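ES, Kibana, Logstash and Filebeat should be installed at the same version wherever possible; this article installs version 6.2.3.
Environment preparation: disable the firewall and SELinux. A Java environment is required; JDK 1.8 is used here.
Filebeat -> Kafka -> Logstash -> ES -> Kibana
ES, Kibana
IP: 10.0.1.190
Install directories: ES: /data/elasticsearch
Kibana: /usr/local/kibana
Logstash
IP: 10.0.1.189
Install directory: /usr/local/logstash
Filebeat is deployed on each application server.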
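1. ES installation and deployment
Download the required package.
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.2.3.tar.gz
Extract it and move it to /data (this directory needs plenty of spare space; once disk usage exceeds 95%, ES will no longer work properly).
Create a dedicated user and group for ES.
Create the group:
groupadd elasticsearch
Create the user and add it to the group:
useradd elasticsearch -g elasticsearch
Make the user elasticsearch the owner of the Elasticsearch directory:
chown -R elasticsearch:elasticsearch /data/elasticsearch
Edit the ES configuration file /data/elasticsearch/config/elasticsearch.yml:
network.host: 0.0.0.0
http.port: 9200
Switch to the user elasticsearch and start ES:
/data/elasticsearch/bin/elasticsearch -d
netstat -tunlp |grep 9200
Check that the service responds normally:
curl 127.0.0.1:9200
Scheduled index-cleanup script, to be put in crontab: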
#!/bin/bash
# Delete every index whose date suffix is 3 or more days old.
function delete_indices() {
    comp_date=`date -d "3 day ago" +"%Y-%m-%d"`
    data1="$1 00:00:00"
    data2="$comp_date 00:00:00"
    t1=`date -d "$data1" +%s`
    t2=`date -d "$data2" +%s`
    if [[ $t1 -le $t2 ]]; then
        # Index names carry the date with dots (YYYY.MM.dd)
        index_date=`echo $1 | sed 's/-/./g'`
        # curl --user 'elastic:Jybd2019$!' -XDELETE "127.0.0.1:9200/*-$index_date" >> /dev/null 2>&1
        curl -XDELETE "127.0.0.1:9200/*-$index_date" >> /dev/null 2>&1
    fi
}
# List the indices, keep the date suffix of each name, and hand every distinct date to delete_indices
curl --user 'elasticsearch:jybd123' -XGET '127.0.0.1:9200/_cat/indices' | awk -F" " '{print $3}' | awk -F"-" '{print $NF}' | egrep "[0-9]*\.[0-9]*\.[0-9]*" | sort | uniq | while read LINE
do
    for i in $LINE;
    do
        # Convert YYYY.MM.dd to YYYY-MM-dd so that date -d can parse it
        line=`echo $i | sed 's/\./-/g'`;
    done
    delete_indices $line
done
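An alternative form of the cleanup script above, as an added example that is not the original author's code: it deletes each expired index by its exact name instead of the wildcard `*-<date>`, so it keeps working when `action.destructive_requires_name: true` is set, and it skips names that do not end in a well-formed date. It assumes GNU date and the 127.0.0.1:9200 address from the page; `ES_URL`, `RETENTION_DAYS` and the `--run` switch are names introduced here.

```shell
#!/bin/sh
# Added example, not the original author's script. Assumes GNU date (as the
# page's own script does) and the ES address used on this page.
ES_URL="${ES_URL:-127.0.0.1:9200}"
RETENTION_DAYS="${RETENTION_DAYS:-3}"   # same 3-day window as the page's script

# 2019.03.05 -> 20190305, so dates can be compared as integers.
date_num() {
    d_rest="${1#*.}"
    printf '%s%s%s' "${1%%.*}" "${d_rest%.*}" "${d_rest#*.}"
}

# Reads index names on stdin and prints those named <prefix>-YYYY.MM.dd whose
# date is on or before the cutoff given as $1 (YYYY.MM.dd).
expired_indices() {
    cutoff_num="$(date_num "$1")"
    while IFS= read -r name; do
        suffix="${name##*-}"                 # text after the last '-'
        case "$suffix" in
            [0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]) ;;
            *) continue ;;                   # .kibana, undated or malformed names
        esac
        if [ "$suffix" = "$name" ]; then continue; fi   # no prefix at all
        if [ "$(date_num "$suffix")" -le "$cutoff_num" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Lists the indices, then deletes each expired one by its exact name (no wildcard).
cleanup() {
    cutoff="$(date -d "${RETENTION_DAYS} day ago" +%Y.%m.%d)"
    curl -fsS "${ES_URL}/_cat/indices?h=index" | expired_indices "$cutoff" |
    while IFS= read -r idx; do
        curl -fsS -XDELETE "${ES_URL}/${idx}" >/dev/null && echo "deleted ${idx}"
    done
}

# Touch the cluster only when called with --run; otherwise just define the functions.
if [ "${1:-}" = "--run" ]; then
    cleanup
fi
```

Running the script without `--run` only defines the functions, so `expired_indices` can be fed the output of `_cat/indices?h=index` by hand to preview what a run would delete.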
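2. Filebeat installation and deployment
- Download the required package.
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.2.3-x86_64.rpm
Install with rpm:
rpm -ivh filebeat-6.2.3-x86_64.rpm
Edit the configuration file /etc/filebeat/filebeat.yml: configure the log files to collect, the tags, and the Kafka IP and topic.
Start Filebeat:
/etc/init.d/filebeat start
Example configuration file: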
filebeat.prospectors:
  -
    enabled: true
    paths:
      - /data/wwwroot/runtime/log/jybd_erp/jybd_log.*.log
    tags: test-taiji
    type: log
output.kafka:
  hosts:
    - "10.0.0.247:9092"
  topic: testlog
setup.template.settings:
  index.number_of_shards: ~
For reference, to check the Filebeat configuration:
/usr/share/filebeat/bin/filebeat test config -c /etc/filebeat/filebeat.yml
To start Filebeat manually:
nohup /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml &
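3. Logstash installation and deployment
- Download the required package.
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.2.3.tar.gz
Extract it and move it to /usr/local.
Edit the Logstash configuration files under /usr/local/logstash/conf; the directory contains several configuration files.
For example, the configuration file for the communication service: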
input {
  kafka {
    bootstrap_servers => "10.0.0.247:9092"
    consumer_threads => 4
    topics => "testlog"
    decorate_events => false
    auto_offset_reset => "latest"
    codec => json
  }
}
filter {
  if "test-communication" in [tags] {
    grok {
      # The capture-group names and the backslashes of this pattern did not survive on the page;
      # field1..field6 are placeholders for the original field names.
      match => ["message", "^(?<field1>.*?)\s\|\s(?<field2>.*?)\s\|\s(?<field3>.*?)\s\|\s(?<field4>.*?)\s\|\s(?<field5>.*?)\s\|\s(?<field6>.*)"]
      remove_field => [ "message","@version" ]
      remove_tag => ["beats_input_codec_plain_applied"]
    }
  }
}
output {
  if "test-communication" in [tags] {
    elasticsearch {
      hosts => ["10.0.1.190:9200"]
      index => "communication-test-%{+YYYY.MM.dd}"
      timeout => "120"
      retry_initial_interval => "2"
      retry_max_interval => "64"
    }
  }
}
Start the Logstash service:
nohup /usr/local/logstash/bin/logstash -f /usr/local/logstash/conf &
Check the log for errors:
tail -f /usr/local/logstash/logs/logstash-plain.log
For reference, to list the Kafka topics:
./kafka-topics.sh --list --zookeeper localhost:2181
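4. Kibana installation and deployment
Download the required package.
wget https://artifacts.elastic.co/downloads/kibana/kibana-6.2.3-linux-x86_64.tar.gz
Extract it and move it to /usr/local.
Edit the configuration file /usr/local/kibana/config/kibana.yml:
server.host: "0.0.0.0"
pid.file: /var/run/kibana.pid
Start Kibana:
nohup /usr/local/kibana/bin/kibana &
- Download the Chinese localization pack:
wget -O Kibana_Hanization-master.zip https://github.com/anbai-inc/Kibana_Hanization/archive/master.zip
Extract it:
unzip Kibana_Hanization-master.zip
Enter the directory and run the script (the argument is the Kibana install directory):
python main.py /usr/local/kibana/
When it finishes it prints "恭喜,Kibana汉化完成!" ("Congratulations, Kibana localization complete!").
Stop Kibana: find the process with ps -ef|grep node and kill it, then start Kibana again.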
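For reference, to list the ES indices:
curl 'localhost:9200/_cat/indices?v'
To delete indices using a wildcard:
curl -XDELETE 'localhost:9200/<index>*'
To give an index an alias:
curl -XPUT 'localhost:9200/<index>/_alias/<alias>'
To view the aliases:
curl -XGET 'localhost:9200/_cat/aliases?v'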



