因公司數據安全和分析的需要,故調研了一下 GlusterFS + lagstash + elasticsearch + kibana 3 + redis 整合在一起的日志管理應用:
安裝,配置過程,使用情況等續
一,glusterfs分布式文件系統部署: 說明: 公司想做網站業務日志及系統日志統一收集和管理,經過對mfs, fastdfs 等分布式文件系統的調研,最后選擇了 glusterfs,因為Gluster具有高擴展性、高性能、高可用性、可橫向擴展的彈性特點,無元數據服務器設計使glusterfs沒有單點故障隱 患,官網:www.gluster.org
1. 系統環境准備:
Centos 6.4 服務端: 192.168.10.101 192.168.10.102 192.168.10.188 192.168.10.189 客戶端: 192.168.10.103 EPEL源和GlusterFS源 增加EPEL源和GLusterFS源,EPEL源中包含GLusterFS,版本比較舊,相對穩定,本次測試采用最新的3.5.0版本。
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
wget -P /etc/yum.repos.dhttp://download.gluster.org/pub/gluster/glusterfs/LATEST/CentOS/glusterfs-epel.repo
2. 部署過程
服務端安裝:
yum -y install glusterfs glusterfs-fuseglusterfs-server
chkconfig glusterd on
service glusterd start
服務端配置:
將4個存儲節點組成一集群,本文在第一個節點執行,只需要在任意節點執行就ok。
[root@db1 ~]# gluster peer probe192.168.10.102
probe successful
[root@db1 ~]# gluster peer probe192.168.10.188
probe successful
[root@db1 ~]# gluster peer probe 192.168.10.189
probe successful
查看集群的節點信息:
[root@db1 ~]# gluster peer status
number of peers: 3
hostname: 192.168.10.102
uuid:b9437089-b2a1-4848-af2a-395f702adce8
state: peer in cluster (connected)
hostname: 192.168.10.188
uuid: ce51e66f-7509-4995-9531-4c1a7dbc2893
state: peer in cluster (connected)
hostname: 192.168.10.189
uuid:66d7fd67-e667-4f9b-a456-4f37bcecab29
state: peer in cluster (connected)
以/data/gluster為共享目錄,創建名為test-volume的卷,副本數為2:
sh cmd.sh "mkdir /data/gluster"
[root@db1 ~]# gluster volume create test-volume replica 2192.168.10.101:/data/gluster 192.168.10.102:/data/gluster192.168.10.188:/data/gluster 192.168.10.189:/data/gluster
creation of volume test-volume has beensuccessful. please start the volume to access data.
啟動卷:
[root@db1 ~]# gluster volume starttest-volume
starting volume test-volume has beensuccessful
查看卷狀態:
[root@db1 ~]# gluster volume info
volume name: test-volume
type: distributed-replicate
status: started
number of bricks: 2 x 2 = 4
transport-type: tcp
bricks:
brick1: 192.168.10.101:/data/gluster
brick2: 192.168.10.102:/data/gluster
brick3: 192.168.10.188:/data/gluster
brick4: 192.168.10.189:/data/gluster
3. 客戶端安裝配置:
安裝:
yum -y installglusterfs glusterfs-fuse
掛載:
mount -t glusterfs 192.168.10.102:/test-volume/mnt/ (掛載任意一個節點即可)推薦用這種方式。
mount -t nfs -o mountproto=tcp,vers=3192.168.10.102:/test-volume /log/mnt/ (使用nfs掛載,注意遠端的rpcbind服務必須開啟)
echo "192.168.10.102:/test-volume/mnt/ glusterfs defaults,_netdev 0 0" >> /etc/fstab (開機自動掛載)
4. 測試
檢查文件正確性
dd if=/dev/zero of=/mnt/1.img bs=1Mcount=1000 # 在掛載客戶端生成測試文件
cp /data/navy /mnt/ # 文件拷貝到存儲上
宕機測試。
使用glusterfs-fuse掛載,即使目標服務器故障,也完全不影響使用。用NFS則要注意掛載選項,否則服務端故障容易導致文件系統halt住而影響服務!
# 將其中一個節點停止存儲服務service glusterd stop
service glusterfsd stop# 在掛載客戶端刪除測試文件
rm -fv /mnt/navy# 此時在服務端查看,服務被停止的節點上navy並未被刪除。此時啟動服務:serviceglusterd start# 數秒后,navy就被自動刪除了。新增文件效果相同!
5. 運維常用命令:
刪除卷
gluster volume stop test-volume
gluster volume delete test-volume
將機器移出集群
gluster peer detach 192.168.10.102
只允許172.28.0.0的網絡訪問glusterfs
gluster volume set test-volumeauth.allow 192.168.10.*
加入新的機器並添加到卷里(由於副本數設置為2,至少要添加2(4、6、8..)台機器)
gluster peer probe 192.168.10.105
gluster peer probe 192.168.10.106
gluster volume add-brick test-volume192.168.10.105:/data/gluster 192.168.10.106:/data/gluster
收縮卷
# 收縮卷前gluster需要先移動數據到其他位置
gluster volume remove-brick test-volume192.168.10.101:/data/gluster/test-volume192.168.10.102:/data/gluster/test-volume start
# 查看遷移狀態
gluster volume remove-brick test-volume192.168.10.101:/data/gluster/test-volume192.168.10.102:/data/gluster/test-volume status
# 遷移完成后提交
gluster volume remove-brick test-volume192.168.10.101:/data/gluster/test-volume192.168.10.102:/data/gluster/test-volume commit
遷移卷
# 將192.168.10.101的數據遷移到,先將192.168.10.107加入集群
gluster peer probe 192.168.10.107
gluster volume replace-bricktest-volume 192.168.10.101:/data/gluster/test-volume192.168.10.107:/data/gluster/test-volume start
# 查看遷移狀態gluster volume replace-brick test-volume192.168.10.101:/data/gluster/test-volume192.168.10.107:/data/gluster/test-volume status
# 數據遷移完畢后提交gluster volume replace-brick test-volume192.168.10.101:/data/gluster/test-volume192.168.10.107:/data/gluster/test-volume commit
# 如果機器192.168.10.101出現故障已經不能運行,執行強制提交然后要求gluster馬上執行一次同步
gluster volume replace-bricktest-volume 192.168.10.101:/data/gluster/test-volume192.168.10.102:/data/gluster/test-volume commit -force
gluster volume heal test-volumes full
24007
二.日志收集系統部署
說明簡解:
系統各部分應用介紹
Logstash:做系統log收集,轉載的工具。同時集成各類日志插件,對日志查詢和分析的效率有很大的幫助.一般使用shipper作為log收集、indexer作為log轉載.
Logstash shipper收集log 並將log轉發給redis 存儲
Logstash indexer從redis中讀取數據並轉發給elasticsearch
redis:是一個db,logstash shipper將log轉發到redis數據庫中存儲。Logstash indexer從redis中讀取數據並轉發給elasticsearch。
kafka:這里我們把redis換作用kafka,主要用於處理活躍的流式數據,高吞吐率,顯式分布式,支持數據並行加載
Elasticsearch:開源的搜索引擎框架,前期部署簡單,使用也簡單,但后期需要做必要的優化具體請參照博客http://chenlinux.com/categories.html#logstash-ref 中logstash部分.可進行多數據集群,提高效率。從redis中讀取數據,並轉發到kibana中
Kibana: 開源web展現。
日志收集系統架構圖:
虛擬服務器准備:
192.168.10.143 logstash shipper 日志數據生產端
192.168.10.144 logstash indexer kafka 日志消費端將日志寫入elasticsearch集群
192.168.10.145 elasticsearch-node1 kibana3 kibana展顯elasticsearch中的數據
192.168.10.146 elasticsearch-node2
1.三台主機都要安裝jdk 1.7 推薦oracle jdk 1.7+版本 java -version 設置java的環境變量,比如
vim ~/.bashrc
>>
JAVA_HOME=/usr/java/jdk1.7.0_55
PATH=$PATH:/$JAVA_HOME/bin
CLASSPATH=.:$JAVA_HOME/lib
JRE_HOME=$JAVA_HOME/jre
export JAVA_HOME PATH CLASSPATH JRE_HOME
>>
source ~/.bashrc
2.安裝kafka(192.168.10.144) wget http://mirrors.hust.edu.cn/apache/kafka/0.8.1.1/kafka2.9.2-0.8.1.1.tgz tar zxvf kafka2.9.2-0.8.1.1.tgz ln –s kafka_2.9.2-0.8.1.1 /usr/local/kafka vim /usr/local/kafka/config/server.properties broker.id=10-144 host.name=kafka-10-144 echo “192.168.10.144 kafka-10-144” >> /etc/hosts 注意kafka啟動依懶於zookeeper,需要安裝一下zookeeper-server cdh5.2源上有,配置好yum源即可 yum install zookeeper-server –y vim /etc/zookeeper/conf/zoo.cfg dataDir=/data/zookeeper 配置一下zookeeper 數據存放路徑 啟動zookeeper和kafka /etc/init.d/zookeeper-server start nohup /usr/local/kafka/bin/kafka-server-start.sh /usr/local/kafka/config/server.properties &
3.安裝Elasticsearch(192.168.10.145)
wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.4.1.tar.gz
elasticsearch解壓即可使用非常方便,接下來我們看一下效果,首先啟動ES服務,切換到elasticsearch目錄,運行bin下的elasticsearch
tar zxvf elasticsearch-1.4.1.tar.gz
ln –s elasticsearch-1.4.1 /usr/local/es
cd /usr/local/es/
vim config/elasticsearch.yml 添加如下配置,要不然kibana調es時會報錯(es 1.4 和kibana 3.1.2版本的問題)
cluster.name: elasticsearch 打開前面注釋
node.name: "G1-logs-es02" 打開前面注釋,根據主機名配置,做集群
http.cors.enabled: true
http.cors.allow-origin: "*"
nohup bin/elasticsearch &
訪問默認的9200端口
curl -X GET http://localhost:9200
Elasticsearch(192.168.10.146)的安裝同上:
4.安裝logstash (192.168.10.143 ,192.168.10.144)生產端和消費端都要安裝 這里參考了 http://blog.csdn.net/xzwdev/article/details/41278033 https://github.com/joekiller/logstash-kafka git clone https://github.com/joekiller/logstash-kafka
cd /usr/local/src/logstash-kafka
make tarball 編譯kakfa支持logstash 時間比較長,大概兩個小時
會在/usr/local/src/logstash-kafka/build/ 目錄生成logstash-1.4.2.tar.gz 文件,
logstash-1.4.2.tar.gz文件后面會在日志生產端和消費日志傳輸用,
生產日志端配置並啟動(192.168.10.143)
配置收集haproxy日志示例:
tar zxvf logstash-1.4.2.tar.gz
ln –s logstash-1.4.2 /usr/local/logstash
vim /usr/local/logstash/conf/ logstash_shipper_haproxy.conf
input{
file{
path => "/data/application/haproxy-1.4.18/logs/haproxy.log" 指定所收集的日志文件路徑
type => "haproxylog" 日志所屬業務服務名稱
}
}
output{
kafka{
broker_list => "192.168.10.144:9092" kafka服務地址
topic_id => "logstash-haproxylog" 標識消費端取日志的id
}
}
啟動生產端日志收集服務
nohup /usr/local/logstash/bin/logstash –f /usr/local/logstash/conf/ logstash_shipper_haproxy.conf &
消費端服務器配置:
tar zxvf logstash-1.4.2.tar.gz
ln –s logstash-1.4.2 /usr/local/logstash
vim /usr/local/logstash/consumer_conf/logstash_haproxylog_es.conf
input{
kafka{
zk_connect => "192.168.10.144:2181"
group_id => 'logstash-haproxylog'
topic_id => 'logstash-haproxylog'
}
}
output{
elasticsearch{
host => "192.168.10.145"
port => "9300"
index => "haproxy-5-13-%{+YYYY.MM.dd}"
}
}
啟動消費端服務
nohup /usr/local/logstash/bin/logstash –f /usr/local/logstash/consumer_conf/logstash_haproxylog_es.conf &
優化補充:
1,es中建立不同業務的索引,需要做if判斷,這里是在logstash消費端配置的
如:
input{
kafka{
zk_connect => "192.168.35.130:2181"
group_id => "g1.api.test.com"
topic_id => 'g1.api.test.com'
}
kafka{
zk_connect => "192.168.35.130:2181"
group_id => "go.clientinner.test.com"
topic_id => "go.clientinner.test.com"
}
kafka{
zk_connect => "192.168.35.130:2181"
group_id => "api7.mobile.test.com_app"
topic_id => "api7.mobile.test.com_app"
}
}
filter {
ruby {
init => "@kname = ['time','uid','ip','uname','stime','etime','exec_time','url','ua','module','response_status','http_status','query_string']"
code => "event.append(Hash[@kname.zip(event['message'].split('|'))])"
}
mutate {
convert => ["exec_time", "float"]
}
geoip {
database => "/data/application/logstash/patterns/GeoLiteCity.dat"
source => "ip"
fields => ["country_name","city_name"]
}
useragent {
source => "ua"
target => "useragent"
}
}
output{
if [type] == "go.clientinner.test.com"{
elasticsearch{
template => "/usr/local/logstash/conf/logstash.json"
template_overwrite => true #修改url 不分詞的屬性,
host => "192.168.35.131"
port => "9300"
index => "go.clientinner.test.com-%{+YYYY.MM.dd}"
}
} else if [type] == "g1.api.test.com"{
elasticsearch{
template => "/usr/local/logstash/conf/logstash.json"
template_overwrite => true
host => "192.168.35.131"
port => "9300"
index => "g1.api.test.com-%{+YYYY.MM.dd}"
}
}else if [type] == "api7.mobile.test.com_app"{
elasticsearch{
template => "/usr/local/logstash/conf/logstash.json"
template_overwrite => true
host => "192.168.35.131"
port => "9300"
index => "api7.mobile.test.com_app-%{+YYYY.MM.dd}"
}
}
}
2,logstash 往es存數據,每天建立時間索引,默認會用utc時間,是早上8點才建立,造成當前的日志數據存入昨天的索引中,需要做如下修改:
修改logstash/lib/logstash/event.rb 可以解決這個問題
第226行
.withZone(org.joda.time.DateTimeZone::UTC)
修改為
.withZone(org.joda.time.DateTimeZone.getDefault())
5 安裝kibana(192.168.10.145)
logstash的最新版已經內置kibana,你也可以單獨部署kibana。kibana3是純粹JavaScript+html的客戶端,所以可以部署到任意http服務器上。
wget http://download.elasticsearch.org/kibana/kibana/kibana-latest.zip
unzip kibana-latest.zip
cp -r kibana-latest /var/www/html
可以修改config.js來配置elasticsearch的地址和索引。
修改以下行。
elasticsearch: "http://192.168.10.145:9200",
6,最終實現如下圖:
7,日志系統維護:
1,elsasticsearch 集群擴展
這里主要說給新添加一下es新節點
Es節點的elsasticsearch安裝參考上面,
添加新節點前,需要執行以下命令
1) 先暫停集群的shard自動均衡:
在主節點上
curl -XPUT http://192.168.35.131:9200/_cluster/settings -d '{"transient" : {"cluster.routing.allocation.enable" : "none"}}'
關閉其它節點和主節點:如下:
curl -XPOST http://192.168.35.132:9200/_cluster/nodes/_local/_shutdown
curl -XPOST http://192.168.35.131:9200/_cluster/nodes/_local/_shutdown
2) 啟動主節點,和其它從節點,
3) 添加新節點,啟動和配置參考其它從節點
2,kafka+zookeeper集群擴展:
安裝包:kafka_2.9.2-0.8.1.1.tgz elasticsearch-1.4.1.tar.gz
Kafka+zookeeper配置如下:
Cat kafka/config/server.properties 主要配置
broker.id=35125
host.name=192.168.35.125
advertised.host.name=192.168.35.125
log.dirs=/data/kafka-logs
zookeeper.connect=192.168.35.130:2181,192.168.35.124:2181,192.168.35.125:2181
cat /etc/zookeeper/conf/zoo.cfg
dataDir=/data/zookeeper 節點信息存放目錄
clientPort=2181
# zookeeper cluster
server.35130=G1-logs-kafka:2888:3888
server.35124=bj03-bi-pro-tom01:2888:3888
server.35125=bj03-bi-pro-tom02:2888:3888
啟動服務
Chown zookeeper.zookeeper /data/zookeeper -R
/etc/init.d/zookeeper-server init 第一次啟動時需要初始化/data/zookeeper目錄
Echo “35130” > /data/zookeeper/myid
Chown zookeeper.zookeeper /data/zookeeper -R
/etc/init.d/zookeeper-server start 先啟動zookeeper
nohup ./bin/kafka-server-start.sh config/server.properties > /data/kafka-logs/kafka.log & 再啟動kafka
8,kibana登錄認證安裝配置:
應用說明:
Nginx: 記錄日志,做es的反向代理
Nodejs: 跑 kibana-authentication-proxy
Kibana: 把原來kibana目錄鏈接到kibana-authentication-proxy 下
kibana-authentication-proxy:用戶認證和代理請求es,
8.1,nginx安裝配置 #wget http://nginx.org/download/nginx-1.2.9.tar.gz # yum -y install zlib zlib-devel openssl openssl--devel pcre pcre-devel #tar zxvf nginx-1.2.9.tar.gz # cd nginx-1.2.9 # ./configure --prefix=/usr/local/nginx #make && make install
配置如下:
#cat /usr/local/nginx/conf/nginx.conf
user web;
worker_processes 4;
error_log logs/error.log info;
pid logs/nginx.pid;
events {
worker_connections 1024;
use epoll;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
upstream kianaca {
server 192.168.35.131:9200 fail_timeout=30s;
server 192.168.35.132:9200 fail_timeout=30s;
server 192.168.35.125:9200 fail_timeout=30s;
}
server {
listen 8080;
server_name 192.168.35.131;
location / {
root /var/www/html/kibana-proxy;
index index.html index.htm;
proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
proxy_pass http://kianaca;
proxy_set_header Host lashou.log.com;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/www/html/kibana-proxy;
}
}
}
# /usr/local/nginx/sbin/nginx -t
#/usr/local/nginx/sbin/nginx
8.2 安裝kibana-authentication-proxy
#cd /var/www/html/
#git clone https://github.com/wangganyu188/kibana-authentication-proxy.git
#mv kibana-authentication-proxy kibana-proxy
# cd kibana-proxy
#yum install npm
#npm install express
#git submodule init
#npm install
#node app.js
配置 kibana-proxy/config.js
可能有如下參數需要調整:
es_host #這里是nginx地址
es_port #nginx的8080
listen_port #node的監聽端口, 9201
listen_host #node的綁定IP, 可以0.0.0.0
cas_server_url
8.3請求路徑
node(9201) <=> nginx(8080) <=> es(9200)