Deploying Logstash
Hostname | IP |
logstash-to-es01 | 192.168.15.28 |
Logstash environment preparation and installation
Logstash is an open-source data collection engine that scales horizontally, and it is the component of the ELK stack with the most plugins. It can receive data from many different sources and send it, in a unified form, to one or more specified destinations.
Installing the JDK environment
Link: JDK environment for jdk-11.0.5, extraction code: 1234
# Install the Java JDK environment
rz -E jdk-11.0.5_linux-x64_bin.tar.gz
tar -xvf jdk-11.0.5_linux-x64_bin.tar.gz -C /usr/local/
vim /etc/profile
...
# set Java environment
JAVA_HOME=/usr/local/jdk-11.0.5
CLASSPATH=.:$JAVA_HOME/lib
PATH=$JAVA_HOME/bin:$PATH
export JAVA_HOME CLASSPATH PATH
source /etc/profile
java -version
# java version "11.0.5" 2019-10-15 LTS
# Java(TM) SE Runtime Environment 18.9 (build 11.0.5+10-LTS)
# Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.5+10-LTS, mixed mode)
Installing Logstash
wget https://artifacts.elastic.co/downloads/logstash/logstash-7.15.1-x86_64.rpm
yum -y install logstash-7.15.1-x86_64.rpm
# Generate the systemd service unit
/usr/share/logstash/bin/system-install /etc/logstash/startup.options systemd
Using Logstash
Testing Logstash input and output
# Test input from the terminal
/usr/share/logstash/bin/logstash -e "input { stdin {} } output { stdout { codec => rubydebug } }"
...
The stdin plugin is now waiting for input:
hello world
# After input, an event is generated with the default fields
{
"host" => "logstash-to-es01",
"@timestamp" => 2021-11-22T02:52:00.085Z,
"@version" => "1",
"message" => "hello world"
}
# Test output to a file
/usr/share/logstash/bin/logstash -e "input { stdin {} } output { file { path => '/tmp/log-%{+YYYY.MM.dd}.log' } }"
...
The stdin plugin is now waiting for input:
hello world
# [INFO ] 2021-11-22 11:38:27.653 [[main]>worker0] file - Opening file {:path=>"/tmp/log-2021.11.22.log"}
# Check the result
cat /tmp/log-2021.11.22.log
{"@timestamp":"2021-11-22T03:38:27.465Z","@version":"1","host":"logstash-to-es01","message":"hello world"}
# Test output to Elasticsearch; hosts may list several host IPs (comma-separated), which are treated as a highly available cluster by default
/usr/share/logstash/bin/logstash -e "input { stdin {} } output { elasticsearch { hosts => ['192.168.15.25'] index => 'mytest-%{+YYYY.MM.dd}.log' } }"
...
The stdin plugin is now waiting for input:
MSG1
MSG2
# Check the result: switch to the es-node01 host
ll /data/esdata/data/nodes/0/indices/
# total 0
# drwxr-xr-x 4 elasticsearch elasticsearch 29 Nov 22 11:59 lOFwrY8xTg-8pJyqk8zoiQ
# drwxr-xr-x 4 elasticsearch elasticsearch 29 Nov 22 14:14 NDQnZWYYSJapHGUNfrXFRg
Check the status of primary and replica shards in the ES cluster head plugin
Starting Logstash with a specified configuration file
# Write the configuration file; the path is /etc/logstash/conf.d/*.conf
vim /etc/logstash/conf.d/log-es.conf
input {
  stdin {}
}
output {
  elasticsearch { # write to Elasticsearch
    hosts => ['192.168.15.25']
    index => 'mytest-%{+YYYY.MM.dd}.log'
  }
  file { # also write to the local /tmp directory
    path => "/tmp/log-%{+YYYY.MM.dd}.log"
  }
}
# Test the configuration file for errors
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/log-es.conf -t
# Start Logstash as a foreground process
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/log-es.conf
...
The stdin plugin is now waiting for input:
123456
# View the log file content
tail -1 /tmp/log-2021.11.22.log
{"@version":"1","host":"logstash-to-es01","@timestamp":"2021-11-22T06:38:41.815Z","message":"123456"}
Deploying Kibana
Hostname | IP |
logstash-to-es01 | 192.168.15.28 |
Kibana is an open-source data analysis and visualization platform and a member of the Elastic Stack. It is designed to work with Elasticsearch: with Kibana you can search, view and interact with the data in Elasticsearch indices, and conveniently analyze and present it in many ways using charts, tables and maps.
Installing Kibana
wget https://artifacts.elastic.co/downloads/kibana/kibana-7.15.1-x86_64.rpm
yum -y install kibana-7.15.1-x86_64.rpm
# Modify the configuration file
vim /etc/kibana/kibana.yml
...
server.port: 5601
server.host: "0.0.0.0" # Kibana listens on port 5601 on all interfaces
elasticsearch.hosts: ["http://192.168.15.25:9200"]
i18n.locale: "zh-CN"
# Start the Kibana service
systemctl restart kibana
Using Kibana
Creating Logstash events
# Modify the Logstash configuration file
vim /etc/logstash/conf.d/log-es.conf
input {
  file {
    path => "/var/log/messages"
    start_position => "beginning" # beginning reads from the start of the file, end reads from the end of the file
  }
}
output {
  elasticsearch {
    hosts => ['192.168.15.25']
    index => 'mytest-%{+YYYY.MM.dd}.log'
  }
  file {
    path => "/opt/mytest-%{+YYYY.MM.dd}.log"
  }
}
# Test the configuration file for errors
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/log-es.conf -t
# Change Logstash to start as root: when the service runs as the logstash user it has no permission to read the system log
vim /etc/systemd/system/logstash.service
...
User=root
Group=root
# Start the Logstash service
systemctl restart logstash
# Generate data and verify
echo 666 >> /var/log/messages
# Verify that the file was generated
ls /opt
# mytest-2021.11.23.log
Displaying ES data through Kibana
Testing Kibana data display
echo 666 >> /var/log/messages
echo 666 >> /var/log/messages
echo 666 >> /var/log/messages
Collecting multiple logs with the ELK stack
Logstash collects multiple log files, writes them to different Elasticsearch hosts, and displays them through Kibana
vim /etc/logstash/conf.d/log-es.conf
input {
  file {
    path => "/var/log/messages" # log path
    type => "systemlog" # a unique type for this input's events
    start_position => "beginning" # where to start reading on the first collection
    stat_interval => "3" # interval between checks of the log files (default is 1 second)
  }
  file {
    path => "/var/log/vmware-network*"
    type => "vmware-log"
    start_position => "beginning"
    stat_interval => "3"
  }
}
output {
  if [type] == "systemlog" {
    elasticsearch {
      hosts => ['192.168.15.25']
      index => 'system-log-%{+YYYY.MM.dd}.log'
    }
  }
  if [type] == "vmware-log" {
    elasticsearch {
      hosts => ['192.168.15.26']
      index => 'vmware-%{+YYYY.MM.dd}.log'
    }
  }
}
# Restart the Logstash service
systemctl restart logstash.service
# If there is a problem, check the Logstash process log
tail -f /var/log/logstash/logstash-plain.log
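As an added example (not part of the original post), a small Python model of how the pipeline above routes events: the `if [type]` conditionals pick the Elasticsearch host, and `%{+YYYY.MM.dd}` in the index or file name is expanded from the event's @timestamp in UTC, so a line logged shortly after local midnight in UTC+8 still lands in the previous day's index. The ROUTES table, the supported token subset and the sample events are assumptions constructed for the demo; this is a simplification of Logstash's sprintf, not its implementation.

```python
from datetime import datetime, timezone
import re

# Output routing from the page's log-es.conf: event type -> (ES host, index pattern),
# mirroring its `if [type] == "..."` conditionals. A type matching no conditional
# is written to neither Elasticsearch host.
ROUTES = {
    "systemlog": ("192.168.15.25", "system-log-%{+YYYY.MM.dd}.log"),
    "vmware-log": ("192.168.15.26", "vmware-%{+YYYY.MM.dd}.log"),
}

# Joda-style date tokens this simplified model understands, mapped to strftime codes.
_DATE_TOKENS = {"YYYY": "%Y", "MM": "%m", "dd": "%d", "HH": "%H"}

def _parse_timestamp(value):
    """Parse an @timestamp like 2021-11-22T03:38:27.465Z (fraction optional) as UTC."""
    value = re.sub(r"\.\d+Z$", "Z", value)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sprintf(pattern, event):
    """Expand Logstash %{...} references in an index or file name.

    %{+FORMAT} is rendered from the event's @timestamp in UTC (Logstash does not
    use the host's local zone here), so an event logged at 01:30 local time in
    UTC+8 still lands in the previous day's index. %{field} takes the field's
    value; as in Logstash, a reference to a missing field is left verbatim.
    """
    def expand(match):
        ref = match.group(1)
        if ref.startswith("+"):
            fmt = ref[1:]
            for token, code in _DATE_TOKENS.items():
                fmt = fmt.replace(token, code)
            return _parse_timestamp(event["@timestamp"]).strftime(fmt)
        return str(event[ref]) if ref in event else match.group(0)
    return re.sub(r"%\{([^}]+)\}", expand, pattern)

def route(event):
    """Return (host, index) for an event, or None when no output conditional matches."""
    rule = ROUTES.get(event.get("type"))
    return None if rule is None else (rule[0], sprintf(rule[1], event))

if __name__ == "__main__":
    # Constructed events: the page's 123456 message, and one written at 01:30 on
    # 2021-11-23 Beijing time, which is still 2021-11-22 in UTC.
    for ev in [{"type": "systemlog", "@timestamp": "2021-11-22T06:38:41.815Z"},
               {"type": "vmware-log", "@timestamp": "2021-11-22T17:30:00Z"}]:
        print(ev["type"], "->", route(ev))
```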
Testing
# Write data into the corresponding log files
echo 666 >> /var/log/vmware-network.1.log
echo 666 >> /var/log/messages