镜缘浮影 小人本住在 苏州的城外 家里有屋又有田 生活乐无边

ELK 搭建

2015-12-22
wilmosfang
原文地址 http://soft.dog/2015/12/22/elk-basic/

前言

ELK是三个开源软件的缩写,分别表示:Elasticsearch , Logstash, Kibana , 它们都是开源软件

  • Elasticsearch 是一个分布式搜索分析引擎,稳定、可水平扩展、易于管理是它的主要设计初衷

  • Logstash 是一个灵活的数据收集、加工和传输的管道软件

  • Kibana 是一个数据可视化平台,可以通过将数据转化为酷炫而强大的图像而实现与数据的交互

将三者的收集加工,存储分析和可视转化整合在一起就形成了 ELK

相关产品的详细信息可以参考 官网 ,下面分享一下 ELK 的搭建与基础操作,详细可以参阅 官方文档

Tip: 三个软件当前的最新版本分别为 Logstash 2.1.1 , Kibana 4.3.1 , Elasticsearch 2.1.1


概要


依赖

  • Elasticsearch requires at least Java 7

Elasticsearch requires at least Java 7. Specifically as of this writing, it is recommended that you use the Oracle JDK version 1.8.0_25. Java installation varies from platform to platform so we won’t go into those details here. Oracle’s recommended installation documentation can be found on Oracle’s website. Suffice to say, before you install Elasticsearch, please check your Java version first by running (and then install/upgrade accordingly if needed)

  • Logstash requires Java 7

Logstash requires Java 7 or later. Use the official Oracle distribution or an open-source distribution such as OpenJDK.

  • Kibana 4.3.1 requires Elasticsearch 2.1

检查java版本

[root@h102 ELK]# java -version
java version "1.7.0_65"
OpenJDK Runtime Environment (rhel-2.5.1.2.el6_5-x86_64 u65-b17)
OpenJDK 64-Bit Server VM (build 24.65-b04, mixed mode)
[root@h102 ELK]# 

符合要求


下载

elastic 所有软件的 下载地址

创建仓库

[root@h102 ELK]# vim /etc/yum.repos.d/elk.repo 
[root@h102 ELK]# cat /etc/yum.repos.d/elk.repo 
[logstash-2.1]
name=Logstash repository for 2.1.x packages
baseurl=http://packages.elastic.co/logstash/2.1/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
[elasticsearch-2.x]
name=Elasticsearch repository for 2.x packages
baseurl=http://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
[root@h102 ELK]# 

导入GPG校验密钥

[root@h102 ELK]# wget  https://packages.elastic.co/GPG-KEY-elasticsearch
--2015-12-22 17:40:51--  https://packages.elastic.co/GPG-KEY-elasticsearch
Resolving packages.elastic.co... 50.16.251.137, 50.17.224.164, 23.21.65.76, ...
Connecting to packages.elastic.co|50.16.251.137|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1768 (1.7K) [binary/octet-stream]
Saving to: “GPG-KEY-elasticsearch”

100%[======================================>] 1,768       --.-K/s   in 0s      

2015-12-22 17:41:03 (143 MB/s) - “GPG-KEY-elasticsearch” saved [1768/1768]

[root@h102 ELK]# rpm --import GPG-KEY-elasticsearch 
[root@h102 ELK]# echo $?
0
[root@h102 ELK]#

下载软件

[root@h102 ELK]# yumdownloader elasticsearch logstash 
Loaded plugins: dellsysid, fastestmirror, refresh-packagekit
Loading mirror speeds from cached hostfile
 * base: mirrors.opencas.cn
 * epel: mirrors.opencas.cn
 * extras: ftp.sjtu.edu.cn
 * updates: ftp.sjtu.edu.cn
elasticsearch-2.1.1.rpm                                                                                        |  28 MB     01:39  
logstash-2.1.1-1.noarch.rpm                                                                                    |  71 MB     02:50      
[root@h102 ELK]# wget https://download.elastic.co/kibana/kibana/kibana-4.3.1-linux-x64.tar.gz
--2015-12-22 17:42:45--  https://download.elastic.co/kibana/kibana/kibana-4.3.1-linux-x64.tar.gz
Resolving download.elastic.co... 50.16.251.137, 50.17.224.164, 23.21.65.76, ...
Connecting to download.elastic.co|50.16.251.137|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 30408272 (29M) [application/octet-stream]
Saving to: “kibana-4.3.1-linux-x64.tar.gz”

100%[============================================================================================>] 30,408,272  15.6K/s   in 20m 39s 

2015-12-22 18:03:36 (24.0 KB/s) - “kibana-4.3.1-linux-x64.tar.gz” saved [30408272/30408272]

[root@h102 ELK]# 

进行校验

[root@h102 ELK]# sha1sum * 
c2b6831386d926ad29f0e1abfcb8ae11f5505084  elasticsearch-2.1.1.rpm
84462fee86fc70185a9e83da42e78c2d57ef0985  GPG-KEY-elasticsearch
115ba22882df75eb5f07330b7ad8781a57569b00  kibana-4.3.1-linux-x64.tar.gz
a72ccab73566e52e61d6dcedf14c14e10257b243  logstash-2.1.1-1.noarch.rpm
[root@h102 ELK]# 

Tip: 之所以选择下载,而不是直接安装是为了避免重复安装的重复下载问题,这几个包都比较大,相对比较耗费带宽,网络如出问题,也容易前功尽弃


安装

安装elasticsearch

[root@h102 ELK]# rpm -ivh elasticsearch-2.1.1.rpm  
Preparing...                ########################################### [100%]
Creating elasticsearch group... OK
Creating elasticsearch user... OK
   1:elasticsearch          ########################################### [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using chkconfig
 sudo chkconfig --add elasticsearch
### You can start elasticsearch service by executing
 sudo service elasticsearch start
[root@h102 ELK]# chkconfig --add elasticsearch
[root@h102 ELK]# chkconfig  --list | grep elasticsearch
elasticsearch  	0:off	1:off	2:on	3:on	4:on	5:on	6:off 
[root@h102 ELK]# /etc/init.d/elasticsearch start 
Starting elasticsearch:                                    [  OK  ]
[root@h102 ELK]# ps faux | grep java 
root      8794  0.0  0.0 103256   828 pts/1    S+   19:31   0:00          \_ grep java
488       8738 91.3 12.4 2526348 238520 ?      Sl   19:31   0:21 /usr/bin/java -Xms256m -Xmx1g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:+DisableExplicitGC -Dfile.encoding=UTF-8 -Djna.nosys=true -Des.path.home=/usr/share/elasticsearch -cp /usr/share/elasticsearch/lib/elasticsearch-2.1.1.jar:/usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch start -p /var/run/elasticsearch/elasticsearch.pid -d -Des.default.path.home=/usr/share/elasticsearch -Des.default.path.logs=/var/log/elasticsearch -Des.default.path.data=/var/lib/elasticsearch -Des.default.path.conf=/etc/elasticsearch
[root@h102 ELK]# netstat  -ant | grep 9200
tcp        0      0 ::1:9200                    :::*                        LISTEN      
tcp        0      0 ::ffff:127.0.0.1:9200       :::*                        LISTEN       
[root@h102 ELK]# netstat  -ant | grep 9300
tcp        0      0 ::1:9300                    :::*                        LISTEN      
tcp        0      0 ::ffff:127.0.0.1:9300       :::*                        LISTEN      
[root@h102 ELK]# curl localhost:9200/_cat/health?v
epoch      timestamp cluster       status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent 
1450783966 19:32:46  elasticsearch green           1         1      0   0    0    0        0             0                  -                100.0% 
[root@h102 ELK]# curl localhost:9200/_cat/nodes?v
host      ip        heap.percent ram.percent load node.role master name 
127.0.0.1 127.0.0.1           12          70 0.09 d         *      Pyre 
[root@h102 ELK]# curl 'localhost:9200/_cat/allocation?v'
shards disk.indices disk.used disk.avail disk.total disk.percent host      ip        node 
     0           0b    24.9gb     24.1gb       49gb           50 127.0.0.1 127.0.0.1 Pyre 
[root@h102 ELK]#

安装kibana

准确来说,只用解压就可以了

[root@h102 ELK]# ls
elasticsearch-2.1.1.rpm  GPG-KEY-elasticsearch  kibana-4.3.1-linux-x64.tar.gz  logstash-2.1.1-1.noarch.rpm
[root@h102 ELK]# tar -zxvf kibana-4.3.1-linux-x64.tar.gz 
kibana-4.3.1-linux-x64/
kibana-4.3.1-linux-x64/bin/
kibana-4.3.1-linux-x64/config/
kibana-4.3.1-linux-x64/installedPlugins/
kibana-4.3.1-linux-x64/LICENSE.txt
kibana-4.3.1-linux-x64/node/
kibana-4.3.1-linux-x64/node_modules/
kibana-4.3.1-linux-x64/optimize/
kibana-4.3.1-linux-x64/package.json
kibana-4.3.1-linux-x64/README.txt
kibana-4.3.1-linux-x64/src/
...
...
kibana-4.3.1-linux-x64/node/bin/node
kibana-4.3.1-linux-x64/node/bin/npm
kibana-4.3.1-linux-x64/config/kibana.yml
kibana-4.3.1-linux-x64/bin/kibana
kibana-4.3.1-linux-x64/bin/kibana.bat
[root@h102 ELK]# ls
elasticsearch-2.1.1.rpm  GPG-KEY-elasticsearch  kibana-4.3.1-linux-x64  kibana-4.3.1-linux-x64.tar.gz  logstash-2.1.1-1.noarch.rpm
[root@h102 ELK]# cd kibana-4.3.1-linux-x64/config/
[root@h102 config]# ls
kibana.yml
[root@h102 config]# grep -v "^#" kibana.yml  | grep -v "^$"
[root@h102 config]# vim kibana.yml 
[root@h102 config]# grep -v "^#" kibana.yml  | grep -v "^$"
elasticsearch.url: "http://localhost:9200"
[root@h102 config]# cd ../bin/
[root@h102 bin]# ls
kibana  kibana.bat
[root@h102 bin]# ./kibana  
  log   [19:56:19.616] [info][status][plugin:kibana] Status changed from uninitialized to green - Ready
  log   [19:56:19.956] [info][status][plugin:elasticsearch] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [19:56:20.002] [info][status][plugin:kbn_vislib_vis_types] Status changed from uninitialized to green - Ready
  log   [19:56:20.054] [info][status][plugin:markdown_vis] Status changed from uninitialized to green - Ready
  log   [19:56:20.074] [info][status][plugin:metric_vis] Status changed from uninitialized to green - Ready
  log   [19:56:20.137] [info][status][plugin:spyModes] Status changed from uninitialized to green - Ready
  log   [19:56:20.163] [info][status][plugin:statusPage] Status changed from uninitialized to green - Ready
  log   [19:56:20.179] [info][status][plugin:table_vis] Status changed from uninitialized to green - Ready
  log   [19:56:20.269] [info][listening] Server running at http://0.0.0.0:5601
  log   [19:56:25.445] [info][status][plugin:elasticsearch] Status changed from yellow to yellow - No existing Kibana index found
  log   [19:56:34.094] [info][status][plugin:elasticsearch] Status changed from yellow to green - Kibana index ready
  log   [19:58:01.906] [error][status][plugin:elasticsearch] Status changed from green to red - Request Timeout after 1500ms
  log   [19:58:04.434] [info][status][plugin:elasticsearch] Status changed from red to green - Kibana index ready
...
...

配置目录和命令目录

[root@h102 kibana-4.3.1-linux-x64]# tree bin/ config/
bin/
├── kibana
└── kibana.bat
config/
└── kibana.yml

0 directories, 3 files
[root@h102 kibana-4.3.1-linux-x64]#

配置很简单,只用解注 config/kibana.yml 中这一行 elasticsearch.url: “http://localhost:9200”

启动也很简单,只用执行 bin/kibana 就可以在前台运行

由于 kibana 启动后默认会开启 5601 端口,所以如果想从外面访问,得开启防火墙


开启防火墙

[root@h102 ~]# grep 5601 /etc/sysconfig/iptables
[root@h102 ~]# vim /etc/sysconfig/iptables
[root@h102 ~]# grep 5601 /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5601 -j ACCEPT 
[root@h102 ~]# iptables -L -nv | grep 5601
[root@h102 ~]# /etc/init.d/iptables  reload 
iptables: Trying to reload firewall rules:                 [  OK  ]
[root@h102 ~]# iptables -L -nv | grep 5601
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:5601 
[root@h102 ~]# 

此时已经可以进行访问了

kibana.png

但由于ES里没有数据,所以显示不出什么


安装logstash

[root@h102 ELK]# rpm -ivh logstash-2.1.1-1.noarch.rpm 
Preparing...                ########################################### [100%]
   1:logstash               ########################################### [100%]
[root@h102 ELK]# echo $?
0
[root@h102 ELK]# 

默认情况下 logstash 被安装到了 /opt/logstash/

[root@h102 ~]# ll /opt/logstash/
total 148
drwxr-xr-x 2 logstash logstash  4096 Dec 22 20:25 bin
-rw-rw-r-- 1 logstash logstash 97345 Dec  8 02:04 CHANGELOG.md
-rw-rw-r-- 1 logstash logstash  2249 Dec  8 02:04 CONTRIBUTORS
-rw-rw-r-- 1 logstash logstash  3771 Dec  8 02:04 Gemfile
-rw-rw-r-- 1 logstash logstash 21837 Dec  8 02:04 Gemfile.jruby-1.9.lock
drwxr-xr-x 4 logstash logstash  4096 Dec 22 20:25 lib
-rw-rw-r-- 1 logstash logstash   589 Dec  8 02:04 LICENSE
-rw-rw-r-- 1 logstash logstash   149 Dec  8 02:04 NOTICE.TXT
drwxr-xr-x 4 logstash logstash  4096 Dec 22 20:25 vendor
[root@h102 ~]# tree /opt/logstash/bin/
/opt/logstash/bin/
├── logstash
├── logstash.bat
├── logstash.lib.sh
├── plugin
├── plugin.bat
├── rspec
├── rspec.bat
└── setup.bat

0 directories, 8 files
[root@h102 ~]# 

logstash的简单测试

[root@h102 ELK]# /opt/logstash/bin/logstash -e 'input { stdin { } } output { stdout {} }'
Settings: Default filter workers: 1
Logstash startup completed
simple test
2015-12-22T12:30:32.996Z h102.temp simple test
getting started with logstash
2015-12-22T12:30:48.264Z h102.temp getting started with logstash
hello example
2015-12-22T12:31:08.384Z h102.temp hello example
...
...

输完以上命令后,要稍等一下, Logstash startup completed 字样出现后,才表示 logstash 已经启动,之后的输入,才会获得相应响应

Tip: The -e flag enables you to specify a configuration directly from the command line. Specifying configurations at the command line lets you quickly test configurations without having to edit a file between iterations. This pipeline takes input from the standard input, stdin , and moves that input to the standard output, stdout, in a structured format .

此时系统中多了一个给 logstash 用的java进程

[root@h102 ~]# ps  faux | grep java
root     34241 26.4  8.5 2506504 164332 pts/0  Sl+  20:28   0:53  |       \_ /usr/bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -Xmx1g -Xss2048k -Djffi.boot.library.path=/opt/logstash/vendor/jruby/lib/jni -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/opt/logstash/heapdump.hprof -Xbootclasspath/a:/opt/logstash/vendor/jruby/lib/jruby.jar -classpath : -Djruby.home=/opt/logstash/vendor/jruby -Djruby.lib=/opt/logstash/vendor/jruby/lib -Djruby.script=jruby -Djruby.shell=/bin/sh org.jruby.Main --1.9 /opt/logstash/lib/bootstrap/environment.rb logstash/runner.rb agent -e input { stdin { } } output { stdout {} }
root     34356  0.0  0.0 103256   828 pts/2    S+   20:32   0:00          \_ grep java
488       8738  2.3 14.8 2527948 284032 ?      Sl   19:31   1:26 /usr/bin/java -Xms256m -Xmx1g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:+DisableExplicitGC -Dfile.encoding=UTF-8 -Djna.nosys=true -Des.path.home=/usr/share/elasticsearch -cp /usr/share/elasticsearch/lib/elasticsearch-2.1.1.jar:/usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch start -p /var/run/elasticsearch/elasticsearch.pid -d -Des.default.path.home=/usr/share/elasticsearch -Des.default.path.logs=/var/log/elasticsearch -Des.default.path.data=/var/lib/elasticsearch -Des.default.path.conf=/etc/elasticsearch
[root@h102 ~]#

logstash的配置文件

[root@h102 etc]# vim logstash-simple.conf
[root@h102 etc]# cat logstash-simple.conf 
input {stdin{}}
output {
	stdout {codec => rubydebug}
} 
[root@h102 etc]# /opt/logstash/bin/logstash -f logstash-simple.conf --configtest
Configuration OK
[root@h102 etc]# time /opt/logstash/bin/logstash -f logstash-simple.conf --configtest
Configuration OK

real	0m18.992s
user	0m32.038s
sys	0m1.425s
[root@h102 etc]# 

使用 --configtest 参数可以对配置文件进行检查,但感觉这么点内容,要花这么长时间,有点不可思议

(相较而言Nginx的检查就在一瞬间,是由于JVM的启停么,专门为检查配置写个脚本也要不了多少代码吧)

检查好后,可以使用 -f 直接运行了

[root@h102 etc]# /opt/logstash/bin/logstash -f logstash-simple.conf
Settings: Default filter workers: 1
Logstash startup completed
simple test
{
       "message" => "simple test",
      "@version" => "1",
    "@timestamp" => "2015-12-22T13:10:11.729Z",
          "host" => "h102.temp"
}
getting started with logstash
{
       "message" => "getting started with logstash",
      "@version" => "1",
    "@timestamp" => "2015-12-22T13:10:34.294Z",
          "host" => "h102.temp"
}
hello example
{
       "message" => "hello example",
      "@version" => "1",
    "@timestamp" => "2015-12-22T13:10:39.486Z",
          "host" => "h102.temp"
}
...
...

效果还是很明显的,有了格式化的输出

basic_logstash_pipeline.png

Tip: A Logstash pipeline has two required elements, input and output , and one optional element, filter . The input plugins consume data from a source, the filter plugins modify the data as you specify, and the output plugins write the data to a destination.

退出运行

使用 Ctrl+C 退出 logstash

...
...
^CSIGINT received. Shutting down the pipeline. {:level=>:warn}

Logstash shutdown completed
[root@h102 ELK]# 

使用 Ctrl+D 退出 logstash

...
...
Logstash shutdown completed
[root@h102 etc]# 

数据存到Elasticsearch

[root@h102 etc]# vim  logstash-es-simple.conf
[root@h102 etc]# cat logstash-es-simple.conf 
input {stdin{}}
output {
	elasticsearch {hosts=>"localhost:9200"}
	stdout {codec=>rubydebug}
}
[root@h102 etc]# 
[root@h102 etc]# /opt/logstash/bin/logstash -f logstash-es-simple.conf 
Settings: Default filter workers: 1
Logstash startup completed
simple test
{
       "message" => "simple test",
      "@version" => "1",
    "@timestamp" => "2015-12-22T13:35:33.252Z",
          "host" => "h102.temp"
}
getting started with logstash
{
       "message" => "getting started with logstash",
      "@version" => "1",
    "@timestamp" => "2015-12-22T13:35:47.999Z",
          "host" => "h102.temp"
}
hello example
{
       "message" => "hello example",
      "@version" => "1",
    "@timestamp" => "2015-12-22T13:35:58.383Z",
          "host" => "h102.temp"
}
...
...

貌似结果和前一种情况差不多,但此时ES里已经有数据了

[root@h102 ~]# curl 'http://localhost:9200/_search?pretty'
{
  "took" : 35,
  "timed_out" : false,
  "_shards" : {
    "total" : 6,
    "successful" : 6,
    "failed" : 0
  },
  "hits" : {
    "total" : 4,
    "max_score" : 1.0,
    "hits" : [ {
      "_index" : ".kibana",
      "_type" : "config",
      "_id" : "4.3.1",
      "_score" : 1.0,
      "_source":{"buildNum":9517}
    }, {
      "_index" : "logstash-2015.12.22",
      "_type" : "logs",
      "_id" : "AVHJ5yfWrEoC64-rdPBW",
      "_score" : 1.0,
      "_source":{"message":"getting started with logstash","@version":"1","@timestamp":"2015-12-22T13:35:47.999Z","host":"h102.temp"}
    }, {
      "_index" : "logstash-2015.12.22",
      "_type" : "logs",
      "_id" : "AVHJ51ORrEoC64-rdPBX",
      "_score" : 1.0,
      "_source":{"message":"hello example","@version":"1","@timestamp":"2015-12-22T13:35:58.383Z","host":"h102.temp"}
    }, {
      "_index" : "logstash-2015.12.22",
      "_type" : "logs",
      "_id" : "AVHJ5vLKrEoC64-rdPBV",
      "_score" : 1.0,
      "_source":{"message":"simple test","@version":"1","@timestamp":"2015-12-22T13:35:33.252Z","host":"h102.temp"}
    } ]
  }
}
[root@h102 ~]# 

由于ES里已经有了数据,再看kibana,[Create] 变得可以点击了

kibana2.png

[Create] 点击完后,点击 [Discover] 就会看到有日志信息展示出来了

kibana3.png

继续在终端里输入测试信息,选择时间刷新后就会看到kibana的显示也发生了变化

kibana4.png

  • output 里多出来两条配置,其实代表可以同时指定多个输出,将结果写一份到ES,也写一份到终端
elasticsearch {hosts=>"localhost:9200"}
stdout {codec=>rubydebug}
  • 使用 hosts 来指定ES的位置,老版使用的是 host ,如果在这里使用 host 会报错
  • 可以使用 hosts => [“IP Address 1:port1”, “IP Address 2:port2”, “IP Address 3”] 的方式指定多个进行冗余,和负载均衡
  • 如果ES使用的 9200 端口,是可以在配置里省略的

从文件获取数据

生产环境中不太可能手动生成日志(使用人肉输入到stdin的方式),而更多是从一个源日志文件那里读取

[root@h102 etc]# vim logstash-file-es-simple.conf
[root@h102 etc]# cat logstash-file-es-simple.conf
input {
	stdin{}
	file {
	    type=>"syslog"
	    path=>"/var/log/messages"
	    start_position => beginning
	}
}
output {
	elasticsearch {hosts=>"localhost:9200"}
	stdout {codec=>rubydebug}
}
[root@h102 etc]# /opt/logstash/bin/logstash -f logstash-file-es-simple.conf  -t
Configuration OK
[root@h102 etc]# /opt/logstash/bin/logstash -f logstash-file-es-simple.conf  
Settings: Default filter workers: 1
Logstash startup completed
{
       "message" => "Dec 22 17:34:02 h102 rsyslogd: [origin software=\"rsyslogd\" swVersion=\"5.8.10\" x-pid=\"1693\" x-info=\"http://www.rsyslog.com\"] rsyslogd was HUPed",
      "@version" => "1",
    "@timestamp" => "2015-12-22T14:07:12.146Z",
          "host" => "h102.temp",
          "path" => "/var/log/messages",
          "type" => "syslog"
}
{
       "message" => "Dec 22 18:19:23 h102 dhclient[1624]: DHCPREQUEST on eth3 to 192.168.1.2 port 67 (xid=0x58532bb2)",
      "@version" => "1",
    "@timestamp" => "2015-12-22T14:07:12.148Z",
          "host" => "h102.temp",
          "path" => "/var/log/messages",
          "type" => "syslog"
}
{
       "message" => "Dec 22 18:19:23 h102 dhclient[1624]: DHCPACK from 192.168.1.2 (xid=0x58532bb2)",
      "@version" => "1",
    "@timestamp" => "2015-12-22T14:07:12.149Z",
          "host" => "h102.temp",
          "path" => "/var/log/messages",
          "type" => "syslog"
}
{
       "message" => "Dec 22 18:19:24 h102 dhclient[1624]: bound to 192.168.1.117 -- renewal in 3538 seconds.",
      "@version" => "1",
    "@timestamp" => "2015-12-22T14:07:12.150Z",
          "host" => "h102.temp",
          "path" => "/var/log/messages",
          "type" => "syslog"
}
{
       "message" => "Dec 22 18:27:04 h102 kernel: hrtimer: interrupt took 6428893 ns",
      "@version" => "1",
    "@timestamp" => "2015-12-22T14:07:12.150Z",
          "host" => "h102.temp",
          "path" => "/var/log/messages",
          "type" => "syslog"
}
{
       "message" => "Dec 22 19:18:22 h102 dhclient[1624]: DHCPREQUEST on eth3 to 192.168.1.2 port 67 (xid=0x58532bb2)",
      "@version" => "1",
    "@timestamp" => "2015-12-22T14:07:12.151Z",
          "host" => "h102.temp",
          "path" => "/var/log/messages",
          "type" => "syslog"
}
...
...
{
       "message" => "Dec 22 21:51:56 h102 dhclient[1624]: DHCPACK from 192.168.1.2 (xid=0x58532bb2)",
      "@version" => "1",
    "@timestamp" => "2015-12-22T14:07:12.188Z",
          "host" => "h102.temp",
          "path" => "/var/log/messages",
          "type" => "syslog"
}
{
       "message" => "Dec 22 21:51:57 h102 dhclient[1624]: bound to 192.168.1.117 -- renewal in 2973 seconds.",
      "@version" => "1",
    "@timestamp" => "2015-12-22T14:07:12.203Z",
          "host" => "h102.temp",
          "path" => "/var/log/messages",
          "type" => "syslog"
}
abc
{
       "message" => "abc",
      "@version" => "1",
    "@timestamp" => "2015-12-22T14:11:19.994Z",
          "host" => "h102.temp"
}
xyz
{
       "message" => "xyz",
      "@version" => "1",
    "@timestamp" => "2015-12-22T14:11:22.893Z",
          "host" => "h102.temp"
}
def
{
       "message" => "def",
      "@version" => "1",
    "@timestamp" => "2015-12-22T14:11:25.633Z",
          "host" => "h102.temp"
}
...
...

发现kibana里同时看到了所有的系统日志和手工测试数据

kibana5.png

  • start_position => beginning 的作用是从头开始读数据,如果不加这个配置,就会产生类似 tail -f /var/log/messages 的效果,只对新生成的数据进行跟踪,此刻以前的都直接忽略,此配置得在具体环境下考虑使用与否

致此,ELK基本的搭建与操作就完成了


命令汇总

  • java -version
  • cat /etc/yum.repos.d/elk.repo
  • wget https://packages.elastic.co/GPG-KEY-elasticsearch
  • rpm --import GPG-KEY-elasticsearch
  • yumdownloader elasticsearch logstash
  • wget https://download.elastic.co/kibana/kibana/kibana-4.3.1-linux-x64.tar.gz
  • sha1sum *
  • rpm -ivh elasticsearch-2.1.1.rpm
  • chkconfig --add elasticsearch
  • chkconfig --list | grep elasticsearch
  • /etc/init.d/elasticsearch start
  • netstat -ant | grep 9200
  • netstat -ant | grep 9300
  • curl localhost:9200/_cat/health?v
  • curl localhost:9200/_cat/nodes?v
  • curl 'localhost:9200/_cat/allocation?v'
  • tar -zxvf kibana-4.3.1-linux-x64.tar.gz
  • vim kibana.yml
  • grep -v "^#" kibana.yml | grep -v "^$"
  • ./kibana
  • vim /etc/sysconfig/iptables
  • grep 5601 /etc/sysconfig/iptables
  • /etc/init.d/iptables reload
  • iptables -L -nv | grep 5601
  • rpm -ivh logstash-2.1.1-1.noarch.rpm
  • /opt/logstash/bin/logstash -e 'input { stdin { } } output { stdout {} }'
  • cat logstash-simple.conf
  • time /opt/logstash/bin/logstash -f logstash-simple.conf --configtest
  • /opt/logstash/bin/logstash -f logstash-simple.conf
  • cat logstash-es-simple.conf
  • /opt/logstash/bin/logstash -f logstash-es-simple.conf
  • curl 'http://localhost:9200/_search?pretty'
  • cat logstash-file-es-simple.conf
  • /opt/logstash/bin/logstash -f logstash-file-es-simple.conf

原文地址 http://soft.dog/2015/12/22/elk-basic/

评论