日志分析ELK

---

大多数Linux发行版默认的日志守护进程为rsyslog

开发语言的warning（警告级别）可以不用查

系统及服务的warning（警告级别）必须查

---

ELK

E：搜索引擎，存放数据

L：安装于服务器中，将各个服务器中的日志存于E中

K：用于显示

用处

收集文件，收集正则方式，收集json

全文索引

实时分析

处理PB级结构化或非结构化数据

ELK配置（本机IP：192.168.199.103）

elasticsearch-5.6.8配置(ES)

1. 配置jdk，jdk环境变量

   确保安装java1.8以上版本

   1. 解压java-jdk

      tar zxvf jdk-8u171-linux-x64.tar.gz /data/server/

   2. 设置环境变量

      vim /etc/profile
         
      export JAVA_HOME=/data/server/jdk1.8.0_171
      export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar:$JAVA_HOME/jre/lib/rt.jar
      export PATH=$PATH:$JAVA_HOME/bin

   3. 使/etc/profile生效

      source /etc/profile

2. 解压elasticsearch-5.6.8.tar.gz包并执行安装

   mv  elasticsearch-5.6.8/  /data/server
   cd /data/server/elasticsearch-5.6.8/bin/
   ./elasticsearch

   1. 错误一：不能以root用户执行

      useradd elas
      chown -R elas.elas elasticsearch-5.6.8/

   2. 错误二：文件描述符

      echo fs.file-max=65536 >> /etc/sysctl.conf
      sysctl -p

   3. 错误三：虚拟内存数

      echo vm.max_map_count=655360 >> /etc/sysctl.conf
      sysctl -p

   4. 错误四：JVM heap size

      vim /data/server/elasticsearch-5.6.8/config/jvm.options
      更改		-Xms2g与-Xmx2g

3. 验证安装

   curl http://127.0.0.1:9200

logstash-5.6.10配置

1. 解压logstash-5.6.10.tar.gz包

   mv  logstash-5.6.10/  /data/server/

2. 修改elasticsearch配置文件

   vim /data/server/elasticsearch-5.6.8/config/elastic search.yml
      
   cluster.name: my-application
   node.name: node-1
   network.host: 192.168.199.103
   http.port: 9200

   验证：浏览器访问http://192.168.199.103:9200

3. 配置远程日志服务器

   vim /etc/rsyslog.conf
      
   *.*   @192.168.199.103:5000

4. 编写logstash配置文件.conf

   cd /data/logger/
   vim logstash.conf
      
   input {
   	tcp { 
   		port => 5000
   		type => syslog		#可选
   		}
   	udp {
   		port => 5000
   		type => syslog
   		}
   }
   output {
   	elasticsearch {
   		hosts => ["192.168.199.103:9200"]
   			index => "ad"		#索引，用于kibana建立实例时使用
   	}
   	stdout {
   		codec => rubydebug
   	}
   }

5. 启动ES

   cd /data/server/elasticsearch-5.6.8/bin/
   ./elasticsearch

6. 启动logstash

   cd /data/server/logstash-5.6.10/bin/
   ./logstash -f /data/logger/logstash.conf

7. 验证

   logger -i -s "asdasd"	#产生日志
   logstash 中产生日志记录

kibana-5.6.8配置（版本与ES相同）

1. 解包

   tar xvf kibana-5.6.8-linux-x86_64.tar.gz
   mv kibana-5.6.8-linux-x86_64 /data/server/
   cd /data/server/kibana-5.6.8-linux-x86_64

2. 更改配置文件

   vim config/kibana.yml
      
   server.port: 5601
   server.host: "192.168.199.103"
   elasticsearch.url: "http://192.168.199.177:9200"
   kibana.index: ".kibana"
   elasticsearch.username: "elastic"
   elasticsearch.password: "changeme"

3. 启动

   首先启动ES，logstash

   然后启动kibana

   cd /data/server/kibana-5.6.8-linux-x86_64/bin
   ./kibana

4. 验证安装

   访问http://192.168.199.103:5601

安装x-pack插件

1. 下载

   版本与ES和kibana相同

2. 安装

   1. 安装ES部分

      cd /data/server/elasticsearch-5.6.8/bin
      ./elasticsearch-plugin install file:////usr/local/src/x-pack-5.6.10.zip

   2. 安装kibana部分

      cd /data/server/kibana-5.6.8-linux-x86_64/bin
      ./kibana-plugin install file:////usr/local/src/x-pack-5.6.10.zip

   3. 修改logstash.conf

      添加x-pack身份验证

      	output {
      	elasticsearch {
      		hosts => ["192.168.199.103:9200"]
      		user => elastic
      		password => changeme
      	}
      	stdout {
      		codec => rubydebug
      	}
      }

   4. 验证安装

      访问http://192.168.199.103:5601

      默认用户名：elastic 默认密码：changeme

导入日志文件

1. 创建logstash_file.conf

   cd  /data/logger
   vim logstash_file.conf
      
   input {
   	file {
   		path => ["/data/server/nginx/logs/acc.log"]
   		type => "nginx_log"
   		start_position => "beginning"
   	}
   }
   
   output {
   	if [type] == "nginx_log" {
   		elasticsearch {
   			hosts => ["192.168.199.103:9200"]
   			index => "access-%{+YYYY.MM.dd}"
   			user => elastic
   			password => changeme
   		}
   	}
   	stdout {
   		codec => rubydebug
   	}
   }

2. 启动ES，logstash，kibana，调整时间，查看导入日志

ELRK

1. 启动redis

   cd /data/server/redis/bin
   ./redis-server

2. 创建logstash_redis.conf

   cd  /data/logger
   vim  logstash_redis.conf
   
   input {
   	file {
   		path => "/data/server/nginx/logs/acc.log"
   		type => "nginx_log"
   	}
   }
   output {
   	redis {
   		host => "192.168.199.103"
   		port => "6379"
   		data_type => "list"
   		key => "nginx:redis"
   	}
   }

3. 创建logstash_redis1.conf

   cd  /data/logger
   vim  logstash_redis1.conf
   
   input {
   	redis {
   		host => "192.168.199.103"
   		port => "6379"
   		data_type => "list"
   		type => "redis_input"
   		key => "nginx:redis"
   	}
   }
   output {
   	elasticsearch {
   		hosts => ["192.168.199.103:9200"]
   		index => "nginxlog-%{+YYYY.MM.dd}"
   		user => elastic
   		password => changeme
   	}
   	stdout {
   		codec => rubydebug
   	}
   }

4. 启动ES，两个logstash，kibana，调整时间，查看导入日志