Filebeat + ELK log collection platform: setup guide

1. Overview:

Mode: single host

Platform: Linux - CentOS 7

ELK: the combination of three open-source components, Elasticsearch, Logstash and Kibana.

Filebeat: takes over Logstash's collection (shipper) role on the client hosts; it is lightweight and uses few resources.

Currently collected: nginx logs and Java logs [single-line | multi-line].

In every case a preliminary JSON format is defined in the client's logging configuration; Filebeat ships the lines to Logstash, Logstash stores them in Elasticsearch, and Kibana displays them in the browser.

If Elasticsearch, Logstash and Kibana are installed as root, three separate users (elasticsearch, logstash, kibana) are created by default so that each service runs under its own account. If they are installed as the www user they run as www by default; this guide uses www.

2. Software environment installation:

(1) Java environment:

Elasticsearch requires a Java 8 runtime.

If you do not have the JDK 1.8 package, you can install java-1.8.0-openjdk directly.

(2) Download the Elasticsearch (Linux) binary package and unpack it:

$ wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.4.0.tar.gz
$ tar -zxf elasticsearch-6.4.0.tar.gz
$ mv elasticsearch-6.4.0 elasticsearch
$ vim elasticsearch/config/elasticsearch.yml

path.data: /data/soft/elasticsearch/data/
path.logs: /data/soft/elasticsearch/logs/

 

$ sudo sysctl -w vm.max_map_count=262144
$ vim /etc/sysctl.conf (as root) and add the line:

vm.max_map_count=262144

$ sudo sysctl -p
$ vim /etc/security/limits.conf (as root) and append at the end:

*  soft  nproc   20536
*  hard  nproc   20536
*  soft  nofile  65536
*  hard  nofile  65536

Log out and log back in for the new limits to take effect.
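Before starting Elasticsearch it is worth confirming that the kernel setting and the session limits above really took effect (the limits.conf change only applies to a fresh login) and that the JVM on PATH is the one the guide requires. The script below is an added example, not code from the guide; its thresholds are the values set above, it reads the live values from /proc and the process rlimits, and the `java -version` text in its self-test is constructed.

```python
"""Pre-flight check for the limits Elasticsearch needs (added example, not from
the guide).  Thresholds are the values set above; the java text in __main__ is
constructed."""
import re
import resource
import subprocess

REQUIRED = {"vm.max_map_count": 262144, "nofile": 65536, "nproc": 20536}


def parse_java_major(version_text):
    """Major version from `java -version` output (which goes to stderr):
    '1.8.0_292' -> 8 (old 1.x scheme), '11.0.2' -> 11; None if absent."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_text)
    if not m:
        return None
    first, second = int(m.group(1)), m.group(2)
    return int(second) if first == 1 and second else first


def check_host(map_count, nofile_soft, nproc_soft, java_major):
    """Compare observed values with the guide's settings; returns the list of
    problems, empty when the host is ready for Elasticsearch."""
    problems = []
    if map_count < REQUIRED["vm.max_map_count"]:
        problems.append(f"vm.max_map_count is {map_count}, need {REQUIRED['vm.max_map_count']}")
    if nofile_soft < REQUIRED["nofile"]:
        problems.append(f"nofile soft limit is {nofile_soft}, need {REQUIRED['nofile']} "
                        "(limits.conf applies only to a new login session)")
    if nproc_soft < REQUIRED["nproc"]:
        problems.append(f"nproc soft limit is {nproc_soft}, need {REQUIRED['nproc']}")
    if java_major is None:
        problems.append("no java on PATH")
    elif java_major < 8:
        problems.append(f"java {java_major} found, Elasticsearch needs Java 8")
    return problems


def _soft_limit(which):
    """Soft rlimit of this session; 'unlimited' maps to infinity so it compares as enough."""
    soft, _ = resource.getrlimit(which)
    return float("inf") if soft == resource.RLIM_INFINITY else soft


def observe():
    """Read the live values on this host (Linux: /proc, rlimits, java -version)."""
    with open("/proc/sys/vm/max_map_count") as f:
        map_count = int(f.read())
    try:
        java_text = subprocess.run(["java", "-version"], capture_output=True,
                                   text=True).stderr
    except FileNotFoundError:
        java_text = ""
    return (map_count, _soft_limit(resource.RLIMIT_NOFILE),
            _soft_limit(resource.RLIMIT_NPROC), parse_java_major(java_text))


if __name__ == "__main__":
    # Self-test on a constructed `java -version` banner, then check the live host.
    sample = 'openjdk version "1.8.0_292"\nOpenJDK Runtime Environment (build 1.8.0_292-b10)'
    assert parse_java_major(sample) == 8
    for problem in check_host(*observe()) or ["host is ready"]:
        print(problem)
```

Run it in the same login session that will start Elasticsearch, as the www user: the rlimits it reports are those of the calling process, so a stale shell opened before limits.conf was edited will still show the old nofile value.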

Add the bin directories of Elasticsearch, Logstash, Kibana and Filebeat to the PATH environment variable:

/data/soft/logstash/bin:/data/soft/kibana/bin:/data/soft/elasticsearch/bin:/data/soft/filebeat

$ nohup elasticsearch -d >/data/soft/elasticsearch/nohup.out 2>&1 &

Once started, Elasticsearch listens on port 9200 by default.

$ curl -X GET localhost:9200    (or simply: curl localhost:9200)

{
  "name" : "zny0iRv",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "AErImFrFQOaoFPzNSdVmfA",
  "version" : {
    "number" : "6.4.0",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "595516e",
    "build_date" : "2018-08-17T23:18:47.308994Z",
    "build_snapshot" : false,
    "lucene_version" : "7.4.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

 

(3) Download the Logstash (Linux) binary package and unpack it:

$ wget https://artifacts.elastic.co/downloads/logstash/logstash-6.4.0.zip
$ unzip logstash-6.4.0.zip
$ mv logstash-6.4.0 logstash
$ cd logstash/config/
$ cat logstash.yml | grep -vE '^$|#'

# Number of pipeline worker threads; can be tuned to ---> pipeline.workers: number of CPU cores (or a small multiple of it)
pipeline.workers: 32
# Number of threads actually used for output; can be tuned to ---> pipeline.output.workers: no more than pipeline.workers
pipeline.output.workers: 32
# Number of events sent per batch
pipeline.batch.size: 8000
# Batch delay (milliseconds)
pipeline.batch.delay: 15
# Once multiline is configured in a filter, the pipeline worker count is automatically forced to 1. If Filebeat is used, handle multiline in the beat itself; if Logstash is the shipper, set multiline in the input, never in a filter.

 

$ vim logstash.conf

input {
  beats {
    codec => json
    port => 5044
    #host => "0.0.0.0"
  }
}

filter {
  mutate {
    remove_field => ["@version","[beat][name]","[beat][version]","[beat][hostname]","tags"]
    #remove_field => "message"
  }
  if [nx_upstream_host] != "-" {
    mutate {
      convert => {"nx_upstream_response_time"=>"float"}
      convert => {"nx_upstream_response_length"=>"integer"}
      convert => {"nx_upstream_connect_time"=>"float"}
    }
  } else {
    mutate {
      remove_field => ["nx_upstream_host","nx_upstream_response_time","nx_upstream_response_length","nx_upstream_status","nx_upstream_connect_time"]
    }
  }
}

output {
  # 8bet-test-srv-4:nginx
  if [project] == "8bet-admin" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "8bet-nginx-admin-%{+YYYY.MM.dd}"
    }
  } else if [project] == "8bet-h5" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "8bet-nginx-h5-%{+YYYY.MM.dd}"
    }
  } else if [project] == "8bet-newadmin" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "8bet-nginx-newadmin-%{+YYYY.MM.dd}"
    }
  } else if [project] == "8bet-newh5" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "8bet-nginx-newh5-%{+YYYY.MM.dd}"
    }
  } else if [project] == "8bet-nginx-error" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "8bet-nginx-error-%{+YYYY.MM.dd}"
    }
  # 8bet-test-srv-5:nginx
  } else if [project] == "pay-nginx-admin" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "pay-nginx-admin-%{+YYYY.MM.dd}"
    }
  } else if [project] == "pay-nginx-user" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "pay-nginx-user-%{+YYYY.MM.dd}"
    }
  } else if [project] == "pay-nginx-api" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "pay-nginx-api-%{+YYYY.MM.dd}"
    }
  } else if [project] == "pay-nginx-error" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "pay-nginx-error-%{+YYYY.MM.dd}"
    }
  # 8bet-test-srv-4:java
  } else if [source] == "/log/billing/info.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #manage_template => true
      #template_overwrite => true
      index => "8bet-java-billing-info-%{+YYYY.MM.dd}"
    }
  } else if [source] == "/log/billing/error.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #manage_template => true
      #template_overwrite => true
      index => "8bet-java-billing-error-%{+YYYY.MM.dd}"
    }
  } else if [source] == "/log/member/info.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #manage_template => true
      #template_overwrite => true
      index => "8bet-java-member-info-%{+YYYY.MM.dd}"
    }
  } else if [source] == "/log/member/error.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #manage_template => true
      #template_overwrite => true
      index => "8bet-java-member-error-%{+YYYY.MM.dd}"
    }
  } else if [source] == "/log/admin/info.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #manage_template => true
      #template_overwrite => true
      index => "8bet-java-admin-info-%{+YYYY.MM.dd}"
    }
  } else if [source] == "/log/admin/error.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #manage_template => true
      #template_overwrite => true
      index => "8bet-java-admin-error-%{+YYYY.MM.dd}"
    }
  } else if [source] == "/log/pay/info.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #manage_template => true
      #template_overwrite => true
      index => "8bet-java-pay-info-%{+YYYY.MM.dd}"
    }
  } else if [source] == "/log/pay/error.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #manage_template => true
      #template_overwrite => true
      index => "8bet-java-pay-error-%{+YYYY.MM.dd}"
    }
  } else if [source] == "/log/discount/info.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #manage_template => true
      #template_overwrite => true
      index => "8bet-java-discount-info-%{+YYYY.MM.dd}"
    }
  } else if [source] == "/log/discount/error.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #manage_template => true
      #template_overwrite => true
      index => "8bet-java-discount-error-%{+YYYY.MM.dd}"
    }
  } else if [source] == "/log/schedule/info.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #manage_template => true
      #template_overwrite => true
      index => "8bet-java-schedule-info-%{+YYYY.MM.dd}"
    }
  } else if [source] == "/log/schedule/error.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #manage_template => true
      #template_overwrite => true
      index => "8bet-java-schedule-error-%{+YYYY.MM.dd}"
    }
  } else if [source] == "/log/security/info.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #manage_template => true
      #template_overwrite => true
      index => "8bet-java-security-info-%{+YYYY.MM.dd}"
    }
  } else if [source] == "/log/security/error.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #manage_template => true
      #template_overwrite => true
      index => "8bet-java-security-error-%{+YYYY.MM.dd}"
    }
  } else if [source] == "/log/caipiao/info.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #manage_template => true
      #template_overwrite => true
      index => "8bet-java-caipiao-info-%{+YYYY.MM.dd}"
    }
  } else if [source] == "/log/caipiao/error.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #manage_template => true
      #template_overwrite => true
      index => "8bet-java-caipiao-error-%{+YYYY.MM.dd}"
    }
  } else if [source] == "/log/cpbilling/info.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #manage_template => true
      #template_overwrite => true
      index => "8bet-java-cpbilling-info-%{+YYYY.MM.dd}"
    }
  } else if [source] == "/log/cpbilling/error.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #manage_template => true
      #template_overwrite => true
      index => "8bet-java-cpbilling-error-%{+YYYY.MM.dd}"
    }
  } else if [source] == "/log/cpmessage/info.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #manage_template => true
      #template_overwrite => true
      index => "8bet-java-cpmessage-info-%{+YYYY.MM.dd}"
    }
  } else if [source] == "/log/cpmessage/error.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #manage_template => true
      #template_overwrite => true
      index => "8bet-java-cpmessage-error-%{+YYYY.MM.dd}"
    }
  } else if [source] == "/log/cpschedule/info.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #manage_template => true
      #template_overwrite => true
      index => "8bet-java-cpschedule-info-%{+YYYY.MM.dd}"
    }
  } else if [source] == "/log/cpschedule/error.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #manage_template => true
      #template_overwrite => true
      index => "8bet-java-cpschedule-error-%{+YYYY.MM.dd}"
    }
  }
  stdout {
    codec => rubydebug
  }
}

#output {
#  stdout { codec => rubydebug }
#  elasticsearch {
#    hosts => ["http://localhost:9200"]
#    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM}"
#  }
#}

 

 

Command to check the syntax of the Logstash configuration file:

$ logstash --path.settings /data/soft/logstash/config/ -f /data/soft/logstash/config/logstash.conf -t

$ nohup logstash -f /data/soft/logstash/config/logstash.conf >/data/soft/logstash/out.log 2>&1 &
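To make the filter and the long output chain above concrete, here is an added Python emulation (not code from the guide) of what the beats input with codec => json, the mutate filter and the [project]/[source] routing do to a handful of Filebeat events. The field names and index names are the ones in logstash.conf above; the sample log lines, the beat metadata values (web-1, 6.4.0) and the @timestamp are constructed. It goes slightly beyond the config in that it also exercises the two cases the chain handles silently: a source path that matches no branch is never indexed (it only reaches the stdout output), and a line that is not valid JSON is tagged _jsonparsefailure by the codec, after which the filter's remove_field on tags erases that marker.

```python
"""Offline emulation of the logstash.conf pipeline on this page (added example,
not the guide's own code): json codec -> mutate filter -> index routing.
Sample log lines and beat metadata below are constructed."""
import json
import re
from datetime import datetime

# Index prefix for each "[project] == ..." branch of the output block.
PROJECT_INDEX = {
    "8bet-admin": "8bet-nginx-admin", "8bet-h5": "8bet-nginx-h5",
    "8bet-newadmin": "8bet-nginx-newadmin", "8bet-newh5": "8bet-nginx-newh5",
    "8bet-nginx-error": "8bet-nginx-error", "pay-nginx-admin": "pay-nginx-admin",
    "pay-nginx-user": "pay-nginx-user", "pay-nginx-api": "pay-nginx-api",
    "pay-nginx-error": "pay-nginx-error",
}
# The 22 "[source] == /log/<service>/<level>.log" branches collapse to one pattern.
JAVA_SOURCE = re.compile(
    r"^/log/(billing|member|admin|pay|discount|schedule|security|"
    r"caipiao|cpbilling|cpmessage|cpschedule)/(info|error)\.log$")
UPSTREAM_CONVERT = {"nx_upstream_response_time": float,
                    "nx_upstream_response_length": int,
                    "nx_upstream_connect_time": float}
UPSTREAM_ALL = ["nx_upstream_host", "nx_upstream_status"] + list(UPSTREAM_CONVERT)


def decode_line(line, source):
    """What the beats input with codec => json hands to the filter: Filebeat's
    own fields merged with the decoded object.  A line that is not a JSON object
    stays in `message` and is tagged _jsonparsefailure, as the codec does
    (a root-level array, which the real codec splits, is treated as a failure here)."""
    event = {"@version": "1", "@timestamp": "2018-09-01T12:00:00.000Z",  # constructed
             "source": source,
             "beat": {"name": "web-1", "version": "6.4.0", "hostname": "web-1"}}
    try:
        body = json.loads(line)
        if not isinstance(body, dict):
            raise ValueError("root is not an object")
        event.update(body)
    except ValueError:
        event["message"] = line
        event["tags"] = ["_jsonparsefailure"]
    return event


def apply_filter(event):
    """The filter {} block: strip beat metadata (and tags), then convert the
    nginx upstream fields, or drop them all when nx_upstream_host is "-"."""
    event.pop("@version", None)
    event.pop("tags", None)  # also erases the _jsonparsefailure marker
    for key in ("name", "version", "hostname"):
        event.get("beat", {}).pop(key, None)
    if event.get("nx_upstream_host") != "-":   # true for a missing field too
        for field, cast in UPSTREAM_CONVERT.items():
            if field in event:                  # convert on a missing field is a no-op
                try:
                    event[field] = cast(event[field])
                except ValueError:
                    pass  # simplification: an unconvertible value is left as-is here
    else:
        for field in UPSTREAM_ALL:
            event.pop(field, None)
    return event


def route(event):
    """The output {} chain: [project] first, then [source]; %{+YYYY.MM.dd} is the
    event's UTC @timestamp.  None means only the stdout output sees the event."""
    prefix = PROJECT_INDEX.get(event.get("project"))
    if prefix is None:
        m = JAVA_SOURCE.match(event.get("source", ""))
        prefix = f"8bet-java-{m.group(1)}-{m.group(2)}" if m else None
    if prefix is None:
        return None
    day = datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return f"{prefix}-{day:%Y.%m.%d}"


# Constructed (source, raw line) pairs as Filebeat would read them from disk.
SAMPLE = [
    ("/log/nginx/access.log", '{"project":"8bet-h5","nx_upstream_host":"10.0.0.5:8080",'
     '"nx_upstream_response_time":"0.012","nx_upstream_response_length":"1234"}'),
    ("/log/nginx/access.log", '{"project":"8bet-h5","nx_upstream_host":"-",'
     '"nx_upstream_response_time":"-","nx_upstream_status":"-"}'),
    ("/log/billing/error.log", '{"level":"ERROR","msg":"payment gateway timeout"}'),
    ("/log/other/info.log", '{"level":"INFO","msg":"no branch matches this path"}'),
    ("/log/billing/info.log", 'Sep 01 12:00:00 plain text, not JSON'),
]


def process(pairs):
    """Run each pair through decode -> filter -> route; returns (index, event)."""
    results = []
    for source, line in pairs:
        event = apply_filter(decode_line(line, source))
        results.append((route(event), event))
    return results


if __name__ == "__main__":
    for index, event in process(SAMPLE):
        print(index or "(stdout only)", json.dumps(event))
```

Two things the emulation makes visible. First, because `tags` is removed unconditionally, a malformed line is indexed like any other event and can no longer be found by searching for `_jsonparsefailure` in Kibana; removing only the `[beat][...]` fields and keeping `tags` preserves that marker. Since the JSON is assembled by the client's log format, request-controlled values that may contain quotes or control characters must be escaped there (nginx's `log_format` supports `escape=json`), or they arrive as exactly this kind of parse failure. Second, the beats input as configured has no `ssl` settings and listens on all interfaces on port 5044, so Logstash accepts plaintext events from any host that can reach that port; the emulation does not model the transport.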

(4) Download the Kibana (Linux) binary package and unpack it:

$ wget https://artifacts.elastic.co/downloads/kibana/kibana-6.4.0-linux-x86_64.tar.gz
$ tar -zxf kibana-6.4.0-linux-x86_64.tar.gz
$ mv kibana-6.4.0-linux-x86_64 kibana
$ vim kibana/config/kibana.yml

elasticsearch.url: "http://localhost:9200"
elasticsearch.shardTimeout: 0
pid.file: /data/soft/kibana/kibana.pid

$ nohup /data/soft/kibana/bin/kibana >/data/soft/kibana/out.log 2>&1 &

3. Filebeat (collector side) configuration:

Using one Filebeat collection host as the example:

(1) nginx log format configuration:

$ vim /data/soft/nginx/conf/nginx.conf

user www;
worker_processes  4;
worker_rlimit_nofile 20000;
worker_cpu_affinity 00000001 00000010 00000100 00001000;
error_log /log/nginx/error.log error;
pid       /log/nginx/nginx.pid;

events {
    use epoll;
    worker_connections  20000;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    tcp_nodelay     on;
    tcp_nopush      on;
    client_body_timeout 10;
    client_header_timeout 10;
    send_timeout 10;
    keepalive_timeout  50;
    client_body_buffer_size  4k;
    client_header_buffer_size 1k;
    client_max_body_size 10m;
    large_client_header_buffers 2 1k;
    open_file_cache max=65535 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 1;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 8 16k;
    gzip_comp_level 3;
    gzip_http_version 1.1;
    gzip_disable "MSIE [1-6].";
    gzip_types text/plain application/x-javascript text/css application/xml application/x-httpd-php image/jpeg image/gif image/png;
    gzip_vary on;
