ELK installation notes

  Kibana installation and configuration

Install from the RPM package.

vim /etc/kibana/kibana.yml
Set the listening port and address:
server.port: 5601

server.host: "ip"

Set the Elasticsearch URL:
elasticsearch.url: "http://ip:9200"

 Elasticsearch installation and configuration

Install from the RPM package; requires JDK 1.8 or later.

vim /etc/elasticsearch/elasticsearch.yml
Set the cluster name, and likewise the node name:
cluster.name: my-elk
Node 1:
node.name: elk-node-1
Data storage path:
mkdir -p /data/
chown -R elasticsearch:elasticsearch /data
path.data: /data/elasticsearch
path.logs: /var/log/elasticsearch

# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#

bootstrap.memory_lock: false
bootstrap.system_call_filter: false

network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: ["ip1", "ip2"]
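
The elasticsearch.yml above binds the node to every interface (network.host: 0.0.0.0) and turns off the system call filter. The script below is an added example, not part of the original notes: it reads an elasticsearch.yml and reports those settings. The function names yaml_value and audit_es_config, the sample file, and the check of the Elasticsearch setting xpack.security.enabled (which these notes do not set) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): report exposure-related
# settings in an elasticsearch.yml. Function names are illustrative.

# Print the value of a top-level "key: value" line (last one wins),
# skipping comment lines and stripping quotes and whitespace.
yaml_value() {
  awk -v key="$2" '
    /^[ \t]*#/ { next }
    index($0, key ":") == 1 {
      v = substr($0, length(key) + 2)
      sub(/[ \t]+#.*$/, "", v)
      gsub(/^[ \t"]+|[ \t"\r]+$/, "", v)
      val = v
    }
    END { print val }' "$1"
}

# Print one WARN line per finding, or OK when nothing is flagged.
audit_es_config() (
  n=0
  host=$(yaml_value "$1" network.host)
  filter=$(yaml_value "$1" bootstrap.system_call_filter)
  sec=$(yaml_value "$1" xpack.security.enabled)
  if [ "$host" = "0.0.0.0" ] || [ "$host" = "::" ]; then
    echo "WARN network.host=$host: listens on every interface; bind a specific address"
    n=$((n + 1))
    if [ "$sec" != "true" ]; then
      echo "WARN xpack.security.enabled is not true here: confirm the HTTP API requires authentication"
      n=$((n + 1))
    fi
  fi
  if [ "$filter" = "false" ]; then
    echo "WARN bootstrap.system_call_filter=false: system call filter is disabled"
    n=$((n + 1))
  fi
  [ "$n" -gt 0 ] || echo "OK"
)

# Constructed sample: the settings from the elasticsearch.yml in these notes.
sample=$(mktemp)
printf '%s\n' 'cluster.name: my-elk' 'bootstrap.memory_lock: false' \
  'bootstrap.system_call_filter: false' 'network.host: 0.0.0.0' \
  'http.port: 9200' > "$sample"
audit_es_config "$sample"
rm -f "$sample"
```

Run it against /etc/elasticsearch/elasticsearch.yml after editing; a file that binds to a single address and leaves the system call filter at its default prints OK.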

Installing the head plugin

service elasticsearch restart

Troubleshooting installation errors

 Logstash installation

Install from the RPM package.
mkdir -p /data/logstash

vim /etc/logstash/logstash.yml
path.data: /data/logstash
http.host: "10.144.23.33"
http.port: 9600-9700
path.logs: /var/log/logstash
Create the log filter configuration file

   Standard input and output

/usr/share/logstash/bin/logstash -e 'input{stdin{}} output{stdout{}}'

--

/usr/share/logstash/bin/logstash -e 'input{stdin{}}output{stdout{codec=>"rubydebug"}}'

--
Output to Elasticsearch:
/usr/share/logstash/bin/logstash -e 'input{stdin{}} output{ elasticsearch {hosts => ["ip:9200"]}}'

--

/usr/share/logstash/bin/logstash -e 'input{stdin{}} output{ elasticsearch {hosts => ["ip:9200"]} stdout{codec => "rubydebug"}}'

--
Default path (the file name must end in .conf):
vim /etc/logstash/conf.d/simple.conf
input{
    stdin{}
}
output{
    elasticsearch{
        hosts => [""]
    }
}

Collecting system logs

input{
    file{
        path => "/var/log/messages"
        type => "system"
        start_position => "beginning"
    }
}
output{
    elasticsearch{
        hosts => ["ip:9200"]
        index => "system-%{+YYYY.MM.dd}"
    }
}

Collecting Java logs

# template: fill in the values
input{
    file{
        path => ""
        type => ""
        start_position => ""
    }
}
input{
    file{
        path => "/var/log/elasticsearch/my-elk.log"
        type => "es-error"          # custom type
        start_position => "beginning"
    }
}
output{
    if [type] == "system" {
        elasticsearch{
            hosts => ["IP:9200"]
            index => "system-%{+YYYY.MM.dd}"
        }
    }
    if [type] == "es-error" {
        elasticsearch{
            hosts => ["ip:9200"]
            index => "es-error-%{+YYYY.MM.dd}"
        }
    }
}

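Multiline collection

input{
    stdin{
        # Multiline mode: lines are held until one matches the pattern;
        # when it does, the lines before it are emitted as one event.
        codec => multiline {
            pattern => "^\["        # the pattern
            negate => true          # act on lines that do not match the pattern
            what => "previous"      # join them to the previous line
        }
    }
}
output{
    stdout{
        codec => "rubydebug"
    }
}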

Start Logstash:
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/simple.conf &

Because Logstash is relatively resource-intensive, the lightweight Filebeat is used instead.

Install Filebeat

vim /etc/filebeat/filebeat.yml

#=========================== Filebeat inputs =============================
filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: log

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /home/159tomcat/logs/*.txt

#============================= Filebeat modules ===============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: true

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["10.144.23.33:5044"]

Start Filebeat:
/usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml &

Example
vim /etc/logstash/conf.d/simple.conf

input{
beats{
port => 5044
}
}

output{
elasticsearch {
hosts => ["http://ip:9200"]
index => "localhost_access_log"
}

}