
将logstash配置为索引器,并将logstash的日志数据存储到Elasticsearch
input {
file {
type =>"syslog"
path => ["/var/log/messages", "/var/log/syslog" ]
}
syslog {
type => "syslog"
port => "5544"
}
}
output {
stdout { codec=> rubydebug }
elasticsearch {
hosts => "localhost:9200"
user => "tzhennan"
password => "xxx"
}
}
启动
$ /usr/local/logstash-6.2.3/bin/logstash -flogstash-indexer.conf
使用echo命令模拟写入日志
$ echo "`date` 本地系统测试" >>/var/log/messages
...
参考文章:
http://blog.51cto.com/baidu/1676798
https://my.oschina.net/itblog/blog/547250