Introduction to ElasticSearch
ElasticSearch is a search server built on Lucene. It provides a distributed, multi-tenant full-text search engine behind a RESTful web interface. Elasticsearch is written in Java and released as open source under the Apache license; it is one of the most widely used enterprise search engines. It is designed for cloud deployments and aims at near-real-time search, stability, reliability, speed, and easy installation.
Introduction to logstash
Put simply, logstash is a pipe with real-time data-transport capability: it carries data from the pipe's input end to its output end. Along the way you can insert filters as you need them, and Logstash ships many powerful filters to cover a wide range of use cases.
Introduction to kibana
Kibana is an open-source analytics and visualization platform designed to work with Elasticsearch. It provides search, viewing, and interaction with the data stored in Elasticsearch indices, so developers or operators can easily perform advanced data analysis and visualize it in charts, tables, and maps.
Rough ELK workflow diagram:
ES: indexes, stores, and analyzes the logs; logstash: collects the logs; kibana: displays the logs
Lab environment:
Role    | Hostname      | IP address      | Software
Node 1  | ElasticSearch | 192.168.100.129 | jdk, elasticsearch, logstash, kibana
Node 2  | node 2        | 192.168.100.130 | jdk, elasticsearch
Setting up ElasticSearch
1. Disable the firewall and SELinux:
systemctl stop firewalld.service
setenforce 0
This is acceptable only on throwaway lab VMs. Elasticsearch 2.x ships with no authentication at all, and network.host is set to 0.0.0.0 below, so anyone who can reach port 9200 can read, change, or delete every index. On anything else keep firewalld running and open 9200 and 9300 only to the ELK hosts and peer nodes (192.168.100.129 and 192.168.100.130 here).
2. Configure the yum repository:
vim /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-2.x]
name=Elasticsearch repository for 2.x packages
baseurl=http://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
The key is spelled enabled, not enable; yum does not reject unknown keys and repositories are enabled by default, which is why the typo went unnoticed. gpgcheck=1 makes yum verify every package signature, but the key it verifies against is fetched over plain http here; use https for gpgkey (and baseurl) so the trust anchor cannot be swapped in transit.
3. Install the packages:
yum install elasticsearch -y #install the elasticsearch service
yum install java -y #install the Java runtime; the elasticsearch package does not pull it in, and the service will not start without it
4. Edit the configuration file:
vim /etc/elasticsearch/elasticsearch.yml
line 17, cluster name (must be identical on every node; node 2 below uses the same value, and the log file is named after it: /var/log/elasticsearch/test.log)
cluster.name: test
line 23, node name (must be unique per node)
node.name: node1
line 33, working directories
path.data: /data/es-data #this directory does not exist yet; it is created in step 5
path.logs: /var/log/elasticsearch/
line 43, keep the JVM heap out of swap
bootstrap.mlockall: true
In the 2.x series this setting is called bootstrap.mlockall; bootstrap.memory_lock is its 5.x name and 2.x silently ignores it, so the heap would still be swappable. The memlock warning in step 7 only appears when mlockall is actually enabled.
line 54, listening address
network.host: 0.0.0.0
0.0.0.0 binds every interface. With no authentication in 2.x, either bind to the node's 192.168.100.x address only or restrict 9200/9300 at the firewall.
line 58, port
http.port: 9200
5. Create the data directory:
mkdir -p /data/es-data
chown -R elasticsearch:elasticsearch /data/es-data/ #hand ownership to the service user
6. Start the service:
systemctl start elasticsearch.service
netstat -ntap | grep 9200
7. Elasticsearch memory-lock limit:
less /var/log/elasticsearch/test.log #the log file is named after the cluster
......
[2018-08-21 16:45:52,015][WARN ][bootstrap ] These can be adjusted by modifying /etc/security/limits.conf, for example:
# allow user 'elasticsearch' mlockall
elasticsearch soft memlock unlimited
elasticsearch hard memlock unlimited
......
vim /etc/security/limits.conf #append at the end: no limit on locked memory for the elasticsearch user
elasticsearch soft memlock unlimited
elasticsearch hard memlock unlimited
systemctl restart elasticsearch.service #restart the service
Caveat: /etc/security/limits.conf is applied by PAM to login sessions. A service started by systemd never passes through PAM, so these two lines alone do not change the limit of the elasticsearch unit and the warning comes back after the restart. Check the packaged unit's Limit* lines with systemctl cat elasticsearch, set LimitMEMLOCK=infinity in a drop-in (systemctl edit elasticsearch), then systemctl daemon-reload and restart. Confirm with cat /proc/$(pgrep -u elasticsearch java)/limits that "Max locked memory" reads unlimited, and with curl 'http://192.168.100.129:9200/_nodes/process?pretty' that mlockall is true.
8. Open-file limit:
ulimit -a #show the current limits
......
open files (-n) 1024
......
vim /etc/security/limits.conf #append at the end
* soft nofile 65535
* hard nofile 65535
#takes effect for new login sessions (log out and back in, or reboot); for the systemd-managed elasticsearch unit itself it has no effect, so set LimitNOFILE=65535 in the service drop-in alongside LimitMEMLOCK
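Both limits above are written to /etc/security/limits.conf, which only governs PAM login sessions; the elasticsearch unit started by systemd keeps its own limits. The script below is an added example, not part of the original tutorial: it writes the systemd drop-in that actually changes the service's limits, and parses a /proc/<pid>/limits dump to confirm what the running process ended up with. The two limits dumps it writes are constructed (a before and an after); the drop-in directory argument is the example's own, and on a real host it would be /etc/systemd/system.

```shell
#!/bin/sh
# Added example: set and verify resource limits for a systemd-managed
# Elasticsearch. Not from the original tutorial.

# write_es_limits_dropin DIR
# Creates DIR/elasticsearch.service.d/override.conf. On a real host DIR is
# /etc/systemd/system, followed by: systemctl daemon-reload && systemctl restart elasticsearch
write_es_limits_dropin() {
    mkdir -p "$1/elasticsearch.service.d"
    cat > "$1/elasticsearch.service.d/override.conf" <<'EOF'
[Service]
# bootstrap.mlockall needs to lock the whole heap; limits.conf does not apply here
LimitMEMLOCK=infinity
LimitNOFILE=65535
EOF
    echo "$1/elasticsearch.service.d/override.conf"
}

# proc_limit LIMITS_FILE NAME -> soft value of one row of a /proc/<pid>/limits dump.
# Row layout: "Max locked memory         65536                65536                bytes";
# names contain single spaces, so columns are split on runs of two or more spaces.
proc_limit() {
    awk -v name="$2" -F '  +' '$1 == name { print $2 }' "$1"
}

# check_es_limits LIMITS_FILE -> 0 when memlock is unlimited and nofile >= 65535.
check_es_limits() {
    rc=0
    mem=$(proc_limit "$1" "Max locked memory")
    nof=$(proc_limit "$1" "Max open files")
    if [ "$mem" != "unlimited" ]; then
        echo "Max locked memory is '$mem': mlockall will fail and the bootstrap warning stays"; rc=1
    fi
    if [ "$nof" != "unlimited" ] && [ "${nof:-0}" -lt 65535 ]; then
        echo "Max open files is '$nof', below the 65535 Elasticsearch expects"; rc=1
    fi
    return $rc
}

# write_sample_limits DIR -> two constructed /proc/<pid>/limits dumps: the process
# as it runs after editing only limits.conf, and after the systemd drop-in.
write_sample_limits() {
    cat > "$1/before.txt" <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max locked memory         65536                65536                bytes
Max open files            1024                 4096                 files
EOF
    cat > "$1/after.txt" <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max locked memory         unlimited            unlimited            bytes
Max open files            65535                65535                files
EOF
}

# Stand-alone run. On a live host replace the sample path with
# /proc/$(pgrep -u elasticsearch java)/limits
demo_dir=$(mktemp -d)
write_sample_limits "$demo_dir"
write_es_limits_dropin "$demo_dir"
for f in before after; do
    if check_es_limits "$demo_dir/$f.txt"; then echo "$f: limits OK"; fi
done
```

The "before" dump is what you see when only limits.conf was edited: the service still runs with 65536 bytes of lockable memory and 1024 open files. Only after the drop-in and a restart does the second dump appear, and that is the state the bootstrap warning in the log is checking for.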
Test: browse to http://192.168.100.129:9200 (the JSON reply with the version and cluster name is served to anyone who can reach the port)
Two ways of talking to ES:
The first is the Java API (the native transport client, port 9300); the second is the RESTful API over HTTP on port 9200, exchanging JSON. The example below uses the REST API from curl to count every document in the cluster:
[root@localhost ~]# curl -i -XGET 'http://192.168.100.129:9200/_count?pretty' -d '{
> "query": {
> "match_all": {}
> }
> }'
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 95
{
"count" : 0,
"_shards" : {
"total" : 0,
"successful" : 0,
"failed" : 0
}
}
The count and shard totals are 0 because nothing has been indexed yet. Note that the request carried no credentials and was accepted; anyone who can reach 9200 has exactly this access. The head plugin below is a browser front-end for the same REST API:
1. Install the plugin:
[root@localhost ~]# /usr/share/elasticsearch/bin/plugin install mobz/elasticsearch-head #install the head plugin
-> Installing mobz/elasticsearch-head...
Trying https://github.com/mobz/elasticsearch-head/archive/master.zip ...
Downloading ....................DONE
Verifying https://github.com/mobz/elasticsearch-head/archive/master.zip checksums if available ...
NOTE: Unable to verify checksum for downloaded plugin (unable to find .sha1 or .md5 file to verify)
Installed head into /usr/share/elasticsearch/plugins/head
Read the NOTE: the plugin manager pulled whatever was on the master branch of a GitHub repository at that moment and had no checksum to verify it against, so you have no integrity guarantee for the JavaScript it now serves to every browser that opens /_plugin/head/. Outside a lab, download a tagged release, check its hash yourself, and install from the local archive (plugin install file:///path/to/archive.zip). Keep in mind too that the head UI gives anyone who can reach port 9200 a point-and-click view of every index.
2. Plugin location:
[root@localhost ~]# ls /usr/share/elasticsearch/plugins/ #plugins live here; to uninstall one, delete its directory (or run plugin remove head)
head
3. Test: browse to http://192.168.100.129:9200/_plugin/head/
Setting up an ElasticSearch cluster
1. On ES node 1, edit the configuration file:
vim /etc/elasticsearch/elasticsearch.yml
line 69, discovery: unicast list of the nodes to contact
discovery.zen.ping.unicast.hosts: ["127.0.0.1", "192.168.100.130"]
2. Install as above, then configure ES node 2:
vim /etc/elasticsearch/elasticsearch.yml
line 17, cluster name
cluster.name: test #must be identical on every node
line 23, node name
node.name: node2 #must be unique per node
line 33, working directories
path.data: /data/es-data #create it with mkdir -p and chown it to elasticsearch:elasticsearch, as on node 1
path.logs: /var/log/elasticsearch/
line 43, keep the JVM heap out of swap
bootstrap.mlockall: true
line 54, listening address
network.host: 0.0.0.0
line 58, port
http.port: 9200
line 69, discovery
discovery.zen.ping.unicast.hosts: ["127.0.0.1", "192.168.100.129"]
3. Start the services:
systemctl restart elasticsearch.service #restart on node 1, start on node 2
4. Test: browse to http://192.168.100.129:9200/_plugin/head/ (or run curl 'http://192.168.100.129:9200/_cat/nodes?v'); both node1 and node2 should be listed.
Membership is gated only by cluster.name and reachability of the transport port 9300. Without Shield, any host that can reach 9300, is configured with cluster.name: test, and lists one of these nodes in its own unicast hosts can join the cluster and will be handed shard copies. Keep 9300 closed to everything except the two nodes.
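As originally written, node 1 had cluster.name: abner while node 2 has cluster.name: test, so the two nodes would never have discovered each other. The script below is an added example, not part of the original tutorial: it extracts the settings that decide cluster membership from two elasticsearch.yml files, fails on the mismatches that prevent a cluster from forming, and warns about the 0.0.0.0 binding. The YAML it writes is a constructed copy of the configurations on this page (node 1 both as originally written and as corrected); file names and the temporary directory are the example's own.

```shell
#!/bin/sh
# Added example: sanity-check two elasticsearch.yml files before starting the
# cluster. Not from the original tutorial.

# es_yml_get FILE KEY -> value of the top-level "KEY: value" line, trailing
# "# comment" stripped, empty if the key is absent or commented out.
es_yml_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*#.*$//' | head -n 1
}

# check_es_cluster NODE1_YML NODE2_YML
# Returns 1 on settings that prevent the nodes from forming one cluster;
# prints WARN lines (exit 0) for exposure problems that need a firewall.
check_es_cluster() {
    a="$1"; b="$2"; rc=0
    ca=$(es_yml_get "$a" cluster.name); cb=$(es_yml_get "$b" cluster.name)
    na=$(es_yml_get "$a" node.name);    nb=$(es_yml_get "$b" node.name)
    # Zen discovery only accepts nodes that carry the same cluster.name.
    if [ -z "$ca" ] || [ "$ca" != "$cb" ]; then
        echo "ERROR: cluster.name differs ('$ca' vs '$cb'): the nodes will not join"; rc=1
    fi
    if [ "$na" = "$nb" ]; then
        echo "ERROR: node.name must be unique per node (both are '$na')"; rc=1
    fi
    for f in "$a" "$b"; do
        if [ -z "$(es_yml_get "$f" discovery.zen.ping.unicast.hosts)" ]; then
            echo "ERROR: $f has no discovery.zen.ping.unicast.hosts"; rc=1
        fi
        # 0.0.0.0 exposes 9200 (REST) and 9300 (transport) on every interface;
        # ES 2.x has no authentication, and any host that reaches 9300 with the
        # same cluster.name can join the cluster and receive shard copies.
        if [ "$(es_yml_get "$f" network.host)" = "0.0.0.0" ]; then
            echo "WARN: $f binds all interfaces; restrict 9200/9300 to the ELK hosts at the firewall"
        fi
    done
    return $rc
}

# write_sample_configs DIR -> three constructed files copied from this page:
# node 1 as originally written (abner), node 1 corrected (test), and node 2.
write_sample_configs() {
    for node in node1-as-written:abner:node1:192.168.100.130 \
                node1-fixed:test:node1:192.168.100.130 \
                node2:test:node2:192.168.100.129; do
        name=${node%%:*}; rest=${node#*:}
        cluster=${rest%%:*}; rest=${rest#*:}
        nodename=${rest%%:*}; peer=${rest#*:}
        cat > "$1/$name.yml" <<EOF
cluster.name: $cluster # must be identical on every node
node.name: $nodename
path.data: /data/es-data
path.logs: /var/log/elasticsearch/
bootstrap.mlockall: true
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: ["127.0.0.1", "$peer"]
EOF
    done
}

# Stand-alone run: the pair as written fails, the corrected pair passes with warnings.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for n1 in node1-as-written node1-fixed; do
    echo "== $n1 + node2"
    if check_es_cluster "$demo_dir/$n1.yml" "$demo_dir/node2.yml"; then echo "OK: cluster settings consistent"; fi
done
```

On the real hosts, copy node 2's /etc/elasticsearch/elasticsearch.yml next to node 1's and run check_es_cluster on the pair before restarting either service; the WARN lines are the reminder that a consistent cluster is still an unauthenticated one.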
Setting up logstash
1. Configure the yum repository:
vim /etc/yum.repos.d/logstash.repo
[logstash-2.1]
name=Logstash repository for 2.1.x packages
baseurl=http://packages.elastic.co/logstash/2.1/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
As with the elasticsearch repository, the key is enabled (not enable), and the signing key should be fetched over https.
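The elasticsearch repository file earlier on this page and the logstash one in this step share the same two problems: the enable= typo and an http-fetched trust anchor. The script below is an added example, not part of the original tutorial, that audits a .repo file for those settings before yum install runs. The sample repository contents it writes are constructed copies of the logstash file on this page (as written, and corrected on the assumption that the mirror also serves https); file names and the temporary directory are the example's own.

```shell
#!/bin/sh
# Added example: audit yum .repo files for the settings that decide whether
# "yum install" can be fed a tampered package. Not from the original tutorial.

# check_repo_file FILE
# Prints one finding per line; returns 0 when clean, 1 when anything is wrong.
check_repo_file() {
    file="$1"
    rc=0
    # yum accepts unknown keys and enables repositories by default, so the
    # misspelled "enable=1" on the page "works" only by accident.
    if grep -q '^enable=' "$file"; then
        echo "$file: 'enable=' is not a yum key, use 'enabled=1'"; rc=1
    fi
    # gpgcheck=1 makes yum verify every package signature against gpgkey.
    if ! grep -q '^gpgcheck=1' "$file"; then
        echo "$file: gpgcheck must be 1 so package signatures are verified"; rc=1
    fi
    # The key is the trust anchor: fetched over plain http it can be swapped in
    # transit, after which the attacker's own packages verify fine. Same for baseurl.
    for key in baseurl gpgkey; do
        if grep -q "^$key=http://" "$file"; then
            echo "$file: $key is fetched over plain http, use https"; rc=1
        fi
    done
    return $rc
}

# write_sample_repos DIR
# Writes two constructed files: the logstash repo exactly as on this page, and a
# corrected version (https URLs are an assumption about the mirror).
write_sample_repos() {
    cat > "$1/logstash-as-written.repo" <<'EOF'
[logstash-2.1]
name=Logstash repository for 2.1.x packages
baseurl=http://packages.elastic.co/logstash/2.1/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enable=1
EOF
    cat > "$1/logstash-fixed.repo" <<'EOF'
[logstash-2.1]
name=Logstash repository for 2.1.x packages
baseurl=https://packages.elastic.co/logstash/2.1/centos
gpgcheck=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
EOF
}

# Stand-alone run: write the samples to a temp dir and audit both.
demo_dir=$(mktemp -d)
write_sample_repos "$demo_dir"
for f in "$demo_dir"/*.repo; do
    if check_repo_file "$f"; then echo "$f: OK"; fi
done
```

On a real host run it over everything yum will read: for f in /etc/yum.repos.d/*.repo; do check_repo_file "$f"; done. The file as written on this page produces three findings (the typo, the http baseurl, and the http gpgkey); the corrected file produces none.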
2. Install the logstash service:
yum install logstash -y #installed under /opt by default
3. Collect the system log with logstash:
ln -s /opt/logstash/bin/logstash /usr/bin/ #symlink so the binary is on PATH
[root@localhost ~]# vim file.conf #write the pipeline configuration
input { #where events come from
file {
path => "/var/log/messages" #location of the system log
type => "system" #event type; used below to route events in output
start_position => "beginning" #read the file from its first line the first time it is seen; afterwards logstash resumes from the offset recorded in its sincedb file, so it does not re-read on every start
}
}
output { #where events go
elasticsearch { #send to ES
hosts => ["192.168.100.129:9200"] #ES server
index => "system-%{+YYYY.MM.dd}" #"system" is your choice; the date suffix is the fixed pattern for one index per day
}
}
[root@localhost ~]# logstash -f file.conf #start collecting
# -f: load the pipeline configuration from the given .conf file
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
Settings: Default filter workers: 1
Logstash startup completed
^CSIGINT received. Shutting down the pipeline. {:level=>:warn} #Ctrl+C
^CSIGINT received. Terminating immediately.. {:level=>:fatal} #Ctrl+C a second time forces an immediate stop
This manual run is as root. The package also creates a logstash service user, which only needs read access to the files it tails; prefer that for anything that stays running.
4. Open http://192.168.100.129:9200/_plugin/head/ to check the collected data:
5. Collecting logs from several services: the system log and the Java (Elasticsearch) log:
vim file.conf
input {
file {
path => "/var/log/messages"
type => "system"
start_position => "beginning"
}
file {
path => "/var/log/elasticsearch/test.log" #Elasticsearch's own (Java) log, named after the cluster
type => "es-error" #the type is only a label; every line of the file is shipped, not just errors
start_position => "beginning"
}
}
output {
if [type] == "system" { # route by the type set in input
elasticsearch {
hosts => ["192.168.100.129:9200"]
index => "system-%{+YYYY.MM.dd}"
}
}
if [type] == "es-error" {
elasticsearch {
hosts => ["192.168.100.129:9200"]
index => "es-error-%{+YYYY.MM.dd}"
}
}
}
[root@localhost ~]# logstash -f file.conf #start collecting
6. Open http://192.168.100.129:9200/_plugin/head/ to check the collected data:
7. Handling stack traces with the multiline codec:
vim multiline.conf
input {
stdin {
codec => multiline { #codec plugin
pattern => "^\[" #regular expression: a line that starts with "["
negate => true #apply the rule to lines that do NOT match the pattern...
what => "previous" #...and append them to the previous event
}
}
}
output {
stdout {
codec => "rubydebug"
}
}
[root@localhost ~]# logstash -f multiline.conf
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
Settings: Default filter workers: 1
Logstash startup completed
[1]
[2] #each bracketed block is one event; an event is only emitted when the next line starting with "[" arrives
{
"@timestamp" => "2018-08-21T11:56:30.674Z",
"message" => "[1]",
"@version" => "1",
"host" => "localhost.localdomain"
}
[abc
{
"@timestamp" => "2018-08-21T11:56:37.894Z",
"message" => "[2]",
"@version" => "1",
"host" => "localhost.localdomain"
}
de
fg]
[abc123]
{
"@timestamp" => "2018-08-21T11:56:58.147Z",
"message" => "[abc\nde\nfg]",
"@version" => "1",
"tags" => [
[0] "multiline"
],
"host" => "localhost.localdomain"
}
Note that "[abc123]" is still buffered when the transcript ends: it is only flushed by the next line starting with "[" (or, where the codec's auto_flush_interval is set, by a timeout). For a log file this means the last exception can lag behind until the next log line is written.
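The transcript above shows the rule but not the algorithm behind it. The awk below is an added example, not part of the original tutorial or of Logstash itself: it reimplements pattern => "^\[", negate => true, what => "previous" on a constructed Elasticsearch log fragment with a Java stack trace, marks joined events the way the multiline tag does, and makes the buffering visible: with end-of-input flushing off, which is how the codec behaves on a live stream, the last event stays unprinted, just like "[abc123]" above. The sample log lines are constructed; the function names are the example's own.

```shell
#!/bin/sh
# Added example: the multiline codec's join rule as an awk pipeline.
# Not from the original tutorial or from Logstash.

# multiline_join [FLUSH_END] < lines
# Emits one event per output line, embedded newlines shown as "\n" like the
# rubydebug output on the page. A line starting with "[" begins a new event and
# flushes the one under construction; any other line is appended to it.
# FLUSH_END=1 (default) also emits the final event at end of input; FLUSH_END=0
# mimics the codec on a live stream, which holds the last event until the next
# "[" line (or a flush timeout) arrives.
multiline_join() {
    awk -v flush_end="${1:-1}" '
        function emit() {
            tag = joined ? " tags=[multiline]" : ""
            print buf tag
            buf = ""; joined = 0
        }
        /^\[/   { if (buf != "") emit(); buf = $0; next }    # delimiter: new event
        buf=="" { buf = $0; next }                           # continuation with no previous event
        { buf = buf "\\n" $0; joined = 1 }                   # what => "previous"
        END { if (flush_end && buf != "") emit() }
    '
}

# sample_es_log -> constructed log fragment in the [timestamp][level ][logger] style
# Elasticsearch 2.x writes, including a stack trace that spans several lines.
sample_es_log() {
    cat <<'EOF'
[2018-08-21 16:45:52,015][WARN ][bootstrap ] sample warning line (constructed)
[2018-08-21 16:46:01,100][ERROR][index.shard ] sample failure (constructed)
java.lang.IllegalStateException: constructed example
    at org.example.Foo.bar(Foo.java:42)
    at org.example.Main.main(Main.java:7)
[2018-08-21 16:46:02,000][INFO ][node ] sample info line (constructed)
EOF
}

# multiline_event_count FLUSH_END -> how many events the sample yields
multiline_event_count() {
    sample_es_log | multiline_join "$1" | wc -l | tr -d ' '
}

# Stand-alone run: three events with end flushing, two without (the INFO line is
# still buffered, exactly as "[abc123]" is in the transcript above).
echo "== flushed at end of input"; sample_es_log | multiline_join 1
echo "== live-stream behaviour";    sample_es_log | multiline_join 0
```

Feed it a real file with sample_es_log replaced by cat /var/log/elasticsearch/test.log: every stack trace collapses into one line carrying the multiline tag, which is exactly what ends up as a single document in the es-error index once the codec is added to file.conf.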
8. Edit file.conf again:
vim file.conf #edit
input {
file {
path => "/var/log/messages"
type => "system"
start_position => "beginning"
}
file {
path => "/var/log/elasticsearch/test.log"
type => "es-error"
start_position => "beginning"
codec => multiline { #add the codec so a stack trace reaches ES as one event instead of one document per line
pattern => "^\["
negate => true
what => "previous"
}
}
}
output {
if [type] == "system" {
elasticsearch {
hosts => ["192.168.100.129:9200"]
index => "system-%{+YYYY.MM.dd}"
}
}
if [type] == "es-error" {
elasticsearch {
hosts => ["192.168.100.129:9200"]
index => "es-error-%{+YYYY.MM.dd}"
}
}
}
Setting up kibana
1. Download the package:
wget https://download.elastic.co/kibana/kibana/kibana-4.3.1-linux-x64.tar.gz
2. Edit the configuration file:
tar zxvf kibana-4.3.1-linux-x64.tar.gz -C /usr/local/
cd /usr/local/
mv kibana-4.3.1-linux-x64/ kibana #rename
vim /usr/local/kibana/config/kibana.yml
//line 2
server.port: 5601
//line 5
server.host: "0.0.0.0"
//line 12, ES address
elasticsearch.url: "http://192.168.100.129:9200" #the ES node Kibana reads from (node 1 in this lab)
//line 20
kibana.index: ".kibana"
Kibana 4 has no login of its own and proxies requests to Elasticsearch on the user's behalf, so with server.host set to 0.0.0.0 anyone who can reach port 5601 gets the same unrestricted access to every index that port 9200 gives. Outside a lab, bind server.host to 127.0.0.1 or a private address and put an authenticating, TLS-terminating reverse proxy in front of it.
3. Start Kibana:
[root@localhost local]# /usr/local/kibana/bin/kibana #runs in the foreground as root here; it needs no privileges, so a dedicated unprivileged user is the better choice
log [20:17:53.006] [info][status][plugin:kibana] Status changed from uninitialized to green - Ready
log [20:17:53.028] [info][status][plugin:elasticsearch] Status changed from uninitialized to yellow - Waiting for Elasticsearch
......
4. Browse to http://192.168.100.129:5601