Analyzing nginx and Tomcat logs with ELK
Elasticsearch + Logstash + Kibana (ELK) is an open-source log management stack.
Elasticsearch is an open-source distributed search engine. Its features include: distributed operation, zero configuration, automatic discovery, automatic index sharding, index replicas, a RESTful interface, multiple data sources and automatic search load balancing.
Logstash is a fully open-source tool that collects and parses your logs and stores them for later use.
Kibana is a free, open-source tool that provides a friendly web interface for the log analysis that Logstash and Elasticsearch deliver; it helps you aggregate, analyze and search important log data.
ELK website: https://www.elastic.co/
ELK official documentation: https://www.elastic.co/guide/index.html
ELK Chinese manual: http://kibana.logstash.es/content/elasticsearch/monitor/logging.html
II. Test environment for this walkthrough
OS: centos6.5_x86_64
Software: elasticsearch-6.1.2, kibana-6.1.2-linux-x86_64, logstash-6.1.2, redis-3.2.6, jdk1.8
1. Server (all software installed)
ip: 10.10.123.201
public ip: 123.206.57.23
hostname: VM_123_201_centos
2. Client (JDK and Logstash installed)
ip: 10.10.30.86
hostname: VM_30_86_centos
III. Server installation and configuration
1. Install Redis
#!/bin/bash
yum -y install make gcc gcc-c++ zlib-devel openssl openssl-devel pcre-devel patch perl tcl
cd /var/ftp/
tar xf redis-3.2.6.tar.gz
mv redis-3.2.6 /usr/local/redis
cd /usr/local/redis
make && make test && make install
if [ ! -d "/usr/local/bin" ]; then
    mkdir -p /usr/local/bin
fi
ln -s /usr/local/redis/redis.conf /etc/redis.conf
sed -i '/^daemonize no/cdaemonize yes' /etc/redis.conf
redis-server /etc/redis.conf    # start the redis service
echo "vm.overcommit_memory = 1" >> /etc/sysctl.conf
sysctl -p
cat > /etc/init.d/redis <<'EOF'
#!/bin/sh
# chkconfig: 2345 90 10
# description: Redis is a persistent key-value database
# redis Startup script for redis processes
# processname: redis
redis_path="/usr/local/bin/redis-server"
redis_conf="/etc/redis.conf"
redis_pid="/var/run/redis.pid"
# Source function library.
. /etc/rc.d/init.d/functions
[ -x $redis_path ] || exit 0
RETVAL=0
prog="redis"
# Start daemons.
start() {
    if [ -e $redis_pid -a ! -z $redis_pid ]; then
        echo $prog" already running...."
        exit 1
    fi
    echo -n $"Starting $prog "
    # Single instance for all caches
    $redis_path $redis_conf
    RETVAL=$?
    [ $RETVAL -eq 0 ] && {
        touch /var/lock/subsys/$prog
        success $"$prog"
    }
    echo
    return $RETVAL
}
# Stop daemons.
stop() {
    echo -n $"Stopping $prog "
    killproc -d 10 $redis_path
    RETVAL=$?    # capture the kill result before it is overwritten by the cleanup below
    echo
    [ $RETVAL = 0 ] && rm -f $redis_pid /var/lock/subsys/$prog
    return $RETVAL
}
# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status $prog
        RETVAL=$?
        ;;
    restart)
        stop
        start
        ;;
    condrestart)
        # the process is named redis-server, so that is what pidof has to look for
        if test "x`pidof redis-server`" != x; then
            stop
            start
        fi
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart}"
        exit 1
esac
exit $RETVAL
EOF
sleep 3
chmod 755 /etc/init.d/redis
chkconfig --add redis
chkconfig --level 2345 redis on
chkconfig redis on
service redis restart
2. Install Elasticsearch
# vim /etc/sysctl.conf
vm.overcommit_memory = 1
vm.max_map_count=262144
kernel.msgmax = 65536
kernel.msgmnb = 65536
# sysctl -p    # apply the settings
# vim /etc/security/limits.conf
* hard nofile 65536
* soft nofile 65536
# vim /etc/security/limits.d/90-nproc.conf
* soft nproc 4096
root soft nproc unlimited
# groupadd elk
# useradd elk -g elk
# cd /data/elk/
# tar zxvf elasticsearch-6.1.2.tar.gz
# vim /data/elk/elasticsearch-6.1.2/config/elasticsearch.yml
cluster.name: my-application
node.name: node-201
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
network.host: 10.10.123.201
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"
path.data: /usr/deploy/elk/elasticsearch-6.1.2/data
path.logs: /usr/deploy/elk/elasticsearch-6.1.2/logs
# chown -R elk:elk /data/elk/elasticsearch-6.1.2/*
# su - elk
$ /data/elk/elasticsearch-6.1.2/bin/elasticsearch -d    # start the elasticsearch service
3. Install Logstash + JDK
# cd /data/elk/
# tar zxf jdk-8u162-linux-x64.tar.gz
# mv jdk-8u162-linux-x64 /opt/jdk1.8
# vim /etc/profile
export JAVA_HOME=/opt/jdk1.8
export PATH=$JAVA_HOME/bin:$PATH
# source /etc/profile
# tar zxvf logstash-6.1.2.tar.gz
# vim /data/elk/logstash-6.1.2/config/input.conf
input {
    # both queues live in the same Redis instance; the type set here selects the filter and output branch
    redis {
        type => "tomcat-10.10.30.86"
        host => "123.206.57.23"
        key => "tomcat"
        data_type => 'list'
        port => "6379"
        db => "6"
    }
    redis {
        type => "nginx-10.10.30.86"
        host => "123.206.57.23"
        key => "nginx"
        data_type => 'list'
        port => "6379"
        db => "6"
    }
}
filter {
    if [type] == "nginx-10.10.30.86" {
        geoip {
            source => "clientip"
            target => "geoip"
            database => "/usr/deploy/elk/GeoLite2-City.mmdb"
            # two add_field calls on the same field build a [longitude, latitude] array,
            # the order Elasticsearch uses for geo_point arrays
            add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
            add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
        }
    }
}
output {
    if [type] == "tomcat-10.10.30.86" {
        elasticsearch {
            hosts => ["123.206.57.23:9200"]
            index => "logstash-tomcat-10.10.30.86-%{+YYYY.MM.dd}"
        }
    }
    if [type] == "nginx-10.10.30.86" {
        elasticsearch {
            hosts => ["123.206.57.23:9200"]
            index => "logstash-nginx-10.10.30.86-%{+YYYY.MM.dd}"
        }
    }
}
# cd /usr/deploy/elk/
# wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz    # GeoIP database for the map
# gzip -d GeoLite2-City.mmdb.gz
# logstash-plugin install logstash-filter-geoip
# /data/elk/logstash-6.1.2/bin/logstash -f /data/elk/logstash-6.1.2/config/input.conf    # start the logstash service
4. Install Kibana
# cd /data/elk/
# tar zxvf kibana-6.1.2-linux-x86_64.tar.gz
# vim /usr/deploy/elk/kibana-6.1.2-linux-x86_64/config/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: http://10.10.123.201:9200
kibana.index: ".kibana"
tilemap.url: http://webrd02.is.autonavi.com/appmaptile?lang=zh_cn&size=1&scale=1&style=7&x={x}&y={y}&z={z}    # map tile URL
# /data/elk/kibana-6.1.2-linux-x86_64/bin/kibana &    # run the kibana service in the background
IV. Client installation and configuration
# cd /data/elk/
# tar zxf jdk-8u162-linux-x64.tar.gz
# mv jdk-8u162-linux-x64 /opt/jdk1.8
# vim /etc/profile
export JAVA_HOME=/opt/jdk1.8
export PATH=$JAVA_HOME/bin:$PATH
# source /etc/profile
# tar zxvf logstash-6.1.2.tar.gz
# vim /data/elk/logstash-6.1.2/config/output.conf
input {
    file {
        path => "/usr/deploy/server/tomcat/tomcat1/logs/catalina*"
        type => "tomcat-10.10.30.86"
        start_position => "beginning"
        # a Tomcat entry starts with "["; any line that does not (stack trace, continuation)
        # is folded into the previous event
        codec => multiline {
            pattern => "^\["
            negate => true
            what => "previous"
        }
    }
    file {
        path => "/usr/deploy/server/openresty/nginx/logs/access_json.log"
        codec => json
        type => "nginx-10.10.30.86"
        start_position => "beginning"
    }
}
output {
    if [type] == "tomcat-10.10.30.86" {
        redis {
            host => "123.206.57.23"
            key => "tomcat"
            data_type => 'list'
            port => "6379"
            db => "6"
        }
    }
    if [type] == "nginx-10.10.30.86" {
        redis {
            host => "123.206.57.23"
            key => "nginx"
            data_type => 'list'
            port => "6379"
            db => "6"
        }
    }
}
Configure the client's nginx to write its access log in JSON format; that makes the map distribution chart easy to build.
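The multiline codec above glues a Tomcat stack trace onto the log line that precedes it: a line that does not start with "[" (pattern `^\[` with negate => true) is appended to the previous event. As an added example that is not part of the original post, here is a small Python re-implementation of that rule, run over constructed catalina.out-style lines, so you can check how a given pattern/negate/what combination will group your own log before deploying it. The sample lines and the function name are this example's own assumptions, not anything from the post.

```python
import re

# Constructed sample of catalina.out-style lines (not from the original post).
# The stack trace after the ERROR line must be folded into that event.
SAMPLE_CATALINA_LINES = [
    "[2018-01-20 10:00:01] INFO  Server startup in 1234 ms",
    "[2018-01-20 10:00:05] ERROR Request handling failed",
    "java.lang.NullPointerException: null",
    "\tat com.example.Handler.handle(Handler.java:42)",
    "\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)",
    "[2018-01-20 10:00:09] WARN  Slow request: 2310 ms",
]


def group_multiline(lines, pattern=r"^\[", negate=True, what="previous"):
    """Group raw lines into events the way Logstash's multiline codec does.

    A line "matches" when the regex is found in it; negate=True inverts that.
    what="previous": a matching line is appended to the event before it.
    what="next":     a matching line is held back and joined with the event after it.
    Returns the list of events, each one joined with newlines.
    """
    if what not in ("previous", "next"):
        raise ValueError("what must be 'previous' or 'next'")
    regex = re.compile(pattern)
    events, buffer = [], []
    for line in lines:
        matched = regex.search(line) is not None
        if negate:
            matched = not matched
        if what == "previous":
            if matched and buffer:
                buffer.append(line)          # continuation of the current event
            else:
                if buffer:
                    events.append("\n".join(buffer))
                buffer = [line]              # this line opens a new event
        else:  # what == "next"
            buffer.append(line)
            if not matched:                  # a non-matching line closes the pending event
                events.append("\n".join(buffer))
                buffer = []
    if buffer:                               # flush whatever is still pending at end of input
        events.append("\n".join(buffer))
    return events


if __name__ == "__main__":
    for event in group_multiline(SAMPLE_CATALINA_LINES):
        print("---")
        print(event)
```

With the post's settings the six sample lines become three events, the second of which carries the whole stack trace; flipping negate to false or what to "next" changes the grouping, which is exactly the kind of mistake that is easier to catch here than in Kibana after the data has been indexed.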
log_format json '{"@timestamp":"$time_iso8601",'
    '"host":"$server_addr",'
    '"clientip":"$remote_addr",'
    '"size":$body_bytes_sent,'
    '"responsetime":$request_time,'
    '"upstreamtime":"$upstream_response_time",'
    '"upstreamhost":"$upstream_addr",'
    '"http_host":"$host",'
    '"url":"$uri",'
    '"domain":"$host",'
    '"xff":"$http_x_forwarded_for",'
    '"referer":"$http_referer",'
    '"agent":"$http_user_agent",'
    '"status":"$status"}';
access_log /usr/deploy/server/openresty/nginx/logs/access_json.log json;
# /data/elk/logstash-6.1.2/bin/logstash -f /data/elk/logstash-6.1.2/config/output.conf    # start the logstash service (the client pipeline written above)
Open in a browser:
http://123.206.57.23:5601
V. Common analysis settings in the browser
1. Bar chart of the top 10 client IP addresses
2. Map of where the visiting IPs are located
3. Pie chart of the number of requests per time period
4. IP statistics that can be downloaded locally
After defining the visualizations, save them and add them to a Dashboard panel; the dashboard then shows the set of charts we need.
The Dashboard looks like this:
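The JSON log_format above is what lets Logstash's json codec turn each access-log line into an event with separate clientip, status and @timestamp fields, and those fields are what the visualizations listed here count. One thing to check before trusting the counts: with its default escaping, nginx writes a double quote inside $http_user_agent or $http_referer as `\x22`, which is not a valid JSON escape, so such a line fails to parse in the json codec unless the log_format carries the `escape=json` parameter (available in nginx 1.11.8 and later). As an added example that is not part of the original post, here is a Python script that parses constructed access_json.log lines the same way, reports the malformed ones instead of silently losing them, and computes the top-N client IPs, the per-hour request counts and a downloadable CSV, i.e. items 1, 3 and 4 of the list. The sample lines, the IP addresses (documentation ranges) and the function names are this example's own assumptions.

```python
import csv
import io
import json
from collections import Counter
from datetime import datetime

# Constructed access_json.log lines (not real traffic); they use the field names of the
# log_format above. The fifth line carries nginx's default \x22 escaping of a double
# quote in the User-Agent, which is not valid JSON.
SAMPLE_ACCESS_LINES = [
    '{"@timestamp":"2018-01-20T10:15:32+08:00","host":"10.10.30.86","clientip":"203.0.113.5","size":512,"responsetime":0.012,"upstreamtime":"0.010","upstreamhost":"127.0.0.1:8080","http_host":"example.test","url":"/index.html","domain":"example.test","xff":"-","referer":"-","agent":"Mozilla/5.0","status":"200"}',
    '{"@timestamp":"2018-01-20T10:47:01+08:00","host":"10.10.30.86","clientip":"203.0.113.5","size":0,"responsetime":0.002,"upstreamtime":"-","upstreamhost":"-","http_host":"example.test","url":"/missing","domain":"example.test","xff":"-","referer":"-","agent":"Mozilla/5.0","status":"404"}',
    '{"@timestamp":"2018-01-20T11:02:10+08:00","host":"10.10.30.86","clientip":"198.51.100.7","size":2048,"responsetime":0.120,"upstreamtime":"0.118","upstreamhost":"127.0.0.1:8080","http_host":"example.test","url":"/api/items","domain":"example.test","xff":"-","referer":"-","agent":"curl/7.29.0","status":"200"}',
    '{"@timestamp":"2018-01-20T11:03:55+08:00","host":"10.10.30.86","clientip":"203.0.113.5","size":64,"responsetime":1.500,"upstreamtime":"1.498","upstreamhost":"127.0.0.1:8080","http_host":"example.test","url":"/api/items","domain":"example.test","xff":"-","referer":"-","agent":"Mozilla/5.0","status":"500"}',
    r'{"@timestamp":"2018-01-20T11:20:00+08:00","host":"10.10.30.86","clientip":"198.51.100.8","size":0,"responsetime":0.001,"upstreamtime":"-","upstreamhost":"-","http_host":"example.test","url":"/","domain":"example.test","xff":"-","referer":"-","agent":"Mozilla/5.0 \x22quoted\x22","status":"400"}',
    '{"@timestamp":"2018-01-20T11:30:00+08:00","host":"10.10.30.86","clientip":"198.51.100.9","size":128,"responsetime":0.004,"upstreamtime":"0.003","upstreamhost":"127.0.0.1:8080","http_host":"example.test","url":"/login","domain":"example.test","xff":"-","referer":"-","agent":"Mozilla/5.0","status":"200"}',
]

REQUIRED_FIELDS = ("@timestamp", "clientip", "status")


def parse_access_log(lines):
    """Decode JSON access-log lines the way the json codec would.

    Returns (events, rejected): events is a list of dicts; rejected is a list of
    (line_number, reason) for lines that are not valid JSON objects or lack a required
    field, so a parsing problem shows up as a count instead of vanishing.
    """
    events, rejected = [], []
    for number, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError as exc:
            rejected.append((number, "invalid JSON: %s" % exc.msg))
            continue
        if not isinstance(event, dict):
            rejected.append((number, "not a JSON object"))
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in event]
        if missing:
            rejected.append((number, "missing fields: %s" % ", ".join(missing)))
            continue
        events.append(event)
    return events, rejected


def top_client_ips(events, n=10):
    """Top-N client IPs by request count: the data behind the bar chart (item 1)."""
    return Counter(e["clientip"] for e in events).most_common(n)


def requests_per_hour(events):
    """Request count per hour bucket: the data behind the per-period pie chart (item 3)."""
    buckets = Counter()
    for e in events:
        ts = datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%S%z")
        buckets[ts.strftime("%Y-%m-%d %H:00")] += 1
    return dict(sorted(buckets.items()))


def ip_stats_csv(events):
    """Per-IP request and 4xx/5xx counts as CSV text, ready to download (item 4)."""
    totals = Counter(e["clientip"] for e in events)
    errors = Counter(e["clientip"] for e in events if int(e["status"]) >= 400)
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["clientip", "requests", "errors"])
    for ip, count in totals.most_common():
        writer.writerow([ip, count, errors.get(ip, 0)])
    return out.getvalue()


if __name__ == "__main__":
    events, rejected = parse_access_log(SAMPLE_ACCESS_LINES)
    print("parsed %d events, rejected %d lines" % (len(events), len(rejected)))
    for number, reason in rejected:
        print("  line %d: %s" % (number, reason))
    print("top IPs:", top_client_ips(events))
    print("per hour:", requests_per_hour(events))
    print(ip_stats_csv(events))
```

Run it against a real access_json.log (one line per list element) and compare the rejected count with the document count Kibana shows for the index: a non-zero rejected count means the charts are built on fewer requests than nginx actually served, and the usual fix is adding escape=json to the log_format.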