为什么使用ELK日志分析:
一般我们需要进行日志分析场景:直接在日志文件中 grep、awk 就可以获得自己想要的信息。但在规模较大的场景中,此方法效率低下,面临问题包括日志量太大如何归档、文本搜索太慢怎么办、如何多维度查询。需要集中化的日志管理,所有服务器上的日志收集汇总。常见解决思路是建立集中式日志收集系统,将所有节点上的日志统一收集,管理,访问。
准备两台测试服务器:
Centos7(1),Centos(2)
运行内存:最少2G以上把
一,配置环境
Centos(1):操作 →
添加本地DNS解析:
vim /etc/hosts
192.168.xxx.111 aaa
192.168.xxx.110 bbb
修改文件描述符:
vim /etc/systemd/system.conf
DefaultLimitNOFILE=65535
DefaultLimitNPROC=65535
vim /etc/systemd/user.conf
DefaultLimitNOFILE=65535
DefaultLimitNPROC=65535
配置时间同步:
vim /etc/chrony.conf
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 192.168.xxx.111
开启所有同一网段来我这里同步时间:
allow 192.168.xxx.0/24
开启共享
local stratum 10
保存重启服务,开机自启:
systemctl restart chronyd
systemctl enable chronyd
Centos(2):操作 →
修改文件描述符:
vim /etc/systemd/system.conf
DefaultLimitNOFILE=65535
DefaultLimitNPROC=65535
vim /etc/systemd/user.conf
DefaultLimitNOFILE=65535
DefaultLimitNPROC=65535
安装同步时间插件:
yum -y install ntpdate
同步时间(最少两次)
[root@localhost ~]# ntpdate 192.168.xxx.111
23 Apr 09:40:35 ntpdate[3299]: adjust time server 192.168.xxx.111 offset -0.009580 sec
[root@localhost ~]# ntpdate 192.168.xxx.111
23 Apr 09:40:48 ntpdate[3300]: adjust time server 192.168.xxx.111 offset -0.006129 sec
查看同步路径
[root@localhost ~]# which ntpdate
/usr/sbin/ntpdate
编写计划任务,实现自动化同步时间(一分钟执行一次)
crontab -e
-
-
-
-
- /usr/sbin/ntpdate 192.168.xxx.111
-
-
-
查看是否成功
[root@localhost ~]# tail -f /var/log/cron
Apr 23 09:41:01 localhost run-parts(/etc/cron.daily)[3313]: finished logrotate
Apr 23 09:41:01 localhost run-parts(/etc/cron.daily)[3301]: starting man-db.cron
Apr 23 09:41:05 localhost run-parts(/etc/cron.daily)[5888]: finished man-db.cron
Apr 23 09:41:05 localhost anacron[3285]: Job `cron.daily' terminated
Apr 23 09:45:14 localhost crontab[5892]: (root) BEGIN EDIT (root)
Apr 23 09:47:14 localhost crontab[5892]: (root) REPLACE (root)
Apr 23 09:47:14 localhost crontab[5892]: (root) END EDIT (root)
Apr 23 09:48:01 localhost CROND[5906]: (root) CMD (/usr/sbin/ntpdate 192.168.xxx.111)
这样我们的ELK环境搭建完成!(下面就是ELK部署了)
Centos(1):操作 →
安装java环境:
yum -y install java-1.8.0-openjdk
下载elasticsearch安装包并安装
elasticsearch-6.6.0.rpm
rpm -ivh elasticsearch-6.6.0.rpm
修改elasticsearch配置文件
vim /etc/elasticsearch/elasticsearch.yml
cluster.name: ccc
node.name: aaa
network.host: 192.168.xxx.111
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.xxx.111"]
启动elasticsearch服务并设置开机自起:
[root@localhost ~]# systemctl restart elasticsearch
[root@localhost ~]# systemctl enable elasticsearch
Created symlink from /etc/systemd/system/multi-user.target.wants/elasticsearch.service to /usr/lib/systemd/system/elasticsearch.service.
等待 9200,9300端口启动
tcp6 0 0 192.168.xxx.111:9200 ::: LISTEN 6535/java
tcp6 0 0 192.168.xxx.111:9300 ::: LISTEN 6535/java
访问页面是否成功
http://192.168.xxx.111:9200/
Centos(2):操作 →
安装java环境:
yum -y install java-1.8.0-openjdk
下载logstash安装包并安装
rpm -ivh logstash-6.6.0.rpm
配置搜集系统内核日志
vim /etc/logstash/conf.d/syslog.conf
vim /etc/logstash/conf.d/syslog.conf
input {
file {
path => "/var/log/messages"
type => "systemlog"
start_position => "beginning"
stat_interval => "2"
}
}
output {
elasticsearch {
hosts => ["192.168.xxx.111:9200"]
index => "logstash-systemlog-%{+YYYY.MM.dd}"
}
}
启动logstash并设置开机自起
[root@localhost ~]# systemctl restart logstash
[root@localhost ~]# systemctl enable logstash
Created symlink from /etc/systemd/system/multi-user.target.wants/logstash.service to /etc/systemd/system/logstash.service.
等待9600端口启动
[root@localhost ~]# ss -tnl
LISTEN 0 50 ::ffff:127.0.0.1:9600 :::*
测试是否成功
curl -XGET 'localhost:9600/?pretty'
{
"host" : "localhost.localdomain",
"version" : "6.6.0",
"http_address" : "127.0.0.1:9600",
"id" : "8df16d18-b09d-4ccb-a2fc-f470bb48b1e0",
"name" : "localhost.localdomain",
"build_date" : "2019-01-24T12:13:56+00:00",
"build_sha" : "e4390be7e4d511af9d48bc503c9dcc15b03d3bce",
"build_snapshot" : false
}
Centos(1):操作 →
下载kibana安装包并安装
rpm -ivh kibana-6.6.0-x86_64.rpm
修改kibana配置文件
vim /etc/kibana/kibana.yml
server.port: 5601
server.host: "192.168.xxx.111"
elasticsearch.hosts: ["http://192.168.xxx.111:9200"]
启动kibana并设置开机自启
[root@aaa ~]# systemctl restart kibana
[root@aaa ~]# systemctl enable kibana
Created symlink from /etc/systemd/system/multi-user.target.wants/kibana.service to /etc/systemd/system/kibana.service.
等待5601端口启动
[root@aaa ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 192.168.40.111:5601 :
访问页面是否成功
http://192.168.xxx.111:5601/
发现没有索引
解决:
在Centos(2)添加权限
chmod 644 /var/log/messages
这样我们再次刷新页面
我们可以添加索引
这样呢我们的ELK监控系统日志就完成了!