一、介绍
The Elastic Stack - 它不是一个软件,而是Elasticsearch,Logstash,Kibana 开源软件的集合,对外是作为一个日志管理系统的开源方案。它可以从任何来源,任何格式进行日志搜索,分析获取数据,并实时进行展示。像盾牌(安全),监护者(警报)和Marvel(监测)一样为你的产品提供更多的可能。
Elasticsearch:搜索,提供分布式全文搜索引擎
Logstash: 日志收集,管理,存储
Kibana :日志的过滤web 展示
Filebeat:监控日志文件、转发
二、测试环境规划图
环境:ip、主机名按照如上规划,系统已经 update. 所有主机时间一致。防火墙测试环境已关闭。下面是这次elk学习的部署安装
目的:通过elk 主机收集监控主要server的系统日志、以及线上应用服务日志。
三、Elasticsearch Logstash Kibana的安装(在 elk.test.com 上进行操作)
3.1.基础环境检查
代码语言:javascript复制[root@elk ~]# hostname
elk.test.com
[root@elk ~]# cat /etc/hosts
192.168.0.2 elk.test.com
192.168.0.3 rsyslog.test.com
192.168.0.4 nginx.test.com
3.2.软件包
代码语言:javascript复制[root@elk ~]# cd elk/
[root@elk elk]# wget -c https://download.elastic.co/elasticsearch/release/org/elasticsearch/distribution/rpm/elasticsearch/2.3.3/elasticsearch-2.3.3.rpm
[root@elk elk]# wget -c https://download.elastic.co/logstash/logstash/packages/centos/logstash-2.3.2-1.noarch.rpm
[root@elk elk]# wget https://download.elastic.co/kibana/kibana/kibana-4.5.1-1.x86_64.rpm
[root@elk elk]# wget -c https://download.elastic.co/beats/filebeat/filebeat-1.2.3-x86_64.rpm
3.3.检查
代码语言:javascript复制[root@elk elk]# ls
elasticsearch-2.3.3.rpm filebeat-1.2.3-x86_64.rpm kibana-4.5.1-1.x86_64.rpm logstash-2.3.2-1.noarch.rpm
服务器只需要安装e、l、k, 客户端只需要安装filebeat。
3.4.安装elasticsearch,先安装jdk,elk server 需要java 开发环境支持,由于客户端上使用的是filebeat软件,它不依赖java环境,所以不需要安装。
代码语言:javascript复制[root@elk elk]# yum install java-1.8.0-openjdk -y
安装es
代码语言:javascript复制[root@elk elk]# yum localinstall elasticsearch-2.3.3.rpm -y
重新载入 systemd,扫描新的或有变动的单元;启动并加入开机自启动
代码语言:javascript复制[root@elk elk]# systemctl daemon-reload
[root@elk elk]# systemctl enable elasticsearch
[root@elk elk]# systemctl start elasticsearch
[root@elk elk]# systemctl status elasticsearch
检查服务
代码语言:javascript复制[root@elk elk]# rpm -qc elasticsearch
/etc/elasticsearch/elasticsearch.yml
/etc/elasticsearch/logging.yml
/etc/init.d/elasticsearch
/etc/sysconfig/elasticsearch
/usr/lib/sysctl.d/elasticsearch.conf
/usr/lib/systemd/system/elasticsearch.service
/usr/lib/tmpfiles.d/elasticsearch.conf
[root@elk elk]# netstat -nltp | grep java
tcp6 0 0 127.0.0.1:9200 :::* LISTEN 10430/java
tcp6 0 0 ::1:9200 :::* LISTEN 10430/java
tcp6 0 0 127.0.0.1:9300 :::* LISTEN 10430/java
tcp6 0 0 ::1:9300 :::* LISTEN 10430/java
修改防火墙,将9200、9300 端口对外开放
代码语言:javascript复制[root@elk elk]# firewall-cmd --permanent --add-port={9200/tcp,9300/tcp}
[root@elk elk]# firewall-cmd --reload
[root@elk elk]# firewall-cmd --list-all
或者
iptables -A INPUT -p tcp --dport 9200 -j ACCEPT
iptables -A INPUT -p tcp --dport 9300 -j ACCEPT
service iptables save
systemctl restart iptables.service
3.5 安装kibana
代码语言:javascript复制[root@elk elk]# yum localinstall kibana-4.5.1-1.x86_64.rpm –y
[root@elk elk]# systemctl enable kibana
[root@elk elk]# systemctl start kibana
[root@elk elk]# systemctl status kibana
检查kibana服务运行(Kibana默认 进程名:node ,端口5601)
代码语言:javascript复制[root@elk elk]# netstat -nltp|grep 5601
tcp 0 0 0.0.0.0:5601 0.0.0.0:* LISTEN 3969/node
修改防火墙,对外开放tcp/5601
代码语言:javascript复制iptables -A INPUT -p tcp --dport 5601 -j ACCEPT
service iptables save
systemctl restart iptables.service
这时,我们可以打开浏览器,测试访问一下kibana服务器http://192.168.0.2:5601/,确认没有问题,如下图:
3.6 安装logstash,以及添加配置文件
代码语言:javascript复制[root@elk elk]# yum localinstall logstash-2.3.2-1.noarch.rpm -y
生成证书
代码语言:javascript复制[root@elk elk]# cd /etc/pki/tls/
[root@elk tls]# ls
cert.pem certs misc openssl.cnf private
[root@elk tls]# openssl req -subj '/CN=elk.test.com/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
之后创建logstash 的配置文件。如下:
代码语言:javascript复制[root@elk ~]# cat /etc/logstash/conf.d/01-logstash-initial.conf
input {
beats {
port => 5000
type => "logs"
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}
filter {
if [type] == "syslog-beat" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
geoip {
source => "clientip"
}
syslog_pri {}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
output {
elasticsearch { }
stdout { codec => rubydebug }
}
启动logstash,并检查端口,配置文件里,我们写的是5000端口
代码语言:javascript复制[root@elk conf.d]# systemctl start logstash
[root@elk elk]# /sbin/chkconfig logstash on
[root@elk conf.d]# netstat -ntlp |grep 5000
tcp6 0 0 :::5000 :::* LISTEN 4250/java
修改防火墙,将5000端口对外开放。
代码语言:javascript复制iptables -A INPUT -p tcp --dport 5000 -j ACCEPT
service iptables save
systemctl restart iptables.service
3.7 修改elasticsearch 配置文件
查看目录,创建文件夹es-01(名字不是必须的),logging.yml是自带的,elasticsearch.yml是创建的文件,内如见下:
代码语言:javascript复制[root@elk ~]# cd /etc/elasticsearch/
[root@elk ~]# mkdir es-01
[root@elk elasticsearch]# tree
.
├── es-01
│ ├── elasticsearch.yml
│ └── logging.yml
└── scripts
[root@elk elasticsearch]# cat es-01/elasticsearch.yml
----
http:
port: 9200
network:
host: elk.test.com
node:
name: elk.test.com
path:
data: /etc/elasticsearch/data/es-01
3.8 重启elasticsearch、logstash服务。
代码语言:javascript复制# systemctl restart elasticsearch
# systemctl restart logstash
3.9 将 fiebeat安装包拷贝到 rsyslog、nginx 客户端上
代码语言:javascript复制[root@elk elk]# scp filebeat-1.2.3-x86_64.rpm root@rsyslog.test.com:/root/elk
[root@elk elk]# scp filebeat-1.2.3-x86_64.rpm root@nginx.test.com:/root/elk
[root@elk elk]# scp /etc/pki/tls/certs/logstash-forwarder.crt rsyslog.test.com:/root/elk
[root@elk elk]# scp /etc/pki/tls/certs/logstash-forwarder.crt nginx.test.com:/root/elk
四、客户端部署filebeat(在rsyslog、nginx客户端上操作)
filebeat客户端是一个轻量级的,从服务器上的文件收集日志资源的工具,这些日志转发到处理到Logstash服务器上。该Filebeat客户端使用安全的Beats协议与Logstash实例通信。lumberjack协议被设计为可靠性和低延迟。Filebeat使用托管源数据的计算机的计算资源,并且Beats输入插件尽量减少对Logstash的资源需求。
4.1.(node1)安装filebeat,拷贝证书,创建收集日志配置文件
代码语言:javascript复制[root@rsyslog elk]# yum localinstall filebeat-1.2.3-x86_64.rpm -y
#拷贝证书到本机指定目录中
[root@rsyslog elk]# cp logstash-forwarder.crt /etc/pki/tls/certs/.
[root@rsyslog elk]# cd /etc/filebeat/
[root@rsyslog filebeat]# tree
.
├── conf.d
│ ├── authlogs.yml
│ └── syslogs.yml
├── filebeat.template.json
└── filebeat.yml
directory, 4 files
修改的文件有3个,filebeat.yml,是定义连接logstash 服务器的配置。conf.d目录下的2个配置文件是自定义监控日志的,下面看下各自的内容:
filebeat.yml
代码语言:javascript复制[root@rsyslog filebeat]# cat filebeat.yml
filebeat:
spool_size: 1024
idle_timeout: 5s
registry_file: .filebeat
config_dir: /etc/filebeat/conf.d
output:
logstash:
hosts:
- elk.test.com:5000
tls:
certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
enabled: true
shipper: {}
logging: {}
runoptions: {}
authlogs.yml & syslogs.yml
代码语言:javascript复制[root@rsyslog filebeat]# cat conf.d/authlogs.yml
filebeat:
prospectors:
- paths:
- /var/log/secure
encoding: plain
fields_under_root: false
input_type: log
ignore_older: 24h
document_type: syslog-beat
scan_frequency: 10s
harvester_buffer_size: 16384
tail_files: false
force_close_files: false
backoff: 1s
max_backoff: 1s
backoff_factor: 2
partial_line_waiting: 5s
max_bytes: 10485760
[root@rsyslog filebeat]# cat conf.d/syslogs.yml
filebeat:
prospectors:
- paths:
- /var/log/messages
encoding: plain
fields_under_root: false
input_type: log
ignore_older: 24h
document_type: syslog-beat
scan_frequency: 10s
harvester_buffer_size: 16384
tail_files: false
force_close_files: false
backoff: 1s
max_backoff: 1s
backoff_factor: 2
partial_line_waiting: 5s
max_bytes: 10485760
修改完成后,启动filebeat服务
代码语言:javascript复制[root@rsyslog filebeat]# service filebeat start
Starting filebeat: [ OK ]
[root@rsyslog filebeat]# chkconfig filebeat on
systemctl enable filebeat
[root@rsyslog filebeat]# netstat -altp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost:25151 *:* LISTEN 6230/python2
tcp 0 0 *:ssh *:* LISTEN 5509/sshd
tcp 0 0 localhost:ipp *:* LISTEN 1053/cupsd
tcp 0 0 localhost:smtp *:* LISTEN 1188/master
tcp 0 0 rsyslog.test.com:51155 elk.test.com:commplex-main ESTABLISHED 7443/filebeat
tcp 0 52 rsyslog.test.com:ssh 192.168.30.65:10580 ESTABLISHED 7164/sshd
tcp 0 0 *:ssh *:* LISTEN 5509/sshd
tcp 0 0 localhost:ipp *:* LISTEN 1053/cupsd
tcp 0 0 localhost:smtp *:* LISTEN 1188/master
[root@node3 filebeat]# netstat -altp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 3098/sshd
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN 3314/master
tcp 0 52 rsyslog.test.com:ssh 192.168.1.251:60090 ESTABLISHED 4144/sshd: root@pts
tcp 0 0 rsyslog.test.com:49826 elk.test.:commplex-main ESTABLISHED 4345/filebeat
tcp6 0 0 [::]:ssh [::]:* LISTEN 3098/sshd
tcp6 0 0 localhost:smtp [::]:* LISTEN 3314/master
如果连接不上,状态不正常的话,检查下客户端的防火墙。
4.2. (node2)安装filebeat,拷贝证书,创建收集日志配置文件
代码语言:javascript复制[root@nginx elk]# yum localinstall filebeat-1.2.3-x86_64.rpm -y
[root@nginx elk]# cp logstash-forwarder.crt /etc/pki/tls/certs/.
[root@nginx elk]# cd /etc/filebeat/
[root@nginx filebeat]# tree
.
├── conf.d
│ ├── nginx.yml
│ └── syslogs.yml
├── filebeat.template.json
└── filebeat.yml
directory, 4 files
修改filebeat.yml 内容如下:
代码语言:javascript复制[root@rsyslog filebeat]# cat c
filebeat:
spool_size: 1024
idle_timeout: 5s
registry_file: .filebeat
config_dir: /etc/filebeat/conf.d
output:
logstash:
hosts:
- elk.test.com:5000
tls:
certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
enabled: true
shipper: {}
logging: {}
runoptions: {}
syslogs.yml & nginx.yml
代码语言:javascript复制[root@nginx filebeat]# cat conf.d/syslogs.yml
filebeat:
prospectors:
- paths:
- /var/log/messages
encoding: plain
fields_under_root: false
input_type: log
ignore_older: 24h
document_type: syslog-beat
scan_frequency: 10s
harvester_buffer_size: 16384
tail_files: false
force_close_files: false
backoff: 1s
max_backoff: 1s
backoff_factor: 2
partial_line_waiting: 5s
max_bytes: 10485760
[root@nginx filebeat]# cat conf.d/nginx.yml
filebeat:
prospectors:
- paths:
- /var/log/nginx/access.log
encoding: plain
fields_under_root: false
input_type: log
ignore_older: 24h
document_type: syslog-beat
scan_frequency: 10s
harvester_buffer_size: 16384
tail_files: false
force_close_files: false
backoff: 1s
max_backoff: 1s
backoff_factor: 2
partial_line_waiting: 5s
max_bytes: 10485760
修改完成后,启动filebeat服务,并检查filebeat进程
代码语言:javascript复制[root@nginx filebeat]# systemctl restart filebeat
Starting filebeat: [ OK ]
[root@nginx filebeat]# systemctl enable filebeat
[root@nginx filebeat]# netstat -aulpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:ssh *:* LISTEN 1076/sshd
tcp 0 0 localhost:smtp *:* LISTEN 1155/master
tcp 0 0 *:http *:* LISTEN 1446/nginx
tcp 0 52 nginx.test.com:ssh 192.168.30.65:11690 ESTABLISHED 1313/sshd
tcp 0 0 nginx.test.com:49500 elk.test.com:commplex-main ESTABLISHED 1515/filebeat
tcp 0 0 nginx.test.com:ssh 192.168.30.65:6215 ESTABLISHED 1196/sshd
tcp 0 0 nginx.test.com:ssh 192.168.30.65:6216 ESTABLISHED 1200/sshd
tcp 0 0 *:ssh *:* LISTEN 1076/sshd
通过上面可以看出,客户端filebeat进程已经和 elk 服务器连接了。下面去验证。
五、验证,访问kibana http://192.168.0.2:5601
参考: Centos7 之安装Logstash ELK stack 日志管理系统