ELK Enterprise Log Analysis System
ELK is the combination of three open-source projects: Elasticsearch, Logstash and Kibana. In real-time data search and analysis the three are usually deployed together, and all of them ended up under the Elastic.co company, hence the abbreviation.
Log processing steps in ELK
- Application service
Produces the logs: a Logger generates log entries and writes them out.
- Logstash
Collects the logs, receiving those produced by the application service over HTTP.
- Elasticsearch
Provides full-text search over the logs.
- Kibana
Provides a graphical interface for Elasticsearch.
ELK in detail
Elasticsearch:
A real-time full-text search and analytics engine that collects, analyses and stores data. It is a scalable distributed system exposing REST and Java APIs for efficient search, built on top of the Apache Lucene search-engine library.
Logstash:
A tool for collecting, analysing and filtering logs. It supports almost any kind of log, including system logs, error logs and custom application logs. It can receive logs from many sources, including syslog, messaging systems (e.g. RabbitMQ) and JMX, and can output data in many ways, including e-mail, websockets and Elasticsearch.
Kibana:
A web-based graphical interface for searching, analysing and visualising the log data stored in Elasticsearch indices. It retrieves data through Elasticsearch's REST interface and lets users not only build custom dashboard views of their own data but also query and filter it in specific ways.
Environment
Host   OS       IP address       Software
node1  CentOS7  192.168.230.133  Elasticsearch/head/Kibana
node2  CentOS7  192.168.230.131  zookeeper/kafka/Logstash
Lab preparation
- Stop the firewall and the system security mechanisms (all three hosts)
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl disable firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@localhost ~]# setenforce 0
[root@localhost ~]# hostnamectl set-hostname node1
[root@localhost ~]# bash
[root@node1 ~]#
- Configure the elasticsearch environment
[root@node1 ~]# vi /etc/hosts
[root@node1 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.230.131 node2
192.168.230.133 node1
[root@node1 ~]# java -version
bash: java: 未找到命令
- Install the JDK 18 dependency
Official download: https://www.oracle.com/java/technologies/downloads/#jdk17-linux
[root@node1 ~]# cd /opt/
[root@node1 opt]# tar xzf jdk-18_linux-x64_bin.tar.gz -C /usr/local/
[root@node1 opt]# cd /usr/local/
[root@node1 local]# mv jdk-18/ java
Configure the JDK 18 environment (append the following lines at the end of the file)
[root@node1 local]# vim /etc/profile
JAVA_HOME=/usr/local/java
PATH=$JAVA_HOME/bin:$PATH
export JAVA_HOME PATH
Reload the profile and check the version
[root@node1 local]# source /etc/profile
[root@node1 local]# java -version
java version "18.0.2" 2022-07-19
Java(TM) SE Runtime Environment (build 18.0.2+9-61)
Java HotSpot(TM) 64-Bit Server VM (build 18.0.2+9-61, mixed mode, sharing)
Deploy the elasticsearch software (node1)
Official download: https://www.elastic.co/cn/downloads/past-releases#elasticsearch
(1) Install the elasticsearch package
Upload elasticsearch-8.3.0-linux-x86_64.tar.gz (download the version you need) to /opt
[root@node1 local]# cd /opt/
[root@node1 opt]# ls
elasticsearch-8.3.0-linux-x86_64.tar.gz
[root@node1 opt]# tar xzf elasticsearch-8.3.0-linux-x86_64.tar.gz -C /usr/local
(2) Edit the main elasticsearch configuration file
Change the following settings (some of them are commented out with #)
[root@node1 opt]# vim /usr/local/elasticsearch-8.3.0/config/elasticsearch.yml
[root@node1 opt]# grep -v "^#" /usr/local/elasticsearch-8.3.0/config/elasticsearch.yml
cluster.name: elk
node.name: elk01
#node.master: true
#node.data: true
path.data: /data/elasticsearch/data
path.logs: /data/elasticsearch/logs
#bootstrap.memory_lock: false
#bootstrap.system_call_filter: false
network.host: 0.0.0.0
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"
(3) Create a user and grant it permissions (some packages create an elasticsearch user automatically; ignore that one and create your own)
[root@node1 local]# useradd ll
[root@node1 local]# echo "1" | passwd --stdin ll
更改用户 ll 的密码 。
passwd:所有的身份验证令牌已经成功更新。
Grant ownership of the installation
[root@node1 local]# chown -R ll:ll /usr/local/elasticsearch-8.3.0/
Create the data and log directories and grant ownership
[root@node1 local]# mkdir -p /data/elasticsearch/data
[root@node1 local]# mkdir -p /data/elasticsearch/logs/
[root@node1 local]# chown -R ll:ll /data/elasticsearch/logs/
[root@node1 local]# chown -R ll:ll /data/elasticsearch/data/
(4) Set the JVM heap size (change -Xms1g to -Xms2g, and -Xmx to match)
[root@node1 local]# vim /usr/local/elasticsearch-8.3.0/config/jvm.options
-Xms2g
-Xmx2g
(5) System tuning (raise the maximum number of memory map areas)
[root@node1 local]# vim /etc/sysctl.conf
vm.max_map_count=262144
vm.swappiness=0
[root@node1 local]# sysctl -p
vm.max_map_count = 262144
vm.swappiness = 0
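As an added example (not from the original post), the following preflight script checks what steps (3) to (5) set up before the unprivileged start: -Xms equal to -Xmx, vm.max_map_count at or above 262144, and the data and log directories owned by the run user. It assumes the user ll and the /data/elasticsearch paths from the page; the jvm.options content is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: preflight checks for steps (3)-(5)
# before Elasticsearch is started as the unprivileged user. Assumes the user "ll"
# and the /data/elasticsearch paths from the page; jvm.options below is constructed.

SAMPLE_OPTS=$(mktemp)
cat > "$SAMPLE_OPTS" <<'EOF'
## -Xms4g   (commented defaults must be ignored)
## -Xmx4g
-Xms2g
-Xmx2g
EOF

# to_mib 2g -> 2048, to_mib 900m -> 900
to_mib() {
    n=${1%[gGmM]}
    case "$1" in *[gG]) echo $((n * 1024)) ;; *) echo "$n" ;; esac
}

# heap_settings FILE: print "Xms Xmx" in MiB, using the last uncommented setting of each
heap_settings() {
    xms=$(grep '^-Xms' "$1" | tail -n1 | sed 's/^-Xms//')
    xmx=$(grep '^-Xmx' "$1" | tail -n1 | sed 's/^-Xmx//')
    echo "$(to_mib "${xms:-0}") $(to_mib "${xmx:-0}")"
}

# preflight JVM_OPTS MAP_COUNT RUN_USER DIR...: print one FAIL line per problem,
# then the number of failures on the last line
preflight() {
    heap=$(heap_settings "$1"); xms=${heap% *}; xmx=${heap#* }
    mapcount=$2; user=$3; shift 3
    fails=0
    [ "$xms" -eq "$xmx" ] || { echo "FAIL: -Xms=${xms}MiB but -Xmx=${xmx}MiB; set both equal"; fails=$((fails + 1)); }
    [ "$mapcount" -ge 262144 ] || { echo "FAIL: vm.max_map_count=$mapcount is below 262144"; fails=$((fails + 1)); }
    for d in "$@"; do
        # owner column of ls -ld; a missing directory yields an empty owner and a FAIL
        owner=$(ls -ld "$d" 2>/dev/null | awk '{print $3}')
        [ "$owner" = "$user" ] || { echo "FAIL: $d is owned by '$owner', not $user"; fails=$((fails + 1)); }
    done
    echo "$fails"
}

# Stand-alone run against the live sysctl value and the page's directories (node1 only)
preflight "$SAMPLE_OPTS" "$(sysctl -n vm.max_map_count 2>/dev/null || echo 0)" ll \
    /data/elasticsearch/data /data/elasticsearch/logs
```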
(6) Start elasticsearch as the unprivileged user
Switch to the unprivileged user and start it
[root@node1 bin]# su ll
[ll@node1 bin]$ pwd
/usr/local/elasticsearch-8.3.0/bin
[ll@node1 bin]$ sh elasticsearch &
[ll@node1 bin]$ sh ./elasticsearch
warning: ignoring JAVA_HOME=/usr/local/java; using bundled JDK
[2022-08-02T04:42:38,653][INFO ][o.e.n.Node ] [node1] version[8.3.0], pid[1420811], build[tar/5b8b981647acdf1ba1d88751646b49d1b461b4cc/2022-06-23T22:48:49.607492124Z], OS[Linux/4.18.0-193.el8.x86_64/amd64], JVM[Oracle Corporation/OpenJDK 64-Bit Server VM/18.0.1.1/18.0.1.1+2-6]
[2022-08-02T04:42:38,674][INFO ][o.e.n.Node ] [node1] JVM home [/usr/local/elasticsearch-8.3.0/jdk], using bundled JDK [true]
[2022-08-02T04:42:38,675][INFO ][o.e.n.Node ] [node1] JVM arguments [-Des.networkaddress.cache.ttl=60, -Des.networkaddress.cache.negative.ttl=10, -Djava.security.manager=allow, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Dlog4j2.formatMsgNoLookups=true, -Djava.locale.providers=SPI,COMPAT, --add-opens=java.base/java.io=ALL-UNNAMED, -Xms2g, -Xmx2g, -XX:+UseG1GC, -Djava.io.tmpdir=/tmp/elasticsearch-17587380676560187067, -XX:+HeapDumpOnOutOfMemoryError, -XX:+ExitOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=logs/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -XX:MaxDirectMemorySize=1073741824, -XX:G1HeapRegionSize=4m, -XX:InitiatingHeapOccupancyPercent=30, -XX:G1ReservePercent=15, -Des.distribution.type=tar, --module-path=/usr/local/elasticsearch-8.3.0/lib, -Djdk.module.main=org.elasticsearch.server]
[2022-08-02T04:42:45,845][INFO ][c.a.c.i.j.JacksonVersion ] [node1] Package versions: jackson-annotations=2.13.2, jackson-core=2.13.2, jackson-databind=2.13.2.2, jackson-dataformat-xml=2.13.2, jackson-datatype-jsr310=2.13.2, azure-core=1.27.0, Troubleshooting version conflicts: https://aka.ms/azsdk/java/dependency/troubleshoot
Error message:
java.lang.IllegalArgumentException: unknown setting [bootstrap.system_call_filter] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
Test access
[root@node1 ~]# curl localhost:9200/
curl: (52) Empty reply from server
This is a permissions issue; change the setting in elasticsearch.yml
[root@node1 ~]# vim /usr/local/elasticsearch-8.3.0/config/elasticsearch.yml
xpack.security.enabled: false   (change true to false)
Restart it and check again
[root@node1 ~]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:9300 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:9200 *:*
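Elasticsearch 8 enables xpack security, including TLS on the HTTP port, by default, which is why the plain-HTTP curl above got an empty reply; with it disabled, port 9200 answers any client without credentials. The following added example (not from the original post) audits an elasticsearch.yml for the settings changed in this walkthrough and writes a tightened copy; it assumes node1's address 192.168.230.133 and the head UI origin on port 9100 from the page, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit the elasticsearch.yml settings
# this walkthrough changes, then emit a copy with the exposed ones tightened.
# Assumes node1's address 192.168.230.133 and the head UI on port 9100 (from the page).

# Constructed sample mirroring the config shown above plus xpack.security.enabled: false
SAMPLE_YML=$(mktemp)
cat > "$SAMPLE_YML" <<'EOF'
cluster.name: elk
node.name: elk01
#bootstrap.memory_lock: false
path.data: /data/elasticsearch/data
network.host: 0.0.0.0
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: false
EOF

# es_findings FILE: print one FINDING line per exposed setting (commented lines ignored)
es_findings() {
    cfg=$(grep -Ev '^[[:space:]]*(#|$)' "$1" || true)
    printf '%s\n' "$cfg" | grep -Eq '^xpack\.security\.enabled:[[:space:]]*false' \
        && echo "FINDING: xpack.security.enabled=false (no auth, no TLS on 9200/9300)"
    printf '%s\n' "$cfg" | grep -Eq '^network\.host:[[:space:]]*0\.0\.0\.0' \
        && echo "FINDING: network.host=0.0.0.0 (listens on every interface)"
    printf '%s\n' "$cfg" | grep -Eq '^http\.cors\.allow-origin:[[:space:]]*"?\*"?' \
        && echo "FINDING: http.cors.allow-origin=* (any web origin may call the REST API)"
    return 0
}

# es_harden FILE BIND_ADDR HEAD_ORIGIN: write a tightened copy to stdout
# (security back on, bind to one address, CORS limited to the head UI origin)
es_harden() {
    sed -e 's/^xpack\.security\.enabled:.*/xpack.security.enabled: true/' \
        -e "s/^network\.host:.*/network.host: $2/" \
        -e "s#^http\.cors\.allow-origin:.*#http.cors.allow-origin: \"$3\"#" "$1"
}

echo "== findings in $SAMPLE_YML =="
es_findings "$SAMPLE_YML"
HARDENED=$(mktemp)
es_harden "$SAMPLE_YML" 192.168.230.133 http://192.168.230.133:9100 > "$HARDENED"
echo "== findings after hardening: $(es_findings "$HARDENED" | grep -c FINDING) =="
```

With security re-enabled the HTTP port speaks TLS again, so the curl check becomes `curl -k -u elastic https://localhost:9200/`.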
(7) Test access
[root@node1 ~]# curl localhost:9200/
{
"name" : "elk01",
"cluster_name" : "elk",
"cluster_uuid" : "bkZze1k7S52pkf1yq-bbHg",
"version" : {
"number" : "8.3.0",
"build_type" : "tar",
"build_hash" : "5b8b981647acdf1ba1d88751646b49d1b461b4cc",
"build_date" : "2022-06-23T22:48:49.607492124Z",
"build_snapshot" : false,
"lucene_version" : "9.2.0",
"minimum_wire_compatibility_version" : "7.17.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "You Know, for Search"
}
Browser view:
(8) If you don't want it running for now, you can force-kill it
[root@node1 ~]# ps -ef | grep elastic
ll 1057349 1 1 18:26 ? 00:02:49 /opt/elasticsearch-8.3.0/jdk/bin/java -Xms4m -Xmx64m -XX:+UseSerialGC -Dcli.name=server -Dcli.script=elasticsearch -Dcli.libs=lib/tools/server-cli -Des.path.home=/opt/elasticsearch-8.3.0 -Des.path.conf=/opt/elasticsearch-8.3.0/config -Des.distribution.type=tar -cp /opt/elasticsearch-8.3.0/lib/*:/opt/elasticsearch-8.3.0/lib/cli-launcher/* org.elasticsearch.launcher.CliToolLauncher
ll 1057564 1057349 18 18:26 ? 00:35:38 /opt/elasticsearch-8.3.0/jdk/bin/java -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -Djava.security.manager=allow -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Dlog4j2.formatMsgNoLookups=true -Djava.locale.providers=SPI,COMPAT --add-opens=java.base/java.io=ALL-UNNAMED -XX:+UseG1GC -Djava.io.tmpdir=/tmp/elasticsearch-17167938705352124055 -XX:+HeapDumpOnOutOfMemoryError -XX:+ExitOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=logs/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Xms900m -Xmx900m -XX:MaxDirectMemorySize=471859200 -XX:G1HeapRegionSize=4m -XX:InitiatingHeapOccupancyPercent=30 -XX:G1ReservePercent=15 -Des.distribution.type=tar --module-path /opt/elasticsearch-8.3.0/lib -m org.elasticsearch.server/org.elasticsearch.bootstrap.Elasticsearch
...
[root@node1 ~]# kill -9 1057349 1057737 1409787 1410067
[root@node1 ~]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
Install the Head plugin (node1)
The Head plugin is implemented in Node.js, so install Node.js first
Official download: https://nodejs.org/en/download/
- Install Node.js
Extract Node.js
[root@node1 ~]# cd /opt/
[root@node1 opt]# tar xf node-v16.16.0-linux-x64.tar.xz -C /usr/local/
Configure the environment (append at the end of the file)
[root@node1 opt]# vim /etc/profile
NODE_HOME=/usr/local/node-v16.16.0-linux-x64
JAVA_HOME=/usr/local/java
PATH=$NODE_HOME/bin:$JAVA_HOME/bin:$PATH
export JAVA_HOME PATH
Note: because node2 was added when the elasticsearch environment was configured, the JDK environment settings must not be removed
Reload the profile and check the versions
[root@node1 opt]# source /etc/profile
[root@node1 opt]# node --version
v16.16.0
[root@node1 opt]# npm -v
8.11.0
Tip: npm is the package manager installed alongside Node.js; it solves many of the problems of deploying Node.js code
- Install git
git is needed to download the head plugin
[root@node1 opt]# cd /usr/local/
[root@node1 local]# yum -y install git
[root@node1 local]# git --version
git version 2.31.1
- Download and install the head plugin
[root@node1 local]# git clone git://github.com/mobz/elasticsearch-head.git
正克隆到 ‘elasticsearch-head’…
fatal: 无法连接到 github.com:
github.com[0: 20.205.243.166]: errno=拒绝连接
I found it wouldn't clone that way, so I pulled it over https instead
[root@node1 local]# git clone https://github.com/mobz/elasticsearch-head.git
正克隆到 'elasticsearch-head'...
remote: Enumerating objects: 4377, done.
remote: Counting objects: 100% (40/40), done.
remote: Compressing objects: 100% (27/27), done.
remote: Total 4377 (delta 12), reused 34 (delta 12), pack-reused 4337
接收对象中: 100% (4377/4377), 2.54 MiB | 1.08 MiB/s, 完成.
处理 delta 中: 100% (2429/2429), 完成.
[root@node1 local]# ls
bin etc harbor java lib64 node-v16.16.0-linux-x64 share
elasticsearch-head games include lib libexec sbin src
[root@node1 local]# cd elasticsearch-head/
Install the dependencies directly:
[root@node1 elasticsearch-head]# npm install
If that fails, switch the npm registry to the domestic Taobao mirror so the download succeeds
[root@node1 elasticsearch-head]# npm install -g cnpm --registry=https://registry.npm.taobao.org
npm WARN config global `--global`, `--local` are deprecated. Use `--location=global` instead.
added 356 packages in 51s
11 packages are looking for funding
run `npm fund` for details
[root@node1 elasticsearch-head]# npm install
Error 1
reify:core-js: WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and n
npm ERR! code 1
Run the following commands
// set the Taobao mirror
[root@node1 elasticsearch-head]# npm config set registry https://registry.npm.taobao.org
// check that it was configured
[root@node1 elasticsearch-head]# npm config get registry
https://registry.npm.taobao.org/
Check the npm version
[root@node1 elasticsearch-head]# npm --version
8.15.1
The version is too new; downgrading to 6.14.13 solved it
[root@node1 elasticsearch-head]# npm install npm@6.14.13 -g
removed 63 packages, and changed 97 packages in 18s
3 packages are looking for funding
run `npm fund` for details
[root@node1 elasticsearch-head]# npm --version
6.14.13
Update core-js
[root@node1 elasticsearch-head]# npm i core-js
Edit the config file (skip this step if ELK runs on a single host; no change is needed then)
[root@node1 elasticsearch-head]# vim Gruntfile.js
connect: {
    server: {
        options: {
            port: 9100,
            base: '.',
            keepalive: true,   // remember to add the comma
            hostname: '*'      // add this line; '*' makes the head server listen on all interfaces
        }
Configure the IP and port of the node1 host (skip this step on a single host); the setting is near line 4388 of _site/app.js
[root@node1 elasticsearch-head]# vim _site/app.js
    base_uri: null
},
init: function(parent) {
    this._super();
    this.prefs = services.Preferences.instance();
    this.base_uri = this.config.base_uri || this.prefs.get("app-base_uri") ||
        "http://192.168.230.133:9200";   // change this to node1's IP and port
    if( this.base_uri.charAt( this.base_uri.length - 1 ) !== "/" ) {
        // XHR request fails if the URL is not ending with a "/"
        this.base_uri += "/";
    }
Run it
[root@node1 elasticsearch-head]# npm run start
> elasticsearch-head@0.0.0 start /usr/local/elasticsearch-head
> grunt server
>> Local Npm module "grunt-contrib-jasmine" not found. Is it installed?
Running "connect:server" (connect) task
Waiting forever...
Started connect web server on http://localhost:9100
Check the listening ports
[root@node1 ~]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:9300 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:9100 *:*
LISTEN 0 128 *:9200 *:*
Browser view: