ELK基础

ELK Stack介绍

ELK Stack是三个开放源代码产品的集合：Elasticsearch，Logstash和Kibana 。

• Elasticsearch
  是一个基于Lucene搜索引擎的NoSQL数据库，用于存储所有日志。
• Logstash
  是一个日志管道工具，它接受来自各种源的输入，执行不同的转换，并将数据导出到各种目标。
• Kibana
  是一个可视化层，可在Elasticsearch之上运行，用于搜索和可视化日志的Web界面。
• Filebeat
  安装在将其日志发送到Logstash的客户端服务器，Filebeat充当日志传送代理，使用 lumberjack 网络协议与 Logstash 进行通信。

ELK Stack还包括一系列名为Beats的log shippers。

对于小型开发环境，经典架构将如下所示： 为了处理为生产中处理大量数据而构建的更复杂的管道，可能会在日志记录体系结构中添加其他组件，以实现弹性（Kafka，RabbitMQ，Redis）和安全性（nginx）：

实践之后将其进一步优化为EFK，F代表Filebeat，用以解决Logstash导致的问题。

MacOS中安装ELK Stack

准备

• 安装HomeBrew
• 安装Java8

安装Elasticsearch

$ brew install elasticsearch && brew info elasticsearch
$ brew services start elasticsearch

访问 http://localhost:9200

安装Logstash

$ brew install logstash
$ brew services start logstash

安装Kibana

$ brew install kibana
$ brew services start kibana
$ brew services list
$ sudo vi /usr/local/etc/kibana/kibana.yml

内容如下：

server.port: 5601
elasticsearch.url: "http://localhost:9200”

访问 http://localhost:5601/status

CentOS中安装ELK Stack

准备

关闭SELinux

$ vi /etc/sysconfig/selinux

设置如下：

SELINUX=disabled

$ reboot
$ getenforce

安装java

jdk下载地址：http://www.oracle.com/technetwork/java/javase/downloads

$ wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http:%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/8u191-b12/2787e4a523244c269598db4e85c51e0c/jdk-8u191-linux-x64.rpm"
$ rpm -ivh jdk-8u191-linux-x64.rpm
$ java -version

安装Elasticsearch

安装Elasticsearch包

$ rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
$ wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.2.4.rpm
$ rpm -ivh elasticsearch-6.2.4.rpm

配置Elasticsearch

$ vi /etc/elasticsearch/elasticsearch.yml

配置如下：

# memory_lock设置为true，避免jvm、系统、硬盘进行内存交换，这对节点的健康非常重要。
bootstrap.memory_lock: true
# 配置本地访问（安全考虑）
network.host: localhost
# 配置默认端口
http.port: 9200

启动Elasticsearch

$ systemctl daemon-reload
$ systemctl enable elasticsearch
$ systemctl start elasticsearch

安装Kibana

安装Kibana

$ wget https://artifacts.elastic.co/downloads/kibana/kibana-6.2.4-x86_64.rpm
$ rpm -ivh kibana-6.2.4-x86_64.rpm

配置Kibana

$ vi /etc/kibana/kibana.yml

配置内容如下：

server.port: 5601
server.host: "localhost"
elasticsearch.url: "http://localhost:9200"

启动Kibana

$ systemctl enable kibana
$ systemctl start kibana

安装Nginx

安装Nginx

$ yum install epel-release
$ yum install -y nginx httpd-tools

配置Nginx

$ /etc/nginx/conf.d/kibana.conf

内容如下：

server {
    listen 80;
 
    server_name node11;
 
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.kibana;
 
    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

配置密码

$ htpasswd -c /etc/nginx/htpasswd.kibana admin
New password:
Re-type new password:
Adding password for user admin

启动Nginx

$ systemctl enable nginx
$ systemctl start nginx

安装Logstash

安装

$ wget https://artifacts.elastic.co/downloads/logstash/logstash-6.2.4.rpm
$ rpm -ivh logstash-6.2.4.rpm
$ vi /etc/pki/tls/openssl.cnf

在[ v3_ca ]增加新的行：

[ v3_ca ]

# Server IP Address
subjectAltName = IP: 10.0.2.15

生成证书

$ openssl req -config /etc/pki/tls/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout /etc/pki/tls/private/logstash-forwarder.key -out /etc/pki/tls/certs/logstash-forwarder.crt

配置输入配置文件

$ vi /etc/logstash/conf.d/filebeat-input.conf

input {
  beats {
    port => 5443
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

配置过滤器配置文件

$ vi /etc/logstash/conf.d/syslog-filter.conf

内容如下：

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

配置输出配置文件

$ vi /etc/logstash/conf.d/output-elasticsearch.conf

内容如下：

output {
  elasticsearch { hosts => ["localhost:9200"]
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

测试logstash配置

$ service logstash configtest

重启logstash

$ systemctl restart logstash
$ systemctl enable logstash

配置 Logstash 参考 Configuring Logstash

加载Kibana仪表盘

$ cd ~
$ curl -L -O https://download.elastic.co/beats/dashboards/beats-dashboards-1.1.0.zip
$ yum -y install unzip
$ unzip beats-dashboards-*.zip
$ cd beats-dashboards-*
$ ./load.sh

加载Filebeat索引模板(在ES中)

$ cd ~
# 下载Filebeat索引模板
$ curl -O https://gist.githubusercontent.com/thisismitch/3429023e8438cc25b86c/raw/d8c479e2a1adcea8b1fe86570e42abab0f10f364/filebeat-index-template.json
# 加载模板
$ curl -XPUT 'http://localhost:9200/_template/filebeat?pretty' -d@filebeat-index-template.json

安装Filebeat

CentOS中安装

安装Filebeat

# 拷贝证书
$ scp /etc/pki/tls/certs/logstash-forwarder.crt user@client_server_private_address:/tmp
$ mkdir -p /etc/pki/tls/certs
$ cp /tmp/logstash-forwarder.crt /etc/pki/tls/certs/
# 安装Filebeat
$ rpm --import http://packages.elastic.co/GPG-KEY-elasticsearch
$ vi /etc/yum.repos.d/elastic-beats.repo

内容如下

[beats]
name=Elastic Beats Repository
baseurl=https://packages.elastic.co/beats/yum/el/$basearch
enabled=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
gpgcheck=1

$ yum -y install filebeat

修改如下内容

paths:
        - /var/log/secure     #添加这一行
        - /var/log/messages   #添加这一行
#       - /var/log/*.log      #注释掉这行，以避免发送所有日志
...
      document_type: syslog   #把log修改为syslog
...
output:
  elasticsearch:
    #注释或删除掉elasticsearch整个部分
  logstash:                   #取消注释
    hosts: ["ELK_server_private_IP:5044"]    
    bulk_max_size: 1024
    tls:                      #取消注释
      certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]

配置Filebeat

$ vi /etc/filebeat/filebeat.yml

启动Filebeat

$ systemctl start filebeat
$ systemctl enable filebeat

测试Filebeat安装（ELK Server）

$ curl -XGET 'http://localhost:9200/filebeat-*/_search?pretty'

Ubuntu中安装

Sender

• logzio-java-sender
• logzio-log4j2-appender
• logzio-logback-appender
• winston-logzio
• logzio-bunyan
• logzio-nodejs
• logzio-python-handler
• logzio_aws_serverless
• logzio-dotnet
• fluent-plugin-logzio

参考

• 官方安装文档
• kibana源
• elasticsearch源
• logstash源
• Installing the ELK Stack on Mac OS X
• Installing the ELK Stack on Docker
• 从ELK到EFK
• How to Install the ELK Stack on CentOS 7
• How to Install ELK Stack (Elasticsearch, Logstash and Kibana) on CentOS 7 / RHEL 7
• ELK日志分析系统在CentOS 7.3的部署安装（RPM）
• How to Install Elastic Stack on CentOS 7
• How To Install Elasticsearch, Logstash, and Kibana (ELK Stack) on CentOS 7
• Elasticsearch, Logstash, Kibana (ELK) Docker image documentation