Installing ELK 7.6.0 with Docker, with Filebeat collecting the logs


The JDK version used is 11

Two virtual machines were used for testing: one hosts ELK, the other runs Filebeat

My test Java program is on Gitee; the collector folder there contains the corresponding program

https://gitee.com/guoanhao/Architect-Stage-Kafka.git


Step 1: Install ELK 7.6.0 (first machine)

docker pull sebp/elk:760
docker images


Run ELK

1. Before running, two files need to be edited

vi /etc/sysctl.conf

# Add the following line
vm.max_map_count=262144

# Reload, otherwise it does not take effect
sysctl -p


The second file

vim /etc/security/limits.conf

Add the following lines; note they must go before the "End of file" line, otherwise an error is reported

* soft nofile 65536
* hard nofile 131072
* soft nproc 2048
* hard nproc 4096


2. Run it. I set ES_MIN_MEM and ES_MAX_MEM because my virtual machine has little memory.

docker run  -p 5601:5601 -p 9200:9200 -p 5044:5044 -itd  -e ES_MIN_MEM=128m -e ES_MAX_MEM=128m --name elk sebp/elk:760


# Check the elk logs; a lot of output is printed, so it is hard to tell whether startup succeeded.
# When the log stops growing, startup has finished
docker logs -f -t elk
# Checking with docker ps is not enough to prove there is no problem either.


How do you confirm that startup succeeded? Open the addresses below; if the page appears, startup succeeded.

# elasticsearch address
http://192.168.186.135:9200/
# kibana address
http://192.168.186.135:5601/

# Or check elasticsearch like this
curl 127.0.0.1:9200
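Fetching the front page only proves the HTTP port is open. As an added check that is not part of this post, the Python script below asks Elasticsearch for its cluster health, reads Kibana's /api/status, and confirms that the Beats port 5044 accepts connections, which is what Filebeat on the second machine will need. It assumes the addresses from the post and that the Kibana status body carries status.overall.state.

```python
import json
import socket
import urllib.request

ELK_HOST = "192.168.186.135"  # the first VM in the post; change to match yours


def cluster_ready(health_body):
    """True when an Elasticsearch _cluster/health body reports green or yellow.
    A single node stays yellow (no node for replicas); red or garbage means not usable."""
    try:
        return json.loads(health_body).get("status") in ("green", "yellow")
    except (ValueError, AttributeError):
        return False


def kibana_ready(status_body):
    """True when Kibana's /api/status body reports an overall state of green."""
    try:
        return json.loads(status_body)["status"]["overall"]["state"] == "green"
    except (ValueError, KeyError, TypeError):
        return False


def port_open(host, port, timeout=3):
    """True when a TCP connect to host:port succeeds (the Beats input on 5044)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch(url):
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode()


def check_elk(host=ELK_HOST):
    """Probe all three services; a failed HTTP call counts as not ready."""
    probes = (("elasticsearch", f"http://{host}:9200/_cluster/health", cluster_ready),
              ("kibana", f"http://{host}:5601/api/status", kibana_ready))
    results = {}
    for name, url, ready in probes:
        try:
            results[name] = ready(fetch(url))
        except OSError:
            results[name] = False
    results["beats_input"] = port_open(host, 5044)
    return results
```

Run it with `python3 -c 'import check_elk as c; print(c.check_elk())'` after saving the file as check_elk.py; every value should be True before you move on to Filebeat.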


Errors may be reported after startup; modifying some configuration files fixes this


# Enter the container
docker exec -it elk bash

# Enter the directory
cd /etc/logstash/conf.d

# Edit the file and delete the ssl-related configuration, as shown in the figure below
vim 02-beats-input.conf

# Leave the container and restart elk
exit
docker restart elk


Step 2: Set up Filebeat (second machine)

Download Filebeat 7.6.0, the same version as ELK; I downloaded it from the Huawei open-source mirror. Upload it to the second server (I put it under /home/software)

# It can also be fetched directly with wget
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.6.0-linux-x86_64.tar.gz


1. Extract it to /usr/local

tar -zxvf filebeat-7.6.0-linux-x86_64.tar.gz -C /usr/local/

2. Configure filebeat (filebeat.yml)

cd /usr/local/filebeat-7.6.0-linux-x86_64
vim filebeat.yml

The configuration is as follows

  • Configure the log collection paths
  • Disable Filebeat's output to Elasticsearch
  • Enable Filebeat's output to Logstash (the output to Elasticsearch is configured in Logstash)
  • Mind the indentation in the configuration file
  • The Filebeat used here is version 7.6; unlike versions before 6.0 there is no document_type any more, so we use fields: service: instead, and the Logstash configuration file has to be changed accordingly.

Pitfalls hit during the version upgrade: https://blog.51cto.com/kexiaoke/2092029


filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: log

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    # - /var/log/*.log
    - /home/software/logs/app-collector.log
    #- c:\programdata\elasticsearch\logs\*
  fields:
      service: app-log

- type: log
  enabled: true

  paths:
    - /home/software/logs/error-collector.log
    #- c:\programdata\elasticsearch\logs\*
  fields:
      service: error-log


# output.elasticsearch:
  # Array of hosts to connect to.
  # hosts: ["localhost:9200"]

output.logstash:
  # The Logstash hosts
  hosts: ["192.168.186.135:5044"]

The configuration file has two - type: log inputs. Their purpose is to ship different log files to Logstash, where fields: service: app-log or fields: service: error-log identifies which log an event came from, so that Elasticsearch can write it to a different index. See the Logstash configuration file below.


My filebeat.yml is as follows

###################### Filebeat Configuration Example #########################

# This file is an example configuration file highlighting only the most common
# options. The filebeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/filebeat/index.html

# For more available modules and options, please see the filebeat.reference.yml sample
# configuration file.

#=========================== Filebeat inputs =============================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: log

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    # - /var/log/*.log
    - /home/software/logs/app-collector.log
    #- c:\programdata\elasticsearch\logs\*
  multiline:
      #pattern: '^\s*(\d{4}|\d{2})\-(\d{2}|[a-zA-Z]{3})\-(\d{2}|\d{4})'   # pattern to match (lines starting with a timestamp such as 2017-11-15 08:04:23:889)
      pattern: '^\['                              # pattern to match (lines starting with "[")
      negate: true                                # negate the pattern: lines that do NOT match are continuation lines
      match: after                                # append them to the end of the previous event
      max_lines: 2000                             # maximum number of lines in one event
      timeout: 2s                                 # stop waiting for further lines if none arrives within this time
  fields:
      service: app-log
  

- type: log
  enabled: true

  paths:
    - /home/software/logs/error-collector.log
    #- c:\programdata\elasticsearch\logs\*
  multiline:
      #pattern: '^\s*(\d{4}|\d{2})\-(\d{2}|[a-zA-Z]{3})\-(\d{2}|\d{4})'   # pattern to match (lines starting with a timestamp such as 2017-11-15 08:04:23:889)
      pattern: '^\['                              # pattern to match (lines starting with "[")
      negate: true                                # negate the pattern: lines that do NOT match are continuation lines
      match: after                                # append them to the end of the previous event
      max_lines: 2000                             # maximum number of lines in one event
      timeout: 2s                                 # stop waiting for further lines if none arrives within this time
  fields:
      service: error-log

  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  #exclude_lines: ['^DBG']

  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  #include_lines: ['^ERR', '^WARN']

  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
  # are matching any regular expression from the list. By default, no files are dropped.
  #exclude_files: ['.gz$']

  # Optional additional fields. These fields can be freely picked
  # to add additional information to the crawled log files for filtering
  #fields:
  #  level: debug
  #  review: 1

  ### Multiline options

  # Multiline can be used for log messages spanning multiple lines. This is common
  # for Java Stack Traces or C-Line Continuation

  # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
  #multiline.pattern: ^\[

  # Defines if the pattern set under pattern should be negated or not. Default is false.
  #multiline.negate: false

  # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern
  # that was (not) matched before or after or as long as a pattern is not matched based on negate.
  # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash
  #multiline.match: after


#============================= Filebeat modules ===============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s

#==================== Elasticsearch template setting ==========================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging


#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  #host: "localhost:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

#============================= Elastic Cloud ==================================

# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#-------------------------- Elasticsearch output ------------------------------
# output.elasticsearch:
  # Array of hosts to connect to.
  # hosts: ["localhost:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.186.135:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Processors =====================================

# Configure processors to enhance or manipulate events generated by the beat.

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

#============================== X-Pack Monitoring ===============================
# filebeat can export internal metrics to a central Elasticsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#monitoring.enabled: false

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:

#================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true

3. Start Filebeat

# Enter the filebeat directory
cd /usr/local/filebeat-7.6.0-linux-x86_64
# Run filebeat
nohup ./filebeat -e -c filebeat.yml > filebeat.log &
# Check that it is running
ps -ef |grep filebeat
# Stop filebeat
kill -9 pid


Step 3: Configure Logstash

We started ELK with Docker, so we first have to enter the elk container and then do the configuration

# Enter the container
docker exec -it elk bash

# Enter the logstash configuration directory
cd /etc/logstash/conf.d

# Edit the 02-beats-input.conf file
vim 02-beats-input.conf

1. Modify the configuration file; my file content is as follows (note the indentation)

The index => "app-log-%{[fields][service]}-%{+YYYY.MM.dd}" in the configuration file
can be changed to index => "%{[fields][service]}-%{+YYYY.MM.dd}" or index => "app-log-%{+YYYY.MM.dd}"

input {
  beats {
    port => 5044
  }
}

filter {

  ## time zone conversion: index_time is the event timestamp as a local date
  ruby {
        code => "event.set('index_time',event.timestamp.time.localtime.strftime('%Y.%m.%d'))"
  }

  if "app-log" in [fields][service]{
    grok {
        ## grok expression
        match => ["message", "\[%{NOTSPACE:currentDateTime}\] \[%{NOTSPACE:level}\] \[%{NOTSPACE:thread-id}\] \[%{NOTSPACE:class}\] \[%{DATA:hostName}\] \[%{DATA:ip}\] \[%{DATA:applicationName}\] \[%{DATA:location}\] \[%{DATA:messageInfo}\] ## (\'\'|%{QUOTEDSTRING:throwable})"]
    }
  }

  if "error-log" in [fields][service]{
    grok {
        ## grok expression
        match => ["message", "\[%{NOTSPACE:currentDateTime}\] \[%{NOTSPACE:level}\] \[%{NOTSPACE:thread-id}\] \[%{NOTSPACE:class}\] \[%{DATA:hostName}\] \[%{DATA:ip}\] \[%{DATA:applicationName}\] \[%{DATA:location}\] \[%{DATA:messageInfo}\] ## (\'\'|%{QUOTEDSTRING:throwable})"]
    }
  }

}

# Output to elasticsearch
output {
  if [fields][service] == "app-log" {
    elasticsearch {
      hosts => ["192.168.186.135:9200"]
      index => "%{[fields][service]}-%{index_time}"
    }
  }else if [fields][service] == "error-log" {
    elasticsearch {
      hosts => ["192.168.186.135:9200"]
      index => "error-log-%{[fields][service]}-%{+YYYY.MM.dd}"
    }
  }
}
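To see what the multiline settings in filebeat.yml and the grok pattern in this Logstash filter do to an event, here is an added Python example; it is not code from this post, from Filebeat or from Logstash. It applies the same two rules to a few constructed log lines: the multiline rule glues stack-trace lines onto the event that starts with "[", and a Python regex equivalent of the grok pattern extracts the named fields. The log layout and field names come from the grok pattern above; the sample content, host names and class names are made up.

```python
import re

# Constructed sample (not the project's real output): two app-collector.log events;
# the second carries a Java stack trace, so Filebeat reads it as several raw lines.
SAMPLE_LINES = [
    "[2020-03-10T12:00:01.123] [INFO] [http-nio-8001-exec-1] [com.demo.IndexController] "
    "[vm2] [192.168.186.137] [collector] [IndexController.index:20] [index ok] ## ''",
    "[2020-03-10T12:00:02.456] [ERROR] [http-nio-8001-exec-2] [com.demo.ErrController] "
    "[vm2] [192.168.186.137] [collector] [ErrController.err:15] [division failed] ## "
    "'java.lang.ArithmeticException: / by zero",
    "    at com.demo.ErrController.err(ErrController.java:15)",
    "    at java.base/java.lang.Thread.run(Thread.java:834)'",
]

MULTILINE = re.compile(r"^\[")  # filebeat multiline.pattern: '^\['

# Python form of the grok pattern: NOTSPACE -> \S+ (currentDateTime must hold no
# space), DATA -> .*?, QUOTEDSTRING -> a quoted string that may span lines, '' =
# no throwable. thread_id/klass stand in for thread-id/class (invalid names here).
GROK = re.compile(
    r"\[(?P<currentDateTime>\S+)\] \[(?P<level>\S+)\] \[(?P<thread_id>\S+)\] "
    r"\[(?P<klass>\S+)\] \[(?P<hostName>.*?)\] \[(?P<ip>.*?)\] "
    r"\[(?P<applicationName>.*?)\] \[(?P<location>.*?)\] \[(?P<messageInfo>.*?)\] "
    r"## (?P<throwable>''|'(?:\\.|[^\\'])*'|\"(?:\\.|[^\\\"])*\")"
)


def merge_multiline(lines):
    """Filebeat multiline with negate: true, match: after. A raw line that does NOT
    start with '[' is appended to the previous event instead of opening a new one."""
    events = []
    for line in lines:
        if MULTILINE.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def parse_event(event):
    """Grok fields for one merged event, or None when the pattern does not match
    (Logstash would tag such an event _grokparsefailure)."""
    m = GROK.match(event)
    if m is None:
        return None
    fields = m.groupdict()
    if fields["throwable"] == "''":
        fields["throwable"] = None
    return fields
```

Note that a timestamp containing a space (for example "2020-03-10 12:00:03") does not fit NOTSPACE, so the whole event fails to parse; the logging pattern in the Java program has to match what the grok expression expects.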

2. Restart ELK

docker restart elk


3. Test log collection. My test program is on Gitee; the jar must be placed under the /home/software folder and started there (because the log directory Filebeat is configured to collect from is /home/software/logs)

After startup, a logs folder is created

java -jar collector.jar

The folder contains two log files, one for normal logs and one for error logs


Open the paths below in a browser; the corresponding entries are written to the log files, and Filebeat collects the log messages from them.

http://192.168.186.137:8001/index
http://192.168.186.137:8001/err


The printed log messages


Log visualization

Open Kibana in a browser and click Management => Index Patterns => Create index pattern

http://192.168.186.135:5601/


Create the index pattern; the name must match what is configured in the Logstash configuration file

After entering the name, click Next

Here I chose "I don't want to use the Time Filter". You can also choose the other option to test.

After choosing, click Create Index Pattern. The index pattern is now created.

View the log messages under the index pattern; the log messages are on the right

You can search them

For the other index pattern, err-log-*, I chose @timestamp when creating it

This adds a time picker; after choosing a range, log messages within that time range are queried

You can also choose currentDateTime

I usually choose this one; I have forgotten the exact difference


This completes the configuration.

