yum源

[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
# Keep gpgcheck=1: every package is verified against the key fetched from
# gpgkey (over HTTPS), so a tampered mirror or download is rejected at install.
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

下载安装

yum install java-1.8.0-openjdk-devel
服务器安装(端口):Elasticsearch(9200),Kibana(5601),Logstash(5044)
https://www.elastic.co/downloads
systemctl enable elasticsearch
systemctl enable logstash
systemctl enable kibana
vi /etc/elasticsearch/elasticsearch.yml
node.name: wl-es01
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
# Binds the HTTP API to every interface. Elasticsearch 6.x does not
# authenticate requests unless X-Pack security is configured, so any host that
# can reach 9200 can read, write and delete indices (the wildcard DELETE
# further down this page is one example). Bind to an internal address or
# firewall the port — confirm which is in place here.
network.host: 0.0.0.0
http.port: 9200
# Needed by the Kibana scripted-field example at the end of this page.
script.painless.regex.enabled: true
vi /etc/kibana/kibana.yml
# Kibana listens on every interface; without X-Pack security it has no login
# of its own, so bind to an internal address or put an authenticating proxy in
# front — confirm what is in place.
server.host: "0.0.0.0"
# Plain http: queries and results cross the network unencrypted.
elasticsearch.url: "http://10.200.78.67:9200"
elasticsearch.requestTimeout: 120000
#i18n.defaultLocale: "cn"
# Map tiles are fetched by each user's browser directly from this third-party
# host over http; the same setting is repeated in the 高德地图 section below.
tilemap.url: 'http://webrd02.is.autonavi.com/appmaptile?lang=zh_cn&size=1&scale=1&style=7&x={x}&y={y}&z={z}'
es-jvm.options
#-Xms1g
#-Xmx1g
# Heap raised to 48g. Elastic's sizing guidance is at most half of physical RAM
# and below the compressed-oops threshold (~31–32g); above it object pointers
# become 8 bytes, so part of the extra heap is spent on pointers — confirm
# against this host's RAM.
-Xms48g
-Xmx48g
## GC configuration
#-XX:+UseConcMarkSweepGC
#-XX:CMSInitiatingOccupancyFraction=75
#-XX:+UseCMSInitiatingOccupancyOnly
# CMS (the 6.x default) replaced by G1. The 6.x docs advise against G1GC on
# JDK 8, which is the JDK installed earlier on this page
# (java-1.8.0-openjdk-devel) — confirm the JDK version before enabling.
-XX:+UseG1GC
-XX:MaxGCPauseMillis=200

logstash 插件更新

插件安装路径:/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems  
IP地址库:/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-geoip-5.0.3-java/vendor

/usr/share/logstash/bin/logstash-plugin update logstash-filter-grok
/usr/share/logstash/bin/logstash-plugin update logstash-filter-geoip
/usr/share/logstash/bin/logstash-plugin update logstash-filter-useragent
/usr/share/logstash/bin/logstash-plugin update logstash-filter-date
/usr/share/logstash/bin/logstash-plugin update logstash-filter-mutate
logstash调试模式
vi /etc/logstash/conf.d/gameclient.conf
# Debug pipeline: accept Beats on 5044 and dump every event to the console.
input {
  beats {
    port => 5044
  }
}
output{
  # rubydebug prints the complete event, whatever the log contains; use only
  # while developing a pipeline, then switch to the elasticsearch output.
  stdout{
    codec => rubydebug
  }

}

/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/gameclient.conf
NGINX日志过滤logstash配置
vi /etc/logstash/conf.d/beats-nginx.conf
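input {
  beats {
    port => 5044
  }
}
filter {
  # nginx access log: combined format plus http_host, x_forwarded_for and
  # request_time. The field order must match the server's log_format exactly.
  # The quote before request_time was a curly quote (“), which does not match
  # the ASCII quote nginx writes; it is now \" like the other fields.
  grok {
    match => { "message" => "%{IPORHOST:remote_addr} - (%{USERNAME:remote_user}|-) \[%{HTTPDATE:time_local}\] (%{IPORHOST:http_host}|-) \"%{WORD:method} %{DATA:request_url} HTTP/%{NUMBER:http_version}\" %{NUMBER:response_code} %{NUMBER:body_sent} \"%{DATA:referrer}\" \"%{DATA:user_agent}\" \"%{IPORHOST:x_forwarded_for}\" \"%{NUMBER:request_time}\"" }
    remove_field => "message"
  }
  date {
    match => [ "time_local", "dd/MMM/YYYY:HH:mm:ss Z" ]
    target => "@timestamp"
    timezone => "-04:00"
  }
  # Device/OS/browser parsing; the custom regexes.yaml is listed further down
  # this page.
  useragent {
    regexes => "/etc/logstash/regexes.yaml"
    target => "ua"
    source => "user_agent"
  }
  # One convert hash instead of three repeated `convert` settings, so no key
  # can shadow another (how repeated settings merge varies by Logstash
  # version — confirm).
  mutate {
    convert => {
      "response_code" => "integer"
      "body_sent" => "integer"
      "request_time" => "float"
    }
  }
  # Skip GeoIP for loopback / RFC 1918 addresses. The dot in "^100\.64\." is
  # now escaped; note it still only covers 100.64.0.0/16 of the
  # 100.64.0.0/10 shared range. x_forwarded_for is whatever the client or
  # proxy chain sent, and IPORHOST matches a single address, so a
  # comma-separated chain makes the grok above fail instead of reaching here.
  if [x_forwarded_for] !~ "^127\.|^192\.168\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[01]\.|^10\.|^100\.64\." {
    geoip {
      source => "x_forwarded_for"
      target => "geoip"
      # "location" is the field the geo_point template further down keys on.
      fields => ["city_name","region_name","country_name","location"]
    }
    # client_addr = country[,region][,city], dropping the parts GeoIP could
    # not resolve.
    if ! [geoip][region_name] and ! [geoip][city_name] {
      mutate {
        add_field => { "client_addr" => "%{[geoip][country_name]}" }
      }
    }
    else if ! [geoip][city_name] {
      mutate {
        add_field => { "client_addr" => "%{[geoip][country_name]},%{[geoip][region_name]}" }
      }
    }
    else if ! [geoip][region_name] {
      mutate {
        add_field => { "client_addr" => "%{[geoip][country_name]},%{[geoip][city_name]}" }
      }
    }
    else {
      mutate {
        add_field => { "client_addr" => "%{[geoip][country_name]},%{[geoip][region_name]},%{[geoip][city_name]}" }
      }
    }
    mutate {
      remove_field => ["[geoip][country_name]","[geoip][region_name]","[geoip][city_name]"]
    }
  }
}
output {
  elasticsearch {
    hosts => "localhost:9200"
    # The nginx template is installed separately (curl -XPUT _template/nginx
    # further down this page), so Logstash must not overwrite it.
    manage_template => false
    index => "nginx-%{+YYYY.MM.dd}"
    # index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}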
user agent 机型适配配置
vi /etc/logstash/regexes.yaml
https://github.com/ua-parser/uap-core/blob/master/regexes.yaml

#######################
- regex: 'iPhone'
device_replacement: 'iPhone'
brand_replacement: 'Apple'
model_replacement: 'iPhone'
- regex: 'Xiaomi_'
device_replacement: 'XiaoMi'
brand_replacement: 'XiaoMi'
model_replacement: 'XiaoMi'
#######################



#######################
- regex: 'Windows NT'
device_replacement: 'PC'
brand_replacement: 'PC'
model_replacement: 'PC'
- regex: 'Macintosh\;'
device_replacement: 'MAC'
brand_replacement: 'Apple'
model_replacement: 'MAC'
######################
防火墙日志过滤logstash配置
vi /etc/logstash/conf.d/syslog.conf
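# Juniper firewall syslog → Elasticsearch. Both listeners accept anything that
# reaches port 10514: UDP syslog carries no sender authentication, so restrict
# the port to the firewall's address at the host/network level.
input {
  tcp {
    port => 10514
    type => "Juniper"
  }
  udp {
    port => 10514
    type => "Juniper"
  }
}
filter {
  # Everything after "reason=" up to the end of the message, newlines included.
  grok {
    match => { "message" => "reason=(?<reason>([\s\S]*))" }
  }
  # key=value pairs from the raw message; only the listed keys are kept.
  kv {
    source => "message"
    include_keys => [ "start_time", "src", "src_port", "dst", "dst_port", "sent", "rcvd", "duration", "session_id", "service" ]
    # remove_field => "message"
  }
  date {
    match => [ "start_time", "yyyy-MM-dd HH:mm:ss" ]
    target => "@timestamp"
    timezone => "+08:00"
  }
  # One convert hash instead of six repeated `convert` settings, so no key can
  # shadow another (how repeated settings merge varies by Logstash version —
  # confirm).
  mutate {
    convert => {
      "src_port" => "integer"
      "dst_port" => "integer"
      "sent" => "integer"
      "rcvd" => "integer"
      "duration" => "integer"
      "session_id" => "integer"
    }
  }
  # Skip GeoIP for loopback / RFC 1918 destinations. The dot in "^100\.64\."
  # is now escaped (same fix as the nginx pipeline above); it still only
  # covers 100.64.0.0/16 of the 100.64.0.0/10 shared range.
  if [dst] !~ "^127\.|^192\.168\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[01]\.|^10\.|^100\.64\." {
    geoip {
      source => "dst"
      target => "dstgeoip"
      fields => ["city_name","region_name","country_name"]
    }

    # dstname = country[,region][,city], dropping the parts GeoIP could not
    # resolve; the intermediate dstgeoip object is removed afterwards.
    if ! [dstgeoip][region_name] and ! [dstgeoip][city_name] {
      mutate {
        add_field => { "dstname" => "%{[dstgeoip][country_name]}" }
      }
    }
    else if ! [dstgeoip][city_name] {
      mutate {
        add_field => { "dstname" => "%{[dstgeoip][country_name]},%{[dstgeoip][region_name]}" }
      }
    }
    else if ! [dstgeoip][region_name] {
      mutate {
        add_field => { "dstname" => "%{[dstgeoip][country_name]},%{[dstgeoip][city_name]}" }
      }
    }
    else {
      mutate {
        add_field => { "dstname" => "%{[dstgeoip][country_name]},%{[dstgeoip][region_name]},%{[dstgeoip][city_name]}" }
      }
    }
    mutate {
      remove_field => "dstgeoip"
    }
  }
}
output{
  elasticsearch {
    hosts => "localhost:9200"
    # document_type is deprecated in the 6.x output plugin (mapping types are
    # being removed) — confirm for the installed Logstash version.
    document_type => "Juniper"
    index => "juniper-%{+YYYY.MM.dd}"
  }
  # stdout{
  # codec => rubydebug
  # }
}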
gameclient logstash配置
input {
  beats {
    port => 5044
    # Tags events as gameclient; the beats input is documented as leaving an
    # existing type field untouched, so Filebeat-set types win — confirm.
    type => "gameclient"
  }
}
filter {
  if [type] == "gameclient" {
    # <timestamp> [<level>] <...>@<...>:<...>:<n> <info>,other:<other>
    # info and other are captured greedily (newlines included) and split below.
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:date} \[%{DATA:level}\] \<%{DATA}\>@%{DATA}\:%{DATA}\:%{NUMBER} (?<info>([\s\S]*))\,other\:(?<other>([\s\S]*))" }
    }
    # "k:v,k:v" → info_k fields. A value containing ':' would be split at its
    # first colon — confirm the client never logs such values.
    kv {
      source => "info"
      prefix => "info_"
      field_split => ","
      value_split => ":"
    }
    # remove_char_key/remove_char_value are used as character classes, so the
    # '|' here is itself one of the stripped characters, not an alternation
    # (strips quotes and braces from a flattened JSON-ish string) — confirm.
    kv {
      source => "other"
      prefix => "other_"
      remove_char_key => "\"|\{"
      remove_char_value => "\"|\}"
      field_split => ","
      value_split => ":"
    }
    date {
      match => [ "date", "yyyy-MM-dd HH:mm:ss.SSS" ]
      target => "@timestamp"
      timezone => "+08:00"
    }
  }
}
output{
  if [type] == "gameclient" {
    # stdout{
    # codec => rubydebug
    # }
    elasticsearch {
      hosts => "localhost:9200"
      document_type => "gameclient"
      index => "gameclient-%{+YYYY.MM.dd}"
    }
  }
}

客户端安装:Filebeat

systemctl enable filebeat
vi /etc/filebeat/filebeat.yml

path.home: /usr/share/filebeat
path.config: /etc/filebeat
path.data: /var/lib/filebeat
path.logs: /var/log/filebeat
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
#output.logstash:
# hosts: ["10.100.77.60:5044"]
# Direct-to-Elasticsearch variant (the Logstash output is commented out).
# Plain http with no ssl/credential settings shown, so log contents travel in
# the clear and any host that can reach 9200 can write to the cluster —
# confirm this is an isolated network segment.
output.elasticsearch:
  hosts: ["10.100.77.60:9200"]
setup.kibana:
  host: "10.100.77.60:5601"
cd /etc/filebeat
/usr/share/filebeat/bin/filebeat setup --template
/usr/share/filebeat/bin/filebeat setup --dashboards
/usr/share/filebeat/bin/filebeat modules enable nginx
vi nginx.yml
- module: nginx
# Access logs
access:
enabled: true
var.paths: ["/home/wwwlogs/static.log"]
# Error logs
error:
enabled: false
#var.paths:
vi /etc/filebeat/filebeat.yml
path.home: /usr/share/filebeat
path.config: /etc/filebeat
path.data: /var/lib/filebeat
path.logs: /var/log/filebeat
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
output.logstash:
hosts: ["10.100.77.60:5044"]
#output.elasticsearch:
# hosts: ["10.100.77.60:9200"]
setup.kibana:
host: "10.100.77.60:5601"
#实例
cat /etc/filebeat/filebeat.yml
path.home: /usr/share/filebeat
path.config: /etc/filebeat
path.data: /var/lib/filebeat
path.logs: /var/log/filebeat
#filebeat.config.modules:
# path: ${path.config}/modules.d/*.yml

# Two log inputs distinguished only by a top-level "type" field
# (fields_under_root puts it at the root instead of under "fields").
# The gameclient pipeline on this page routes on [type] == "gameclient",
# which neither "sit" nor "pro" satisfies — confirm the intended routing.
filebeat.prospectors:
- type: log
  enabled: true
  paths:
    - /home/huangliang/19090/log/info*
  fields_under_root: true
  fields:
    type: sit

- type: log
  enabled: true
  paths:
    - /home/huangliang/19091/log/info*
  # tags: ["pro"]
  fields_under_root: true
  fields:
    type: pro
  # logs_env: PRO

# Local Logstash on the same host; no TLS settings shown.
output.logstash:
  hosts: ["127.0.0.1:5044"]
setup.kibana:
  host: "localhost:5601"

geoip画地图elasticsearch坐标字段模板

vi /tmp/elasticsearch.template.nginx.json
{
"index_patterns" : ["nginx*"],
"mappings" : {
"doc" : {
"properties" : {
"geoip" : {
"properties" : {
"location" : {
"type" : "geo_point"
}
}
}
}
}
}
}

curl -XPUT -H 'Content-Type: application/json' 'http://10.100.77.60:9200/_template/nginx?pretty' -d@/tmp/elasticsearch.template.nginx.json

修改使用高德地图

编辑kibana配置文件kibana.yml,最后面添加:

tilemap.url: 'http://webrd02.is.autonavi.com/appmaptile?lang=zh_cn&size=1&scale=1&style=7&x={x}&y={y}&z={z}'

重启kibana

Elasticsearch操作:

# Read-only inspection of indices and templates.
curl localhost:9200/_cat/indices?v
curl 10.100.77.60:9200/_cat/templates
curl localhost:9200/filebeat-6.0.0-2017.12.01?pretty
curl 'http://localhost:9200/_template/nginx?pretty'
# Destructive: deletes every index matching filebeat-* with no confirmation
# and no authentication in the way. Setting action.destructive_requires_name:
# true in elasticsearch.yml makes the cluster reject wildcard deletes.
curl -XDELETE 'http://localhost:9200/filebeat-*'
curl localhost:9200/gameclient-2018.03.08/?pretty
curl http://10.100.77.60:9200/nginx-2017.12.01/_search?pretty

查询

curl -H "Content-Type: application/json" -XGET localhost:9200/gameclient-2018.06.10/doc/_search -d '{"query":{"match":{"gameName":{"query":"2277"}}}}'

批量替换字段为数值

curl -H "Content-Type: application/json" -XPOST localhost:9200/gameclient-2018.06.10/doc/_update_by_query -d '{"query":{"match":{"gameName":{"query":"2277"}}},"script":{"inline":"ctx._source.gameName='6666'","lang":"painless"}}'

批量替换字段为字符串

curl -H "Content-Type: application/json" -XPOST localhost:9200/gameclient-2018.06.10/doc/_update_by_query -d '{"query":{"match":{"gameName":{"query":"2277"}}},"script":{"inline":"ctx._source.gameName = params.last","params": {"last": "金球争霸"},"lang":"painless"}}'
cat ch.sh
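#!/bin/bash
# Bulk-rename a field value in Elasticsearch: for every "<id> <name>" pair in
# list.txt, run _update_by_query against every index named in gamedate.txt,
# rewriting documents whose gameName matches <id> to <name>.
#
# Inputs:  list.txt     - one "<old gameName> <new gameName>" pair per line
#                         (first two whitespace-separated fields; rest ignored)
#          gamedate.txt - one index name per line
# Outputs: one curl response per (index, id) pair on stdout
#
# No `set -e`: a failed request is reported on stderr and the remaining pairs
# are still processed, as the original loop did.
set -uo pipefail
set -x   # traces every request, including the full JSON body, to stderr

readonly ES_HOST='10.200.77.45:9200'

# Escape a value for use inside a JSON string literal. Only backslash and
# double quote are handled; values with control characters are not expected.
json_escape() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  printf '%s' "$s"
}

# Print the _update_by_query body that rewrites gameName "$1" to "$2".
# Values are escaped, so a name containing a quote no longer breaks the JSON.
update_body() {
  local id name
  id=$(json_escape "$1")
  name=$(json_escape "$2")
  printf '{"query":{"match":{"gameName":{"query":"%s"}}},"script":{"inline":"ctx._source.gameName = params.last","params":{"last":"%s"},"lang":"painless"}}' \
    "$id" "$name"
}

# Run one rename against one index. stdin is closed so curl can never consume
# the loop's input file.
update_index() {
  local index=$1 id=$2 name=$3
  curl -sS -H 'Content-Type: application/json' -XPOST \
    "http://${ES_HOST}/${index}/doc/_update_by_query" \
    --data-binary "$(update_body "$id" "$name")" </dev/null \
    || printf 'update failed: index=%s id=%s\n' "$index" "$id" >&2
  printf '\n'
}

main() {
  local id name _rest index
  while read -r id name _rest; do
    [[ -n "$id" ]] || continue
    while IFS= read -r index || [[ -n "$index" ]]; do
      [[ -n "$index" ]] || continue
      update_index "$index" "$id" "$name"
    done < gamedate.txt
  done < list.txt
}

main "$@"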

Python → Elasticsearch 文本导入

#!/usr/local/bin/python3
# -*- coding:utf-8 -*-
import time
from datetime import datetime
import sys
from elasticsearch import Elasticsearch
from elasticsearch.helpers import bulk
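def set_mapping(es, index_name = "pointlogs", doc_type_name = "point"):
    """Create ``index_name`` and register the ``doc_type_name`` mapping on it.

    The same four properties are used both in the index-creation body and in
    the explicit put_mapping call, so they are declared once. The creation
    body is keyed by ``doc_type_name`` (it was hard-coded to "point"), so a
    custom type no longer produces a second mapping type on the index.

    Args:
        es: Elasticsearch client exposing ``indices.create`` and
            ``indices.put_mapping``.
        index_name: index to create.
        doc_type_name: mapping type registered on the index.

    Returns:
        ``(create_response, put_mapping_response)`` as returned by the client.

    Raises:
        Whatever ``es.indices.create`` raises (for example when the index
        already exists); only the put_mapping call ignores HTTP 400.
    """
    properties = {
        "@timestamp": {"type": "date"},
        "x": {"type": "integer"},
        "y": {"type": "float"},
        "z": {"type": "text"},
    }
    my_mapping = {"mappings": {doc_type_name: {"properties": properties}}}
    put_my_mapping = {"properties": properties}
    create_index = es.indices.create(index=index_name, body=my_mapping)
    mapping_index = es.indices.put_mapping(
        index=index_name, doc_type=doc_type_name, body=put_my_mapping, ignore=400
    )
    # put_mapping has ignore=400, so a rejected mapping comes back as an error
    # body instead of an exception; report it rather than continuing silently.
    for step, resp in (("create", create_index), ("put_mapping", mapping_index)):
        if not (isinstance(resp, dict) and resp.get("acknowledged")):
            print("Index %s not acknowledged: %s" % (step, resp), file=sys.stderr)
    return create_index, mapping_index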
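def set_data(es, input_file, index_name = "pointlogs", doc_type_name="point", batch_size=100000):
    """Bulk-index one float per line of ``input_file``.

    Each non-blank line becomes a document ``{@timestamp, x, y, z}`` where
    ``x`` is the 0-based line number in the file, ``y`` the parsed float and
    ``z`` the fixed label "10w.txt" (not derived from ``input_file``).
    Buffered actions are flushed with ``bulk`` every ``batch_size`` lines and
    once more at the end; progress is printed after each flush.

    Args:
        es: Elasticsearch client passed through to ``bulk``.
        input_file: path to a text file with one float per line.
        index_name: destination index.
        doc_type_name: mapping type written as ``_type``.
        batch_size: number of actions buffered before each ``bulk`` call
            (was a hard-coded 100000).

    Returns:
        Total number of documents ``bulk`` reported as successful.

    Raises:
        ValueError: a non-blank line is not a valid float.
        Whatever ``bulk`` raises (``raise_on_error=True``).
    """
    actions = []
    count = 0
    with open(input_file, 'r') as fd:
        for num, line in enumerate(fd):
            # A blank line (e.g. a trailing empty line) would make float() raise.
            if not line.strip():
                continue
            actions.append({
                "_index": index_name,
                "_type": doc_type_name,
                "_source": {
                    # Naive local time with a hard-coded +0800 suffix: only
                    # correct when the host clock is in UTC+8 — confirm.
                    "@timestamp": datetime.now().strftime("%Y-%m-%dT%H:%M:%S.%f+0800"),
                    "x": num,
                    "y": float(line),
                    "z": "10w.txt",
                }
            })
            if len(actions) >= batch_size:
                success, _ = bulk(es, actions, index=index_name, raise_on_error=True)
                count += success
                print("insert %s lines" % count)
                actions = []
    # Flush the remainder; skipped when the file size is a multiple of batch_size.
    if actions:
        success, _ = bulk(es, actions, index=index_name, raise_on_error=True)
        count += success
    print("ALL insert %s lines" % count)
    return count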
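if __name__ == '__main__':
    # Usage: <script> <input_file>   (one float per line, see set_data)
    if len(sys.argv) < 2:
        print("usage: %s <input_file>" % sys.argv[0], file=sys.stderr)
        sys.exit(2)
    # elasticsearch-py's timeout is in seconds, so 5000 is about 83 minutes —
    # possibly intended as milliseconds; confirm.
    es = Elasticsearch(hosts=["127.0.0.1:9200"], timeout=5000)
    set_mapping(es)
    set_data(es, sys.argv[1])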

Kibana自定义脚本字段配置

vi /etc/elasticsearch/elasticsearch.yml
script.painless.regex.enabled: true
// Kibana scripted field: the first word of ua.device (e.g. "iPhone" from
// "iPhone 6"). Requires script.painless.regex.enabled: true (set above).
def m = /^(\w+)\ .*$/.matcher(doc['ua.device.keyword'].value);
if ( m.matches() ) {
  return m.group(1)
} else {
  // The pattern needs a space after the first word, so a single-word device
  // name also ends up here. Documents with no ua.device.keyword would throw
  // on .value above and need a size() check first — confirm.
  return "null"
}
DSL 例子
{
"query": {
"regexp": {
"userID": "[0-9].+"
}
}
}
---
{
"query": {
"prefix": {
"userID": "demo"
}
}
}

elasticsearch导出与导入

npm install elasticdump  

kibana配置导出

cd /root/node_modules/elasticdump/bin/
./elasticdump --input=http://localhost:9200/.kibana --output=kibana_mapping.json --type=mapping
./elasticdump --input=http://localhost:9200/.kibana --output=kibana.json --type=data

kibana配置导入

cd /root/node_modules/elasticdump/bin/
./elasticdump --input=kibana_mapping.json --output=http://localhost:9200/.kibana --type=mapping
./elasticdump --input=kibana.json --output=http://localhost:9200/.kibana --type=data

导出

./elasticdump --input=http://localhost:9200/gameclient-2018.06.30 --output=gameclient-2018.06.30-2.json --type=data --limit 10000