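# Build Redis 6.0.8 from source.
# The tarball is fetched over HTTPS and its digest is printed before unpacking;
# compare the output with the sha256 published for redis-6.0.8.tar.gz in
# https://github.com/redis/redis-hashes so a tampered or truncated download is
# caught before `make` compiles it.
wget https://download.redis.io/releases/redis-6.0.8.tar.gz
sha256sum redis-6.0.8.tar.gz
tar xzf redis-6.0.8.tar.gz
cd redis-6.0.8
make
# Error "/bin/sh: cc: command not found" -> install a compiler:
#   yum install gcc-c++ -y
# Fatal error "jemalloc/jemalloc.h: No such file or directory" -> build with:
#   make MALLOC=libc
# Error "'struct redisServer' has no member named 'unixsocket'" -> install and
# enable devtoolset-9, then run make again:
#   yum -y install centos-release-scl
#   yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++ devtoolset-9-binutils
#   scl enable devtoolset-9 bash

# Option 1: start Redis with its built-in defaults
cd src
./redis-server

# Additional information: settings to change in redis.conf before using option 2.
#   Remote access. `bind 0.0.0.0` listens on every interface of the host;
#   binding the one address the log shippers connect to (10.0.3.101 in this
#   walkthrough) keeps Redis off any other network the machine is attached to.
#   Port 6379 should additionally be firewalled to the Filebeat and Logstash hosts.
#     bind 10.0.3.101
#   Start in the background:
#     daemonize yes
#   Password. 1234567890 is the sample value used throughout this walkthrough.
#   Redis answers AUTH attempts fast enough that a short numeric password is
#   guessable, so a real deployment needs a long random value (for example the
#   output of `openssl rand -hex 32`), set identically in logstash.conf and
#   log_redis.yml.
#     requirepass 1234567890

# Option 2: start Redis with redis.conf.
# Run from redis-6.0.8/src (the directory entered for option 1; in a fresh
# shell run `cd src` from redis-6.0.8 first).
./redis-server ../redis.conf

# ---- ELK installation ----
# Elasticsearch 7.17.1 with Docker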
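# Pull the image
docker pull elasticsearch:7.17.1

# Raise vm.max_map_count: append this line to the end of /etc/sysctl.conf
#   vm.max_map_count=262144
vi /etc/sysctl.conf
# Reload the kernel settings after saving sysctl.conf
/sbin/sysctl -p

# Create the host-side config, data and plugin directories that get mounted
# into the container
cd /home
mkdir -p elasticsearch/config elasticsearch/data elasticsearch/plugins
echo "http.host: 0.0.0.0" >> elasticsearch/config/elasticsearch.yml
# The official image runs Elasticsearch as uid 1000 / gid 0. Handing the tree
# to that identity gives the container the access it needs without making the
# configuration and index data writable by every local account (chmod 777).
chown -R 1000:0 elasticsearch/
chmod -R u+rwX,g+rwX,o-rwx elasticsearch/

# Start Elasticsearch.
# Elasticsearch 7.x leaves authentication off unless xpack.security.enabled is
# set to true in elasticsearch.yml, so whoever can reach port 9200 can read and
# delete every index. The HTTP port is therefore published only on the internal
# address this walkthrough uses for Elasticsearch (10.0.3.102) rather than on
# all host interfaces, and the transport port 9300 is not published because a
# single-node setup has no peer nodes that need it. Enable security and set
# credentials before exposing the node any wider.
docker run --name elasticsearch \
  -p 10.0.3.102:9200:9200 \
  -e "discovery.type=single-node" \
  -e ES_JAVA_OPTS="-Xms64m -Xmx128m" \
  -v /home/elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml \
  -v /home/elasticsearch/data:/usr/share/elasticsearch/data \
  -v /home/elasticsearch/plugins:/usr/share/elasticsearch/plugins \
  -d elasticsearch:7.17.1

# Kibana 7.17.1 with Docker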
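docker pull kibana:7.17.1

# Start Kibana.
# --link (a legacy Docker feature) makes the Elasticsearch container reachable
# under the hostname "elasticsearch" inside the Kibana container.
# Kibana has no login of its own while Elasticsearch security is off, so the UI
# is published only on the internal address used to open it later in this
# walkthrough (10.0.3.102) instead of on every host interface.
docker run --name kibana \
  --link elasticsearch:elasticsearch \
  -p 10.0.3.102:5601:5601 \
  -d kibana:7.17.1

# Logstash 7.17.1 with Docker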
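docker pull logstash:7.17.1

# Host directories for the mounted settings file and pipeline definitions
mkdir -p /home/logstash/config /home/logstash/pipeline

cd /home/logstash/config
touch logstash.yml
vim logstash.yml
# Put the following two settings in logstash.yml, then save and quit:
#   http.host: "0.0.0.0"
#   xpack.monitoring.elasticsearch.hosts: [ "http://10.0.3.102:9200" ]

cd /home/logstash/pipeline
touch logstash.conf
vim logstash.conf
# Write the input/output configuration below (read log events from Redis,
# write them to Elasticsearch), then save and quit.
# The Redis password is stored here in clear text. Logstash expands ${VAR}
# references in pipeline files, so it can instead be supplied through the
# container environment or the Logstash keystore.
#   input {
#     redis {
#       host => "10.0.3.101"
#       port => 6379
#       password => "1234567890"
#       data_type => list
#       key => "filebeat"
#     }
#   }
#
#   output {
#     elasticsearch {
#       hosts => ["http://10.0.3.102:9200"]
#       index => "applog"
#     }
#   }

# The Logstash container user is uid 1000. Making that uid the owner with
# read-only access lets the container load the files while keeping the Redis
# password unreadable, and the pipeline unmodifiable, for other local accounts
# (chmod 777 would allow both). Root on the host can still edit the files.
chown -R 1000 /home/logstash/
chmod -R u=rX,go= /home/logstash/

# Start Logstash.
# Port 9600 is the unauthenticated monitoring API, so it is published on the
# loopback address only. Port 5044 (the Beats input) is not published because
# the pipeline above defines only a redis input and nothing listens on it; add
# `-p 5044:5044` back if a beats input is configured later.
docker run -d --name logstash \
  -p 127.0.0.1:9600:9600 \
  -v /home/logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml \
  -v /home/logstash/pipeline/:/usr/share/logstash/pipeline/ \
  logstash:7.17.1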
Filebeat安装,和需要采集日志的项目放在同一台机器
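cd /home
# Download Filebeat together with the .sha512 file Elastic publishes next to the
# archive, and verify the archive before unpacking it.
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.17.1-linux-x86_64.tar.gz
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.17.1-linux-x86_64.tar.gz.sha512
sha512sum -c filebeat-7.17.1-linux-x86_64.tar.gz.sha512
tar -xvf filebeat-7.17.1-linux-x86_64.tar.gz
mv filebeat-7.17.1-linux-x86_64 filebeat
cd filebeat

touch log_redis.yml
# The file holds the Redis password, so restrict it to the owner before editing.
# (Filebeat also refuses a config file that group or others can write to.)
chmod 600 log_redis.yml
vi log_redis.yml
# Replace the contents of log_redis.yml with the following, then save and quit.
# 1234567890 is the sample Redis password of this walkthrough; use the real
# requirepass value. Filebeat resolves ${VAR} references from its environment or
# keystore, which avoids keeping the secret in this file.
#   .global: &global
#     ignore_older: 30m
#     scan_frequency: 5m
#     harvester_limit: 1
#     close_inactive: 1m
#     clean_inactive: 45m
#     close_removed: true
#     clean_removed: true
#   filebeat.inputs:
#     - type: log
#       enabled: true
#       paths:
#         - /opt/myproject/logs/catalina.out
#       <<: *global
#   output.redis:
#     hosts: ["10.0.3.101"]
#     key: "filebeat"
#     password: "1234567890"
#     db: 0
#     timeout: 5

# Run Filebeat in the background.
# As configured, the password and the log lines travel to Redis unencrypted, so
# keep this traffic on a trusted network segment.
nohup ./filebeat -c log_redis.yml &

# Check that logs are being collected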
登录kibana
http://10.0.3.102:5601/
找到Index Management
查看applog这个index是否创建了
创建一个Index patterns
去discover看一下日志是否正常采集



