ELK的文档搭建

一、安装elasticsearch

官网：https://www.elastic.co/guide/index.html

https://www.elastic.co/guide/en/elasticsearch/reference/2.3/index.html

参考搭建文档

Elasticsearch-6.0.
logstash-6.0.
kibana-6.0.
filebeat-6.0.
https://blog.51cto.com/zero01/2079879   上篇
https://blog.51cto.com/zero01/2082794    下篇
参考  https://www.cnblogs.com/superlinux/p/10591428.html
filebeat写入kafka  :https://www.jianshu.com/p/da8113f58115

1）环境准备

[root@k8s6 ~]# java -version
openjdk version "1.8.0_201"
OpenJDK Runtime Environment (build 1.8.0_201-b09)
OpenJDK -Bit Server VM (build 25.201-b09, mixed mode)

)
[root@k8s6 ~]# ls elktools/
elasticsearch-2.3..rpm  kibana-4.5.-.x86_64.rpm  logstash-2.3.-.noarch.rpm

2）rpm包安装

[root@k8s6 ~]# rpm -ivh elktools/elasticsearch-2.3..rpm 

3）修改配置文件

备份配置文件
cp /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml.bak
修改配置文件
[root@k8s6 elasticsearch]# diff /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml.bak
17c17
< cluster.name: myes
---
> # cluster.name: my-application
23c23
< node.name: master_node
---
> # node.name: node-
54c54
< network.host: 192.168.10.22
---
> # network.host: 192.168.0.1
58c58
< http.port:
---
> # http.port: 

补充：

bootstrap.mlockall: false
bootstrap.system_call_filter: false

4）启动服务

[root@k8s6 elasticsearch]# systemctl start elasticsearch    启动服务
[root@k8s6 elasticsearch]# netstat -lntup|grep java
tcp6              192.168.10.22:      :::*                    LISTEN      /java
tcp6              192.168.10.22:      :::*                    LISTEN      /java 

5）对elasticsearch的api验证

[root@k8s6 elasticsearch]# curl http://192.168.10.22:9200
{
  "name" : "master_node",
  "cluster_name" : "myes",
  "version" : {
    "number" : "2.3.5",
    "build_hash" : "90f439ff60a3c0f497f91663701e64ccd01edbb4",
    "build_timestamp" : "2016-07-27T10:36:52Z",
    "build_snapshot" : false,
    "lucene_version" : "5.5.0"
  },
  "tagline" : "You Know, for Search"
}

二、安装elasticsearch的插件安装

1）查看执行的命令和插件位置

[root@k8s6 ~]# ls /usr/share/elasticsearch/
bin  lib  LICENSE.txt  modules  NOTICE.txt  plugins  README.textile

2）安装head插件

[root@k8s6 ~]# /usr/share/elasticsearch/bin/plugin install mobz/elasticsearch-head        从github下载
[root@k8s6 ~]# ls /usr/share/elasticsearch/plugins/head/
Dockerfile                          Gruntfile.js       LICENCE                       proxy           src
Dockerfile-alpine                   grunt_fileSets.js  package.json                  README.textile  test
elasticsearch-head.sublime-project  index.html         plugin-descriptor.properties  _site

2.1）访问测试

http://192.168.10.22:9200/_plugin/head/

3.1）安装 kopf 插件

[root@k8s6 ~]# /usr/share/elasticsearch/bin/plugin install lmenezes/elasticsearch-kopf

3.2）访问测试

http://192.168.10.22:9200/_plugin/kopf/

4）模拟提交post请求

刷新连接

二、es的集群测试

1）另一台机器同样安装好es,修改配置文件（主播模式）测试vm会存在问题

[root@node01 elasticsearch]# grep '^[a-Z]' elasticsearch.yml
cluster.name: myes
node.name: node01
path.data: /data/es-data
path.logs: /var/log/elasticsearch
bootstrap.mlockall: false
bootstrap.system_call_filter: false
network.host: 192.168.10.23
http.port: 

创建目录，并授权

[root@node01 elasticsearch]# mkdir -p /data/es-data
[root@node01 elasticsearch]# chown elasticsearch:elasticsearch /data/es-data/

2）单播模式

[root@node01 elasticsearch]# grep '^[a-Z]' elasticsearch.yml
cluster.name: myes
node.name: node01
path.data: /data/es-data
path.logs: /var/log/elasticsearch
bootstrap.mlockall: true
network.host: 192.168.10.23
http.port:
discovery.zen.ping.unicast.hosts: ["192.168.10.22", "192.168.10.23"]

3）启动服务

强调，一点要关闭防火墙。否则无法弄成集群

[root@node01 elasticsearch]# /etc/init.d/elasticsearch start

4）查询集群的状态

[root@node01 ~]# curl -XGET 'http://192.168.10.22:9200/_cluster/health?pretty=true'
{
  "cluster_name" : "myes",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : ,    # 2个节点
  "number_of_data_nodes" : ,
  "active_primary_shards" : ,
  "active_shards" : ,
  "relocating_shards" : ,
  "initializing_shards" : ,
  "unassigned_shards" : ,
  "delayed_unassigned_shards" : ,
  "number_of_pending_tasks" : ,
  "number_of_in_flight_fetch" : ,
  "task_max_waiting_in_queue_millis" : ,
  "active_shards_percent_as_number" : 100.0
}

三、在主节点安装 logstash

1）安装logstash

[root@k8s6 elktools]# rpm -ivh logstash-2.3.-.noarch.rpm
准备中...                          ################################# [%]
正在升级/安装...
   :logstash-:2.3.-               ################################# [%]
[root@k8s6 elktools]# rpm -qa|grep logstash
logstash-2.3.-.noarch
[root@k8s6 elktools]# rpm -ql logstash    # 查看安装生成了哪些文件

2）模拟日志标准输出：/opt/logstash/bin/logstash -e 'input { stdin{} } output { stdout{} }'

[root@k8s6 elktools]# /opt/logstash/bin/logstash -e 'input { stdin{} } output { stdout{} }'
Settings: Default pipeline workers:
Pipeline main started
hello
--15T04::.106Z k8s6 hello
hello world
--15T04::.121Z k8s6 hello world

json格式输出： /opt/logstash/bin/logstash -e 'input { stdin{} } output { stdout{ codec => rubydebug } }'

[root@k8s6 elktools]# /opt/logstash/bin/logstash -e 'input { stdin{} } output { stdout{ codec => rubydebug } }'
Settings: Default pipeline workers:
Pipeline main started
hello world
{
       "message" => "hello world",
      "@version" => "",
    "@timestamp" => "2019-03-15T04:47:12.509Z",
          "host" => "k8s6"
}

3）命令行模拟输出到elasticsearch： /opt/logstash/bin/logstash -e 'input { stdin{} } output { elasticsearch{ hosts => ["192.168.10.22:9200"] index => "logstash-%{+YYYY.MM.dd}" } }'

[root@k8s6 elktools]# /opt/logstash/bin/logstash -e 'input { stdin{} } output { elasticsearch{ hosts => ["192.168.10.22:9200"] index => "logstash-%{+YYYY.MM.dd}" } }'
Settings: Default pipeline workers:
Pipeline main started
hhhee

查询到输出的值

4）同时进行屏幕输出并写入es

[root@k8s6 elktools]# /opt/logstash/bin/logstash -e 'input { stdin{} } output { stdout{ codec => rubydebug }  elasticsearch{ hosts => ["192.168.10.22:9200"] index => "logstash-%{+YYYY.MM.dd}" } }'
Settings: Default pipeline workers:
Pipeline main started
天天向上
{
       "message" => "天天向上",
      "@version" => "",
    "@timestamp" => "2019-03-15T05:02:55.388Z",
          "host" => "k8s6"
}

四、使用配置文件启动logstash

检测语法

[root@node01 ~]# /opt/logstash/bin/logstash -t -f /etc/logstash/conf.d/nginx.conf
Configuration OK

1）进入到配置文件目录。cd /etc/logstash/conf.d/   ，该目录由/etc/init.d/logstash 这里定义的

[root@k8s6 elktools]# cd /etc/logstash/conf.d/
[root@k8s6 conf.d]# ls
[root@k8s6 conf.d]# 

编辑 demo.conf文件，既输出在屏幕，也存入es

YYYY.MM.dd  每天

[root@k8s6 conf.d]# cat demo.conf
input {
    stdin{}
}

filter{
}

output{
    elasticsearch {
        hosts => ["192.168.10.22:9200"]
        index => "logstash-%{+YYYY.MM.dd}"
    }

    stdout{ codec => rubydebug }
}

启动服务：[root@k8s6 conf.d]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/demo.conf

2)使用file插件，指定要记录日志的目录

[root@k8s6 conf.d]# cat file.conf
input {
    file{
        path => ["/var/log/messages", "/var/log/secure"]
        type => "system-log"
        start_position => "beginning"
    }
}

filter{
}

output{
    elasticsearch {
        hosts => ["192.168.10.22:9200"]
        index => "system-log-%{+YYYY.MM}"
    }
}

file.conf

启动服务： /opt/logstash/bin/logstash -f /etc/logstash/conf.d/file.conf

五、安装kibana

1）在主节点安装kibana

[root@k8s6 elktools]# rpm -ivh kibana-4.5.-.x86_64.rpm 

查看安装到了哪些位置

[root@k8s6 elktools]# rpm -ql kibana

2）修改配置文件

[root@k8s6 config]# pwd
/opt/kibana/config
[root@k8s6 config]# grep '^[a-Z]' kibana.yml
server.port:
server.host: "0.0.0.0"
elasticsearch.url: "http://192.168.10.22:9200"
kibana.index: ".kibana"

/opt/kibana/config/kibana.yml

启动服务：[root@k8s6 config]# /etc/init.d/kibana start

[root@k8s6 config]# netstat -lntup|grep
tcp               0.0.0.0:            0.0.0.0:*               LISTEN      /node    

网页访问：192.168.10.22:5601

2）配置索引，配置哪个，显示哪个的日志文件

匹配到了创建，即可