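(I) What is Beats?
Beats is an open-source agent, from the company behind Elasticsearch, that collects system monitoring data. It can send different types of data directly to Elasticsearch, or send the collected data to Logstash as a relay, which then pushes it on to Elasticsearch. It is still under development. Compared with mature monitoring systems such as Zabbix and Ganglia, its interface looks nicer but its system functionality is still somewhat weak. Once integrated with the Elasticsearch full-text search framework, however, its data query and filtering capabilities are very powerful, so it is very promising. In ELKB, the roles of the components are as follows:
Beats: collects system data; can send it directly to Elasticsearch or relay it through Logstash
Logstash: collects logs and acts as a relay for Beats
Elasticsearch: provides data storage and server-side aggregation
Kibana: provides polished visualizations and serves as a lightweight search client for Elasticsearch
(II) Components of Beats
So far, Elasticsearch provides:
(1) Packetbeat: collects network traffic monitoring data
(2) Topbeat: collects monitoring data similar to the Linux top command
(3) Filebeat: collects log files
(4) Winlogbeat: collects Windows system logs
(5) Custom Beats: if the metrics above do not meet your needs, the company behind Elasticsearch encourages developers to use Go to extend and implement custom Beats. You only need to follow the template and implement the monitoring input, logging, output and so on.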
(III) Basic topology of Beats
(IV) Installation and deployment
Install the Java environment
[root@node1 ~]# rpm -ivh jdk-8u51-linux-x64.rpm
Preparing...                ########################################### [100%]
   1:jdk1.8.0_51            ########################################### [100%]
Unpacking JAR files...
        rt.jar...
        jsse.jar...
        charsets.jar...
        tools.jar...
        localedata.jar...
        jfxrt.jar...
        plugin.jar...
        javaws.jar...
        deploy.jar...
[root@node1 ~]# java -version
java version "1.8.0_51"
Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
Java HotSpot(TM) 64-Bit Server VM (build 25.51-b03, mixed mode)
Install elasticsearch-2.3.4
[root@node1 ~]# tar zxvf elasticsearch-2.3.4.tar.gz -C /usr/local/
elasticsearch-2.3.4/README.textile
elasticsearch-2.3.4/LICENSE.txt
elasticsearch-2.3.4/NOTICE.txt
elasticsearch-2.3.4/modules/
elasticsearch-2.3.4/modules/lang-groovy/
elasticsearch-2.3.4/modules/reindex/
elasticsearch-2.3.4/modules/lang-expression/
elasticsearch-2.3.4/modules/lang-groovy/plugin-security.policy
elasticsearch-2.3.4/modules/lang-groovy/plugin-descriptor.properties
........
Add the elasticsearch user
useradd elasticsearch
Create the log directory and bin directory used when Elasticsearch starts
[root@node1 bin]# mkdir /usr/local/elasticsearch-2.3.4/{logs,bin}
Set ownership:
chown -R elasticsearch:elasticsearch /usr/local/elasticsearch-2.3.4/
Start Elasticsearch
[elasticsearch@node1 bin]$ ./elasticsearch -d
[2016-07-20 11:30:29,413][INFO ][env ] [Jon Spectre] heap size [1007.3mb], compressed ordinary object pointers [true]
[2016-07-20 11:30:29,413][WARN ][env ] [Jon Spectre] max file descriptors [4096] for elasticsearch process likely too low, consider increasing to at least [65536]
[2016-07-20 11:30:33,422][INFO ][node ] [Jon Spectre] initialized
[2016-07-20 11:30:33,423][INFO ][node ] [Jon Spectre] starting ...
[2016-07-20 11:30:33,651][INFO ][transport ] [Jon Spectre] publish_address {127.0.0.1:9300}, bound_addresses {[::1]:9300}, {127.0.0.1:9300}
[2016-07-20 11:30:33,670][INFO ][discovery ] [Jon Spectre] elasticsearch/Rr-U_JhCStexH5Htmj4qKQ
[2016-07-20 11:30:36,795][INFO ][cluster.service ] [Jon Spectre] new_master {Jon Spectre}{Rr-U_JhCStexH5Htmj4qKQ}{127.0.0.1}{127.0.0.1:9300}, reason: zen-disco-join(elected_as_master, [0] joins received)
[2016-07-20 11:30:36,851][INFO ][http ] [Jon Spectre] publish_address {127.0.0.1:9200}, bound_addresses {[::1]:9200}, {127.0.0.1:9200}
[2016-07-20 11:30:36,852][INFO ][node ] [Jon Spectre] started
[2016-07-20 11:30:36,996][INFO ][gateway ] [Jon Spectre] recovered [0] indices into cluster_state
Check that ports 9200 and 9300 are listening
[elasticsearch@node1 logs]$ ss -tanl
State   Recv-Q Send-Q   Local Address:Port       Peer Address:Port
LISTEN  0      50       ::ffff:127.0.0.1:9200    :::*
LISTEN  0      50       ::1:9200                 :::*
LISTEN  0      50       ::ffff:127.0.0.1:9300    :::*
LISTEN  0      50       ::1:9300
At this point, Elasticsearch is installed.
Install Kibana
Installing Kibana is very simple. Download kibana-4.5.3-linux-x64 from the official website.
tar zxvf kibana-4.5.3-linux-x64.tar.gz -C /usr/local/
Start Kibana
[root@node1 bin]# cd /usr/local/kibana-4.5.3-linux-x64/bin
[root@node1 bin]# ./kibana &
[root@node1 bin]# log [12:11:05.529] [info][status][plugin:kibana] Status changed from uninitialized to green - Ready
log [12:11:05.609] [info][status][plugin:elasticsearch] Status changed from uninitialized to yellow - Waiting for Elasticsearch
log [12:11:05.648] [info][status][plugin:kbn_vislib_vis_types] Status changed from uninitialized to green - Ready
log [12:11:05.655] [info][status][plugin:markdown_vis] Status changed from uninitialized to green - Ready
[root@node1 bin]# log [12:11:05.662] [info][status][plugin:metric_vis] Status changed from uninitialized to green - Ready
log [12:11:05.669] [info][status][plugin:spyModes] Status changed from uninitialized to green - Ready
log [12:11:05.683] [info][status][plugin:statusPage] Status changed from uninitialized to green - Ready
log [12:11:05.690] [info][status][plugin:table_vis] Status changed from uninitialized to green - Ready
log [12:11:05.700] [info][listening] Server running at
log [12:11:22.664] [info][status][plugin:elasticsearch] Status changed from yellow to green - Kibana index ready
Check that port 5601 is listening
[root@node1 bin]# ss -tanl
State   Recv-Q Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0      128      *:5601
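
The two listening-port checks (9200 and 9300 for Elasticsearch, 5601 for Kibana) can be scripted so that they also report how each port is bound. This is an added example, not part of the original article: the sample text is constructed from the ss output shown on this page, and the function names are illustrative.

```python
import ipaddress

# Constructed sample: LISTEN lines for ports 9200, 9300 and 5601 as shown on this page.
SS_OUTPUT = """\
State   Recv-Q Send-Q   Local Address:Port       Peer Address:Port
LISTEN  0      50       ::ffff:127.0.0.1:9200    :::*
LISTEN  0      50       ::1:9200                 :::*
LISTEN  0      50       ::ffff:127.0.0.1:9300    :::*
LISTEN  0      50       ::1:9300                 :::*
LISTEN  0      128      *:5601                   *:*
"""

def bind_scope(addr):
    """Classify a listen address as 'loopback', 'all-interfaces' or 'specific'."""
    if addr in ("*", "[::]"):
        return "all-interfaces"
    ip = ipaddress.ip_address(addr.strip("[]"))
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:127.0.0.1 -> 127.0.0.1
    if mapped is not None:
        ip = mapped
    if ip.is_unspecified:                      # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "specific"

def listeners(ss_text):
    """Map port -> set of bind scopes, parsed from `ss -tanl` output."""
    found = {}
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                           # header or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        found.setdefault(int(port), set()).add(bind_scope(addr))
    return found

def check(ss_text, expected=(9200, 9300, 5601)):
    """Return (expected ports not listening, expected ports reachable from other hosts)."""
    found = listeners(ss_text)
    missing = [p for p in expected if p not in found]
    exposed = [p for p in expected if found.get(p, set()) - {"loopback"}]
    return missing, exposed

if __name__ == "__main__":
    print(check(SS_OUTPUT))
```

A port in the second list accepts connections from other hosts. Elasticsearch 2.x and Kibana 4.x have no built-in authentication, so such ports should be limited with a firewall rule or a loopback bind.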
Install the Filebeat component
Download filebeat-1.2.3-x86_64.tar.gz from the official website
[root@node1 ~]# rpm -ivh https://download.elastic.co/beats/filebeat/filebeat-1.2.3-x86_64.rpm
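Configure Filebeat
Filebeat ships with default configuration parameters that suit most scenarios. For the most basic Filebeat configuration, you can define a single prospector with a single path, for example:
# Make sure no file is defined twice as this can lead to unexpected behaviour.
paths:
  - /var/log/*.log
This configuration picks up every file in the /var/log/ directory whose name ends in .log.
To pick up all files in subdirectories, you can set /var/log/*/*.log. This collects only the files ending in .log in the subdirectories of /var/log/, not the .log files in /var/log itself. It also does not recurse into the subdirectories of those subdirectories.
A configuration file can contain multiple prospectors, and multiple paths per prospector, for example:
filebeat:
  prospectors:
    -
      paths:
        - /var/log/system.log
        - /var/log/wifi.log
    -
      paths:
        - "/var/log/apache/*"
This configuration starts two prospectors. The first prospector has two harvesters, one reading system.log and the other reading wifi.log. The second prospector starts a harvester for each file in the /var/log/apache directory.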
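
Because these path patterns do not recurse, a log file one directory deeper is silently left uncollected. The following added example (not part of the original article) lists the .log files that a set of prospector paths misses. It assumes Python's glob behaves like Filebeat's own glob expansion for these patterns, and it runs against a constructed temporary directory tree rather than the real /var/log.

```python
import glob
import os
import tempfile

def covered(root, patterns):
    """Files matched by Filebeat-style path patterns, as paths relative to root."""
    hits = set()
    for pattern in patterns:
        # '*' never crosses a '/' here, so each pattern covers exactly one directory level.
        for path in glob.glob(os.path.join(glob.escape(root), pattern.lstrip("/"))):
            if os.path.isfile(path):           # a glob can also match directories
                hits.add(os.path.relpath(path, root))
    return hits

def uncovered_logs(root, patterns):
    """All *.log files under root that none of the patterns picks up."""
    all_logs = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".log"):
                all_logs.add(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(all_logs - covered(root, patterns))

def build_sample_tree(root):
    """Constructed sample layout standing in for the host's filesystem."""
    for rel in ("var/log/system.log", "var/log/wifi.log",
                "var/log/apache/access.log", "var/log/apache/vhost1/error.log"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

def demo():
    """Coverage gaps for the two patterns discussed above, alone and combined."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {
            "top": uncovered_logs(root, ["/var/log/*.log"]),
            "sub": uncovered_logs(root, ["/var/log/*/*.log"]),
            "both": uncovered_logs(root, ["/var/log/*.log", "/var/log/*/*.log"]),
        }

if __name__ == "__main__":
    for name, missed in demo().items():
        print(name, missed)
```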
Load the index template into Elasticsearch:
[root@node1 ~]# curl -XPUT 'http://192.168.254.15:9200/_template/filebeat?preety' -d@/usr/local/filebeat-1.2.3-x86_64/filebeat.template.json
{"acknowledged":true}
Install the template data for the Kibana dashboards
1, Download: wget http://download.elastic.co/beats/dashboards/beats-dashboards-1.1.1.zip
2, Unpack: unzip beats-dashboards-1.1.1.zip
3, Enter the directory: cd beats-dashboards-1.1.1/
4, Run ./load.sh, or ./load.sh -url http://192.168.254.15:9200, to store the dashboard template configuration data in Elasticsearch
View the log index and dashboards in Kibana
Logs are already being produced.
Install the Packetbeat component:
(A) Install the initial packages
(1) Install the dependency library
sudo yum install libpcap
(2) Download the latest Packetbeat package, packetbeat-1.2.3-x86_64.tar.gz, from the official website
[root@node1 ~]# tar zxvf packetbeat-1.2.3-x86_64.tar.gz -C /usr/local/
packetbeat-1.2.3-x86_64/
packetbeat-1.2.3-x86_64/packetbeat.template.json
packetbeat-1.2.3-x86_64/packetbeat.yml
packetbeat-1.2.3-x86_64/packetbeat
I found that Packetbeat could not be started from the files in the tar package, so I simply installed it from the rpm instead, as follows:
rpm -ivh https://download.elastic.co/beats/packetbeat/packetbeat-1.2.3-x86_64.rpm
(B) Configure the Elasticsearch address, or Logstash (optional), that receives the collected Beats metrics
/etc/packetbeat/packetbeat.yml mainly contains the ports of the monitored services and the port of the Elasticsearch output
(C) Configure the Elasticsearch template
[root@node1 ~]# curl -XPUT 'http://192.168.254.15:9200/_template/packetbeat' -d@/usr/local/packetbeat-1.2.3-x86_64/packetbeat.template.json
{"acknowledged":true}
(D) Start the Packetbeat metrics collection process
/etc/rc.d/init.d/packetbeat start
(E) Check the Elasticsearch index
[root@node1 beats-dashboards-1.1.1]# curl -XGET 'http://192.168.254.15:9200/packetbeat-*/_search?pretty'
The response shows the data that has been collected.
View the packetbeat-* index in Discover
HTTP, Redis, MySQL, MongoDB and other data can also be viewed.
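
The response to the _search query above can be triaged in code rather than read by eye, which is how failed DNS lookups and HTTP errors get picked out of Packetbeat data. This is an added example, not part of the original article: the sample response is constructed, using field names that the query above returns (type, status, client_ip, resource, path, dns.response_code, http.code), and the function names are illustrative.

```python
from collections import Counter

def _hit(**source):
    """Wrap a document the way a search hit wraps it."""
    return {"_index": "packetbeat-2016.07.21", "_type": source["type"], "_source": source}

# Constructed sample shaped like a Packetbeat _search response.
SAMPLE = {"hits": {"total": 4, "hits": [
    _hit(type="dns", status="OK", client_ip="192.168.254.15",
         resource="nginx.org", dns={"response_code": "NOERROR"}),
    _hit(type="dns", status="Error", client_ip="192.168.254.15",
         resource="node1.localhost", dns={"response_code": "NXDOMAIN"}),
    _hit(type="http", status="OK", client_ip="192.168.254.88",
         path="/icons/poweredby.png", http={"code": 200}),
    _hit(type="http", status="Error", client_ip="192.168.254.88",
         path="/favicon.ico", http={"code": 404}),
]}}

def summarize(response):
    """Count transactions per (type, status) and list the failed ones."""
    counts, failures = Counter(), []
    for hit in response.get("hits", {}).get("hits", []):
        src = hit.get("_source", {})
        kind = src.get("type", "unknown")
        status = src.get("status", "unknown")
        counts[(kind, status)] += 1
        if status != "Error":
            continue
        if kind == "dns":      # failed lookup: keep the name and the response code
            target, detail = src.get("resource"), src.get("dns", {}).get("response_code")
        elif kind == "http":   # error response: keep the path and the status code
            target, detail = src.get("path"), src.get("http", {}).get("code")
        else:                  # other protocols: fall back to the raw query string
            target, detail = src.get("query"), None
        failures.append((kind, src.get("client_ip"), target, detail))
    return counts, failures

if __name__ == "__main__":
    counts, failures = summarize(SAMPLE)
    for key, n in sorted(counts.items()):
        print(key, n)
    for row in failures:
        print("FAILED", row)
```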
Install the Topbeat component
(A) Install the initial package
[root@node1 ~]# rpm -ivh topbeat-1.2.3-x86_64.rpm
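(B) Configure the Elasticsearch address, or Logstash (optional), that receives the collected Beats metrics
[root@node1 ~]# vim /etc/topbeat/topbeat.yml
input:
  period: 10
  procs: [".*"]
  stats:
    system: true
    proc: true
    filesystem: true
output:
  elasticsearch:
    hosts: ["localhost:9200"]
shipper:
logging:
  files:
The period option defines how often data is collected; the default is 10 seconds.
The procs option defines regular expressions that match the processes you want to monitor. By default, all running processes are monitored.
If you do not want to monitor processes, you can do this:
input:
  period: 10
  procs: ["^$"]
(C) Configure the Elasticsearch template
# curl -XPUT 'http://192.168.254.15:9200/_template/topbeat' -d@/etc/topbeat/topbeat.template.json
{"acknowledged":true}
Run Topbeat
[root@node1 ~]# /etc/init.d/topbeat start
Starting topbeat: [确定]
View the Kibana dashboard: the server's CPU, processes, idle rate, disk usage and other data are all there.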