Published by 网络副手--寻路人 on 2022.05.18 00:23:00, in Tools / Enterprise technical support

# 9. Building an ELK (Elasticsearch, Logstash, Kibana) logging platform

## Preparation

1. Group A, staging/work machine (1.1): install the Elasticsearch, Kibana and Logstash services
2. Group B, production machine (1.2): Logstash service
3. Group C, production machine (1.3): Logstash service

## 1. Installing Elasticsearch

### 1.1 Installation

```
## 1. As before, ES is run as the workuser account
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.10.2-darwin-x86_64.tar.gz
tar -zxvf elasticsearch-7.10.2-darwin-x86_64.tar.gz
sudo mv elasticsearch-7.10.2 /usr/local
sudo chown -R workuser:workuser /usr/local/elasticsearch-7.10.2
```

### 1.2 Adjusting the configuration file

```
vim /usr/local/elasticsearch-7.10.2/config/elasticsearch.yml

network.host: 0.0.0.0
http.port: 9990
node.name: node-1
cluster.initial_master_nodes: ["node-1"]
xpack.ml.enabled: false
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
```

### 1.2.2 Resetting the built-in user passwords

```
/usr/local/elasticsearch-7.10.2/bin/elasticsearch-setup-passwords interactive

# Suppose the password is set to 123456
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

# Restart ES
kill <PID>
elasticsearch -d   # restart
```

### 1.3 Starting the service

```
elasticsearch -d   # start in the background

#### -------- Run it under the supervisor daemon instead, so it is restarted after an abnormal exit
vim /etc/supervisord.d/elasticsearch.ini

[program:elasticsearch]
command=/usr/local/elasticsearch-7.10.2/bin/elasticsearch
user=workuser
directory=/usr/local/elasticsearch-7.10.2/bin/
autostart=true
autorestart=true
environment=JAVA_HOME=/usr/java/jdk1.8.0_131/
startretries=3
stopsignal=INT
startsecs=10
stdout_logfile=/home/www/rd_www/logs/elastic/elasticsearch.log
stderr_logfile=/home/www/rd_www/logs/elastic/elasticsearch.log
```

Reload the supervisor configuration:

```
supervisorctl update
```

Stop and disable commands:

```
sudo systemctl stop elasticsearch
sudo systemctl disable elasticsearch
```

### 1.4 Test result after startup

```
curl 127.0.0.1:9990
{
  "name" : "node-1",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "m6nNjqHBSOujJx23zwqu4Q",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
```

### 1.5 Startup errors and fixes

```
Error 1:
max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
Fix:
# run as root
vim /etc/security/limits.conf
# raise the maximum open files and the maximum number of processes/threads
# append at the end of the file (replace elastic with the account that runs Elasticsearch, workuser in this setup)
elastic hard nofile 65536
elastic soft nofile 65536
elastic hard nproc 4096
elastic soft nproc 4096

Error 2:
max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
# run as root
vi /etc/sysctl.conf
# append at the end of the file
vm.max_map_count = 655360
# save and exit, then apply the change
sysctl -p

Error 3:
This could be due to running on an unsupported OS or distribution, missing OS libraries, or a problem with the temp directory.
Fix:
add one setting to elasticsearch.yml in the config directory: xpack.ml.enabled: false

Error 4:
the default discovery settings are unsuitable for production use; at least one of [discovery.seed_hosts, discovery.seed_providers, cluster.initial_master_nodes] must be configured
Fix:
in the configuration file: cluster.initial_master_nodes: ["node-1"]
```

## 2. Logstash (installation)

### 1. Installation

```
wget https://artifacts.elastic.co/downloads/logstash/logstash-7.10.2-linux-x86_64.tar.gz
tar -zxvf logstash-7.10.2-linux-x86_64.tar.gz
sudo mv logstash-7.10.2 /usr/local/

## environment variables
vim ~/.bash_profile
export LOGSTASH_HOME=/usr/local/logstash-7.10.2
PATH=$PATH:$LOGSTASH_HOME/bin
source ~/.bash_profile
```
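The four startup errors listed in section 1.5 come from the Elasticsearch bootstrap checks, which are enforced as soon as network.host is set to a non-loopback address as it is in 1.2. The script below is an added example, not part of the original post, that checks the kernel and ulimit values against the minimums those checks enforce (262144 for vm.max_map_count, 65535 open files, 4096 processes) before the node is started; the remedy strings mirror the fixes in 1.5. The live probe assumes a Linux host; the pure functions run anywhere.

```python
"""Preflight check for the Elasticsearch bootstrap limits (added example, not from the original post)."""
from pathlib import Path

# Minimums enforced by the ES 7.x bootstrap checks once network.host is non-loopback
REQUIRED = {"vm.max_map_count": 262144, "nofile": 65535, "nproc": 4096}

# Remedies matching section 1.5; <user> is the account that runs Elasticsearch (workuser above)
REMEDY = {
    "vm.max_map_count": "append 'vm.max_map_count = 262144' to /etc/sysctl.conf and run 'sysctl -p'",
    "nofile": "append '<user> soft nofile 65536' and '<user> hard nofile 65536' to /etc/security/limits.conf",
    "nproc": "append '<user> soft nproc 4096' and '<user> hard nproc 4096' to /etc/security/limits.conf",
}


def parse_sysctl_conf(text):
    """Parse 'key = value' lines as found in /etc/sysctl.conf; comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = int(value) if value.isdigit() else value
    return settings


def check_limits(max_map_count, nofile, nproc):
    """Return [(setting, current, required, remedy)] for every value below the ES minimum.

    A value of None means it could not be determined and is reported as a problem too.
    """
    current = {"vm.max_map_count": max_map_count, "nofile": nofile, "nproc": nproc}
    problems = []
    for name, minimum in REQUIRED.items():
        value = current[name]
        if value is None or value < minimum:
            problems.append((name, value, minimum, REMEDY[name]))
    return problems


def probe_host():
    """Read the live values on a Linux host; returns (max_map_count, nofile, nproc), None where unavailable."""
    try:
        max_map_count = int(Path("/proc/sys/vm/max_map_count").read_text().strip())
    except (OSError, ValueError):
        max_map_count = None
    try:
        import resource  # POSIX only

        def soft(limit):
            value = resource.getrlimit(limit)[0]
            return float("inf") if value == resource.RLIM_INFINITY else value

        nofile, nproc = soft(resource.RLIMIT_NOFILE), soft(resource.RLIMIT_NPROC)
    except (ImportError, AttributeError, ValueError):
        nofile = nproc = None
    return max_map_count, nofile, nproc


if __name__ == "__main__":
    problems = check_limits(*probe_host())
    for name, value, minimum, remedy in problems:
        print(f"{name}: {value} < {minimum} -> {remedy}")
    print("ready for elasticsearch -d" if not problems else f"{len(problems)} limit(s) need fixing")
```

Run it as the account and in the kind of session that will actually start Elasticsearch: limits.conf entries are applied by PAM at login, so a daemon started by supervisor or systemd can see different soft limits than the interactive shell where the values were checked.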
### 2. Modifying the configuration files

Create a conf.d directory under $LOGSTASH_HOME/config/ and put one configuration file per project in it:

```
├── conf.d
│   ├── muse-api.conf   # project A
│   └── muse-pay.conf   # project B
```

```
sudo vim $LOGSTASH_HOME/config/conf.d/muse-api.conf

input {
  file {
    path => "/home/www/xxxx/logs/muse-api/project-app.log"
    type => "muse-api-app"
    start_position => "beginning"
    stat_interval => "5"
  }
}
input {
  file {
    path => "/home/www/xxxx/logs/muse-api/api_log*.out*"
    type => "muse-api-out"
    start_position => "beginning"
    stat_interval => "5"
  }
}
input {
  file {
    path => "/home/www/xxxx/logs/muse-api/project-web.log"
    type => "muse-api-web"
    start_position => "beginning"
    stat_interval => "5"
  }
}

filter {
  if [type] == "muse-api-web" {
    json {
      source => "message"
    }
    date {
      match => [ "time", "yyyy-MM-dd HH:mm:ss", "yyyy-MM-dd HH:mm:ss.SSS" ]
      target => "@timestamp"
    }
    if [paymentType] == "Mastercard" {
      drop {}
    }
    mutate {
      remove_field => ["message", "host"]
    }
  } else if [type] == "muse-api-app" {
    json {
      source => "message"
    }
    date {
      match => [ "time", "yyyy-MM-dd HH:mm:ss", "yyyy-MM-dd HH:mm:ss.SSS" ]
      target => "@timestamp"
    }
    if [paymentType] == "Mastercard" {
      drop {}
    }
    prune {
      whitelist_names => [ "path", "type", "Trace-Id", "level", "msg", "time", "@timestamp", "message", "host" ]
    }
  }
}

output {
  if [type] == "muse-api-web" {
    elasticsearch {
      hosts => ["http://172.0.0.1:9990"]
      index => "beta-web-muse-api-%{+YYYY.MM.dd}"
      ## once authentication is enabled, create a separate ES account with write-only rights for this output instead of using elastic
      user => "elastic"
      password => "123456"
    }
  } else if [type] == "muse-api-out" {
    elasticsearch {
      hosts => ["http://172.0.0.1:9990"]
      index => "beta-out-muse-api-%{+YYYY.MM.dd}"
      ## once authentication is enabled, create a separate ES account with write-only rights for this output instead of using elastic
      user => "elastic"
      password => "123456"
    }
  } else if [type] == "muse-api-app" {
    elasticsearch {
      hosts => ["http://172.0.0.1:9990"]
      index => "beta-app-muse-api-%{+YYYY.MM.dd}"
      ## once authentication is enabled, create a separate ES account with write-only rights for this output instead of using elastic
      user => "elastic"
      password => "123456"
    }
  }
}

# vim /usr/local/logstash-7.10.2/config/logstash.yml
# path.data: /home/www/logstash_data
```
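The filter block above does three things a defender cares about: it turns each JSON log line into fields, drops every event whose paymentType is Mastercard before it reaches Elasticsearch, and (for the app log) whitelists the fields that are allowed to be indexed. The script below is an added example, not part of the original post, that replays that pipeline offline over a few constructed log lines so the effect of each stage can be seen without a running Logstash. The sample lines, the host name web02 and the card-number field are constructed; the type names, whitelist, time patterns and index prefixes are the ones from the configuration above, with whitelist names matched exactly rather than as regexes.

```python
"""Offline walk-through of the muse-api Logstash pipeline above (added example, not from the original post)."""
import json
from datetime import datetime, timezone

# Constructed sample lines in the shape the filter expects; (type, raw line). Not real project logs.
SAMPLE_LINES = [
    ("muse-api-app", '{"time":"2022-09-21 11:52:17.879","level":"INFO","msg":"order created",'
                     '"Trace-Id":"abc123","paymentType":"Visa","cardNumber":"4111111111111111"}'),
    ("muse-api-app", '{"time":"2022-09-21 11:52:18","level":"INFO","msg":"order created",'
                     '"Trace-Id":"def456","paymentType":"Mastercard"}'),
    ("muse-api-web", '{"time":"2022-09-21 11:53:00","level":"WARN","msg":"slow request","path":"/pay"}'),
    ("muse-api-out", "plain stdout line from the application"),
    ("muse-api-app", "not json at all"),
]

# date { match => [...] } patterns, translated to strptime
TIME_FORMATS = ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M:%S.%f")
# prune { whitelist_names => [...] } (exact names here; Logstash treats them as regexes)
APP_WHITELIST = {"path", "type", "Trace-Id", "level", "msg", "time", "@timestamp", "message", "host"}
# index => "...-%{+YYYY.MM.dd}" prefixes from the output block
INDEX_PREFIX = {"muse-api-web": "beta-web-muse-api",
                "muse-api-out": "beta-out-muse-api",
                "muse-api-app": "beta-app-muse-api"}


def parse_time(value):
    """date{} semantics: the first pattern that matches wins; None when none match."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def apply_filter(event, now):
    """Mirror the filter{} block. Returns the event, or None when drop{} fires."""
    kind = event["type"]
    if kind not in ("muse-api-web", "muse-api-app"):
        event["@timestamp"] = now          # muse-api-out has no filter branch
        return event
    try:                                   # json { source => "message" }
        parsed = json.loads(event["message"])
        if not isinstance(parsed, dict):
            raise ValueError("not a JSON object")
        event.update(parsed)
    except ValueError:
        event.setdefault("tags", []).append("_jsonparsefailure")
    # date{} writes @timestamp; when no pattern matches, Logstash keeps the ingestion time
    event["@timestamp"] = parse_time(str(event.get("time", ""))) or now
    if event.get("paymentType") == "Mastercard":
        return None                        # drop{}
    if kind == "muse-api-web":
        for field in ("message", "host"):  # mutate { remove_field => [...] }
            event.pop(field, None)
    else:
        for field in list(event):          # prune { whitelist_names => [...] }
            if field not in APP_WHITELIST:
                del event[field]
    return event


def index_for(event):
    """output{} index name: per-type prefix plus the event's @timestamp date, as %{+YYYY.MM.dd} does (UTC)."""
    return f"{INDEX_PREFIX[event['type']]}-{event['@timestamp'].strftime('%Y.%m.%d')}"


def run_pipeline(lines, now=None):
    """Build one event per line as file{} would, filter it and route it. Returns [(index, event)]."""
    now = now or datetime.now(timezone.utc)
    routed = []
    for kind, line in lines:
        event = {"message": line, "type": kind, "host": "web02",        # host name is constructed
                 "path": f"/home/www/xxxx/logs/muse-api/{kind}.log"}  # path as file{} sets it
        filtered = apply_filter(event, now)
        if filtered is not None:
            routed.append((index_for(filtered), filtered))
    return routed


if __name__ == "__main__":
    for index, event in run_pipeline(SAMPLE_LINES):
        print(index, {k: v for k, v in event.items() if k != "@timestamp"})
```

Two things the replay makes visible. First, in the app branch the prune whitelist removes cardNumber and paymentType as parsed fields, but `message` is also whitelisted, so the raw line, card number included, is still indexed; if the point of the whitelist is to keep such values out of Elasticsearch, drop `message` from it once the JSON parse has succeeded. Second, the output blocks carry the elastic superuser password in clear text in a file readable by the Logstash account; Logstash can read it from its keystore instead (`bin/logstash-keystore create`, `bin/logstash-keystore add ES_PWD`, then `password => "${ES_PWD}"` in the pipeline), and the comment in the configuration about a dedicated write-only account applies regardless of where the secret is stored.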
### 3. Configuring the service

```
sudo vim /lib/systemd/system/logstash.service

[Unit]
Description=Logstash

[Service]
ExecStart=/usr/local/logstash-7.10.2/bin/logstash -f /usr/local/logstash-7.10.2/config/conf.d
User=workuser
Group=workuser

[Install]
WantedBy=multi-user.target

# enable the service at boot:
systemctl enable logstash
# start the service
systemctl start logstash
```

## 3. Kibana (installation)

### 1. Installation

```
wget https://artifacts.elastic.co/downloads/kibana/kibana-7.10.2-linux-x86_64.tar.gz
tar -zxvf kibana-7.10.2-linux-x86_64.tar.gz
sudo mv kibana-7.10.2-linux-x86_64 /usr/local/kibana-7.10.2

### environment variables
export KIBANA_HOME=/usr/local/kibana-7.10.2
PATH=$PATH:$KIBANA_HOME/bin
```

### 2. Configuration file

```
vim $KIBANA_HOME/config/kibana.yml

# Kibana port
server.port: 9989
# Kibana bind address
server.host: "localhost"
# ES instance URL
elasticsearch.hosts: ["http://localhost:9990"]
#i18n.locale: "zh-CN"   # Chinese UI, if wanted
i18n.locale: "en"
elasticsearch.username: "kibana"
elasticsearch.password: "123456"
xpack.security.enabled: true   # otherwise the UI shows a warning
xpack.encryptedSavedObjects.encryptionKey: encryptedSavedObjects12345678909876543210
xpack.security.encryptionKey: encryptionKeysecurity12345678909876543210
xpack.reporting.encryptionKey: encryptionKeyreporting12345678909876543210
xpack.reporting.capture.browser.chromium.disableSandbox: true
```

### 3. Start at boot

```
vim /lib/systemd/system/kibana.service
# contents:
[Unit]
Description=Kibana

[Service]
LimitNOFILE=100000
LimitNPROC=100000
ExecStart=/usr/local/kibana-7.10.2/bin/kibana --allow-root
User=workuser
Group=workuser

[Install]
WantedBy=multi-user.target
```

## 4. Follow-up

1. Logstash cannot collect logs and reports:

```
[2022-09-21T11:52:17,879][WARN ][logstash.outputs.elasticsearch][main][158478b541e99d313d8fc5d80ff3e7af8fff1e3d4017d116ab05c55fa4cf2ff7] Could not index event to Elasticsearch.
{:status=>400, :action=>["index", {:_id=>nil, :_index=>"web02-out-muse-pay-2022.09.21", :routing=>nil, :_type=>"_doc"}, #], :response=>{"index"=>{"_index"=>"web02-out-muse-pay-2022.09.21", "_type"=>"_doc", "_id"=>nil, "status"=>400, "error"=>{"type"=>"validation_exception", "reason"=>"Validation Failed: 1: this action would add [2] total shards, but this cluster currently has [1000]/[1000] maximum shards open;"}}}}
```

Fix: the shard limit is exhausted. Run the following in Kibana Dev Tools:

```
PUT /_cluster/settings
{
  "persistent": {
    "cluster.max_shards_per_node": "5000"
  }
}
```

## 5. Kibana configuration and use

### 4.1 Files that collect the aggregated data

### 4.2 Display details after importing the business data

### 4.3 Building the business dashboard
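Returning to the shard error in section 4: the cluster rejects the new index because the cluster-wide cap on open shards (cluster.max_shards_per_node, 1000 per node by default, multiplied by the number of data nodes) has been reached, and that is a direct consequence of the index layout in section 2, which creates one index per project, per log type and per day, each with the default one primary and one replica, so every day adds 2 shards per project and type. Raising the cap to 5000 buys time but does not stop the growth. The script below is an added example, not from the original post, that budgets the shard count for this layout so the cap and a retention period can be chosen together; the project and type counts used in the demonstration are assumptions.

```python
"""Shard budget for the per-project, per-type, daily index layout (added example, not from the original post)."""
import math

DEFAULT_CAP = 1000  # Elasticsearch default for cluster.max_shards_per_node


def shards_per_day(projects, types_per_project, primaries=1, replicas=1):
    """Shards created each day: one index per project and log type, primaries * (1 + replicas) shards each.

    Replicas count toward the cap even when they stay unassigned on a single-node cluster.
    """
    return projects * types_per_project * primaries * (1 + replicas)


def days_until_cap(projects, types_per_project, nodes=1, cap=DEFAULT_CAP, primaries=1, replicas=1):
    """Days of indexing before the cluster-wide cap (cap * nodes open shards) rejects new indices."""
    return (nodes * cap) // shards_per_day(projects, types_per_project, primaries, replicas)


def open_shards(projects, types_per_project, retention_days, primaries=1, replicas=1):
    """Steady-state open shards when indices older than retention_days are deleted (e.g. by an ILM delete phase)."""
    return retention_days * shards_per_day(projects, types_per_project, primaries, replicas)


def cap_for_retention(projects, types_per_project, retention_days, nodes=1, primaries=1, replicas=1):
    """Smallest cluster.max_shards_per_node that keeps retention_days of this layout open."""
    return math.ceil(open_shards(projects, types_per_project, retention_days, primaries, replicas) / nodes)


if __name__ == "__main__":
    projects, types = 2, 3  # muse-api and muse-pay, each with app/out/web logs (assumed counts)
    print("shards per day:", shards_per_day(projects, types))
    print("days until the default cap on one node:", days_until_cap(projects, types))
    print("same with replicas=0 on a single node:", days_until_cap(projects, types, replicas=0))
    print("open shards at 30 days retention:", open_shards(projects, types, 30))
    print("cap needed for 365 days retention:", cap_for_retention(projects, types, 365))
```

With the two projects and three log types above, the default cap is reached after 83 days, which matches an ELK set up in May hitting the limit in September. On a single node the replica shards can never be assigned and only consume the budget, so an index template with number_of_replicas: 0 halves the daily cost; deleting indices after a fixed retention period keeps the open count bounded, and the cap can then be sized to that bound instead of being raised whenever the error returns.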