ELK walkthrough

I. What ELK is

Official demo: https://demo.elastic.co/   shows everything the ELK stack can collect and display

The simplest ELK architecture. ELK stands for Elasticsearch, Logstash, Kibana.
To collect logs from a host, install and configure Filebeat on that host and point it at Elasticsearch (ES). Once the data is in ES, Kibana (or the es-head plugin) queries it and displays it. Note that nothing in this walkthrough actually uses Logstash: Filebeat ships straight to ES, which is the lighter variant of the stack; Logstash only enters the picture when you need parsing or enrichment that Filebeat cannot do on its own.

Log sources by tier:

Proxy tier: nginx, haproxy
Web tier:   nginx
DB tier:    mysql, redis, MongoDB, es

II. ELK deployment

Hosts: 10.4.7.2, 10.4.7.3, 10.4.7.4
nginx on all three: 10.4.7.2, 10.4.7.3, 10.4.7.4
ES on one host: 10.4.7.2
Kibana on one host: 10.4.7.2

Sizing:
10.4.7.2: at least 2 GB RAM (it runs ES and Kibana)
10.4.7.3: at least 512 MB RAM
10.4.7.4: at least 512 MB RAM

1. Deploy ES

How to deploy ES was covered in an earlier article, so only the commands are listed here.

On 10.4.7.2:

[root@7-2 ]# yum install -y java-1.8.0-openjdk.x86_64
[root@7-2 ]# mkdir -p /opt/installpag;cd /opt/installpag
[root@7-2 installpag ]# rz elasticsearch-6.6.0.rpm 
[root@7-2 installpag ]# rpm -ivh elasticsearch-6.6.0.rpm 
[root@7-2 ]# systemctl daemon-reload;systemctl enable elasticsearch.service;systemctl start elasticsearch.service
[root@7-2 ]# vi /etc/elasticsearch/elasticsearch.yml
[root@7-2 installpag]# grep "^[a-Z]" /etc/elasticsearch/elasticsearch.yml 
node.name: node-1
path.data: /data/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 10.4.7.2,127.0.0.1
http.port: 9200
 
[root@7-2 ]# mkdir -p /data/elasticsearch;chown -R elasticsearch:elasticsearch /data/elasticsearch/
[root@7-2 ]# systemctl restart elasticsearch;systemctl edit elasticsearch
[Service]
LimitMEMLOCK=infinity
 
[root@7-2 ]# systemctl daemon-reload;systemctl restart elasticsearch;systemctl status elasticsearch
 
[root@7-2 ]# netstat -tulpn |grep 9200
tcp6       0      0 10.4.7.2:9200           :::*                    LISTEN      3404/java           
tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN      3404/java       

Security note: with network.host set to 10.4.7.2, port 9200 is reachable from the whole 10.4.7.0/24 segment, and this ES 6.6.0 install has no authentication at all (the free basic license did not include X-Pack security until 6.8/7.1). Anyone who can reach 9200 can read, write and delete every index, including the .kibana index and all collected logs, with a single curl. That is acceptable for a lab; anywhere else, restrict 9200 (and the 9300 transport port) with a host firewall to the Filebeat hosts and Kibana, or enable security.

2. Sync the clocks

On all three hosts (10.4.7.2, 10.4.7.3, 10.4.7.4):

yum install -y ntpdate
ntpdate time1.aliyun.com

Filebeat stamps each event (@timestamp) with the clock of the host it runs on, and the index names used later are derived from that date, so a skewed clock makes events land in the wrong index and fall outside Kibana's time window. A one-shot ntpdate is enough for the lab; a real host should run chronyd or ntpd.

3. Configure the ES-head plugin

Covered in an earlier article; not repeated here.

4. Deploy Kibana

 4.1. Install Kibana

There is only one ES node (10.4.7.2), so one Kibana instance is enough; it goes on 10.4.7.2 as well.

On 10.4.7.2:

[root@7-2 ]# cd /opt/installpag/
[root@7-2 installpag ]# rz kibana-6.6.0-linux-x86_64.tar.gz
[root@7-2 installpag]# tar -zxvf kibana-6.6.0-linux-x86_64.tar.gz -C /usr/local/
[root@7-2 ]# vim /usr/local/kibana-6.6.0/config/kibana.yml
[root@7-2 ]# grep "^[a-z]" /usr/local/kibana-6.6.0/config/kibana.yml 
server.port: 5601
server.host: "10.4.7.2"
server.name: "db01"
elasticsearch.hosts: ["http://10.4.7.2:9200"]
kibana.index: ".kibana"

Start it in the background:
[root@7-2 ]# nohup /usr/local/kibana-6.6.0/bin/kibana >/dev/null 2>&1 &

Two things to be aware of with this start method. Kibana writes its log to stdout by default, so >/dev/null throws the log away; set logging.dest in kibana.yml to a file if you want to be able to debug it. And Kibana 6.6 has no login of its own, so binding server.host to 10.4.7.2 exposes the whole UI to everyone on the LAN, including the Dev Tools console, which proxies arbitrary requests to ES. That is the same exposure as the unauthenticated ES port and should be handled the same way (firewall, or a reverse proxy with authentication in front of 5601).

Explanation: 
1. elasticsearch.hosts: ["http://10.4.7.2:9200"]   Kibana reads its data from ES, so it needs to know where ES is.
2. kibana.index: ".kibana"     Kibana stores saved searches, visualizations and dashboards in an ES index. If the index does not exist Kibana creates it, so after the first start you will find a .kibana index in ES holding Kibana's own state.

3. What ./kibana & does
./kibana &: started this way, Kibana stays attached to the terminal's session; when that terminal hangs up (window closed, connection dropped, logout with Ctrl+D) the process receives SIGHUP and Kibana stops. nohup makes it ignore SIGHUP so it survives.

4. >/dev/null 2>&1 &
We often start background programs with the form nohup command &, for example a Java service:
nohup java -jar xxxx.jar &
To keep the program's output off the console we add >/dev/null 2>&1 to discard all of it: nohup java -jar xxxx.jar >/dev/null 2>&1 &
The order of the two redirections matters:

Redirection         stdout      stderr
>/dev/null 2>&1     discarded   discarded
2>&1 >/dev/null     discarded   screen

(2>&1 copies wherever stdout points at that moment, so in the second form stderr is bound to the terminal before stdout is sent to /dev/null.)

 

 4.2. Check Kibana's status

Look at ES first: the .kibana_1 index (aliased as .kibana) is what kibana.index: ".kibana" in /usr/local/kibana-6.6.0/config/kibana.yml refers to.

Open http://10.4.7.2:5601. Kibana is slow to come up (it depends on how much memory the host has).

After a while the welcome page offers "Try our sample data" (load the built-in sample data sets) or "Explore on my own" (create everything yourself).

After clicking "Try our sample data", the banner at the top is the telemetry opt-in ("Help us improve the Elastic Stack by providing usage statistics"); close it. The three cards below it are the built-in sample data sets.

Back in ES, the kibana_sample_data_ecommerce index is the sample data set that was just loaded.

Note: if .kibana_1 is deleted from ES by mistake, restarting Kibana recreates it, but as an empty default: every index pattern, saved search, visualization and dashboard is gone. Since ES here accepts deletes from anyone on the LAN, snapshot the .kibana index before relying on anything saved in it.

5. Deploy nginx

On 10.4.7.2, 10.4.7.3, 10.4.7.4:

[root@7-2 bin]# yum install nginx httpd-tools -y   httpd-tools provides ab, used here to load-test nginx
[root@7-3 nginx]# systemctl stop httpd;systemctl disable httpd   httpd must be stopped if it is present: we only want the ab tool from httpd-tools (that package does not pull in httpd itself), and httpd binds port 80 just like nginx, so nginx cannot start while httpd is running
[root@7-3 nginx]# systemctl start nginx
[root@7-3 nginx]# netstat -tulpn |grep 80
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2754/nginx: master  
tcp6       0      0 :::80                   :::*                    LISTEN      2754/nginx: master  

Load test to confirm it works:
[root@7-2 nginx]# ab -n 100 -c 100 http://10.4.7.2/
Check the log; if entries appear, nginx is serving requests:
[root@7-2 nginx]# tail -f access.log 
10.4.7.2 - - [23/Feb/2021:13:43:14 +0800] "GET / HTTP/1.0" 200 4833 "-" "ApacheBench/2.3" "-"
10.4.7.2 - - [23/Feb/2021:13:43:14 +0800] "GET / HTTP/1.0" 200 4833 "-" "ApacheBench/2.3" "-"
10.4.7.2 - - [23/Feb/2021:13:43:14 +0800] "GET / HTTP/1.0" 200 4833 "-" "ApacheBench/2.3" "-"
10.4.7.2 - - [23/Feb/2021:13:43:14 +0800] "GET / HTTP/1.0" 200 4833 "-" "ApacheBench/2.3" "-"
10.4.7.2 - - [23/Feb/2021:13:43:14 +0800] "GET / HTTP/1.0" 200 4833 "-" "ApacheBench/2.3" "-"
10.4.7.2 - - [23/Feb/2021:13:43:14 +0800] "GET / HTTP/1.0" 200 4833 "-" "ApacheBench/2.3" "-"
10.4.7.2 - - [23/Feb/2021:13:43:14 +0800] "GET / HTTP/1.0" 200 4833 "-" "ApacheBench/2.3" "-"
10.4.7.2 - - [23/Feb/2021:13:43:14 +0800] "GET / HTTP/1.0" 200 4833 "-" "ApacheBench/2.3" "-"
10.4.7.2 - - [23/Feb/2021:13:43:14 +0800] "GET / HTTP/1.0" 200 4833 "-" "ApacheBench/2.3" "-"
10.4.7.2 - - [23/Feb/2021:13:43:14 +0800] "GET / HTTP/1.0" 200 4833 "-" "ApacheBench/2.3" "-"

6. Deploy Tomcat

On 10.4.7.2, 10.4.7.3, 10.4.7.4:

[root@7-2 ~]# yum install tomcat tomcat-webapps tomcat-admin-webapps tomcat-docs-webapp tomcat-javadoc -y

Start it:
[root@7-2 ~]# systemctl start tomcat;systemctl status tomcat
[root@7-2 ~]# lsof -i:8080
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    18915 tomcat   49u  IPv6  61950      0t0  TCP *:webcache (LISTEN)

Explanation:
Server: tomcat
Bundled sample applications: tomcat-webapps tomcat-admin-webapps tomcat-docs-webapp tomcat-javadoc
(lsof prints the port by its /etc/services name; webcache is 8080.) The sample and admin web applications (examples, docs, manager, host-manager) are installed here only so that something generates access-log lines. They enlarge the attack surface of every Tomcat they are deployed on and do not belong on a production instance, and the manager applications must never be reachable without authentication and an IP allow-list.

7. Deploy Filebeat

Start with 10.4.7.2:

7.1. Install Filebeat

[root@7-2 installage ]#  rz filebeat-6.6.0-linux-x86_64.tar.gz
[root@7-2 installage ]#  tar -zxvf filebeat-6.6.0-linux-x86_64.tar.gz -C /usr/local/
[root@7-2 installage ]#  mv /usr/local/filebeat-6.6.0-linux-x86_64/ /usr/local/filebeat-6.6.0
[root@7-2 installage ]#  vim /usr/local/filebeat-6.6.0/filebeat.yml
[root@7-2 ~]# egrep -v "#|^$" /usr/local/filebeat-6.6.0/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
setup.kibana:
output.elasticsearch:
  hosts: ["10.4.7.2:9200"]
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

Start it:
[root@7-2 installage ]# echo 'export PATH=$PATH:/usr/local/filebeat-6.6.0/' >>/etc/profile
[root@7-2 installage ]# source /etc/profile
[root@7-2 installage ]# filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml >/dev/null 2>&1 &

The single quotes in the echo matter: with double quotes the shell expands $PATH immediately and bakes this session's PATH into /etc/profile instead of the literal $PATH. Note also what the start line does: -e sends Filebeat's own log to stderr, which is then discarded, and there is no nohup, so a terminal hang-up can take the process down with it. That is fine for experimenting; on a real host install the RPM and run it under systemd (the RPM ships a unit and keeps its registry under /var/lib/filebeat), as is done for the other two hosts later on.


Explanation:

###################### Filebeat Configuration Example #########################
The Filebeat configuration example

#=========================== Filebeat inputs =============================
Filebeat inputs. nginx writes the log and Filebeat reads it, so the nginx log path goes here.

filebeat.inputs:

- type: log   the input type: a plain log file, read line by line
  enabled: false    whether this input is active
  paths:   the paths Filebeat collects from
    - /var/log/*.log

#==================== Elasticsearch template setting ==========================
Shards: how many primary shards the Filebeat index template asks ES for
setup.template.settings:  
  index.number_of_shards: 3  the default is 3; leave it for now (a single-node lab cluster would do just as well with 1)

#================================ Outputs =====================================
Filebeat outputs.

#-------------------------- Elasticsearch output ------------------------------
Filebeat reads the nginx log and sends it to ES.

output.elasticsearch:
  hosts: ["10.4.7.2:9200"]    send to the ES on 10.4.7.2 (plain HTTP and no credentials: anyone on the network path can read or alter the log traffic)


7.2. Check the result

An index named filebeat-6.6.0-2021.02.23 appears, populated automatically. It holds 100 docs, one per line in /var/log/nginx/access.log, which is what the earlier load test produced.

Browse the data: the message field holds the raw /var/log/nginx/access.log line.

III. ELK: collecting nginx logs

1. Adding data to Kibana and viewing it

1.1. Add the ES data to Kibana

Click Index Patterns.

In the index pattern field enter the name of the index that was created in ES, then click Next step.

Pick the first option, @timestamp, as the time field, then click Create index pattern.

After a moment filebeat-6.6.0-2021.02.23 is available; click Discover (the first item in the side bar).

By default the last 15 minutes are shown.

Change the window to 4h.

The log lines are now visible.

1.2. Show only the log line itself

Kibana shows ES documents, and in these documents only the message field is the log line. The rest (beat.*, host.*, source, offset, prospector.type and so on) is metadata that Filebeat adds to every event; it is not interesting here, so filter it out.

Click on the field list.

We only care about message, not about the added fields, so hover over message and click add.

What is shown now is just message.

1.3. Data from one time range

To see only a time range, hold the left mouse button on the histogram (the cursor becomes +) and drag to the right.

1.4. Only requests with status 200

To see only status 200 pages, filter on it. Note: the 107 above 200 is the number of hits.

Only status 404 pages

1.5. Multiple conditions

To query for documents that are both 404 and from 10.4.7.3, add filters with "is" (they are ANDed).

The check mark on a filter enables or disables it.

To query for documents that are 404 and from 10.4.7.3 but not on port 8080, use "is not".

2. How Filebeat and ES behave

1. Test: if the nginx access.log is emptied, is the index in ES deleted?
Emptying access.log leaves the ES index untouched. Filebeat is append-only: it ships new lines and never deletes documents, so nothing done to the source file can remove what has already been indexed.

2. Empty access.log, then write new lines to it: does the ES index gain data?
After emptying the file and writing new lines, ES receives them. Filebeat picks up new lines as they are written.

3. Stop Filebeat, let nginx write 2 lines, start Filebeat: does the ES index gain data?
Yes, the 2 lines show up right after Filebeat starts. Filebeat records how far it has read in each file and, on start, resumes from that point, so it finds the 2 unread lines and ships them.

4. Stop Filebeat, empty access.log, let nginx write 2 lines, start Filebeat: does the ES index gain data?
Yes, the 2 lines show up right after Filebeat starts. What Filebeat records is the byte offset, not a line count: if it were a line count, the 6 lines recorded before the stop would make it skip to line 7 and miss the 2 new lines in the emptied file. On start Filebeat sees that the file is now smaller than the recorded offset, treats it as truncated, and reads it from the beginning, which is why the 2 lines arrive.

5. If the ES index is deleted and new data is written, what does Filebeat do?
After deleting the index and writing new lines, ES gets a fresh index that contains only the new lines; the old data is not re-sent. This confirms the same mechanism: Filebeat's read position lives in its own registry file, independent of ES, so deleting data in ES does not make Filebeat go back.

 

2.1. Making Filebeat re-read a file from the start

Symptom: after an index in ES is deleted by mistake, restarting Filebeat only brings in new data; it does not re-read the file from the beginning.

Stop Filebeat:
[root@7-2 data]# ps -ef |grep filebeat
root      34987   1603  0 10:41 pts/0    00:00:00 filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml
root      35109   1603  0 10:45 pts/0    00:00:00 grep --color=auto filebeat
[root@7-2 data]# kill 34987

Write 2 more lines; the file now has 12 in total:
[root@7-2 data]# ab -n 2 -c 2 http://10.4.7.2/ >/dev/null 2>&1
[root@7-2 data]# wc -l /var/log/nginx/access.log 
12 /var/log/nginx/access.log

Start Filebeat:
[root@7-2 data]#  filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml >/dev/null 2>&1 &

The behaviour comes from Filebeat recording the last position it read in each file. If that record can be changed or removed, Filebeat will read from the start.

Filebeat keeps track of the last line it sent and continues reading the file when the output becomes available again. While Filebeat is running, the state of each input is also held in memory. When Filebeat restarts, the data in the registry file (/usr/local/filebeat-6.6.0/data/registry for this tarball install; /var/lib/filebeat/registry for the RPM) is used to rebuild the state, and each harvester continues from the last known position. So the registry under /usr/local/filebeat-6.6.0/data is what has to go. Note: in this test, deleting only registry left Filebeat sending nothing and ES without a new index, so the two files in that directory, meta.json and registry, were removed together.

Two things to keep in mind before deleting the registry. Filebeat will re-ship every line of every file it watches, so unless the matching indices have been deleted as well, ES ends up with duplicates of everything it already had. And the registry stores a byte offset keyed by the file's inode and device, not by path or line number, which is why the truncation test above behaves as it does.

Stop Filebeat first, otherwise it writes the registry back and undoes the deletion:
[root@7-2 data]# ps -ef |grep filebeat
root      34981   1603  0 10:41 pts/0    00:00:00 filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml
root      35109   1603  0 10:45 pts/0    00:00:00 grep --color=auto filebeat
[root@7-2 data]# kill 34981

Delete the stored state for the files that should be re-read (in this test, editing the offset of the file in place did not do the job):
[root@7-2 data]# rm -f /usr/local/filebeat-6.6.0/data/meta.json
[root@7-2 data]# rm -f /usr/local/filebeat-6.6.0/data/registry   

Start Filebeat:
[root@7-2 data]#  filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml >/dev/null 2>&1 &
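
The registry logic behind the five tests and the reset above, as an added example that is not part of the original post and is not Filebeat's own code: a small Python model of how Filebeat 6.x decides where to resume in a file. State is keyed by inode and device, holds a byte offset, and a file that is now shorter than that offset is treated as truncated and read from 0 (the case from test 4). The registry content is constructed to match the 6.x file layout, the inode and device numbers are made up, and reset_file_state shows the more surgical alternative to deleting the whole registry: dropping one file's entry so that only that file is re-shipped. Filebeat must be stopped for either approach.

```python
import json
from dataclasses import dataclass

# Constructed registry in the filebeat 6.x layout (data/registry): a JSON array with one
# entry per harvested file. Inode/device numbers are made up for this example.
REGISTRY_JSON = """[
  {"source": "/var/log/nginx/access.log", "offset": 1304,
   "timestamp": "2021-02-24T10:41:00+08:00", "ttl": -1, "type": "log",
   "FileStateOS": {"inode": 67371, "device": 64768}},
  {"source": "/var/log/nginx/error.log", "offset": 512,
   "timestamp": "2021-02-24T10:41:00+08:00", "ttl": -1, "type": "log",
   "FileStateOS": {"inode": 67372, "device": 64768}}
]"""


@dataclass
class FileInfo:
    """What the harvester learns from stat(2) when it opens a file."""
    path: str
    inode: int
    device: int
    size: int


def load_registry(text):
    """Index the registry entries by (inode, device), which is how Filebeat identifies a file."""
    return {(e["FileStateOS"]["inode"], e["FileStateOS"]["device"]): e
            for e in json.loads(text)}


def resume_offset(registry, f):
    """Decide where a harvester starts reading f, and why.

    Mirrors the documented behaviour: unknown file -> start at 0; known file that is
    now shorter than the stored offset -> treated as truncated, start at 0; otherwise
    continue at the stored byte offset. The path is not consulted at all.
    """
    entry = registry.get((f.inode, f.device))
    if entry is None:
        return 0, "no state for this inode/device: new file, read from the beginning"
    if f.size < entry["offset"]:
        return 0, "file shorter than stored offset: truncated, read from the beginning"
    return entry["offset"], "resume at stored byte offset"


def reset_file_state(text, path):
    """Return registry text with the entry for path removed, so only that file is re-read.

    Safer than deleting the whole registry: the other files keep their offsets and are
    not re-shipped. Filebeat must be stopped while the file is edited, or it writes
    its in-memory state back over the change.
    """
    kept = [e for e in json.loads(text) if e["source"] != path]
    return json.dumps(kept)


if __name__ == "__main__":
    reg = load_registry(REGISTRY_JSON)
    for case in (
        FileInfo("/var/log/nginx/access.log", 67371, 64768, 1400),    # grew: resume
        FileInfo("/var/log/nginx/access.log", 67371, 64768, 220),     # emptied with '>' then 2 lines
        FileInfo("/var/log/nginx/access.log.1", 67371, 64768, 1400),  # renamed by logrotate: same inode
        FileInfo("/var/log/nginx/access.log", 67390, 64768, 0),       # new inode after rotation
    ):
        print(case.path, case.size, "->", resume_offset(reg, case))
```

The logrotate case is the one people trip over: because the key is the inode, a renamed access.log.1 resumes at its old offset, while the freshly created access.log (new inode) starts at 0 even though its path is the one in the registry.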

 

3. Collecting JSON logs

Question: message holds a long string; how do we get just the client IP and the browser?

message:10.4.7.13 - - [23/Feb/2021:16:00:46 +0800] "GET /ds.html HTTP/1.1" 404 3650 "-" "ApacheBench/2.3 Chrome/88.0.4324.190 Safari/537.36" "-"

Split it up so that every field gets its own value; then the IP and the browser can be read directly:

IP:10.4.7.13 
time:[23/Feb/2021:16:00:46 +0800]
HTTP:GET /ds.html HTTP/1.1
CODE:404
SIZE:3650
agent:ApacheBench/2.3
Explorer:Chrome

Approach 1: nginx can write its log as JSON

[root@7-2 data]# vi /etc/nginx/nginx.conf    change it as follows

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    log_format json '{ "time_local": "$time_local", '
                           '"remote_addr": "$remote_addr", '
                           '"referer": "$http_referer", '
                           '"request": "$request", '
                           '"status": $status, '
                           '"bytes": $body_bytes_sent, '
                           '"agent": "$http_user_agent", '
                           '"x_forwarded": "$http_x_forwarded_for", '
                           '"up_addr": "$upstream_addr",'
                           '"up_host": "$upstream_http_host",'
                           '"upstream_time": "$upstream_response_time",'
                           '"request_time": "$request_time"'
' }';

    access_log  /var/log/nginx/access.log  json;


Explanation:
access_log  /var/log/nginx/access.log  json: switches the access log to the json format, so the main format is no longer used for this log.

One caveat before relying on this. nginx copies $request, $http_referer and $http_user_agent into the line verbatim, and all three come from the client. A request whose User-Agent contains a double quote breaks the line (it is no longer valid JSON and the event later ends up un-parsed), and a User-Agent crafted to close the quote and add its own keys yields a line that is valid JSON with attacker-chosen fields in it. nginx 1.11.8 and later can escape these variables with the escape=json parameter on log_format (check nginx -v; the package from the CentOS 7 repos is recent enough), and it should be used. Without it, treat every field in these logs as untrusted input.

Empty the nginx log:
[root@7-2 data]# > /var/log/nginx/access.log 

Restart nginx:
[root@7-2 data]# systemctl restart nginx

Load test:
[root@7-2 data]# ab -n 2 -c 2 http://10.4.7.2/ >/dev/null 2>&1

Check the nginx log; the JSON output looks right:
[root@7-2 data]# cat /var/log/nginx/access.log 
{ "time_local": "24/Feb/2021:11:28:10 +0800", "remote_addr": "10.4.7.2", "referer": "-", "request": "GET / HTTP/1.0", "status": 200, "bytes": 4833, "agent": "ApacheBench/2.3", "x_forwarded": "-", "up_addr": "-","up_host": "-","upstream_time": "-","request_time": "0.000" }
{ "time_local": "24/Feb/2021:11:28:10 +0800", "remote_addr": "10.4.7.2", "referer": "-", "request": "GET / HTTP/1.0", "status": 200, "bytes": 4833, "agent": "ApacheBench/2.3", "x_forwarded": "-", "up_addr": "-","up_host": "-","upstream_time": "-","request_time": "0.000" }

Delete the existing index in ES: the documents already stored have the old structure and the new JSON lines would not fit it. Then empty the log, restart nginx and run the load test once more, exactly as above, so that the new index is built only from JSON lines:
[root@7-2 data]# > /var/log/nginx/access.log 
[root@7-2 data]# systemctl restart nginx
[root@7-2 data]# ab -n 2 -c 2 http://10.4.7.2/ >/dev/null 2>&1

Note: in Kibana, delete the old index pattern filebeat-6.6.0-2021.02.23 and add a new one.

Problem 1: the log is JSON now, but it is still not parsed into keys; the fields are not recognised.

Cause:

[root@7-2 filebeat-6.6.0]# egrep -v "#|^$" /usr/local/filebeat-6.6.0/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:

Explanation: the input is type: log, which reads the file line by line and puts each line into message as plain text. However nginx formats the line, Filebeat treats it as one string unless it is told to decode it.

Fix: have Filebeat decode the JSON before sending to ES; Kibana then reads the decoded fields from ES.

[root@7-2 filebeat-6.6.0]# vi /usr/local/filebeat-6.6.0/filebeat.yml
  paths:
    - /var/log/nginx/access.log
    #- c:\programdata\elasticsearch\logs\
  json.keys_under_root: true
  json.overwrite_keys: true

Note: the json.* keys must be indented to the same level as paths.

What the two options do: json.keys_under_root places the decoded keys at the top level of the event instead of under a json object; json.overwrite_keys lets those keys replace fields of the same name that Filebeat adds itself (type, source, offset and the like). Combined with the unescaped log format above, this means a client who can break out of a quoted value can also overwrite Filebeat's own metadata for its request. Filebeat has a third option, json.add_error_key; turning it on adds an error field to any line that fails to decode instead of leaving it silently un-parsed, which is how you notice such lines.

Delete the index in ES.

In Kibana delete the index pattern filebeat-6.6.0-2021.02.24.

Restart Filebeat:
[root@7-2 filebeat-6.6.0]# ps -ef |grep filebeat
root      35116   1603  0 10:45 pts/0    00:00:01 filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml
root      38723   1603  0 13:23 pts/0    00:00:00 grep --color=auto filebeat
[root@7-2 filebeat-6.6.0]# kill 35116
[root@7-2 filebeat-6.6.0]# filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml >/dev/null 2>&1 &
[root@7-2 filebeat-6.6.0]# ab -n 2 -c 2 http://10.4.7.2/ >/dev/null 2>&1

The IP and the browser are now shown as fields of their own.

4. Index templates

For instance: why is Filebeat's index in ES named filebeat-<version>-<date>?

For instance: why do Filebeat's documents contain fields I never added?

[root@7-2 filebeat-6.6.0]# vi /usr/local/filebeat-6.6.0/filebeat.yml
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["10.4.7.2:9200"]
  index: "nginx-%{[beat.version]}-%{+yyyy.MM}"

Note: index must be indented to the same level as hosts.

Explanation:
1. Do not change beat.version: it expands to the Filebeat version, 6.6.0 here. In Filebeat 7 and later the field is called agent.version.
2. With {+yyyy.MM.dd} the index is split per day: today's lines go into nginx-6.6.0-2021.02.23, and after midnight a new index nginx-6.6.0-2021.02.24 takes all of the next day's lines. For this lab one index per month, {+yyyy.MM}, is enough. Daily indices are what make age-based retention cheap, though, since expiring old data is then just deleting whole indices; keep that in mind before choosing monthly on a real deployment.

Restart:
[root@7-2 filebeat-6.6.0]# ps -ef |grep filebeat
root      35116   1603  0 10:45 pts/0    00:00:01 filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml
root      38723   1603  0 13:23 pts/0    00:00:00 grep --color=auto filebeat
[root@7-2 filebeat-6.6.0]# kill 35116
[root@7-2 filebeat-6.6.0]# filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml 
It fails on start:
2021-02-24T15:33:55.782+0800	INFO	instance/beat.go:281	Setup Beat: filebeat; Version: 6.6.0
2021-02-24T15:33:55.782+0800	INFO	instance/beat.go:360	filebeat stopped.
2021-02-24T15:33:55.782+0800	ERROR	instance/beat.go:911	Exiting: setup.template.name and setup.template.pattern have to be set if index name is modified
Exiting: setup.template.name and setup.template.pattern have to be set if index name is modified

In other words: if the index name is changed, setup.template.name and setup.template.pattern must be set as well; these two settings describe the index template.
[root@7-2 filebeat-6.6.0]# vi /usr/local/filebeat-6.6.0/filebeat.yml
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["10.4.7.2:9200"]
  index: "nginx-%{[beat.version]}-%{+yyyy.MM}"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true

Note: these four lines start in column 1 (they are top-level keys).
Explanation:
1. setup.template.name: the template is now called nginx
2. setup.template.pattern: which indices the template applies to, here nginx-*
nginx-* is a wildcard; the only index name in filebeat.yml that matches it is nginx-%{[beat.version]}-%{+yyyy.MM}

3. setup.template.enabled: false  do not load the template into ES at all (ES then creates the index with dynamic mappings)
4. setup.template.overwrite: true  whether to overwrite an existing template of the same name

Restart Filebeat:

[root@7-2 filebeat-6.6.0]# filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml >/dev/null 2>&1 &
[2] 42304
[root@7-2 filebeat-6.6.0]# ps -ef |grep filebeat
root      42304   1603  0 15:59 pts/0    00:00:00 filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml
root      42316   1603  0 15:59 pts/0    00:00:00 grep --color=auto filebeat
[root@7-2 filebeat-6.6.0]# 

After a refresh the index shows up as nginx-6.6.0-2021.02.

Add nginx-6.6.0-2021.02 as an index pattern; the data is the same as before.

 

5. Collecting from several nginx hosts

Install Filebeat on 10.4.7.3 and 10.4.7.4

[root@7-3 installpag]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.6.0-x86_64.rpm
[root@7-3 installpag]# rpm -ivh filebeat-6.6.0-x86_64.rpm 
[root@7-3 installpag]# mv /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.bak
[root@7-3 installpag]# mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak

[root@7-4 installpag]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.6.0-x86_64.rpm
[root@7-4 installpag]# rpm -ivh filebeat-6.6.0-x86_64.rpm 
[root@7-4 installpag]# mv /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.bak
[root@7-4 installpag]# mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak

(These installs skip signature verification. Import Elastic's signing key, https://artifacts.elastic.co/GPG-KEY-elasticsearch, and check the package with rpm -K before installing anything downloaded this way; a package that runs as root and ships your logs elsewhere is worth the extra step.)

Copy the working configuration from 10.4.7.2 (the RPM reads /etc/filebeat/filebeat.yml):
[root@7-2 installpag]# scp /usr/local/filebeat-6.6.0/filebeat.yml 10.4.7.3:/etc/filebeat/
[root@7-2 installpag]# scp /usr/local/filebeat-6.6.0/filebeat.yml 10.4.7.4:/etc/filebeat/
[root@7-2 installpag]# scp /etc/nginx/nginx.conf 10.4.7.3:/etc/nginx/nginx.conf;scp /etc/nginx/nginx.conf 10.4.7.4:/etc/nginx/nginx.conf   

[root@7-3 installpag]# systemctl restart nginx;systemctl restart filebeat
[root@7-4 installpag]# systemctl restart nginx;systemctl restart filebeat

Verify:

[root@7-3 installpag]# ab -n 2 -c 2 http://10.4.7.3/db03 >/dev/null 2>&1
[root@7-4 installpag]# ab -n 2 -c 2 http://10.4.7.4/db04 >/dev/null 2>&1

Look at ES: the index is still nginx-6.6.0-2021.02 and only the document count grows, so all three hosts land in the same index.

Since they share one index, the way to tell which host a request hit is the host.name field (added to every event by the add_host_metadata processor in filebeat.yml).

All logs from 10.4.7.3:

 

6. Collecting nginx access and error logs

Note: /var/log/nginx/access.log records every request nginx handled, whatever the status code (a 404 is still an access-log entry). /var/log/nginx/error.log is a different kind of log: nginx's own errors and warnings (failed upstreams, permission problems, "No such file or directory" for a missing page, configuration issues), written as plain text rather than in the JSON format configured above.

6.1. Collecting the error log

On one host, 10.4.7.2:

Wrong way: only add /var/log/nginx/error.log to filebeat.yml

[root@7-2 filebeat-6.6.0]# vi /usr/local/filebeat-6.6.0/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  json.keys_under_root: true
  json.overwrite_keys: true

- type: log
  enabled: true
  paths:
    - /var/log/nginx/error.log

setup.kibana:
  hosts: ["10.4.7.2:5601"]

output.elasticsearch:
  hosts: ["10.4.7.2:9200"]
  index: "nginx-%{[beat.version]}-%{+yyyy.MM}"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true

Explanation: the error log is plain text, so it needs an input of its own, without json.keys_under_root: true and json.overwrite_keys: true:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/error.log
If both logs had the same format, a single input listing both paths would do.

After restarting Filebeat the error-log lines also land in nginx-6.6.0-2021.02. That index now mixes two document shapes, JSON access entries and plain-text error lines, which is a problem.

Kibana reports errors for the error-log documents: one shape is JSON, the other a plain line, and they do not match.

Right way:

Requirement: separate access and error logs.

[root@7-2 filebeat-6.6.0]# vi /usr/local/filebeat-6.6.0/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["nginx-access"]

- type: log
  enabled: true
  paths:
    - /var/log/nginx/error.log
  tags: ["nginx-error"]

setup.kibana:
  hosts: ["10.4.7.2:5601"]

output.elasticsearch:
  hosts: ["10.4.7.2:9200"]
  #index: "nginx-%{[beat.version]}-%{+yyyy.MM}"
  indices:
    - index: "nginx-access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "nginx-access"
    - index: "nginx-error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "nginx-error"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true

Explanation:
tags: ["nginx-access"] tags every access-log event
tags: ["nginx-error"] tags every error-log event

indices:
 - index: "nginx-access-%{[beat.version]}-%{+yyyy.MM}"
  when.contains:
     tags: "nginx-access" events whose tags contain nginx-access go to this index
 - index: "nginx-error-%{[beat.version]}-%{+yyyy.MM}"
     when.contains:
     tags: "nginx-error"  events whose tags contain nginx-error go to this index

After the change, delete the old index in ES and restart Filebeat.

Add the new index patterns.

Finally apply the same split to 10.4.7.3 and 10.4.7.4:

[root@7-3 installpag]# rm -f /etc/filebeat/filebeat.yml
[root@7-4 installpag]# rm -f /etc/filebeat/filebeat.yml
[root@7-2 filebeat-6.6.0]# scp /usr/local/filebeat-6.6.0/filebeat.yml 10.4.7.3:/etc/filebeat/;scp /usr/local/filebeat-6.6.0/filebeat.yml 10.4.7.4:/etc/filebeat/
[root@7-3 installpag]# systemctl restart filebeat
[root@7-4 installpag]# systemctl restart filebeat

IV. ELK: collecting Tomcat logs

1. Preparation

Open http://10.4.7.2:8080 a few times to generate access-log lines.

[root@7-2 filebeat-6.6.0]# cd /var/log/tomcat/
[root@7-2 tomcat]# ls
catalina.2021-02-25.log  catalina.out  host-manager.2021-02-25.log  localhost.2021-02-25.log  localhost_access_log.2021-02-25.txt  manager.2021-02-25.log

[root@7-2 filebeat-6.6.0]# tail -f /var/log/tomcat/localhost_access_log.2021-02-25.txt
10.4.7.13 - - [25/Feb/2021:09:04:18 +0800] "GET /asf-logo-wide.svg HTTP/1.1" 200 26447
10.4.7.13 - - [25/Feb/2021:09:04:18 +0800] "GET /bg-nav.png HTTP/1.1" 200 1401
10.4.7.13 - - [25/Feb/2021:09:04:18 +0800] "GET /bg-upper.png HTTP/1.1" 200 3103
10.4.7.13 - - [25/Feb/2021:09:04:18 +0800] "GET /bg-button.png HTTP/1.1" 200 713
10.4.7.13 - - [25/Feb/2021:09:04:18 +0800] "GET /bg-middle.png HTTP/1.1" 200 1918
10.4.7.13 - - [25/Feb/2021:09:04:18 +0800] "GET /favicon.ico HTTP/1.1" 200 21630
10.4.7.13 - - [25/Feb/2021:09:04:21 +0800] "GET /docs/security-howto.html HTTP/1.1" 200 43375
10.4.7.13 - - [25/Feb/2021:09:04:21 +0800] "GET /docs/images/asf-logo.svg HTTP/1.1" 200 19698
10.4.7.13 - - [25/Feb/2021:09:04:21 +0800] "GET /docs/images/tomcat.gif HTTP/1.1" 200 2066
10.4.7.13 - - [25/Feb/2021:09:05:13 +0800] "GET / HTTP/1.1" 200 11217

2. Switching Tomcat's access log to JSON

[root@7-2 tomcat]# vim /etc/tomcat/server.xml
:set nu    delete line 139 and put the pattern below in its place

132         -->
133 
134         <!-- Access log processes all example.
135              Documentation at: /docs/config/valve.html
136              Note: The pattern used is equivalent to using pattern="common" -->
137         <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
138                prefix="localhost_access_log." suffix=".txt"
139                pattern="{&quot;clientip&quot;:&quot;%h&quot;,&quot;ClientUser&quot;:&quot;%l&quot;,&quot;authenticated&quot;:&quot;%u&quot;,&quot;AccessTime&quot;:&quot;%t&quot;,&quot;method&quot;:&quot;%r&quot;,&quot;status&quot;:&quot;%s&quot;,&quot;SendBytes&quot;:&quot;%b&quot;,&quot;Query?string&quot;:&quot;%q&quot;,&quot;partner&quot;:&quot;%{Referer}i&quot;,&quot;AgentVersion&quot;:&quot;%{User-Agent}i&quot;}"/>
140 
141       </Host>
142     </Engine>
143   </Service>
144 </Server>

(The quotes inside the pattern attribute have to be written as &quot; because the pattern itself sits inside a double-quoted XML attribute.)

Restart and check the access log:
[root@7-2 tomcat]# systemctl restart tomcat
[root@7-2 tomcat]# tail -f /var/log/tomcat/localhost_access_log.2021-02-25.txt 
{"clientip":"10.4.7.13","ClientUser":"-","authenticated":"-","AccessTime":"[25/Feb/2021:09:17:25 +0800]","method":"GET / HTTP/1.1","status":"200","SendBytes":"11217","Query?string":"","partner":"-","AgentVersion":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"}
{"clientip":"10.4.7.13","ClientUser":"-","authenticated":"-","AccessTime":"[25/Feb/2021:09:17:27 +0800]","method":"GET /docs/setup.html HTTP/1.1","status":"200","SendBytes":"15699","Query?string":"","partner":"http://10.4.7.2:8080/","AgentVersion":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"}

This is the same situation as the nginx JSON format: the AccessLogValve writes %r, %q, %{Referer}i and %{User-Agent}i exactly as the client sent them, with no escaping, so the caveat about quotes in client-controlled values applies here too, and this valve offers no escape option to switch on. Also note that status and SendBytes are quoted here and therefore become strings in ES, unlike the bare numbers in the nginx format, so the two logs cannot be charted with the same numeric aggregations unless one of them is changed.
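
The quoting problem just described, for both the nginx log_format json and the Tomcat valve pattern, as an added example that is not part of the original post: a Python checker that parses JSON access-log lines the way a JSON decoder such as Filebeat's would, flags lines that are not valid JSON, flags lines whose object contains the same key twice (a fixed log format can never produce that honestly, so a duplicate key is the signature of a header value that closed its quote and injected its own fields), and shows that the escaping nginx applies with escape=json turns the same header back into an ordinary string value. The log lines and the User-Agent strings are constructed for the example; nginx_json_escape reproduces the rule stated in the nginx documentation and is not nginx's code.

```python
import json

# Constructed access-log lines in the page's nginx log_format json (shortened).
BENIGN_LINE = ('{ "time_local": "24/Feb/2021:11:28:10 +0800", "remote_addr": "10.4.7.2", '
               '"referer": "-", "request": "GET / HTTP/1.0", "status": 200, "bytes": 4833, '
               '"agent": "ApacheBench/2.3", "x_forwarded": "-", "request_time": "0.000" }')

# A User-Agent header crafted to close the "agent" value and add its own keys.
# Because the log format writes $http_user_agent verbatim, the line stays valid JSON
# and the injected remote_addr comes after the real one.
INJECTING_UA = 'x", "remote_addr": "127.0.0.1", "agent": "x'
INJECTED_LINE = ('{ "time_local": "24/Feb/2021:11:28:11 +0800", "remote_addr": "10.4.7.13", '
                 '"referer": "-", "request": "GET /admin HTTP/1.1", "status": 404, "bytes": 3650, '
                 '"agent": "' + INJECTING_UA + '", "x_forwarded": "-", "request_time": "0.001" }')

# A User-Agent with stray quotes simply breaks the line: it is no longer JSON at all.
BROKEN_LINE = ('{ "time_local": "24/Feb/2021:11:28:12 +0800", "remote_addr": "10.4.7.13", '
               '"agent": "Mozilla "Gecko" 1.0", "status": 200 }')


def _pairs_hook_factory(dups):
    """object_pairs_hook that records keys seen more than once while building the dict."""
    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                dups.append(key)
            seen.add(key)
        return dict(pairs)          # like most decoders, the last duplicate wins
    return hook


def check_line(line):
    """Decode one log line. Returns a dict with ok, error, duplicate_keys and fields."""
    dups = []
    try:
        fields = json.loads(line, object_pairs_hook=_pairs_hook_factory(dups))
    except json.JSONDecodeError as exc:
        return {"ok": False, "error": str(exc), "duplicate_keys": [], "fields": None}
    return {"ok": True, "error": None, "duplicate_keys": dups, "fields": fields}


def nginx_json_escape(value):
    """The escaping nginx applies to variables when log_format has escape=json:
    double quote and backslash get a backslash, control characters become \\n, \\r,
    \\t, \\b, \\f or \\u00XX, everything else (UTF-8 included) passes through."""
    table = {'"': '\\"', '\\': '\\\\', '\n': '\\n', '\r': '\\r',
             '\t': '\\t', '\b': '\\b', '\f': '\\f'}
    out = []
    for ch in value:
        if ch in table:
            out.append(table[ch])
        elif ord(ch) < 0x20:
            out.append('\\u%04x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def render_line(fields):
    """Write a log line in the page's format with string values escaped as escape=json
    would do it. Numbers (status, bytes) are emitted bare, as the page's log_format does."""
    parts = []
    for key, value in fields.items():
        if isinstance(value, (int, float)):
            parts.append('"%s": %s' % (key, value))
        else:
            parts.append('"%s": "%s"' % (key, nginx_json_escape(value)))
    return '{ ' + ', '.join(parts) + ' }'


if __name__ == "__main__":
    for name, line in (("benign", BENIGN_LINE), ("injected", INJECTED_LINE), ("broken", BROKEN_LINE)):
        r = check_line(line)
        print(name, "ok" if r["ok"] else "INVALID", "duplicate keys:", r["duplicate_keys"],
              "remote_addr:", r["fields"] and r["fields"].get("remote_addr"))
    safe = render_line({"remote_addr": "10.4.7.13", "status": 404, "agent": INJECTING_UA})
    print("escaped line keeps the real remote_addr:", check_line(safe)["fields"]["remote_addr"])
```

Run against a real access.log, a non-empty duplicate_keys list is the thing to alert on: the injected line is perfectly valid JSON, so json.add_error_key in Filebeat will not catch it, only the double key does. With escape=json the same User-Agent survives as one long string under agent and the remote_addr stays the one nginx saw.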

3. Pointing Filebeat at the Tomcat log

[root@7-2 tomcat]# vi /usr/local/filebeat-6.6.0/filebeat.yml
filebeat.inputs:
################# nginx #################
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["nginx-access"]

- type: log
  enabled: true
  paths:
    - /var/log/nginx/error.log
  tags: ["nginx-error"]

################# tomcat ##################
- type: log
  enabled: true
  paths:
    - /var/log/tomcat/localhost_access_log.*.txt
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["tomcat-access"]

setup.kibana:
  hosts: ["10.4.7.2:5601"]

output.elasticsearch:
  hosts: ["10.4.7.2:9200"]
  #index: "nginx-%{[beat.version]}-%{+yyyy.MM}"
  indices:
    - index: "nginx-access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "nginx-access"
    - index: "nginx-error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "nginx-error"
    - index: "tomcat-access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "tomcat-access"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true


Restart:
[root@7-2 tomcat]# kill `pidof filebeat`;filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml > /dev/null 2>&1 &

Note: a new input (the - type: log block for Tomcat) and a new output entry (- index: "tomcat-access-%{[beat.version]}-%{+yyyy.MM}") were added, yet setup.template.pattern: "nginx-*" did not need to change. The reason is that setup.template.enabled: false switches template loading off entirely: name and pattern only have to be present to satisfy Filebeat's start-up check for a customised index name, and ES creates the tomcat-access-* index with dynamic mappings, exactly as it did for nginx-*.

 

V. ELK: collecting multi-line Java logs

For the Java case we collect Elasticsearch's own log.

Wrong configuration:

[root@7-2 tomcat]# vim /var/log/elasticsearch/elasticsearch.log   looking at the file, a single error is one logical entry that spans several lines (a stack trace). How do ES and Filebeat show such an entry?

Filebeat reads line by line, so each line of a stack trace becomes a separate event and one error turns into many documents.

Right configuration:

Analysis: elasticsearch.log contains two kinds of entries, normal ones and errors. A normal entry is a single line and needs no special handling; the question is how to turn an error entry, which spans several lines, into a single event.

What the error entries have in common: everything from [2021-02-25T07:14:18,553] up to the next [2021-02-25T07:14:19,553], i.e. from one [ timestamp ] to the next, is one entry. Normal entries follow the same rule, so Filebeat is configured to treat a line whose first character is [ as the start of an event and everything up to the next such line as part of it.

Normal entries:
[2021-02-25T07:14:18,553][INFO ][o.e.c.m.MetaDataIndexTemplateService] [node-1] adding template [kibana_index_template:.kibana] for index patterns [.kibana]
[2021-02-25T07:14:18,601][INFO ][o.e.c.m.MetaDataIndexTemplateService] [node-1] adding template [kibana_index_template:.kibana] for index patterns [.kibana]
[2021-02-25T07:16:59,272][INFO ][o.e.c.m.MetaDataIndexTemplateService] [node-1] adding template [kibana_index_template:.kibana] for index patterns [.kibana]
[2021-02-25T07:16:59,568][INFO ][o.e.c.m.MetaDataIndexTemplateService] [node-1] adding template [kibana_index_template:.kibana] for index patterns [.kibana]
[2021-02-25T07:17:00,720][INFO ][o.e.c.m.MetaDataIndexTemplateService] [node-1] adding template [kibana_index_template:.kibana] for index patterns [.kibana]
[2021-02-25T07:19:08,114][INFO ][o.e.c.m.MetaDataIndexTemplateService] [node-1] adding template [kibana_index_template:.kibana] for index patterns [.kibana]
[2021-02-25T07:19:08,387][INFO ][o.e.c.m.MetaDataIndexTemplateService] [node-1] adding template [kibana_index_t

Error entries:
[2021-02-22T09:10:03,949][WARN ][o.e.d.z.ZenDiscovery     ] [node-1] not enough master nodes discovered during pinging (found [[Candidate{node={node-1}{uZ_U4U9BTfiW6Lyy9KIydg}{8rYhiQaTTQmHbC1dXfO3cQ}{10.4.7.2}{10.4.7.2:9300}{ml.machine_memory=1907724288, xpack.installed=true, ml.max_open_jobs=20, ml.enabled=true}, clusterStateVersion=19}]], but needed [2]), pinging again
[2021-02-22T09:10:04,705][WARN ][o.e.d.z.UnicastZenPing   ] [node-1] failed to send ping to [{node-2}{966tysb4Q4eRwS95evNV-g}{XTXJ4vW_Su-_cnC6W1lGLA}{10.4.7.3}{10.4.7.3:9300}{ml.machine_memory=1019580416, ml.max_open_jobs=20, xpack.installed=true, ml.enabled=true}]
org.elasticsearch.transport.ReceiveTimeoutTransportException: [node-2][10.4.7.3:9300][internal:discovery/zen/unicast] request_id [66691] timed out after [3884ms]
        at org.elasticsearch.transport.TransportService$TimeoutHandler.run(TransportService.java:1011) [elasticsearch-6.6.0.jar:6.6.0]
        at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:660) [elasticsearch-6.6.0.jar:6.6.0]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_282]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_282]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_282]
[2021-02-22T09:10:04,705][WARN ][o.e.d.z.UnicastZenPing   ] [node-1] failed to send ping to [{node-3}{-4wYfVUQSbWN3B8yO_wd8g}{MWcPBJQJSV6Q5obwuLlOUQ}{10.4.7.4}{10.4.7.4:9300}{ml.machine_memory=1019580416, ml.max_open_jobs=20, xpack.installed=true, ml.enabled=true}]
org.elasticsearch.transport.ReceiveTimeoutTransportException: [node-3][10.4.7.4:9300][internal:discovery/zen/unicast] request_id [66692] timed out after [3884ms]
        at org.elasticsearch.transport.TransportService$TimeoutHandler.run(TransportService.java:1011) [elasticsearch-6.6.0.jar:6.6.0]
        at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:660) [elasticsearch-6.6.0.jar:6.6.0]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_282]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_282]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_282]
[2021-02-22T09:10:05,746][WARN ][o.e.d.z.UnicastZenPing   ] [node-1] failed to send ping to [{node-2}{966tysb4Q4eRwS95evNV-g}{XTXJ4vW_Su-_cnC6W1lGLA}{10.4.7.3}{10.4.7.3:9300}{ml.machine_memory=1019580416, ml.max_open_jobs=20, xpack.installed=true, ml.enabled=true}]

Official documentation: https://www.elastic.co/guide/en/beats/filebeat/6.6/multiline-examples.html

Configure Filebeat

[root@7-2 tomcat]# vim /usr/local/filebeat-6.6.0/filebeat.yml
:set nu 
:17,24t25   copies lines 17 to 24 and pastes them below line 25

  1 filebeat.inputs:
  2 ################# nginx ##################
  3 - type: log
  4   enabled: true
  5   paths:
  6     - /var/log/nginx/access.log
  7   json.keys_under_root: true
  8   json.overwrite_keys: true
  9   tags: ["nginx-access"]
 10 
 11 - type: log
 12   enabled: true
 13   paths:
 14     - /var/log/nginx/error.log
 15   tags: ["nginx-error"]
 16 
 17 ################# tomcat ##################
 18 - type: log
 19   enabled: true
 20   paths:
 21     - /var/log/tomcat/localhost_access_log.*.txt
 22   json.keys_under_root: true
 23   json.overwrite_keys: true
 24   tags: ["tomcat-access"]
 25 
 26 ################# ES ##################
 27 - type: log
 28   enabled: true
 29   paths:
 30     - /var/log/elasticsearch/elasticsearch.log
 31   tags: ["es"]
 32   multiline.pattern: '^\['
 33   multiline.negate: true
 34   multiline.match: after
 35 
 36 setup.kibana:
 37   hosts: ["10.4.7.2:5601"]
 38 
 39 output.elasticsearch:
 40   hosts: ["10.4.7.2:9200"]
 41   #index: "nginx-%{[beat.version]}-%{+yyyy.MM}"
 42   indices:
 43     - index: "nginx-access-%{[beat.version]}-%{+yyyy.MM}"
 44       when.contains:
 45         tags: "nginx-access"
 46     - index: "nginx-error-%{[beat.version]}-%{+yyyy.MM}"
 47       when.contains:
 48         tags: "nginx-error"
 49     - index: "tomcat-access-%{[beat.version]}-%{+yyyy.MM}"
 50       when.contains:
 51         tags: "tomcat-access"
 52     - index: "elasticsearch-%{[beat.version]}-%{+yyyy.MM}"
 53       when.contains:
 54         tags: "es"
 55 setup.template.name: "nginx"
 56 setup.template.pattern: "nginx-*"
 57 setup.template.enabled: false
 58 setup.template.overwrite: true    

Explanation:
multiline.pattern: '^\['    the regular expression that identifies the first line of a multi-line event. An ES log entry starts with a timestamp in square brackets; the backslash escapes the [ because it is a regex metacharacter. With this setting a Java stack trace like the one above becomes one event instead of one event per line.
multiline.negate: true    inverts the pattern: lines that do NOT start with [ are treated as continuation lines. The default is false.
multiline.match: after    how continuation lines are joined to the event: after or before. What each value does depends on negate:

Example pattern: ^b
negate    match     input      result          meaning
true      after     bacbde     bac, bde        consecutive lines that do not match the pattern are appended to the previous line that does match (a line starting with b opens an event; everything up to the next b belongs to it)
true      before    bacbdeb    b, acb, deb     consecutive lines that do not match the pattern are prepended to the next line that does match (each event ends with a line starting with b)
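The table above is easy to get wrong, so here is a small emulation of the documented multiline semantics that lets you check a pattern/negate/match combination before restarting filebeat. This is an added example, not code from the page or from Filebeat itself; the Elasticsearch log lines in it are constructed sample input modelled on the stack trace and the ping warning shown earlier.

```python
import re

# Added example (not Filebeat code): emulates multiline.pattern / multiline.negate /
# multiline.match as documented, then applies the ES-log settings from filebeat.yml.

# Constructed sample input: one WARN entry with a stack trace, followed by another entry.
SAMPLE_ES_LOG = [
    "[2021-02-22T09:10:05,746][WARN ][o.e.d.z.UnicastZenPing   ] [node-1] failed to send ping to node-2",
    "java.net.ConnectException: Connection refused",
    "        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_282]",
    "        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_282]",
    "[2021-02-22T09:10:06,001][INFO ][o.e.c.r.a.AllocationService] [node-1] cluster health changed",
]


def multiline_group(lines, pattern, negate=False, match="after", sep="\n"):
    """Group raw lines into events the way Filebeat's multiline options do.

    A line is a "continuation" line when (regex matches) XOR negate:
      negate=False -> lines that match the pattern are continuations
      negate=True  -> lines that do NOT match the pattern are continuations
    match="after"  -> continuations are appended to the previous event
    match="before" -> continuations are prepended to the next non-continuation line
    Returns the events, each joined with `sep`.
    """
    if match not in ("after", "before"):
        raise ValueError("match must be 'after' or 'before'")
    regex = re.compile(pattern)
    events, buf = [], []
    for line in lines:
        continuation = (regex.search(line) is not None) != negate
        if match == "after":
            if continuation and buf:
                buf.append(line)          # extend the current event
            else:
                if buf:
                    events.append(buf)    # flush the previous event
                buf = [line]              # this line opens a new event
        else:
            buf.append(line)
            if not continuation:          # the matching line closes the event
                events.append(buf)
                buf = []
    if buf:                               # end of input: flush whatever is pending
        events.append(buf)
    return [sep.join(ev) for ev in events]


def group_es_log(lines):
    """The settings used for /var/log/elasticsearch/elasticsearch.log in filebeat.yml above."""
    return multiline_group(lines, pattern=r"^\[", negate=True, match="after")


if __name__ == "__main__":
    for ev in group_es_log(SAMPLE_ES_LOG):
        print("--- event ---")
        print(ev)
```

Running it prints two events: the WARN line with its three stack-trace lines attached, and the following INFO line on its own. Note that `negate: false` with the same pattern would do the opposite and glue every bracketed line onto the previous unbracketed one, which is the usual mistake when the ES index suddenly shows one giant document.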

 

5. Collecting Docker logs

Install docker:
[root@7-2 ~ ]# curl  http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -o    (the output path of the repo file is missing from the original)
[root@7-2 ~ ]# yum install -y yum-utils device-mapper-persistent-data lvm2   install the dependencies
[root@7-2 ~ ]# yum install -y docker-ce 
[root@7-2 ~ ]# mkdir -p /etc/docker
[root@7-2 ~ ]# paste the following:
tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://uoggbpok.mirror.aliyuncs.com"]
}
EOF

[root@7-2 ~ ]# systemctl daemon-reload
[root@7-2 ~ ]# systemctl restart docker

Start an nginx container, mapping container port 80 to host port 81

[root@7-2 ~ ]#  docker pull nginx
[root@7-2 ~ ]#  docker container run -d -p 81:80 -p 443:443/udp --name=nginx_81 nginx

Note: there is no need to mount the container's nginx log directory onto the host. The official nginx image sends its access and error logs to stdout/stderr, and docker's json-file logging driver stores them on the host under /var/lib/docker/containers/<container-id>/<container-id>-json.log. docker logs -f nginx_81 reads the same file.

[root@7-2 containers]# docker container ls 
CONTAINER ID   IMAGE          COMMAND                  CREATED          STATUS          PORTS                                      NAMES
4a1f19393490   nginx          "/docker-entrypoint.…"   5 minutes ago    Up 5 minutes    0.0.0.0:443->443/udp, 0.0.0.0:81->80/tcp   nginx_81

[root@7-2 tomcat]# cd /var/lib/docker/containers/  
[root@7-2 containers]# ls    the container ID is 4a1f19393490, so its log directory starts with 4a1f19393490
4a1f19393490f533e41d234e74cde45540941e56927eed7a0a5b91812db4ccfc

[root@7-2 containers]# tail -f ./4a1f19393490f533e41d234e74cde45540941e56927eed7a0a5b91812db4ccfc/4a1f19393490f533e41d234e74cde45540941e56927eed7a0a5b91812db4ccfc-json.log
{"log":"10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf\n","stream":"stdout","time":"2021-02-25T05:43:13.92778684Z"}
{"log":"10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf\n","stream":"stdout","time":"2021-02-25T05:43:13.937373151Z"}
{"log":"/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh\n","stream":"stdout","time":"2021-02-25T05:43:13.939559724Z"}
{"log":"/docker-entrypoint.sh: Configuration complete; ready for start up\n","stream":"stdout","time":"2021-02-25T05:43:13.951185938Z"}
{"log":"127.0.0.1 - - [25/Feb/2021:05:44:06 +0000] \"GET / HTTP/1.1\" 200 612 \"-\" \"curl/7.64.0\" \"-\"\n","stream":"stdout","time":"2021-02-25T05:44:06.823776149Z"}
{"log":"10.4.7.2 - - [25/Feb/2021:05:44:19 +0000] \"GET / HTTP/1.1\" 200 612 \"-\" \"curl/7.29.0\" \"-\"\n","stream":"stdout","time":"2021-02-25T05:44:19.199704666Z"}
{"log":"10.4.7.13 - - [25/Feb/2021:05:44:45 +0000] \"GET / HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36\" \"-\"\n","stream":"stdout","time":"2021-02-25T05:44:45.130277571Z"}
{"log":"2021/02/25 05:44:45 [error] 29#29: *3 open() \"/usr/share/nginx/html/favicon.ico\" failed (2: No such file or directory), client: 10.4.7.13, server: localhost, request: \"GET /favicon.ico HTTP/1.1\", host: \"10.4.7.2:81\", referrer: \"http://10.4.7.2:81/\"\n","stream":"stderr","time":"2021-02-25T05:44:45.227219021Z"}
{"log":"10.4.7.13 - - [25/Feb/2021:05:44:45 +0000] \"GET /favicon.ico HTTP/1.1\" 404 555 \"http://10.4.7.2:81/\" \"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36\" \"-\"\n","stream":"stdout","time":"2021-02-25T05:44:45.227280583Z"}
{"log":"10.4.7.13 - - [25/Feb/2021:05:49:17 +0000] \"GET / HTTP/1.1\" 304 0 \"-\" \"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36\" \"-\"\n","stream":"stdout","time":"2021-02-25T05:49:17.480076186Z"}

Official docs: https://www.elastic.co/guide/en/beats/filebeat/6.7/filebeat-input-docker.html

The configurations that follow are intermediate steps; the final one is in 5.4.

5.1. Collect all logs of a single container

First find the container's full ID
[root@7-2 containers]# docker inspect nginx_81|grep -w "Id"
        "Id": "4a1f19393490f533e41d234e74cde45540941e56927eed7a0a5b91812db4ccfc",


[root@7-2 containers]# vi /usr/local/filebeat-6.6.0/filebeat.yml
filebeat.inputs:
################# Docker ##################
- type: docker
  containers.ids:
    - '4a1f19393490f533e41d234e74cde45540941e56927eed7a0a5b91812db4ccfc'
  tags: ["docker"]

setup.kibana:
  hosts: ["10.4.7.2:5601"]

output.elasticsearch:
  hosts: ["10.4.7.2:9200"]
  indices:
    - index: "docker-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "docker"
setup.template.name: "docker"
setup.template.pattern: "docker-*"
setup.template.enabled: false
setup.template.overwrite: true

5.2. Collect the logs of all containers

[root@7-2 containers]# vi /usr/local/filebeat-6.6.0/filebeat.yml
filebeat.inputs:
- type: docker
  containers.ids:
    - '*'

setup.kibana:
  hosts: ["10.4.7.2:5601"]

output.elasticsearch:
  hosts: ["10.4.7.2:9200"]
  index: "docker-%{[beat.version]}-%{+yyyy.MM}"

setup.template.name: "docker"
setup.template.pattern: "docker-*"
setup.template.enabled: false
setup.template.overwrite: true


Explanation:
- '*' means the logs of every container on this host

 

5.3. Classify docker logs by service type

Analysis: looking at the raw json-file logs, nothing tells us whether a line came from nginx, tomcat or mysql. So we use the docker-compose orchestration tool to attach a label to each container and have the logging driver write that label into every log line; the label can then be used to route each service's logs into its own index.

1. Install docker-compose

Option 1:

1. Install pip
[root@7-2 ~]# yum install -y python2-pip

2. pip uses a foreign index by default; a domestic mirror speeds it up:
[root@7-2 ~]# pip install -i https://pypi.tuna.tsinghua.edu.cn/simple pip -U
[root@7-2 ~]# pip config set global.index-url https://pypi.tuna.tsinghua.edu.cn/simple

3. Install docker-compose
[root@7-2 ~]# pip install docker-compose

4. Check
[root@7-2 ~]# docker-compose version

Option 2:

[root@7-2 ~]# yum install -y docker-compose

2. Write docker-compose.yml

[root@elk-176 ~]# vi docker-compose.yml 
version: '3'
services:
  nginx:
    image: nginx:v2
    # set a label on the container
    labels:
      service: nginx
    # make the logging driver record the service label in every line
    logging:
      options:
        labels: "service"
    ports:
      - "8080:80"
  db:
    image: nginx:latest
    # set a label on the container
    labels:
      service: db 
    # make the logging driver record the service label in every line
    logging:
      options:
        labels: "service"
    ports:
      - "80:80"

Explanation:
version: '3'                          compose file format version
services:                             the services to run; nginx and db below are two services (one container each)
image: nginx:v2                       the image the container runs
labels: service: nginx                attaches a label named service with the value nginx to the container
logging: options: labels: "service"   tells the json-file logging driver to copy the value of the service label into every log line (it shows up as attrs.service in the json log)

3. Start docker-compose.yml

Before starting, make sure ports 80 and 8080 are free
[root@7-2 containers]# netstat -tulpn |grep '80\|8080'
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1280/master         
tcp6       0      0 ::1:25                  :::*                    LISTEN      1280/master

Start the compose file
[root@7-2 ~]# docker-compose up
Starting root_db_1 ... 
Starting root_nginx_1 ... done
Attaching to root_db_1, root_nginx_1
db_1     | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
db_1     | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
db_1     | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
db_1     | 10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
db_1     | 10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
db_1     | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
db_1     | /docker-entrypoint.sh: Configuration complete; ready for start up
nginx_1  | 10.4.7.13 - - [26/Feb/2021:02:59:10 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36" "-"

Starting the compose file creates two containers
[root@7-2 ~]# docker container ls
5c3933dad170   nginx:1.14     "nginx -g 'daemon of…"   2 minutes ago   Up 17 seconds   0.0.0.0:8080->80/tcp   root_nginx_1
ca8a6bcff86d   nginx:latest   "/docker-entrypoint.…"   2 minutes ago   Up 17 seconds   0.0.0.0:80->80/tcp     root_db_1

Check the logs
[root@7-2 ~]# cd /var/lib/docker/containers/
[root@7-2 containers]# ls
5c3933dad170dba281e1d5141457c79b507aa436148eecbd039076b5f9ff12fd  ca8a6bcff86db81f9eddea4a61eae7f9eb9ad69fefdf4536f770182133ba0a83

[root@7-2 containers]# tail -f 5c3933dad170dba281e1d5141457c79b507aa436148eecbd039076b5f9ff12fd/5c3933dad170dba281e1d5141457c79b507aa436148eecbd039076b5f9ff12fd-json.log 
{"log":"10.4.7.13 - - [26/Feb/2021:02:59:10 +0000] \"GET / HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36\" \"-\"\n","stream":"stdout","attrs":{"service":"nginx"},"time":"2021-02-26T02:59:10.80980667Z"}

[root@7-2 containers]# tail -f ca8a6bcff86db81f9eddea4a61eae7f9eb9ad69fefdf4536f770182133ba0a83/ca8a6bcff86db81f9eddea4a61eae7f9eb9ad69fefdf4536f770182133ba0a83-json.log 
{"log":"/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration\n","stream":"stdout","attrs":{"service":"db"},"time":"2021-02-26T02:57:55.497932183Z"}
{"log":"/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/\n","stream":"stdout","attrs":{"service":"db"},"time":"2021-02-26T02:57:55.498111313Z"}
{"log":"/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh\n","stream":"stdout","attrs":{"service":"db"},"time":"2021-02-26T02:57:55.611703269Z"}
{"log":"10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf\n","stream":"stdout","attrs":{"service":"db"},"time":"2021-02-26T02:57:55.822807488Z"}
{"log":"10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf\n","stream":"stdout","attrs":{"service":"db"},"time":"2021-02-26T02:57:56.00967769Z"}
{"log":"/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh\n","stream":"stdout","attrs":{"service":"db"},"time":"2021-02-26T02:57:56.041073605Z

4. Parse the json logs

The label is now present in every line (attrs.service).

5. Configure filebeat

[root@7-2 filebeat-6.6.0]# ll /var/lib/docker/containers/*/*-json.log
-rw-r----- 1 root root  298 2月  26 10:59 /var/lib/docker/containers/5c3933dad170dba281e1d5141457c79b507aa436148eecbd039076b5f9ff12fd/5c3933dad170dba281e1d5141457c79b507aa436148eecbd039076b5f9ff12fd-json.log
-rw-r----- 1 root root 1259 2月  26 10:57 /var/lib/docker/containers/ca8a6bcff86db81f9eddea4a61eae7f9eb9ad69fefdf4536f770182133ba0a83/ca8a6bcff86db81f9eddea4a61eae7f9eb9ad69fefdf4536f770182133ba0a83-json.log

[root@7-2 filebeat-6.6.0]# vi /usr/local/filebeat-6.6.0/filebeat.yml
filebeat.inputs:
- type: log
  paths:
    - /var/lib/docker/containers/*/*-json.log
  json.keys_under_root: true
  json.overwrite_keys: true

setup.kibana:
  hosts: ["10.4.7.2:5601"]

output.elasticsearch:
  hosts: ["10.4.7.2:9200"]
  indices:
    - index: "docker-nginx-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        attrs.service: "nginx"
    - index: "docker-db-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        attrs.service: "db"

setup.template.name: "docker"
setup.template.pattern: "docker-*"
setup.template.enabled: false
setup.template.overwrite: true

Restart filebeat
[root@7-2 filebeat-6.6.0]# kill `pidof filebeat`;filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml > /dev/null 2>&1 &

Explanation:
1. /var/lib/docker/containers/*/*-json.log  matches the json log of every container
2. json.keys_under_root: true, json.overwrite_keys: true  docker's json-file logs are already JSON; now that every line carries the label, filebeat must decode the JSON so that attrs.service reaches ES as a real field (keys_under_root puts the decoded keys at the top level of the event) instead of as raw text
3. attrs.service: "nginx", attrs.service: "db"  routing now keys on the label value instead of on tags

                              

 

Problem: normal and error lines still land in the same index

5.4. Split by service type and by normal/error

Service type is now separated, but each container's stdout and stderr are still mixed in one index. Looking at the docker nginx documents in ES, the stream field tells them apart: stdout carries the normal (access) lines and stderr carries the error lines.

Configure filebeat

[root@7-2 filebeat-6.6.0]# vim /usr/local/filebeat-6.6.0/filebeat.yml
filebeat.inputs:
- type: log
  paths:
    - /var/lib/docker/containers/*/*-json.log
  json.keys_under_root: true
  json.overwrite_keys: true

setup.kibana:
  hosts: ["10.4.7.2:5601"]

output.elasticsearch:
  hosts: ["10.4.7.2:9200"]
  indices:
    - index: "docker-nginx-access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        attrs.service: "nginx"
        stream: "stdout"
    - index: "docker-nginx-error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        attrs.service: "nginx"
        stream: "stderr"
    - index: "docker-db-access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        attrs.service: "db"
        stream: "stdout"
    - index: "docker-db-error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        attrs.service: "db"
        stream: "stderr"

setup.template.name: "docker"
setup.template.pattern: "docker-*"
setup.template.enabled: false
setup.template.overwrite: true

Delete the docker-* indices from ES, then restart filebeat
[root@7-2 filebeat-6.6.0]# kill `pidof filebeat`;filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml > /dev/null 2>&1 &
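To see what the indices rules in 5.3 and 5.4 actually do to a docker json-file line, here is an emulation of filebeat's json decoding (json.keys_under_root) followed by the when.contains routing from the configuration above. It is an added example, not code from the page or from Filebeat; the four log lines are constructed sample input in the json-file format shown in the tail output earlier, and the last one deliberately has no attrs, like the nginx_81 container from 5.1 that was started without labels.

```python
import json
from datetime import datetime

# Added example (not Filebeat code): decode docker json-file lines and apply the
# output.elasticsearch "indices" rules from filebeat.yml above.

BEAT_VERSION = "6.6.0"
# filebeat's default when no indices rule matches (the `index` setting)
DEFAULT_INDEX = "filebeat-%{[beat.version]}-%{+yyyy.MM.dd}"

INDEX_RULES = [   # (index pattern, when.contains conditions); ALL conditions must hold
    ("docker-nginx-access-%{[beat.version]}-%{+yyyy.MM}", {"attrs.service": "nginx", "stream": "stdout"}),
    ("docker-nginx-error-%{[beat.version]}-%{+yyyy.MM}",  {"attrs.service": "nginx", "stream": "stderr"}),
    ("docker-db-access-%{[beat.version]}-%{+yyyy.MM}",    {"attrs.service": "db", "stream": "stdout"}),
    ("docker-db-error-%{[beat.version]}-%{+yyyy.MM}",     {"attrs.service": "db", "stream": "stderr"}),
]

# Constructed sample input in docker's json-file format.
SAMPLE_DOCKER_LINES = [
    '{"log":"10.4.7.13 - - [26/Feb/2021:02:59:10 +0000] \\"GET / HTTP/1.1\\" 200 612 \\"-\\" \\"curl/7.29.0\\" \\"-\\"\\n","stream":"stdout","attrs":{"service":"nginx"},"time":"2021-02-26T02:59:10.80980667Z"}',
    '{"log":"2021/02/26 02:59:11 [error] 29#29: *3 open() \\"/usr/share/nginx/html/favicon.ico\\" failed (2: No such file or directory)\\n","stream":"stderr","attrs":{"service":"nginx"},"time":"2021-02-26T02:59:11.100000000Z"}',
    '{"log":"/docker-entrypoint.sh: Configuration complete; ready for start up\\n","stream":"stdout","attrs":{"service":"db"},"time":"2021-02-26T02:57:55.497932183Z"}',
    '{"log":"container started without labels\\n","stream":"stdout","time":"2021-02-26T02:58:00.000000000Z"}',
]


def decode_line(line):
    """json.keys_under_root: the decoded keys become top-level fields of the event."""
    event = json.loads(line)
    event["log"] = event["log"].rstrip("\n")
    return event


def get_field(event, dotted):
    """Look up a dotted field name such as attrs.service; returns None when absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def contains(event, conditions):
    """when.contains: every listed field must exist and contain the given substring."""
    for field, needle in conditions.items():
        value = get_field(event, field)
        if not isinstance(value, str) or needle not in value:
            return False
    return True


def expand_index(pattern, event):
    """Expand %{[beat.version]} and the %{+yyyy.MM} / %{+yyyy.MM.dd} date formats."""
    # docker timestamps are UTC with nanoseconds; the first 19 chars are enough for the date
    ts = datetime.strptime(event["time"][:19], "%Y-%m-%dT%H:%M:%S")
    return (pattern.replace("%{[beat.version]}", BEAT_VERSION)
                   .replace("%{+yyyy.MM.dd}", ts.strftime("%Y.%m.%d"))
                   .replace("%{+yyyy.MM}", ts.strftime("%Y.%m")))


def choose_index(event, rules=INDEX_RULES, default=DEFAULT_INDEX):
    """First matching rule wins; with no match filebeat falls back to the `index` setting."""
    for pattern, conditions in rules:
        if contains(event, conditions):
            return expand_index(pattern, event)
    return expand_index(default, event)


def route_lines(lines):
    """Return [(index name, decoded event)] for each json-file log line."""
    return [(choose_index(ev), ev) for ev in map(decode_line, lines)]


if __name__ == "__main__":
    for index, ev in route_lines(SAMPLE_DOCKER_LINES):
        print(f"{index:40s} {ev['stream']:6s} {ev['log'][:60]}")
```

The fourth line shows the operational trap: an event from an unlabelled container matches none of the rules and quietly goes to the default filebeat-* index where nobody is looking. Either label every container or set output.elasticsearch.index to a catch-all you actually monitor. Also note that the two conditions under one when.contains are ANDed, which is why stdout and stderr of the same service end up in different indices.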

6. Filebeat modules

What to do when the nginx log format cannot be changed to JSON:
1. Use logstash and write a grok pattern for every field
2. Use the modules shipped with filebeat. A module parses the plain-text log through an Elasticsearch ingest pipeline and stores structured documents in ES without logstash, but it only understands the standard log formats

Parsing modules shipped with filebeat

[root@7-2 filebeat-6.6.0]# cd /usr/local/filebeat-6.6.0/modules.d
[root@7-2 modules.d]# ll
-rw-r--r-- 1 root root 371 1月  24 2019 apache2.yml.disabled
-rw-r--r-- 1 root root 175 1月  24 2019 auditd.yml.disabled
-rw-r--r-- 1 root root 845 1月  24 2019 elasticsearch.yml.disabled
-rw-r--r-- 1 root root 269 1月  24 2019 haproxy.yml.disabled
-rw-r--r-- 1 root root 546 1月  24 2019 icinga.yml.disabled
-rw-r--r-- 1 root root 371 1月  24 2019 iis.yml.disabled
-rw-r--r-- 1 root root 396 1月  24 2019 kafka.yml.disabled
-rw-r--r-- 1 root root 188 1月  24 2019 kibana.yml.disabled
-rw-r--r-- 1 root root 361 1月  24 2019 logstash.yml.disabled
-rw-r--r-- 1 root root 189 1月  24 2019 mongodb.yml.disabled
-rw-r--r-- 1 root root 368 1月  24 2019 mysql.yml.disabled
-rw-r--r-- 1 root root 369 1月  24 2019 nginx.yml.disabled
-rw-r--r-- 1 root root 388 1月  24 2019 osquery.yml.disabled
-rw-r--r-- 1 root root 192 1月  24 2019 postgresql.yml.disabled
-rw-r--r-- 1 root root 463 1月  24 2019 redis.yml.disabled
-rw-r--r-- 1 root root 190 1月  24 2019 suricata.yml.disabled
-rw-r--r-- 1 root root 574 1月  24 2019 system.yml.disabled
-rw-r--r-- 1 root root 195 1月  24 2019 traefik.yml.disabled

List the modules that are available:
[root@7-2 filebeat-6.6.0]# cd /usr/local/filebeat-6.6.0/
[root@7-2 filebeat-6.6.0]# ./filebeat modules list
Error in modules manager: modules management requires 'filebeat.config.modules.path' setting

It fails because the command reads filebeat.yml, which must point at the module directory first
[root@7-2 filebeat-6.6.0]# vim /usr/local/filebeat-6.6.0/filebeat.yml
setup.template.settings: 
  index.number_of_shards: 3

output.elasticsearch: 
  hosts: ["10.4.7.2:9200"]

filebeat.config.modules: 
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
  reload.period: 10s

Run ./filebeat modules list again (a restart is not needed for this command):
[root@7-2 filebeat-6.6.0]# ./filebeat modules list
Enabled:

Disabled:
apache2
auditd
elasticsearch
haproxy
icinga
iis
kafka
kibana
logstash
mongodb
mysql
nginx
osquery
postgresql
redis
suricata
system
traefik

6.1. Make sure all nginx logs are in plain-text format

Stop the docker containers from the previous section

[root@7-2 modules.d]# docker container ls
CONTAINER ID   IMAGE          COMMAND                  CREATED       STATUS       PORTS                  NAMES
5c3933dad170   nginx:1.14     "nginx -g 'daemon of…"   4 hours ago   Up 4 hours   0.0.0.0:8080->80/tcp   root_nginx_1
ca8a6bcff86d   nginx:latest   "/docker-entrypoint.…"   4 hours ago   Up 4 hours   0.0.0.0:80->80/tcp     root_db_1

[root@7-2 modules.d]# docker stop root_nginx_1
root_nginx_1
[root@7-2 modules.d]# docker stop root_db_1
root_db_1

Empty the nginx logs, otherwise the old JSON lines and the new plain-text lines would be mixed in one file:
[root@7-2 modules.d]# systemctl stop nginx
[root@7-2 filebeat]# > /var/log/nginx/access.log
[root@7-2 filebeat]# > /var/log/nginx/error.log
[root@7-2 modules.d]# vi /etc/nginx/nginx.conf
[root@7-2 modules.d]# systemctl start nginx

In nginx.conf switch access_log back to the plain-text format (access_log /var/log/nginx/access.log main;), then start nginx

 

6.2. Enable the nginx module

Enable the nginx module:
[root@7-2 ~ ]# cd /usr/local/filebeat-6.6.0/modules.d
[root@7-2 modules.d]# ./filebeat modules enable nginx  
Enabled nginx

Check which modules are enabled:
[root@7-2 filebeat-6.6.0]# ./filebeat modules list
Enabled:     enabled
nginx

Disabled:    not enabled
apache2
auditd
..........

Enabling just renames nginx.yml.disabled to nginx.yml, so renaming the file by hand has the same effect
[root@7-2 modules.d]# ll
..........
-rw-r--r-- 1 root root 189 1月  24 2019 mongodb.yml.disabled
-rw-r--r-- 1 root root 368 1月  24 2019 mysql.yml.disabled
-rw-r--r-- 1 root root 369 1月  24 2019 nginx.yml
-rw-r--r-- 1 root root 388 1月  24 2019 osquery.yml.disabled
..........

6.3. Configure the nginx module

1. First a configuration that does not separate access and error logs

[root@7-2 ~]# vim /usr/local/filebeat-6.6.0/filebeat.yml
setup.template.settings: 
  index.number_of_shards: 3

output.elasticsearch: 
  hosts: ["10.4.7.2:9200"]

filebeat.config.modules: 
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true

[root@7-2 ~]# vim /usr/local/filebeat-6.6.0/modules.d/nginx.yml 
- module: nginx
  # Access logs
  access:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/var/log/nginx/access.log"]   add the access log path

  # Error logs
  error:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/var/log/nginx/error.log"]   add the error log path

Restart filebeat
[root@7-2 modules.d]# kill `pidof filebeat`;filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml >>/var/log/filebeat/filebeat.log 2>&1 &

Restarting filebeat fails

The filebeat log shows the error:
[root@7-2 modules.d]# cat /var/log/filebeat/filebeat.log 
2021-03-01T14:19:56.839+0800	ERROR	fileset/factory.go:142	Error loading pipeline: Error loading pipeline for fileset nginx/access: This module requires the following Elasticsearch plugins: ingest-user-agent, ingest-geoip. You can install them by running the following commands on all the Elasticsearch nodes:
    sudo bin/elasticsearch-plugin install ingest-user-agent
    sudo bin/elasticsearch-plugin install ingest-geoip

ingest-user-agent   ES ingest plugin that parses the User-Agent string (browser, OS)
ingest-geoip        ES ingest plugin that resolves client IPs to a geographic location

Solution: install both plugins on every ES node (there is only one here) and restart ES
[root@7-2 ~ ]# cd /opt/installage
[root@7-2 installage ]# rz ingest-geoip-6.6.0.zip ingest-user-agent-6.6.0.zip    or download them:
[root@7-2 installage ]# wget https://artifacts.elastic.co/downloads/elasticsearch-plugins/ingest-geoip/ingest-geoip-6.6.0.zip
[root@7-2 installage ]# wget https://artifacts.elastic.co/downloads/elasticsearch-plugins/ingest-user-agent/ingest-user-agent-6.6.0.zip
[root@7-2 installage ]# /usr/share/elasticsearch/bin/elasticsearch-plugin install file:///opt/installage/ingest-geoip-6.6.0.zip 
[root@7-2 installage ]# /usr/share/elasticsearch/bin/elasticsearch-plugin install file:///opt/installage/ingest-user-agent-6.6.0.zip 
[root@7-2 installage ]# systemctl restart elasticsearch

Restart filebeat
[root@7-2 modules.d]# kill `pidof filebeat`;filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml >>/var/log/filebeat/filebeat.log 2>&1 &

The fileset.name field now tells access log events and error log events apart

2. Configuration that separates access and error logs

[root@7-2 filebeat-6.6.0]# vim filebeat.yml
setup.template.settings:
  index.number_of_shards: 3

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true

setup.kibana:
  host: "10.4.7.2:5601"

output.elasticsearch:
  hosts: ["10.4.7.2:9200"]
  indices:
  - index: "nginx_access-%{[beat.version]}-%{+yyyy.MM.dd}"
    when.contains:
      fileset.name: "access"
  - index: "nginx_error-%{[beat.version]}-%{+yyyy.MM.dd}"
    when.contains:
      fileset.name: "error"
setup.template.name: "nginx"
setup.template.pattern: "nginx_*"
setup.template.enabled: false
setup.template.overwrite: true

[root@7-2 filebeat-6.6.0]# vim modules.d/nginx.yml
- module: nginx
  # Access logs
  access:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/var/log/nginx/access.log"]

  # Error logs
  error:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/var/log/nginx/error.log"]

Restart ES, then restart filebeat

Note: for the error index, select as follows (screenshot)

7. Kibana visualizations

1. Importing kibana dashboards

By default, importing the filebeat dashboards imports the views for every module, far more than are needed in practice, and the stock dashboards only match indices named filebeat-*.

Two things to solve:

1. Import only the dashboards that are needed

2. Make the imported dashboards use our own index names

Solution:

1. Back up the filebeat kibana dashboard files and delete the ones that are not needed

2. Edit the default index name in the remaining dashboard files to the index name we use

2. Kibana charting example

[root@7-2 bin]# cat /usr/local/filebeat-6.6.0/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["nginx-access"]
 
- type: log
  enabled: true
  paths:
    - /var/log/nginx/error.log
  tags: ["nginx-error"]
 
setup.kibana:
  hosts: ["10.4.7.2:5601"]
 
output.elasticsearch:
  hosts: ["10.4.7.2:9200"]
  #index: "nginx-%{[beat.version]}-%{+yyyy.MM}"
  indices:
    - index: "nginx-access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "nginx-access"
    - index: "nginx-error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "nginx-error"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true


[root@7-2 bin]# cat /etc/nginx/nginx.conf
(omitted)
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    log_format json '{ "time_local": "$time_local", '
                           '"remote_addr": "$remote_addr", '
                           '"referer": "$http_referer", '
                           '"request": "$request", '
                           '"status": $status, '
                           '"bytes": $body_bytes_sent, '
                           '"agent": "$http_user_agent", '
                           '"x_forwarded": "$http_x_forwarded_for", '
                           '"up_addr": "$upstream_addr",'
                           '"up_host": "$upstream_http_host",'
                           '"upstream_time": "$upstream_response_time",'
                           '"request_time": "$request_time"'
' }';

    access_log  /var/log/nginx/access.log json;
(omitted)

Create the individual charts, then combine them on a dashboard

7.2.1. Charts
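One caveat a practitioner should check before trusting the log_format json above: nginx's default escaping writes a quote or backslash in a variable as \x22 or \x5C, which is not a valid JSON escape, so any client that puts a quote in its User-Agent or request line produces a line that filebeat's json decoding cannot parse (the event then reaches ES unparsed). The fix is log_format json escape=json '...' (the escape parameter exists in nginx 1.11.8 and later). The script below is an added example, not code from the page or from nginx: it renders the page's log_format with both escaping modes and checks whether the result is valid JSON. The escaping rules are my rendering of the nginx log_format documentation, and the request fields are constructed sample input.

```python
import json

# Added example (not nginx or Filebeat code): render the page's log_format json with
# nginx's two escaping modes and see which output filebeat can actually decode.

# Constructed sample request with attacker-controlled characters in $request and
# $http_user_agent (both come straight from the client).
SAMPLE_FIELDS = {
    "time_local": "02/Mar/2021:20:44:47 +0800",
    "remote_addr": "10.4.7.13",
    "referer": "-",
    "request": 'GET /?q="x" HTTP/1.1',
    "status": "200",
    "bytes": "612",
    "agent": 'Mozilla/5.0 "probe" \\ scanner',
    "x_forwarded": "-",
    "up_addr": "-",
    "up_host": "-",
    "upstream_time": "-",
    "request_time": "0.000",
}


def nginx_escape(value, escape="default"):
    """Escape one variable the way nginx does inside log_format (per the nginx docs)."""
    if escape == "json":
        # escape=json: '"' -> \", '\' -> \\, control chars -> \n \r \t \b \f or \u00XX
        control = {"\n": "\\n", "\r": "\\r", "\t": "\\t", "\b": "\\b", "\f": "\\f"}
        out = []
        for ch in value:
            if ch == '"':
                out.append('\\"')
            elif ch == "\\":
                out.append("\\\\")
            elif ord(ch) < 32:
                out.append(control.get(ch, "\\u%04x" % ord(ch)))
            else:
                out.append(ch)
        return "".join(out)
    # default escaping: '"', '\' and bytes < 32 or > 126 become \xXX, which JSON rejects
    out = []
    for b in value.encode("utf-8"):
        if b in (0x22, 0x5C) or b < 32 or b > 126:
            out.append("\\x%02X" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def format_access_line(fields, escape="default"):
    """Render the log_format json from nginx.conf above with the chosen escaping mode."""
    e = lambda k: nginx_escape(fields[k], escape)
    return ('{ "time_local": "%s", "remote_addr": "%s", "referer": "%s", "request": "%s", '
            '"status": %s, "bytes": %s, "agent": "%s", "x_forwarded": "%s", '
            '"up_addr": "%s","up_host": "%s","upstream_time": "%s","request_time": "%s" }'
            % (e("time_local"), e("remote_addr"), e("referer"), e("request"),
               fields["status"], fields["bytes"], e("agent"), e("x_forwarded"),
               e("up_addr"), e("up_host"), e("upstream_time"), e("request_time")))


def parse_access_line(line):
    """What filebeat's json decoding sees: a dict, or None when the line is not valid JSON."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


if __name__ == "__main__":
    for mode in ("default", "json"):
        line = format_access_line(SAMPLE_FIELDS, mode)
        print(mode, "->", "parsed" if parse_access_line(line) else "NOT valid JSON")
        print("   ", line)
```

With a harmless User-Agent both modes parse, which is why the setup appears to work in testing; the first scanner that sends a quote breaks parsing for its own requests, which are exactly the ones you want in the index. Beyond escaping, note that "upstream_time" and "request_time" are quoted in this log_format, so they arrive as strings (the logstash section later converts them to float for that reason).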

Click Visualize

Add a chart of client IPs

Change the field nginx.access.remote_ip_list.keyword to remote_addr.keyword

Adjust the label orientation

Check the type of the IP address field

Click Save

Add a pie chart (status code comparison)

Add a filter

Change the colours

Add a chart top10_url (status code comparison)

Add a gauge with the dashboard's value ranges

range is the value range

7.2.2. Dashboard

 

 

8. Using redis as a buffer for log collection

If ES runs out of capacity or becomes a performance bottleneck, put redis between filebeat and ES: events are queued in redis instead of being dropped, and logstash moves them from redis to ES.

Filebeat's redis output only talks to standalone redis nodes; it does not support Redis Cluster or Sentinel.

1. Buffering normal logs in redis

1. Install redis

[root@7-2 ~ ]# wget http://download.redis.io/releases/redis-5.0.8.tar.gz
[root@7-2 ~ ]# tar -zxvf redis-5.0.8.tar.gz -C /usr/local
[root@7-2 ~ ]# cd /usr/local/redis-5.0.8/
[root@7-2 redis-5.0.8 ]# yum install -y gcc-c++
[root@7-2 redis-5.0.8 ]# make
[root@7-2 redis-5.0.8 ]# make install
[root@7-2 redis-5.0.8 ]# cd /usr/local/bin/
[root@7-2 bin ]# cp /usr/local/redis-5.0.8/redis.conf .
[root@7-2 bin ]# mkdir kconfig
[root@7-2 bin ]# mv redis.conf kconfig/
[root@7-2 bin ]# vi kconfig/redis.conf 
daemonize yes   change to yes
bind 10.4.7.2   change to this host's IP; with the default bind 127.0.0.1 only local clients can connect. Binding to a routable address exposes redis to the whole network, so also set requirepass (filebeat's output.redis and logstash's redis input both take a password option) and keep protected-mode yes; an unauthenticated redis reachable from untrusted hosts is a well-known way to get a box taken over.

[root@7-2 bin ]# redis-server kconfig/redis.conf 
[root@7-2 bin]# redis-cli -p 6379 -h 10.4.7.2

2. Sending data from filebeat to redis

[root@7-2 bin]# vi /usr/local/filebeat-6.6.0/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["nginx-access"]

setup.kibana:
  hosts: ["10.4.7.2:5601"]

output.redis:
  hosts: ["10.4.7.2"]
  key: "filebeat"
  db: 0
  timeout: 5

[root@7-2 bin]# kill `pidof filebeat`;filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml >>/var/log/filebeat/filebeat.log 2>&1 &

[root@7-2 bin]# redis-cli -p 6379 -h 10.4.7.2   
10.4.7.2:6379> keys *           the key filebeat now exists
1) "filebeat"
10.4.7.2:6379> type filebeat    its type
list 
10.4.7.2:6379> LLEN filebeat    number of queued events
(integer) 32
10.4.7.2:6379> LRANGE filebeat  1 32
{\"path\":\"/var/log/nginx/error.log\"}},\"message\":\"2021/03/02 13:47:06 [error] 15554#0: *5 open() \\\"/usr/share/nginx/html/qwe\\\" failed (2: No such file or directory), client: 10.4.7.2, server: _, request: \\\"GET /qwe HTTP/1.1\\\", host: \\\"10.4.7.2\\\"\",\"beat\":{\"name\":\"7-2\",\"hostname\":\"7-2\",\"version\":\"6.6.0\"},\"host\":{\"name\":\"7-2\"}}"
30) "{\"@timestamp\":\"2021-03-02T12:43:55.704Z\",\"@metadata\":{\"beat\":\"filebeat\",\"type\":\"doc\",\"version\":\"6.6.0\"},\"source\":\"/var/log/nginx/error.log\",\"prospector\":{\"type\":\"log\"},\"host\":{\"name\":\"7-2\"},\"tags\":[\"nginx-error\"],\"input\":{\"type\":\"log\"},\"beat\":{\"hostname\":\"7-2\",\"version\":\"6.6.0\",\"name\":\"7-2\"},\"offset\":1906,\"log\":{\"file\":{\"path\":\"/var/log/nginx/error.log\"}},\"message\":\"2021/03/02 13:47:08 [error] 15554#0: *6 open() \\\"/usr/share/nginx/html/rty\\\" failed (2: No such file or directory), client: 10.4.7.2, server: _, request: \\\"GET /rty HTTP/1.1\\\", host: \\\"10.4.7.2\\\"\"}"
31) "{\"@timestamp\":\"2021-03-02T12:44:50.716Z\",\"@metadata\":{\"beat\":\"filebeat\",\"type\":\"doc\",\"version\":\"6.6.0\"},\"offset\":7258,\"log\":{\"file\":{\"path\":\"/var/log/nginx/access.log\"}},\"time_local\":\"02/Mar/2021:20:44:47 +0800\",\"agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36\",\"tags\":[\"nginx-access\"],\"input\":{\"type\":\"log\"},\"host\":{\"name\":\"7-2\"},\"request_time\":\"0.000\",\"source\":\"/var/log/nginx/access.log\",\"referer\":\"-\",\"up_host\":\"-\",\"bytes\":0,\"remote_addr\":\"10.4.7.13\",\"up_addr\":\"-\",\"x_forwarded\":\"-\",\"request\":\"GET / HTTP/1.1\",\"upstream_time\":\"-\",\"prospector\":{\"type\":\"

Error: after restarting filebeat the log shows connection errors and nothing is written to redis

[root@7-2 bin]# cat /var/log/filebeat/filebeat.log
2021-03-02T20:47:06.460+0800	ERROR	pipeline/output.go:100	Failed to connect to redis(tcp://10.4.7.2:6379): dial tcp 10.4.7.2:6379: connect: connection refused
2021-03-02T20:47:49.503+0800	ERROR	pipeline/output.go:100	Failed to connect to redis(tcp://10.4.7.2:6379): dial tcp 10.4.7.2:6379: connect: connection refused
2021-03-02T20:48:42.206+0800	ERROR	pipeline/output.go:100	Failed to connect to redis(tcp://10.4.7.2:6379): dial tcp 10.4.7.2:6379: connect: connection refused
2021-03-02T20:49:00.738+0800	INFO	log/harvester.go:280	File is inactive: /var/log/nginx/error.log. Closing because close_inactive of 5m0s reached.
2021-03-02T20:49:29.777+0800	ERROR	pipeline/output.go:100	Failed to connect to redis(tcp://10.4.7.2:6379): dial tcp 10.4.7.2:6379: connect: connection refused

The cause is bind 127.0.0.1 in kconfig/redis.conf, which prevents filebeat from connecting.
Solution:

[root@7-2 bin ]# vi kconfig/redis.conf 
daemonize yes   change to yes
bind 10.4.7.2   change to this host's IP so filebeat can reach redis

3. Install logstash

[root@7-2 installpag]# wget https://artifacts.elastic.co/downloads/logstash/logstash-6.6.0.rpm
[root@7-2 installpag]# rpm -ivh logstash-6.6.0.rpm      
[root@7-2 installpag]# cd /etc/logstash/conf.d/

4. Configure logstash to read from redis

[root@7-2 conf.d]# vi redis.conf
input {
  redis {
    host => "10.4.7.2"
    port => "6379"
    db => "0"
    key => "filebeat"
    data_type => "list"
  }
}

filter {
  mutate {
    convert => ["upstream_time", "float"]
    convert => ["request_time", "float"]
  }
}

output {
    stdout {}  
    elasticsearch {
      hosts => "http://10.4.7.2:9200"
      manage_template => false
      index => "nginx-access-%{+yyyy.MM}"
    }
}

Explanation:
1. input { }   where logstash reads from: the list stored under key filebeat in redis db 0
2. convert => ["upstream_time", "float"]   upstream_time is the time nginx spent waiting for the upstream (PHP, for example). nginx writes it as a decimal number, but the log_format above quotes it ("upstream_time": "$upstream_response_time"), so it arrives as a string and would sort alphabetically. Converting request_time and upstream_time to float lets kibana sort them numerically and find the slowest requests (a "-" value becomes 0.0).
3. output { }   where logstash writes to: stdout for debugging, and the ES index nginx-access-<year.month>

Clear the ES indices

Start logstash

[root@7-2 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/redis.conf

If output like the following appears, events are flowing:
          "request" => "GET /asd HTTP/1.1",
          "referer" => "-",
      "remote_addr" => "10.4.7.13",
           "offset" => 9589,
          "up_addr" => "-",
              "log" => {
        "file" => {
            "path" => "/var/log/nginx/access.log"
        }
    },
             "tags" => [
        [0] "nginx-access"
    ],
    "upstream_time" => 0.0,
            "agent" => "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/53.36",
       "time_local" => "03/Mar/2021:09:43:08 +0800",
             "beat" => {
            "name" => "7-2",
         "version" => "6.6.0",
        "hostname" => "7-2"
    },
          "up_host" => "-",
            "input" => {
        "type" => "log"
    },
         "@version" => "1",
       "@timestamp" => 2021-03-03T01:43:16.262Z,
       "prospector" => {
        "type" => "log"
    },
     "request_time" => 0.0,
            "bytes" => 3650,
           "source" => "/var/log/nginx/access.log"
}

Check the result:

 

 

2. Buffering normal and error logs in redis

Configure filebeat to send to redis

[root@7-2 ~]# vi /usr/local/filebeat-6.6.0/filebeat.yml

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["access"]

- type: log
  enabled: true
  paths:
    - /var/log/nginx/error.log
  tags: ["error"]

setup.kibana:
  hosts: ["10.4.7.2:5601"]

output.redis:
  hosts: ["10.4.7.2"]
  keys:
    - key: "nginx_access"
      when.contains:
        tags: "access"
    - key: "nginx_error"
      when.contains:
        tags: "error"                            

[root@7-2 conf.d]# kill `pidof filebeat`;filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml >>/var/log/filebeat/filebeat.log 2>&1 &   

Reload the web page a few times, then check redis
[root@7-2 conf.d]# redis-cli -p 6379 -h 10.4.7.2
10.4.7.2:6379> keys *
1) "nginx-access"
2) "nginx-error"
10.4.7.2:6379> LLEN nginx-access   check that events arrived
(integer) 29

          

Explanation:
output.redis:
    - key: "nginx_access"
      when.contains:
        tags: "access"    events tagged access are pushed onto the redis list nginx_access; the logstash redis input with key nginx_access reads them back
    - key: "nginx_error"
      when.contains:     
        tags: "error"     events tagged error are pushed onto the redis list nginx_error; the logstash redis input with key nginx_error reads them back

Configure logstash to read from redis

[root@7-2 ~]# vi /etc/logstash/conf.d/redis.conf 

input {
  redis {
    host => "10.4.7.2"
    port => "6379"
    db => "0"
    key => "nginx_access"
    data_type => "list"
  }

  redis {
    host => "10.4.7.2"
    port => "6379"
    db => "0"
    key => "nginx_error"
    data_type => "list"
  }
}

filter {
  mutate {
    convert => ["upstream_time", "float"]
    convert => ["request_time", "float"]
  }
}

output {
  stdout {}
  if "access" in [tags] {
    elasticsearch {
      hosts => "http://10.4.7.2:9200"
      manage_template => false
      index => "nginx-access-%{+yyyy.MM}"
    }
  }
  if "error" in [tags] {
    elasticsearch {
      hosts => "http://10.4.7.2:9200"
      manage_template => false
      index => "nginx-error-%{+yyyy.MM}"
    }
  }
}

Delete the nginx-access created in the first step

Start logstash

[root@7-2 ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/redis.conf >>/var/log/logstash/logstash.log 2>&1 &
[root@7-2 ~]# tail -f /var/log/logstash/logstash.log


Optimization

Summary: how ES tells the data apart

Since logstash routes the events to ES by their tags, filebeat does not need to split access.log and error.log into separate redis keys.

[root@7-2 ~]# vi /usr/local/filebeat-6.6.0/filebeat.yml
 
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["access"]
 
- type: log
  enabled: true
  paths:
    - /var/log/nginx/error.log
  tags: ["error"]
 
setup.kibana:
  hosts: ["10.4.7.2:5601"]
 
output.redis:
  hosts: ["10.4.7.2"]
  key: "nginx"


[root@7-2 ~]# vi /etc/logstash/conf.d/redis.conf 
 
input {
  redis {
    host => "10.4.7.2"
    port => "6379"
    db => "0"
    key => "nginx"
    data_type => "list"
  }
}
 
filter {
  mutate {
    convert => ["upstream_time", "float"]
    convert => ["request_time", "float"]
  }
}
 
output {
  stdout {}
  if "access" in [tags] {
    elasticsearch {
      hosts => "http://10.4.7.2:9200"
      manage_template => false
      index => "nginx-access-%{+yyyy.MM}"
    }
  }
  if "error" in [tags] {
    elasticsearch {
      hosts => "http://10.4.7.2:9200"
      manage_template => false
      index => "nginx-error-%{+yyyy.MM}"
    }
  }
}
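As an added example (not part of the original post), the following Python simulates the routing the two configurations above implement: filebeat picking a redis key from the event's tags (when.contains), and logstash converting the timing fields and choosing the ES index from the same tags. The sample events are constructed here; with no key rules (the single "nginx" key of the optimized config) the index routing comes out identical, which is the point of the optimization.

```python
import json
from datetime import datetime

# Constructed sample events, shaped like what filebeat emits for the two inputs above:
# the nginx access log is JSON (json.keys_under_root), the error log is a plain line.
SAMPLE_EVENTS = [
    {"@timestamp": "2021-03-04T11:27:04.000Z", "tags": ["access"], "status": "200",
     "request_time": "0.012", "upstream_time": "0.010", "remote_addr": "10.4.7.9"},
    {"@timestamp": "2021-03-04T11:27:05.000Z", "tags": ["error"],
     "message": "2021/03/04 11:27:05 [error] 1234#0: *1 open() failed"},
]

# output.redis.keys from the first filebeat.yml: the key is chosen by when.contains tags.
REDIS_KEY_RULES = [("nginx_access", "access"), ("nginx_error", "error")]


def filebeat_redis_key(event, rules=REDIS_KEY_RULES, default="nginx"):
    """First rule whose tag appears in the event's tags wins; with no rules
    (the optimized filebeat.yml) every event goes to the single default key."""
    for key, tag in rules:
        if tag in event.get("tags", []):
            return key
    return default


def logstash_filter(event):
    """The mutate convert filter: upstream_time and request_time become floats."""
    out = dict(event)
    for field in ("upstream_time", "request_time"):
        if field in out:
            out[field] = float(out[field])
    return out


def logstash_index(event):
    """The output conditionals: the index is picked by tag, suffixed with %{+yyyy.MM}."""
    ts = datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
    month = ts.strftime("%Y.%m")
    if "access" in event["tags"]:
        return f"nginx-access-{month}"
    if "error" in event["tags"]:
        return f"nginx-error-{month}"
    return None  # no conditional matches: the event reaches no elasticsearch output


def run_pipeline(events, single_key=False):
    """Run events through both stages; return (redis_key, es_index) per event."""
    rules = [] if single_key else REDIS_KEY_RULES
    results = []
    for ev in events:
        key = filebeat_redis_key(ev, rules)
        # redis holds the event as a JSON string in a list; logstash decodes it again
        decoded = json.loads(json.dumps(ev))
        results.append((key, logstash_index(logstash_filter(decoded))))
    return results
```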

9. Monitoring ES with kibana

Use x-pack; in the current version it is already integrated into kibana.

Click

10. Using kafka to buffer logs

What kafka is: a message queue for real-time message processing. Architecture: nginx→filebeat→kafka→logstash→ES

Build a standard three-node cluster. Prepare: 10.4.7.2, 10.4.7.3, 10.4.7.4:

1. Configure host names

On 10.4.7.2, 10.4.7.3, 10.4.7.4:
[root@7-2 bin]# vi /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.4.7.2    7-2
10.4.7.3    7-3
10.4.7.4    7-4                      

ZooKeeper cluster property: the cluster as a whole stays available as long as more than half of its ZooKeeper nodes are working. For example, with a 2-node ZooKeeper cluster, if either node fails or goes down the cluster becomes unavailable, because the one remaining node is not more than half of the cluster. With a 3-node cluster, losing one node leaves two, which is more than half of 3, so the cluster keeps running; lose a second node and only one remains, and the cluster is unavailable.
With 4 nodes, losing one is fine, but losing two leaves two, which is not more than half of the total. So a 3-node and a 4-node cluster both become unavailable after losing two nodes, which is why clusters are usually built with an odd number of nodes.

2. Deploy java

On 10.4.7.2, 10.4.7.3, 10.4.7.4:

Download the package: jdk-8u151-linux-x64.tar.gz
[root@7-2 ~ ]# cd /opt/installpag
[root@7-2 ~ ]# rz jdk-8u151-linux-x64.tar.gz
[root@7-2 ~ ]# tar zxf jdk-8u151-linux-x64.tar.gz  -C /opt/
[root@7-2 ~ ]# ln -s /opt/jdk1.8.0_151/ /opt/jdk
[root@7-2 ~ ]# sed -i.bak '$a export JAVA_HOME=/opt/jdk\nexport PATH=$JAVA_HOME/bin:$JAVA_HOME/jre/bin:$PATH\nexport CLASSPATH=.$CLASSPATH:$JAVA_HOME/lib:$JAVA_HOME/jre/lib:$JAVA_HOME/lib/tools.jar' /etc/profile
[root@kafka72 soft]# vim /etc/profile
[root@kafka72 soft]# source /etc/profile
[root@kafka72 soft]# java -version
java version "1.8.0_151"
Java(TM) SE Runtime Environment (build 1.8.0_151-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.151-b12, mixed mode)

3. Deploy and verify zookeeper

On 10.4.7.2, 10.4.7.3, 10.4.7.4:

10.4.7.2:
[root@7-2 ~ ]# cd /opt/installpag
[root@7-2 installpag]# rz kafka_2.11-1.0.0
[root@7-2 installpag]# rz zookeeper-3.4.11.tar
[root@7-2 installpag]# tar -zxvf zookeeper-3.4.11.tar.gz -C /opt/
[root@7-2 installpag]# ln -s /opt/zookeeper-3.4.11/ /opt/zookeeper
[root@7-2 installpag]# cd /opt
[root@7-2 opt]# cp /opt/zookeeper/conf/zoo_sample.cfg /opt/zookeeper/conf/zoo.cfg   turn the sample zoo_sample.cfg into the real config
[root@7-2 opt]# vi /opt/zookeeper/conf/zoo.cfg
tickTime=2000
initLimit=10
syncLimit=5
dataDir=/data/zookeeper
clientPort=2181
server.1=10.4.7.2:2888:3888
server.2=10.4.7.3:2888:3888
server.3=10.4.7.4:2888:3888

[root@7-2 opt]# mkdir -p /data/zookeeper 
[root@7-2 opt]# echo "1" > /data/zookeeper/myid     each node needs its own myid for the three nodes to form a cluster; the myid number must match the number after the corresponding server entry in zoo.cfg, e.g. zoo.cfg on 10.4.7.2 has server.1=10.4.7.2:2888:3888, so its myid is 1

10.4.7.3:
[root@7-2 ~ ]# cd /opt/installpag
[root@7-2 installpag]# rz kafka_2.11-1.0.0
[root@7-2 installpag]# rz zookeeper-3.4.11.tar
[root@7-2 installpag]# tar -zxvf zookeeper-3.4.11.tar.gz -C /opt/
[root@7-2 installpag]# ln -s /opt/zookeeper-3.4.11/ /opt/zookeeper
[root@7-2 installpag]# cd /opt
[root@7-2 opt]# cp /opt/zookeeper/conf/zoo_sample.cfg /opt/zookeeper/conf/zoo.cfg
[root@7-2 opt]# vi /opt/zookeeper/conf/zoo.cfg
tickTime=2000
initLimit=10
syncLimit=5
dataDir=/data/zookeeper
clientPort=2181
server.1=10.4.7.2:2888:3888
server.2=10.4.7.3:2888:3888
server.3=10.4.7.4:2888:3888

[root@7-2 opt]# mkdir -p /data/zookeeper 
[root@7-2 opt]# echo "2" > /data/zookeeper/myid

10.4.7.4:
[root@7-2 ~ ]# cd /opt/installpag
[root@7-2 installpag]# rz kafka_2.11-1.0.0
[root@7-2 installpag]# rz zookeeper-3.4.11.tar
[root@7-2 installpag]# tar -zxvf zookeeper-3.4.11.tar.gz -C /opt/
[root@7-2 installpag]# ln -s /opt/zookeeper-3.4.11/ /opt/zookeeper
[root@7-2 installpag]# cd /opt
[root@7-2 opt]# cp /opt/zookeeper/conf/zoo_sample.cfg /opt/zookeeper/conf/zoo.cfg
[root@7-2 opt]# vi /opt/zookeeper/conf/zoo.cfg
tickTime=2000
initLimit=10
syncLimit=5
dataDir=/data/zookeeper
clientPort=2181
server.1=10.4.7.2:2888:3888
server.2=10.4.7.3:2888:3888
server.3=10.4.7.4:2888:3888

[root@7-2 opt]# mkdir -p /data/zookeeper 
[root@7-2 opt]# echo "3" > /data/zookeeper/myid 

Start zookeeper on each node:
[root@7-2 opt]#  /opt/zookeeper/bin/zkServer.sh start
[root@7-3 opt]#  /opt/zookeeper/bin/zkServer.sh start
[root@7-4 opt]#  /opt/zookeeper/bin/zkServer.sh start

Check zookeeper status:
[root@7-2 zookeeper]# /opt/zookeeper/bin/zkServer.sh status
ZooKeeper JMX enabled by default
Using config: /opt/zookeeper/bin/../conf/zoo.cfg
Mode: follower

[root@7-3 ~]# /opt/zookeeper/bin/zkServer.sh status
ZooKeeper JMX enabled by default
Using config: /opt/zookeeper/bin/../conf/zoo.cfg
Mode: follower

[root@7-4 ~]#  /opt/zookeeper/bin/zkServer.sh status
ZooKeeper JMX enabled by default
Using config: /opt/zookeeper/bin/../conf/zoo.cfg
Mode: leader

Error: ZooKeeper fails to start with "Error contacting service. It is probably not running"

https://blog.csdn.net/Jerry00713/article/details/114374360

[root@7-2 ~]# /opt/zookeeper/bin/zkCli.sh -server 10.4.7.2:2181  connect to any node and create some data
[zk: 10.4.7.2:2181(CONNECTED) 0] create /test "hello"
Created /test
[zk: 10.4.7.2:2181(CONNECTED) 0]

[root@7-3 ~]# /opt/zookeeper/bin/zkCli.sh -server 10.4.7.3:2181  then verify the data on another node
[zk: 10.4.7.3:2181(CONNECTED) 0] get /test
hello
cZxid = 0x300000002
ctime = Thu Mar 04 11:27:04 CST 2021
mZxid = 0x300000002
mtime = Thu Mar 04 11:27:04 CST 2021
pZxid = 0x300000002
cversion = 0
dataVersion = 0
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
[zk: 10.4.7.3:2181(CONNECTED) 1] 

4. Install and test kafka

Install:

10.4.7.2:
[root@7-2 ~]# cd /opt/installpag/
[root@7-2 installpag]# rz kafka_2.11-1.0.0.tgz
[root@7-2 installpag]# tar zxf kafka_2.11-1.0.0.tgz -C /opt/
[root@7-2 installpag]# ln -s /opt/kafka_2.11-1.0.0/ /opt/kafka
[root@7-2 installpag]# mkdir /opt/kafka/logs
[root@7-2 installpag]# vim /opt/kafka/config/server.properties
broker.id=1
listeners=PLAINTEXT://10.4.7.2:9092
log.dirs=/opt/kafka/logs
log.retention.hours=24
zookeeper.connect=10.4.7.2:2181,10.4.7.3:2181,10.4.7.4:2181

10.4.7.3:
[root@7-3 ~]# cd /opt/installpag/;rz kafka_2.11-1.0.0.tgz
[root@7-3 installpag]# tar zxf kafka_2.11-1.0.0.tgz -C /opt/
[root@7-3 installpag]# ln -s /opt/kafka_2.11-1.0.0/ /opt/kafka;mkdir /opt/kafka/logs
[root@7-3 installpag]# vim /opt/kafka/config/server.properties
broker.id=2
listeners=PLAINTEXT://10.4.7.3:9092
log.dirs=/opt/kafka/logs
log.retention.hours=24
zookeeper.connect=10.4.7.2:2181,10.4.7.3:2181,10.4.7.4:2181

10.4.7.4:
[root@7-4 ~]# cd /opt/installpag/;rz kafka_2.11-1.0.0.tgz
[root@7-4 installpag]# tar zxf kafka_2.11-1.0.0.tgz -C /opt/
[root@7-4 installpag]# ln -s /opt/kafka_2.11-1.0.0/ /opt/kafka;mkdir /opt/kafka/logs
[root@7-4 installpag]# vim /opt/kafka/config/server.properties
broker.id=3
listeners=PLAINTEXT://10.4.7.4:9092
log.dirs=/opt/kafka/logs
log.retention.hours=24
zookeeper.connect=10.4.7.2:2181,10.4.7.3:2181,10.4.7.4:2181

Start:

Start kafka on each node:

Start in the foreground first, so that error logs are easy to see
[root@7-2 opt]# /opt/kafka/bin/kafka-server-start.sh  /opt/kafka/config/server.properties
[2021-03-04 14:07:25,521] INFO  [KafkaServer id=3] started (kafka.server.KafkaServer)
When the last line shows KafkaServer id and started, the broker started successfully and it can be started in the background instead

Start in the background, then check the log
[root@7-4 opt]#  /opt/kafka/bin/kafka-server-start.sh -daemon /opt/kafka/config/server.properties
[root@7-4 opt]# tail -f /opt/kafka/logs/server.log
[2021-03-04 14:15:50,341] INFO [ProducerId Manager 3]: Acquired new producerId block (brokerId:3,blockStartProducerId:1000,blockEndProducerId:1999) by writing to Zk with path version 2 (kafka.coordinator.transaction.ProducerIdManager)
[2021-03-04 14:15:50,428] INFO [TransactionCoordinator id=3] Starting up. (kafka.coordinator.transaction.TransactionCoordinator)
[2021-03-04 14:15:50,436] INFO [TransactionCoordinator id=3] Startup complete. (kafka.coordinator.transaction.TransactionCoordinator)
[2021-03-04 14:15:50,458] INFO [Transaction Marker Channel Manager 3]: Starting (kafka.coordinator.transaction.TransactionMarkerChannelManager)
[2021-03-04 14:15:50,725] INFO Creating /brokers/ids/3 (is it secure? false) (kafka.utils.ZKCheckedEphemeral)
[2021-03-04 14:15:50,754] INFO Result of znode creation is: OK (kafka.utils.ZKCheckedEphemeral)
[2021-03-04 14:15:50,757] INFO Registered broker 3 at path /brokers/ids/3 with addresses: EndPoint(10.4.7.4,9092,ListenerName(PLAINTEXT),PLAINTEXT) (kafka.utils.ZkUtils)
[2021-03-04 14:15:50,769] INFO Kafka version : 1.0.0 (org.apache.kafka.common.utils.AppInfoParser)
[2021-03-04 14:15:50,769] INFO Kafka commitId : aaa7af6d4a11b29d (org.apache.kafka.common.utils.AppInfoParser)
[2021-03-04 14:15:50,773] INFO [KafkaServer id=3] started (kafka.server.KafkaServer)

Verify that kafka started:

[root@7-4 bin]# jps
1248 QuorumPeerMain
2536 Jps
2473 Kafka    means kafka started successfully

If you get this error
[root@7-2 zookeeper]# jps
-bash: jps: 未找到命令
[root@7-4 bin]# yum install -y java-1.8.0-openjdk-devel.x86_64 

5. Test the kafka cluster

1. Test creating a topic (think of it as a chat room): you open one chat room window, and if every kafka node joins it, every message sent is seen by all

Create a topic named kafkatest with 3 partitions and a replication factor of 3; this can be run on any machine -- test creating a topic

[root@7-2 zookeeper]# /opt/kafka/bin/kafka-topics.sh  --create  --zookeeper 10.4.7.2:2181,10.4.7.3:2181,10.4.7.4:2181 --partitions 3 --replication-factor 3 --topic kafkatest

OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
Created topic "kafkatest".


2. Test getting the topic list

This can be tested on any kafka server

[root@7-2 zookeeper]# /opt/kafka/bin/kafka-topics.sh --describe --zookeeper 10.4.7.2:2181,10.4.7.3:2181,10.4.7.4:2181  --topic kafkatest
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
Topic:kafkatest	PartitionCount:3	ReplicationFactor:3	Configs:
	Topic: kafkatest	Partition: 0	Leader: 1	Replicas: 2,1,3	Isr: 3,1,2
	Topic: kafkatest	Partition: 1	Leader: 3	Replicas: 3,2,1	Isr: 3,1,2
	Topic: kafkatest	Partition: 2	Leader: 1	Replicas: 1,3,2	Isr: 1,3,2
[root@7-2 zookeeper]# 
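As an added example (not part of the original post), a small Python checker that parses the --describe output above and flags partitions whose in-sync replica set (Isr) has shrunk below the replica list or lost its leader, which is how a shrinking ISR shows up before messages start being lost. The "degraded" topic in the sample is constructed here to exercise the failing case.

```python
import re

# Constructed sample: the kafka-topics.sh --describe output shown above, plus one extra
# topic (made up here) whose ISR is shorter than its replica list.
DESCRIBE_OUTPUT = """\
Topic:kafkatest\tPartitionCount:3\tReplicationFactor:3\tConfigs:
\tTopic: kafkatest\tPartition: 0\tLeader: 1\tReplicas: 2,1,3\tIsr: 3,1,2
\tTopic: kafkatest\tPartition: 1\tLeader: 3\tReplicas: 3,2,1\tIsr: 3,1,2
\tTopic: kafkatest\tPartition: 2\tLeader: 1\tReplicas: 1,3,2\tIsr: 1,3,2
Topic:degraded\tPartitionCount:1\tReplicationFactor:3\tConfigs:
\tTopic: degraded\tPartition: 0\tLeader: 2\tReplicas: 2,1,3\tIsr: 2
"""

# One partition line; the topic header lines and JVM warnings do not match this pattern.
PARTITION_RE = re.compile(
    r"Topic:\s*(?P<topic>\S+)\s+Partition:\s*(?P<partition>\d+)\s+Leader:\s*(?P<leader>-?\d+)"
    r"\s+Replicas:\s*(?P<replicas>[\d,]+)\s+Isr:\s*(?P<isr>[\d,]*)"
)


def parse_describe(text):
    """Return one dict per partition line found in the --describe output."""
    parts = []
    for line in text.splitlines():
        m = PARTITION_RE.search(line)
        if not m:
            continue
        parts.append({
            "topic": m["topic"],
            "partition": int(m["partition"]),
            "leader": int(m["leader"]),          # -1 means no leader elected
            "replicas": [int(x) for x in m["replicas"].split(",")],
            "isr": [int(x) for x in m["isr"].split(",") if x],
        })
    return parts


def find_problems(parts, min_isr=2):
    """Flag partitions with no in-sync leader, an ISR smaller than the replica
    list (under-replicated), or an ISR below the minimum size we want to tolerate."""
    problems = []
    for p in parts:
        name = f"{p['topic']}-{p['partition']}"
        if p["leader"] == -1 or p["leader"] not in p["isr"]:
            problems.append((name, "no in-sync leader"))
        elif set(p["isr"]) != set(p["replicas"]):
            problems.append((name, f"under-replicated: isr={p['isr']} replicas={p['replicas']}"))
        if len(p["isr"]) < min_isr:
            problems.append((name, f"isr size {len(p['isr'])} below min {min_isr}"))
    return problems
```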

3. Log in to kafka and test sending messages from the command line

1. Create a topic named messagetest (like creating a room). Run on any machine
/opt/kafka/bin/kafka-topics.sh --create --zookeeper 10.4.7.2:2181,10.4.7.3:2181,10.4.7.4:2181 --partitions 3 --replication-factor 3 --topic  messagetest

2. On 10.4.7.3 and 10.4.7.4, join the messagetest topic (as if both have entered the room)
[root@7-3 zookeeper]# /opt/kafka/bin/kafka-console-consumer.sh --zookeeper 10.4.7.2:2181,10.4.7.3:2181,10.4.7.4:2181 --topic messagetest --from-beginning
[root@7-4 zookeeper]# /opt/kafka/bin/kafka-console-consumer.sh --zookeeper 10.4.7.2:2181,10.4.7.3:2181,10.4.7.4:2181 --topic messagetest --from-beginning

3. Send a message from 10.4.7.2 (as if 10.4.7.2 enters the room and speaks)
Send a message. Note: the port is kafka's 9092, not zookeeper's 2181
[root@7-2 zookeeper]# /opt/kafka/bin/kafka-console-producer.sh --broker-list  10.4.7.2:9092,10.4.7.3:9092,10.4.7.4:9092 --topic  messagetest
>Hello      type Hello at the prompt

4. Hello now shows up directly on 10.4.7.3 and 10.4.7.4

5. And if you leave this chat room and rejoin, the history is still there

6. Store data with kibana

1. filebeat configuration

[root@7-2 zookeeper]# vim /usr/local/filebeat-6.6.0/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true 
  paths:
    - /var/log/nginx/access.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["access"]

- type: log
  enabled: true 
  paths:
    - /var/log/nginx/error.log
  tags: ["error"]

setup.template.settings:
  index.number_of_shards: 3

setup.kibana:
  host: "10.4.7.2:5601"

output.kafka:
  hosts: ["10.4.7.2:9092","10.4.7.3:9092","10.4.7.4:9092"]
  topic: elklog

Explanation:
1. setup.kibana: the kibana address to output to

2. logstash configuration

[root@7-2 zookeeper]#  vi /etc/logstash/conf.d/kafka.conf
input {
  kafka {
    bootstrap_servers => "10.4.7.2:9092"
    topics => ["elklog"]
    group_id => "logstash"
    codec => "json"
  }
}

filter {
  mutate {
    convert => ["upstream_time", "float"]
    convert => ["request_time", "float"]
  }
}

output {
  if "access" in [tags] {
    elasticsearch {
      hosts => "http://10.4.7.2:9200"
      manage_template => false
      index => "nginx_access-%{+yyyy.MM.dd}"
    }
  }
  if "error" in [tags] {
    elasticsearch {
      hosts => "http://10.4.7.2:9200"
      manage_template => false
      index => "nginx_error-%{+yyyy.MM.dd}"
    }
  }
}

Explanation:
1. Only one input is written, because the brokers form a cluster

Restart filebeat and logstash

[root@7-2 zookeeper]# kill `pidof filebeat`;filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml > /dev/null 2>&1 &
[root@7-2 zookeeper]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/kafka.conf >>/var/log/logstash/logstash.log 2>&1 &
[root@7-2 ~]# tail -f /var/log/logstash/logstash.log

11. ELK cluster architecture

nginx+filebeat: 10.4.7.2
nginx reverse proxy+keepalived: 10.4.7.2   VIP: 10.4.7.6
redis: 10.4.7.3, 10.4.7.4
logstash: 10.4.7.2
ES: 10.4.7.2

Steps:

1. Switch nginx to json log output

2. filebeat

3. keepalived:

[root@7-2 ~]# yum install -y keepalived
[root@7-2 ~]# vi /etc/keepalived/keepalived.conf
global_defs {
    router_id lb01
}
vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 50
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.4.7.6
    }
}

[root@7-3 ~]# yum install -y keepalived
[root@7-3 ~]# vi /etc/keepalived/keepalived.conf
global_defs {
    router_id lb02
}
vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 50
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.4.7.6
    }
}

[root@7-2 ~]# systemctl start keepalived
[root@7-3 ~]# systemctl start keepalived

4. redis:

[root@7-3 ~ ]# cd /usr/local/bin/
[root@7-3 bin ]# redis-server kconfig/redis.conf
[root@7-3 bin ]# redis-cli -p 6379 -h 10.4.7.3
10.4.7.3: 6379> set k1 v1
OK


[root@7-4 ~ ]# cd /usr/local/bin/
[root@7-4 bin ]# redis-server kconfig/redis.conf
[root@7-4 bin ]# redis-cli -p 6379 -h 10.4.7.4
10.4.7.4: 6379> set k1 v1
OK

5. nginx reverse proxy:

Note: the stream block must be appended at the end of nginx.conf, not added as a sub-config under conf.d. Layer-4 proxying uses stream.

[root@7-2 ~ ]# cat /etc/nginx/nginx.conf
..........................
stream {
    upstream redis {
        server 10.4.7.3:6379 max_fails=2 fail_timeout=10s;
        server 10.4.7.4:6379 max_fails=2 fail_timeout=10s;
    }

    server {
        listen 6379;
        proxy_connect_timeout 1s;
        proxy_timeout 3s;
        proxy_pass redis;
    }
}

[root@7-2 ~ ]# systemctl restart nginx
