ELFK
E:elasticsearch -- 高性能,近实时的,分布式搜索引擎数据库
L:logstash -- 启动慢
F:filebeat -- 轻,比logstash启动快的多
K:kibana -- 基于浏览器的可视化/查询界面(本文监听 5601 端口),本身不采集也不存储数据
ELFK功能
E:elasticsearch 存储数据
L:logstash 收集信息、过滤转发
F:filebeat 收集日志、信息(轻量级采集端,装在产生日志的机器上;本文配置为直接写入 elasticsearch)
K:kibana 从es里提取数据并画图展示、按条件搜索
网站架构
负载均衡代理:Nginx haproxy
Web服务器:Nginx Tomcat PHP
存储层:NFS local本地
缓存/消息队列:Redis kafka/zookeeper
DB层:MySQL Redis MongoDB elasticsearch
基础环境:JAVA
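# Base environment for the EFK host (CentOS/RHEL 7 with firewalld and SELinux, judging
# by the commands used in these notes).
#
# SECURITY NOTE: the original notes stopped firewalld and disabled SELinux outright.
# Nothing in this stack needs that. Elasticsearch (9200), elasticsearch-head (9100) and
# Kibana (5601) all run here with no authentication and no TLS, so the host firewall is
# the only thing deciding who can reach them. Keep firewalld running and open only the
# ports that are actually used; keep SELinux enforcing (if a service fails to start,
# look at `ausearch -m avc -ts recent` rather than disabling it).
systemctl enable --now firewalld.service
# NOTE(review): tighten these further to the admin/LAN source range that really needs
# access, e.g. with a rich rule (--add-rich-rule='rule family=ipv4 source address=<cidr> port port=9200 protocol=tcp accept').
firewall-cmd --permanent --add-port=9100/tcp   # elasticsearch-head UI
firewall-cmd --permanent --add-port=9200/tcp   # Elasticsearch HTTP API
firewall-cmd --permanent --add-port=5601/tcp   # Kibana
firewall-cmd --reload
# SELinux is intentionally left enforcing (the original set SELINUX=disabled + setenforce 0).

yum install -y git nodejs npm openssl screen java-1.8.0-openjdk.x86_64
# Sync the clock once: timestamps and the monthly index names (%{+yyyy.MM}) depend on it.
# NOTE(review): the original host was "tima1.aliyun.com", which does not resolve; assumed
# to be a typo for time1.aliyun.com — confirm before relying on it.
ntpdate time1.aliyun.com

# cnpm is a client for the Taobao npm mirror. Pulling the global tool and every head
# dependency through a third-party mirror is a supply-chain trust decision; use the
# official registry if the host can reach it.
# NOTE(review): registry.npm.taobao.org has since been retired in favour of
# registry.npmmirror.com — verify the mirror URL still works before running this.
npm install -g cnpm --registry=https://registry.npm.taobao.org
cd /opt/

# Fetch elasticsearch-head over HTTPS. git:// is unauthenticated and unencrypted, so a
# network attacker can hand you a modified tree that then runs as a web app on this host.
# NOTE(review): the upstream project is mobz/elasticsearch-head; the original notes said
# "modz", which looks like a typo — a look-alike repository name is a classic
# supply-chain trap, so double-check the owner before cloning.
git clone https://github.com/mobz/elasticsearch-head.git
# The original ran `cnpm install` from /opt, i.e. outside the clone, which installs
# nothing useful; the package.json lives inside the repository directory.
cd /opt/elasticsearch-head
cnpm install

# Start head in a detached screen session named es-head (equivalent to the original
# interactive `screen -S es-head`, `cnpm run start`, Ctrl+A D sequence, but scriptable).
# NOTE(review): head's dev server listens on all interfaces and has no authentication;
# it is a browser-side admin console for the cluster, so do not leave it running longer
# than needed and keep 9100 firewalled to admin hosts.
screen -dmS es-head cnpm run start
# Re-attach later with: screen -r es-head

# Confirm the listening port (9100 is head's default).
ss -lntup | grep ':9100'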
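# Upload elasticsearch-6.6.0.rpm to the host first.
# Verify the package signature before installing: the RPM's scripts run as root, so an
# unsigned or tampered package is full host compromise. This needs the vendor's public
# signing key imported beforehand (rpm --import <key file obtained from Elastic>);
# do not continue unless the check reports the signature as OK.
rpm -K elasticsearch-6.6.0.rpm
rpm -ivh elasticsearch-6.6.0.rpm
# Print the effective (non-comment, non-blank) configuration; the expected content follows.
egrep -v '#|^$' /etc/elasticsearch/elasticsearch.yml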
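node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
# Requires LimitMEMLOCK=infinity on the service, otherwise the node refuses to start.
bootstrap.memory_lock: true
# Bound to the LAN address and loopback. Elasticsearch 6.6 as installed here has no
# authentication and no TLS on 9200: anyone who can reach 10.0.0.230:9200 can read,
# write and delete every index. The port must stay firewalled to admin hosts only.
network.host: 10.0.0.230,127.0.0.1
http.port: 9200
# CORS is only needed so the elasticsearch-head UI (served from port 9100) can call the
# API from the browser. The original used "*", which lets ANY web page an admin happens
# to visit send requests to this unauthenticated cluster from their browser. Allow only
# the origin head is actually served from.
# NOTE(review): adjust host/port if head runs somewhere other than this host's 9100.
http.cors.enabled: true
http.cors.allow-origin: "http://10.0.0.230:9100"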
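# bootstrap.memory_lock: true needs the service's memlock limit raised.
# Put it in a systemd drop-in instead of editing /usr/lib/systemd/system/elasticsearch.service
# in place (as the original did): the packaged unit file is overwritten on every RPM
# upgrade, which would silently drop the setting and break the next start.
mkdir -p /etc/systemd/system/elasticsearch.service.d
cat > /etc/systemd/system/elasticsearch.service.d/override.conf <<'EOF'
[Service]
LimitMEMLOCK=infinity
EOF
# systemd only re-reads unit files and drop-ins after a daemon-reload (missing in the original).
systemctl daemon-reload
systemctl start elasticsearch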
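# Verify the package signature before installing (same rationale as for the
# Elasticsearch RPM: the package installs and runs as root). Needs the vendor key imported.
rpm -K filebeat-6.6.0.rpm
rpm -ivh filebeat-6.6.0.rpm
# Full configuration used in this guide follows.
cat /etc/filebeat/filebeat.yml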
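# Filebeat inputs
filebeat.inputs:
  # Nginx access log, written as one JSON object per line by the nginx log_format.
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/access.log
    # Decode each line as JSON and lift its keys to the top level of the event.
    json.keys_under_root: true
    # Let keys from the log line replace Filebeat's own fields of the same name.
    # NOTE(review): parts of each line are attacker-controlled (User-Agent, Referer,
    # request line, X-Forwarded-For). Unless nginx JSON-escapes those values
    # (log_format ... escape=json), a crafted request can break the line or inject
    # extra keys, and with overwrite_keys those keys are trusted over Filebeat's own.
    json.overwrite_keys: true
    # Keep lines that are not valid JSON (they stay in `message` with an error field)
    # instead of losing them silently; this is also how you notice injection attempts.
    json.add_error_key: true
    tags: ["access"]
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/error.log
    tags: ["error"]

# Kibana address (used by `filebeat setup` to load dashboards)
setup.kibana:
  host: "10.0.0.230:5601"

# Elasticsearch output. Plain HTTP, no credentials: the cluster in this guide has no
# authentication, so confidentiality and integrity of shipped logs rely entirely on
# the network path between this host and 10.0.0.230 being trusted.
output.elasticsearch:
  hosts: ["10.0.0.230:9200"]
  indices:
    # Events tagged "access" go to this index
    - index: "nginx_access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "access"
    # Events tagged "error" go to this index
    - index: "nginx_error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "error"

# Custom index names require setup.template.name/pattern to be set. Template loading
# itself is disabled here, so setup.template.overwrite has no effect in this setup.
setup.template.name: "nginx"
setup.template.pattern: "nginx_*"
setup.template.enabled: false
setup.template.overwrite: true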
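systemctl start filebeat
# Verify the package signature before installing (same rationale as for the
# Elasticsearch RPM). Needs the vendor key imported.
rpm -K kibana-6.6.0.rpm
rpm -ivh kibana-6.6.0.rpm
# Print the effective (non-comment, non-blank) configuration; the expected content follows.
egrep -v '#|^$' /etc/kibana/kibana.yml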
server.port: 5601
# Listening on the LAN address. Kibana 6.6 as configured here has no login and no TLS,
# and its Dev Tools console gives full API access to the cluster behind it, so anyone who
# can reach 10.0.0.230:5601 can read and modify all indexed data. Keep the port
# firewalled to admin hosts, or put an authenticating reverse proxy in front of it.
server.host: "10.0.0.230"
# Plain HTTP to Elasticsearch, no credentials (the cluster has no authentication enabled).
elasticsearch.hosts: ["http://10.0.0.230:9200"]
# Kibana takes a while to become ready; confirm it is listening with: ss -lntp | grep ':5601'
systemctl start kibana.service
将nginx和tomcat等服务的日志格式修改为JSON格式有利于EFK对日志的收集,也有利于运维人员精准查询。注意日志里的 User-Agent、Referer、请求行等字段由客户端控制,必须做 JSON 转义,否则一个带引号的请求就能破坏整行 JSON 或伪造字段。
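# Switch the access log to JSON: add the log_format/access_log lines shown below to the
# http {} block of nginx.conf.
vim /etc/nginx/nginx.conf
# Validate and reload so the new format actually takes effect (the original stopped after
# editing). A syntax error in the log_format would otherwise only surface at the next restart.
nginx -t && systemctl reload nginx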
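# JSON access log consumed by Filebeat (json.keys_under_root).
# `escape=json` (nginx >= 1.11.8) backslash-escapes quotes, backslashes and control
# characters in every variable. Without it — as in the original — client-controlled
# values ($request, $http_referer, $http_user_agent, $http_x_forwarded_for) can carry a
# literal `"` that breaks the line or injects arbitrary keys (a forged "status", a fake
# "remote_addr"), and Filebeat indexes whatever results. $status and $body_bytes_sent are
# always numeric, so they are left unquoted on purpose.
log_format json escape=json '{ "time_local": "$time_local", '
    '"remote_addr": "$remote_addr", '
    '"referer": "$http_referer", '
    '"request": "$request", '
    '"status": $status, '
    '"bytes": $body_bytes_sent, '
    '"agent": "$http_user_agent", '
    # X-Forwarded-For is whatever the client sent; only trust it behind a proxy you control.
    '"x_forwarded": "$http_x_forwarded_for", '
    '"up_addr": "$upstream_addr",'
    '"up_host": "$upstream_http_host",'
    '"upstream_time": "$upstream_response_time",'
    '"request_time": "$request_time"' '}';
access_log /var/log/nginx/access.log json;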
# Edit the AccessLogValve pattern in Tomcat's server.xml (snippet below). Tomcat must be
# restarted afterwards for the new log format to apply; how it is restarted depends on how
# this /data/tomcat instance is managed (not shown here).
[root@efk1 ~]# vim /data/tomcat/conf/server.xml
# Tomcat 站点目录下的 server.xml,修改 AccessLogValve 元素的 pattern 属性(原文第 139 行;该 Valve 元素的其余部分未在此处列出)
# 注意:pattern 属性值本身已用英文双引号包住,JSON 里的引号必须写成 XML 实体 &quot;(例如 {&quot;clientip&quot;:&quot;%h&quot;,...}),不能像下面这样使用全角引号 ",否则日志输出的不是合法 JSON,filebeat 无法按 JSON 解析;同样,%r、%{Referer}i、%{User-Agent}i 等字段由客户端控制,需确认 Tomcat 对其做了转义
pattern="{"clientip":"%h","ClientUser":"%l","authenticated":"%u","AccessTime":"%t","method":"%r","status":"%s","SendBytes":"%b","Query?string":"%q","partner":"%{Referer}i","AgentVersion":"%{User-Agent}i"}"/>