ELK(6.x版本)日志分析平台+Granfan可视化

栏目: 后端 · 发布时间: 6年前

内容简介:log_files -> filebeat –> logstash -> - elasticsearch -> kibanalog_files -> filebeat -> logstash –> redis -> - logstash -> - elasticsearch -> kibanalog_files -> filebeat -> elasticsearch-> kibana

ELK(6.x版本)日志分析平台+Granfan可视化

系统环境准备

# 系统版本及内核信息
[root@test03 config]# uname  -a
Linux test03 3.10.0-862.el7.x86_64 #1 SMP Fri Apr 20 16:44:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

# 配置 java 1.8版本
[root@test03 local]# wget jdk-8u171-linux-x64.tar.gz
[root@test03 local]# tar -zxvf jdk-8u171-linux-x64.tar.gz -C /usr/local/

echo "JAVA_HOME=/usr/local/jdk1.8.0_171 >> /etc/profile
echo "CLASSPATH=.:\$JAVA_HOME/lib/tools.jar:\$JAVA_HOME/lib/dt.jar" >> /etc/profile 
echo "PATH=\$JAVA_HOME/bin:\$PATH" >> /etc/profile 
source /etc/profile

采集方案(本教程采用第三种方案)

方案一

log_files -> filebeat –> logstash -> - elasticsearch -> kibana

方案二

log_files -> filebeat -> logstash –> redis -> - logstash -> - elasticsearch -> kibana

方案三

log_files -> filebeat -> elasticsearch-> kibana

配置nginx日志格式log_format

log_format  main  '$host $remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent $upstream_response_time "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for" "$uid_got" "$uid_set" "$http_x_tencent_ua" "$upstream_addr" "$upstream_http_x_cached_from" "$upstream_http_cache_control"';

配置filebeat(根据官网改造支持nginx日志格式)

下载软件:

[root@test03 local]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.3.2-linux-x86_64.tar.gz
[root@test03 local]# tar -zxvf filebeat-6.3.2-linux-x86_64.tar.gz

配置filebeat:

[root@WEB3 include]# cat /etc/filebeat/config.yml  | grep -Ev  '#|^$'
filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/nginx/*access.log
  grok_pattern: '%{USERNAME:domain} %{IPV4:client_ip} (.*) \[%{HTTPDATE:timestamp}\] (.*) %{URIPATH:path}(.*)\" (?:%{INT:response_status}|-) (?:%{INT:response_bytes}|-) (?:%{NUMBER:response_time}|-)'
  ignore_older: 1h
name: 192.168.1.1
output.elasticsearch:
  enabled: true
  hosts: ["192.168.1.1:9200"]
  index: "beijing-web-%{+yyyy.MM.dd}"
  template.enabled: false
  template.versions.2x.enabled: false
  template.versions.6x.enabled: false
output.file:
  enabled: true
  path: /tmp/filebeat
path.config: /etc/filebeat
path.data: /tmp/filebeat/data
path.logs: /var/log
logging.to_files: true
logging.files:
  path: /var/log
  name: filebeat

配置logstash

下载软件:

[root@test03 local]# wget https://artifacts.elastic.co/downloads/logstash/logstash-6.3.2.tar.gz
[root@test03 local]# tar -zxvf logstash-6.3.2.tar.gz

几种插件的使用:

1、grok插件

作用:解析message信息或其他操作

nginx日志的正则匹配

match => { 
          "message" => "(?<domain>%{IP:ip}|(?:%{NOTSPACE:subsite}\.)?(?<site>[-a-zA-Z0-9]+?).com|%{NOTSPACE:unknown}) %{IPORHOST:dayuip} - (?<user>[a-zA-Z\.\@\-\+_%]+) \[%{HTTPDATE:timestamp}\] \"%{WORD:verb} (?<request_path>(?<biz>\/[^/?]*)%{URIPATH:}?)(?:%{URIPARAM:request_param})? HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:%{BASE10NUM:request_duration}|-) (?:\"(?:%{URI:referrer}|-)\"|%{QS:referrer}) %{QS:agent} \"(?:%{IPORHOST:clientip}(?:[^\"]*)|-)\" %{QS:uidgot} %{QS:uidset} \"(?:[^\" ]* )*(?<upstream>[^ \"]*|-)\""
      }

Java的正则匹配

match => {
      "message" => "\[entry\]\[ts\](?<ts>.*)\[/ts\]\[lv\](?<lv>.*)\[/lv\]\[th\](?<th>.*)\[/th\]\[lg\](?<lg>.*)\[/lg\]\[cl\](?<cl>.*)\[/cl\]\[m\](?<m>.*)\[/m\]\[ln\](?<ln>.*)\[/ln\]\[bsid\](?<bsid>.*)\[/bsid\]\[esid\](?<esid>.*)\[/esid\](\[cmid\](?<cmid>.*)\[/cmid\])?\[txt\](?<txt>.*)\[/txt\]\[ex\](?<ex>.*)\[/ex\]\[/entry\]"
}

PHP的正则匹配

match => {
        "message" => "\[entry\]\[ts\](?<ts>.*)\[/ts\]\[lv\](?<lv>.*)\[/lv\]\[th\](?<th>.*)\[/th\]\[lg\](?<lg>.*)\[/lg\]\[cl\](?<cl>.*)\[/cl\]\[m\](?<m>.*)\[/m\]\[ln\](?<ln>.*)\[/ln\]\[bsid\](?<bsid>.*)\[/bsid\]\[esid\](?<esid>.*)\[/esid\]\[txt\](?<txt>.*)\[/txt\]\[proj\](?<proj>.*)\[/proj\]\[iid\](?<iid>.*)\[/iid\]\[file\](?<file>.*)\[/file\]\[ex\](?<ex>.*)\[/ex\]\[type\](?<logtype>.*)\[/type\]\[/entry\]"
}

2、date 插件

作用:将解析到的时间作为展示在kibana的time

filter {
        date {
               match => [ "logdate", "MMM dd yyyy HH:mm:ss" ]
             }
      }

logstash配置优化

input {
    beats {
        port => "5043"
    }
}
filter {
    grok {
        match => { "message" => "^(?<domain>%{IP:ip}|(?:%{NOTSPACE:subsite}\.)?(?<site>[-a-zA-Z0-9]+?).com|%{NOTSPACE:unknown}) %{IPORHOST:dayuip} - (?<user>[a-zA-Z\.\@\-\+_%]+) \[%{HTTPDATE:timestamp}\] \"%{WORD:verb} (?<request_path>(?<biz>\/[^/?]*)%{URIPATH:}?)(?:%{URIPARAM:request_param})? HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:%{BASE10NUM:request_duration}|-) (?:\"(?:%{URI:referrer}|-)\"|%{QS:referrer}) %{QS:agent} \"(?:%{IPORHOST:clientip}(?:[^\"]*)|-)\" %{QS:uidgot} %{QS:uidset} %{QS:tencentua} \"(?:[^\" ]* )*(?<upstream>[^ \"]*|-)\" %{QS:cachedfrom} %{QS:cachectrl}"}
    }

   date {
      # Try to pull the timestamp from the 'timestamp' field (parsed above with
      # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
      locale => "en"
      timezone => "Asia/Shanghai"
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
      add_tag => [ "tsmatch" ]
    }

    if [ip] {
         mutate { add_field => { "site" => "unknown" "subsite" => "ip" } }    
    } else if [unknown] {
         mutate { add_field => { "site" => "unknown" "subsite" => "unknown" } }    
    } else if ! [subsite] {
         mutate { add_field => { "subsite" => "-" } }    
    }

    if ![site] {
         mutate { add_field => { "site" => "unknown" } }    
    }


    mutate {
        convert => { "bytes" => "integer" "request_duration" => "float"}
    }

    if [request_path] =~ "\/count\/a682ab23d4b4c95f84c744b2826419cd" {
        mutate { add_field => {"clkstrm" => "1" } }
    }
    
    if [clientip] =~ "." {
        geoip {
            source => "clientip"
        }
    }
}

output {
    elasticsearch {
        hosts => [ "192.168.1.1:9200" ]
    }

#    http {
#        format=>"json"
#        http_method=>"post"
#        url => "http://localhost:8989/api/v1/metrics"
#    }
}

elasticsearch配置调优

下载软件:

[root@test03 local]# wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.3.2.tar.gz
[root@test03 local]# tar -zxvf elasticsearch-6.3.2.tar.gz

优化文件描述符:

ulimit -n 65536

cat >>/etc/security/limits.conf<<EOF
# allow user 'elasticsearch' mlockall
* soft nofile 65536
* hard nofile 131072
* soft nproc 2048
* hard nproc 4096
EOF

sed -i 's#*          soft    nproc     1024#*          soft    nproc     2048#'g /etc/security/limits.d/90-nproc.conf 

echo "vm.max_map_count=655360" >>/etc/sysctl.conf
sysctl -p

创建对应目录:

useradd -M -s /sbin/nologin elasticsearch
mkdir -p /var/log/elasticsearch /mnt/elasticsearch /mnt/backups
chown -R elasticsearch. /var/log/elasticsearch /mnt/elasticsearch /mnt/backups /usr/local/elasticsearch

vim ./bin/elasticsearch
ES_JAVA_OPTS="-Xms8g -Xmx8g" 
export JAVA_HOME=/usr/java/jdk1.8.0_171

vim config/elasticsearch.yml
bootstrap.memory_lock: true

swapoff -a

es配置文件优化:

[root@test03 elasticsearch-6.3.2]# cat config/elasticsearch.yml

cluster.name: bill-eye
node.name: node-test1

node.master: true 
node.data: true 
node.ingest: true

path.logs: /var/log/elasticsearch
path.data: /mnt/elasticsearch
path.repo: /mnt/backups

bootstrap.memory_lock: false
bootstrap.system_call_filter: false

network.host: [_site_, _local_, _ens160_]
network.publish_host: [_site_, _local_, _ens160_]
transport.tcp.port: 9300
http.port: 9200
http.enabled: true
http.cors.enabled: true
http.cors.allow-origin: "*"

discovery.zen.ping_timeout: 60s
discovery.zen.join_timeout: 30s
discovery.zen.fd.ping_timeout: 180s
discovery.zen.fd.ping_retries: 8
discovery.zen.fd.ping_interval: 30s

discovery.zen.ping.unicast.hosts: ["192.168.1.1:9200"]
discovery.zen.minimum_master_nodes: 2
discovery.zen.commit_timeout: 120s

gateway.expected_nodes: 1
gateway.recover_after_time: 5m
gateway.recover_after_nodes: 2

indices.breaker.total.limit: 70%
indices.breaker.fielddata.limit: 60%  
indices.breaker.request.limit: 60%
indices.fielddata.cache.size: 30% 
indices.queries.cache.size: 10%
indices.requests.cache.size: 2%
indices.recovery.max_bytes_per_sec: 20mb

启动es:

sudo -u elasticsearch ./bin/elasticsearch -d

配置kibana

下载软件:

[root@test03 local]# wget https://artifacts.elastic.co/downloads/kibana/kibana-6.3.2-linux-x86_64.tar.gz
[root@test03 local]# tar -zxvf kibana-6.3.2-linux-x86_64.tar.gz

配置kibana:

[root@test03 kibana-6.3.2-linux-x86_64]# grep -Ev '^$|#' config/kibana.yml
server.port: 5601
server.host: "192.168.1.1"
elasticsearch.url: "http://192.168.1.1:9200"
kibana.index: ".kibana"
elasticsearch.pingTimeout: 2500
elasticsearch.requestTimeout: 60000

启动kibana:

nohup ./bin/kibana &

配置granfan

下载软件:

[root@test03 local]# wget https://s3-us-west-2.amazonaws.com/grafana-releases/release/grafana-5.2.2.linux-amd64.tar.gz 
[root@test03 local]# tar -zxvf grafana-5.2.2.linux-amd64.tar.gz

启动:

[root@test03 grafana-5.2.2]# nohup ./bin/grafana-server  &

最终效果

ELK(6.x版本)日志分析平台+Granfan可视化

参考


以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持 码农网

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

プログラミングコンテストチャレンジブック

プログラミングコンテストチャレンジブック

秋葉 拓哉、岩田 陽一、北川 宜稔 / 毎日コミュニケーションズ / 2010-09-11 / JPY 34.44

現在、プログラミングコンテストは数多く開催されています。Google Code Jam、TopCoder、ACM/ICPCなどの名前を聞いたことがある人も少なくないでしょう。本書で扱うのはそれらのような、問題を正確にできるだけ多く解くことを競うプログラミングコンテストです。 プログラミングコンテストは気軽に参加することができます。例えば、Google Code JamやTopCoderはイン......一起来看看 《プログラミングコンテストチャレンジブック》 这本书的介绍吧!

HTML 压缩/解压工具
HTML 压缩/解压工具

在线压缩/解压 HTML 代码

CSS 压缩/解压工具
CSS 压缩/解压工具

在线压缩/解压 CSS 代码

XML、JSON 在线转换
XML、JSON 在线转换

在线XML、JSON转换工具