
Deploying an open-source real-time log analysis platform with ELK


ELK architecture diagram: (image not reproduced in this text)

1. JDK environment
-------------------
1.1 Download a JDK that the 5.5 release line supports (Elasticsearch 5.x requires Java 8) and unpack it into /usr/local/java.
1.2 Set the environment variables
Open /etc/profile and append the following:
export JAVA_HOME=/usr/local/java
export JRE_HOME=$JAVA_HOME/jre
export PATH=$PATH:$JAVA_HOME/bin
export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar:$JRE_HOME/lib:$CLASSPATH
export ES_HOME=/data/elk/elasticsearch
1.3 Apply the settings
source /etc/profile

2. Install and configure Elasticsearch
---------------------------
2.1 Download
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.5.1.tar.gz
2.2 Install
tar xf elasticsearch-5.5.1.tar.gz
mv elasticsearch-5.5.1 /data/elk/elasticsearch
Keep Elasticsearch, Kibana and Logstash on the same release (5.5.1 throughout this page): the unpacked directory name must match the archive you fetched, and Kibana checks the Elasticsearch version at startup and refuses to run against an incompatible node.
2.3 Configuration files
The three files in the config directory are loaded automatically:
elasticsearch.yml: main configuration file
jvm.options: JVM settings; the two that matter most are the heap bounds, to be sized for the machine:
-Xms4g
-Xmx8g
In practice set -Xms and -Xmx to the same value (Elastic's own guidance) so the heap is never resized under load, and keep it at no more than half of physical memory so the rest is left to the filesystem cache.
log4j2.properties: log format configuration, can be left alone.
2.4 Start and stop
Start: recent versions refuse to run Elasticsearch as root, so add an elastic user to run it as:
groupadd elastic
useradd elastic -g elastic
chown -R elastic:elastic /data/elk/elasticsearch
su - elastic
/data/elk/elasticsearch/bin/elasticsearch -d
netstat -ntl | grep 9200
Stop: kill `ps aux | grep elasticsearch | grep java | awk '{print $2}'`
Send SIGTERM (plain kill) rather than kill -9: SIGKILL skips the orderly shutdown, and the node then has to recover its shards and replay the translog on the next start.
2.5 Install the X-Pack plugin
/data/elk/elasticsearch/bin/elasticsearch-plugin install x-pack
2.6 Query the data
curl -u elastic:xxxx12345 'http://127.0.0.1:9200/logstash-web-zx-proxy-nginx-access/_search?size=1000&from=0&pretty'
The URL has to be quoted: an unquoted & makes the shell background the command. xxxx12345 stands for the password set in section 5; passing it with -u puts it into the shell history and the process list, so on shared hosts prefer `curl -u elastic` (curl prompts for the password) or a netrc file.
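The start/stop commands above rely on `ps | grep | awk` and on SIGKILL. Below is an added example, not code from the original post, of a small control script for the three processes on this page: a pre-flight check that jvm.options sets -Xms and -Xmx equal, starting Elasticsearch as the unprivileged elastic user with a pid file (the -d and -p flags are Elasticsearch's own), waiting for port 9200 to answer, and a stop that sends SIGTERM and escalates to SIGKILL only after a timeout. It assumes the page's layout (/data/elk/<component>, user elastic) and that curl is installed; the pid-file and log-file locations are my own choice.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Assumes the page's layout:
# components under /data/elk and the unprivileged user "elastic".
set -u

ELK_HOME=${ELK_HOME:-/data/elk}
RUN_USER=${RUN_USER:-elastic}

# "4g" -> 4294967296, "6144m" -> 6442450944, "512k" -> 524288; a bare number is bytes.
to_bytes() {
  local n=${1%[kKmMgG]} unit=${1#"${1%?}"}
  case $unit in
    k|K) echo $((n * 1024)) ;;
    m|M) echo $((n * 1024 * 1024)) ;;
    g|G) echo $((n * 1024 * 1024 * 1024)) ;;
    *)   echo "$n" ;;
  esac
}

# Elastic's guidance is to set the initial (-Xms) and maximum (-Xmx) heap to the same
# value so the JVM never resizes the heap under load. Returns 1 when they differ,
# 2 when either is missing, 0 when the file is fine.
check_heap() {
  local file=$1 xms xmx
  xms=$(sed -n 's/^-Xms\([0-9][0-9]*[kKmMgG]\{0,1\}\).*/\1/p' "$file" | tail -n 1)
  xmx=$(sed -n 's/^-Xmx\([0-9][0-9]*[kKmMgG]\{0,1\}\).*/\1/p' "$file" | tail -n 1)
  if [ -z "$xms" ] || [ -z "$xmx" ]; then
    echo "check_heap: $file does not set both -Xms and -Xmx" >&2
    return 2
  fi
  if [ "$(to_bytes "$xms")" -ne "$(to_bytes "$xmx")" ]; then
    echo "check_heap: -Xms$xms and -Xmx$xmx differ in $file; set them equal" >&2
    return 1
  fi
  return 0
}

# A zombie still answers kill -0, so also look at its state (Linux /proc).
is_running() {
  kill -0 "$1" 2>/dev/null || return 1
  if [ -r "/proc/$1/status" ] && grep -q '^State:[[:space:]]*Z' "/proc/$1/status"; then
    return 1
  fi
  return 0
}

# SIGTERM first, which lets Elasticsearch flush and close its shards cleanly; SIGKILL
# only if the process is still there after $2 seconds. The page's kill -9 skips that step.
graceful_stop() {
  local pid=$1 timeout=${2:-30} waited=0
  is_running "$pid" || return 0
  kill -TERM "$pid"
  while is_running "$pid"; do
    if [ "$waited" -ge "$timeout" ]; then
      echo "graceful_stop: pid $pid ignored SIGTERM for ${timeout}s, sending SIGKILL" >&2
      kill -KILL "$pid"
      return 1
    fi
    sleep 1
    waited=$((waited + 1))
  done
  return 0
}

# Poll until the URL answers at all (a 401 from X-Pack counts) or give up after $2 seconds.
wait_for_http() {
  local url=$1 timeout=${2:-60} waited=0
  until curl -s -o /dev/null "$url"; do
    [ "$waited" -ge "$timeout" ] && return 1
    sleep 1
    waited=$((waited + 1))
  done
}

# Elasticsearch refuses to run as root: start it as $RUN_USER, daemonised (-d), writing a
# pid file (-p), once the heap pre-flight passes.
es_start() {
  check_heap "$ELK_HOME/elasticsearch/config/jvm.options" || return 1
  su - "$RUN_USER" -c "$ELK_HOME/elasticsearch/bin/elasticsearch -d -p $ELK_HOME/elasticsearch/es.pid"
  wait_for_http "http://127.0.0.1:9200/" 120
}

# Kibana and Logstash: the same nohup start as the page, but the pid is recorded so that
# stopping never depends on ps | grep matching the right java process.
kibana_start() {
  nohup "$ELK_HOME/kibana/bin/kibana" > "$ELK_HOME/kibana/kibana.out" 2>&1 &
  echo $! > "$ELK_HOME/kibana/kibana.pid"
}
logstash_start() {
  nohup "$ELK_HOME/logstash/bin/logstash" -f "$ELK_HOME/logstash/config/nginx_log.conf" \
    > "$ELK_HOME/logstash/logstash.out" 2>&1 &
  echo $! > "$ELK_HOME/logstash/logstash.pid"
}

# stop_service <pidfile> [timeout]
stop_service() {
  [ -f "$1" ] || { echo "stop_service: no pid file $1" >&2; return 1; }
  graceful_stop "$(cat "$1")" "${2:-30}" && rm -f "$1"
}

# Usage: bash elk-ctl.sh es_start | kibana_start | logstash_start | stop_service <pidfile>
# Run without arguments the file only defines the functions (so it can be sourced).
case "${1:-}" in
  es_start|kibana_start|logstash_start) "$1" ;;
  stop_service) stop_service "${2:-}" "${3:-30}" ;;
  "") ;;
  *) echo "usage: $0 {es_start|kibana_start|logstash_start|stop_service <pidfile>}" >&2; exit 2 ;;
esac
```

The heap check compares byte counts rather than strings, so -Xms8g and -Xmx8192m are accepted as equal; the page's -Xms4g/-Xmx8g pair is rejected before the node is started.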


3. Install and configure Kibana
----------------------
3.1 Download
wget https://artifacts.elastic.co/downloads/kibana/kibana-5.5.1-linux-x86_64.tar.gz
3.2 Install
tar -xzf kibana-5.5.1-linux-x86_64.tar.gz
mv kibana-5.5.1-linux-x86_64 /data/elk/kibana
3.3 Configuration file: kibana.yml
## Kibana listens only on 127.0.0.1 by default, so change it to 0.0.0.0 to reach it from other hosts
vi /data/elk/kibana/config/kibana.yml
server.host: 0.0.0.0
Binding to 0.0.0.0 exposes the Kibana UI, which speaks plain HTTP as configured here, on every network the host is attached to. Restrict port 5601 with a firewall to the addresses that need it (or bind to one interface's address instead), and put TLS in front of it (a reverse proxy, or Kibana's own server.ssl.* settings) before the X-Pack credentials of section 5 are sent through it.
3.4 Start and stop
Start: nohup /data/elk/kibana/bin/kibana &
netstat -ntl | grep 5601
Stop: kill `ps aux | grep kibana | grep elk | awk '{print $2}'`
3.5 Install the X-Pack plugin
/data/elk/kibana/bin/kibana-plugin install x-pack

4. Install and configure Logstash
----------------------
4.1 Download
wget https://artifacts.elastic.co/downloads/logstash/logstash-5.5.1.tar.gz
4.2 Install
tar xf logstash-5.5.1.tar.gz
mv logstash-5.5.1 /data/elk/logstash
4.3 Check that the installation works
/data/elk/logstash/bin/logstash -e 'input { stdin {} } output { stdout {} }'
## Type hello world at the terminal; an echo with a timestamp prepended means it works
2017-07-29T22:34:01.643Z server.lishen.com hello world
4.4 Install the X-Pack plugin
/data/elk/logstash/bin/logstash-plugin install x-pack
4.5 Configuration files
Three files under config are loaded automatically:
logstash.yml: main configuration file
jvm.options: JVM settings; the two that matter most are the heap bounds, sized to the machine (set them equal, as for Elasticsearch):
-Xms6144m
-Xmx8g
log4j2.properties: log format configuration, can be left alone.
The pipeline itself lives in a separate file passed with the -f option at startup, here nginx_log.conf. Events arrive from Kafka already JSON-encoded; the [fields][log_type] value (set by whatever ships the nginx logs into Kafka) selects the filter branch and the target index. NGINXPHONEACCESS and NGINXPHONEERROR are custom grok patterns that are not shown on this page; they have to be supplied through the grok filter's patterns_dir, otherwise every event is tagged _grokparsefailure.
input {
  kafka {
    bootstrap_servers => "59.188.25.2xx:9092"
    #group_id => ""
    topics => ["web-proxy-nginx-log","web-zx-proxy-nginx-log","phone-proxy-nginx-log","tiger-proxy-nginx-log","exter-tiger-proxy-nginx-log","chat-proxy-nginx-log"]
    codec => "json"
    consumer_threads => 5
    decorate_events => true
  }
}

filter {

  ###### Mainland China dedicated line
  if [fields][log_type] == "web-zx-proxy-nginx-access" {
    grok {
      match => { "message" => "%{NGINXPHONEACCESS}" }
    }

    # Dropping message right after grok also discards the raw line when grok fails;
    # guard this with a check for the _grokparsefailure tag if the raw line matters.
    mutate {
      remove_field => ["message"]
    }

    mutate {
      convert => ["upstream_response_time", "float"]
      convert => ["body_bytes_sent", "integer"]
    }

    geoip {
      source => "user_real_ip"
      target => "geoip"
      database => "/data/elk/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-geoip-4.2.1-java/vendor/GeoLite2-City.mmdb"
      # two add_field entries for the same key build an array: [longitude, latitude],
      # which is the order a geo_point mapping expects
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }

    mutate {
      convert => [ "[geoip][coordinates]", "float"]
    }
  }


  if [fields][log_type] == "web-zx-proxy-nginx-error" {
    grok {
      match => { "message" => "%{NGINXPHONEERROR}" }
    }

    mutate {
      remove_field => ["message"]
    }

  }
}

output {
  if [fields][log_type] == "web-zx-proxy-nginx-access" {
    elasticsearch {
      hosts => [ "127.0.0.1:9200" ]
      index => "logstash-web-zx-proxy-nginx-access"
      user => "elastic"
      password => "xxxx12345"
    }
  }

  if [fields][log_type] == "web-zx-proxy-nginx-error" {
    elasticsearch {
      hosts => [ "127.0.0.1:9200" ]
      index => "logstash-web-zx-proxy-nginx-error"
      user => "elastic"
      password => "xxxx12345"
    }
  }
}

4.6 Start and stop
Start: nohup /data/elk/logstash/bin/logstash -f /data/elk/logstash/config/nginx_log.conf &
Stop: kill `ps aux | grep logstash | grep java | awk '{print $2}'`
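Before pointing a pipeline like nginx_log.conf at Kafka and Elasticsearch it is worth running its filter section on its own. The following is an added example, not code from the original post: it copies the filter block verbatim out of the real pipeline file, swaps the kafka input for a JSON stdin input and the elasticsearch output for a rubydebug stdout output, checks the syntax with --config.test_and_exit (a Logstash flag) and feeds it constructed sample events. The sample events assume the shipper sets fields.log_type, which the page does not show, and since the NGINXPHONEACCESS pattern is not on the page the sample access line is in nginx's default combined format; if your pattern differs, adjust the samples.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Assumes the page's layout
# (/data/elk/logstash) and that the pipeline's "filter {" and "output {" lines
# start at column 0, as in nginx_log.conf.
set -u
ELK_HOME=${ELK_HOME:-/data/elk}

# Print everything from the line "filter {" up to (not including) "output {".
extract_filter() {
  awk '/^filter[[:space:]]*[{]/ {on=1} /^output[[:space:]]*[{]/ {on=0} on' "$1"
}

# Write a throwaway pipeline: stdin (json codec) -> original filter -> stdout.
# No Kafka, no Elasticsearch, no credentials: nothing leaves the box.
make_test_pipeline() {
  local src=$1 dst=$2
  {
    echo 'input { stdin { codec => "json" } }'
    extract_filter "$src"
    echo 'output { stdout { codec => "rubydebug" } }'
  } > "$dst"
}

# Constructed sample events shaped like what the Kafka input delivers after the json
# codec: a fields.log_type selector plus the raw nginx line in "message". One event per
# filter branch and one that matches no branch (it must pass through untouched).
sample_events() {
  cat <<'EOF'
{"fields":{"log_type":"web-zx-proxy-nginx-access"},"message":"203.0.113.10 - - [29/Jul/2017:22:34:01 +0000] \"GET /index.html HTTP/1.1\" 200 512 \"-\" \"curl/7.54\" 0.012"}
{"fields":{"log_type":"web-zx-proxy-nginx-error"},"message":"2017/07/29 22:34:02 [error] 1234#0: *1 connect() failed (111: Connection refused) while connecting to upstream"}
{"fields":{"log_type":"unknown"},"message":"this event matches no branch and should pass through untouched"}
EOF
}

# Syntax check, then run the samples through the filter. Custom patterns
# (NGINXPHONEACCESS, NGINXPHONEERROR) must be reachable via patterns_dir in the grok
# filter, otherwise the output shows a _grokparsefailure tag instead of parsed fields.
run_test() {
  local work
  work=$(mktemp -d)
  make_test_pipeline "$ELK_HOME/logstash/config/nginx_log.conf" "$work/test.conf"
  "$ELK_HOME/logstash/bin/logstash" -f "$work/test.conf" --config.test_and_exit &&
    sample_events | "$ELK_HOME/logstash/bin/logstash" -f "$work/test.conf" --path.data "$work/data"
}

# Usage: bash test-pipeline.sh run
if [ "${1:-}" = "run" ]; then
  run_test
fi
```

In the rubydebug output, check that the access event has upstream_response_time as a float and body_bytes_sent as an integer (the mutate convert step), that geoip.coordinates is a two-element float array in longitude, latitude order, and that the third event still carries its original message field.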

5 ELK security
------------------
The X-Pack plugin provides basic authentication; without it (or some other access control in front of port 9200) anyone who can reach Elasticsearch can read, modify or delete every index.
5.1 Install the X-Pack plugin (Elasticsearch / Kibana / Logstash), as in sections 2.5, 3.5 and 4.4.
5.2 Change the default passwords:
curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/elastic/_password' -H "Content-Type: application/json" -d '{
  "password" : "xxxx12345"
}'

curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/kibana/_password' -H "Content-Type: application/json" -d '{
  "password" : "xxxx12345"
}'

curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/logstash_system/_password' -H "Content-Type: application/json" -d '{
  "password" : "xxxx12345"
}'

The built-in superuser is elastic with the default password changeme; with -u elastic and no password, curl prompts for it instead of recording it in the shell history. xxxx12345 is a placeholder: give each of the three built-in users its own password. kibana is the identity Kibana uses to talk to Elasticsearch and logstash_system only ships Logstash's monitoring data, so reusing the superuser's password for them turns every config file that holds it into a superuser credential.
## Once the password is changed, update it in kibana.yml (the user name is kibana)
elasticsearch.username: kibana
elasticsearch.password: xxxx12345
## Restart Kibana

## Likewise in logstash.yml, add:
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: xxxx12345
The elasticsearch output in nginx_log.conf carries its own user and password (section 4.5) and has to be updated as well; restart Logstash afterwards. These files now hold cleartext credentials, so keep them mode 600 and owned by the service user. Everything on this page also still travels over plain HTTP on port 9200, which puts the passwords on the wire in the clear; on anything but a single isolated host, enable TLS on the Elasticsearch HTTP port before relying on these passwords.

## Passwords can also be changed and users added from the Kibana UI:
Open Kibana at http://ip:5601
Go to Management > Security > Users
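The three curl calls above share one placeholder password and pass the admin credential on the command line. As an added example (not code from the original post), the script below rotates the built-in users to distinct random passwords, keeps the current elastic password out of argv and shell history by reading it from the terminal and handing it to curl through a mode-600 config file, creates a least-privilege writer user for the nginx pipeline instead of letting it write as the superuser, and rewrites the kibana.yml / logstash.yml keys named in this section. It assumes Elasticsearch on http://127.0.0.1:9200 (still plain HTTP, as on the page) and the /data/elk layout. The logstash_writer role body follows the privilege set Elastic documented for a Logstash writer role in 5.x; treat it as an assumption and check it against your version's documentation. The user name logstash_internal is my own choice.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Assumptions: Elasticsearch with X-Pack
# at $ES_URL, the page's /data/elk layout, and an elastic superuser whose current
# password the operator knows.
set -u
ES_URL=${ES_URL:-http://127.0.0.1:9200}
ELK_HOME=${ELK_HOME:-/data/elk}

# 24 random bytes, base64, URL-safe alphabet only -> 32 characters from [A-Za-z0-9_-].
# That alphabet is what makes the JSON and YAML interpolation below safe.
gen_password() {
  head -c 24 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n'
}

# Put the admin credential in a curl config file (mode 600) and use -K, so neither
# `ps` nor the shell history ever shows it. A double quote or backslash in the
# password would need a backslash escape in this file.
make_curl_cfg() {   # make_curl_cfg <user> <password>  -> prints the file name
  local cfg
  cfg=$(mktemp)
  chmod 600 "$cfg"
  printf 'user = "%s:%s"\n' "$1" "$2" > "$cfg"
  echo "$cfg"
}

# Same endpoint the page uses: PUT /_xpack/security/user/<name>/_password
set_password() {   # set_password <curl-cfg> <user> <new-password>
  curl -sS -K "$1" -X PUT "$ES_URL/_xpack/security/user/$2/_password" \
       -H 'Content-Type: application/json' -d "{\"password\":\"$3\"}"
  echo
}

# A role confined to the logstash-* indices plus the cluster privileges Logstash needs
# for index templates and health checks, and a user for the pipeline that has only that role.
create_logstash_writer() {   # create_logstash_writer <curl-cfg> <user> <password>
  curl -sS -K "$1" -X POST "$ES_URL/_xpack/security/role/logstash_writer" \
       -H 'Content-Type: application/json' -d '{
    "cluster": ["manage_index_templates", "monitor"],
    "indices": [{ "names": ["logstash-*"], "privileges": ["write", "delete", "create_index"] }]
  }'
  echo
  curl -sS -K "$1" -X POST "$ES_URL/_xpack/security/user/$2" \
       -H 'Content-Type: application/json' \
       -d "{\"password\":\"$3\",\"roles\":[\"logstash_writer\"]}"
  echo
}

# Replace an active "key: ..." line in a flat YAML file, or append one if there is none.
# Commented-out copies (#key: ...) are left alone. Writing through cat keeps the file's
# inode and permissions. (awk -v expands backslashes; the generated passwords have none.)
set_yaml_key() {   # set_yaml_key <file> <key> <value>
  local file=$1 key=$2 value=$3 tmp
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    index($0, k ":") == 1 { print k ": \"" v "\""; done = 1; next }
    { print }
    END { if (!done) print k ": \"" v "\"" }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

rotate_all() {
  local old cfg p_elastic p_kibana p_logstash p_writer
  printf 'Current elastic password: ' >&2
  read -rs old
  echo >&2
  cfg=$(make_curl_cfg elastic "$old")
  p_elastic=$(gen_password); p_kibana=$(gen_password)
  p_logstash=$(gen_password); p_writer=$(gen_password)
  # The superuser goes last: the config file authenticates with its old password.
  set_password "$cfg" kibana "$p_kibana"
  set_password "$cfg" logstash_system "$p_logstash"
  create_logstash_writer "$cfg" logstash_internal "$p_writer"
  set_password "$cfg" elastic "$p_elastic"
  rm -f "$cfg"
  set_yaml_key "$ELK_HOME/kibana/config/kibana.yml" elasticsearch.username kibana
  set_yaml_key "$ELK_HOME/kibana/config/kibana.yml" elasticsearch.password "$p_kibana"
  set_yaml_key "$ELK_HOME/logstash/config/logstash.yml" xpack.monitoring.elasticsearch.username logstash_system
  set_yaml_key "$ELK_HOME/logstash/config/logstash.yml" xpack.monitoring.elasticsearch.password "$p_logstash"
  echo "elastic: $p_elastic  (store in your secret manager; restart Kibana and Logstash)" >&2
  echo "logstash_internal: $p_writer  (use as user/password in the nginx_log.conf elasticsearch outputs)" >&2
}

# Usage: bash rotate-xpack.sh rotate
if [ "${1:-}" = "rotate" ]; then
  rotate_all
fi
```

The pipeline password is printed rather than written, because nginx_log.conf has two elasticsearch output blocks and the right edit there is to replace user => "elastic" with the new logstash_internal user in both.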
