Reading logs is tedious. As an ops engineer, the job is to make tedious work simple and standardized, gradually replacing repetitive command-line operations until you no longer even need to log in to the system. This ELK log server exists mainly to analyze logs better. For the approach and the principle, see the diagram:
The principle is that Logstash on the shipper collects the logs defined in the input section and sends them to the indexer, but we put a broker (implemented with Redis) in between as a buffer; Elasticsearch then stores the events and provides search, and Kibana displays the content as a web page.
To keep company information confidential, I substitute other addresses for the real public IPs:
shipper: 1.1.1.1 (the nginx server's IP)
internal gateway: 2.2.2.2 (does DNAT to the internal log-collection server)
broker: 192.168.1.2 (Redis as the buffer)
indexer: 192.168.1.2 (pulls data from the broker and can run analysis and processing (filter) on it)
search&storage: 192.168.1.2 (Elasticsearch stores the final logs and provides search)
web interface: 192.168.1.2 (the Kibana bundled with Logstash provides the web page)
Steps on the shipper:
Install Java and Logstash.
Our public nginx server runs Debian (which I'm not familiar with), so I installed from tarballs.
Download the JDK from Oracle's site; my system is 64-bit, so I downloaded jdk-7u79-linux-x64.gz.
I. JDK installation
1. Install
mkdir /usr/java
Move jdk-7u79-linux-x64.gz to /usr/java:
mv jdk-7u79-linux-x64.gz /usr/java
Unpack it:
tar xvf jdk-7u79-linux-x64.gz
2. Configure the environment variables
Tomcat (and likewise Logstash) locates Java through these environment variables at run time.
Edit /etc/profile and append the following at the end of the file:
export JAVA_HOME=/usr/java/jdk1.7.0_79
export JRE_HOME=/usr/java/jdk1.7.0_79/jre
export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar:$JRE_HOME/lib
export PATH=$PATH:$JAVA_HOME/bin
3. Apply the configuration:
source /etc/profile
Verify:
[root@mail java]# java -version
java version "1.7.0_79"
Java(TM) SE Runtime Environment (build 1.7.0_79-b15)
Java HotSpot(TM) 64-Bit Server VM (build 24.79-b02, mixed mode)
Nice, the JDK installation is complete.
II. Logstash installation
1. wget https://download.elasticsearch.org/logstash/logstash/logstash-1.4.2.tar.gz
tar xzvf logstash-1.4.2.tar.gz -C /app/ && mv /app/logstash-1.4.2 /app/logstash
mkdir -p /app/logstash/conf
2. Create the shipper configuration:
root@:/app/logstash/conf# pwd
/app/logstash/conf
root@:/app/logstash/conf# vi nginx_access.conf
input {
file {
type => "nginx_access"
path => "/var/log/nginx/www.1.com.access.log"
}
}
output {
stdout { codec => rubydebug }
redis {
host => '2.2.2.2'
data_type => 'list'
key => 'logstash:redis'
}
}
The installation is basically done. Once everything on 192.168.1.2 below has been set up, run
root@l:/app/logstash/conf# /app/logstash/bin/logstash agent -f /app/logstash/conf/nginx_access.conf &
and the data will be sent to 2.2.2.2.
Steps on the gateway server:
The data from 1.1.1.1 arrives at 2.2.2.2, and we need to forward it on to 192.168.1.2, which is naturally a job for DNAT:
[root@gw ~]# iptables -t nat -A PREROUTING -p tcp --dport 6379 -d 2.2.2.2 -s 1.1.1.1 -i eth2 -j DNAT --to-destination 192.168.1.2:6379
From the output section above, the receiving port is 6379, the port Redis listens on. I trust that IP forwarding is already enabled on your gateway.
Steps on the broker:
Install Redis
wget http://download.redis.io/releases/redis-2.8.17.tar.gz
tar -zxvf redis-2.8.17.tar.gz
cd redis-2.8.17
Install tcl first, otherwise the steps below will fail:
yum install tcl -y
make MALLOC=libc
make test
make install
# pwd
/soft/redis-2.8.17/utils
./install_server.sh
Welcome to the redis service installer
This script will help you easily set up a running redis server
Please select the redis port for this instance: [6379]
Selecting default: 6379
Please select the redis config file name [/etc/redis/6379.conf]
Selected default - /etc/redis/6379.conf
Please select the redis log file name [/var/log/redis_6379.log]
Selected default - /var/log/redis_6379.log
Please select the data directory for this instance [/var/lib/redis/6379]
Selected default - /var/lib/redis/6379
Please select the redis executable path [/usr/local/bin/redis-server]
Selected config:
Port :6379
Config file :/etc/redis/6379.conf
Log file :/var/log/redis_6379.log
Data dir :/var/lib/redis/6379
Executable :/usr/local/bin/redis-server
Cli Executable : /usr/local/bin/redis-cli
Is this ok? Then press ENTER to go on or Ctrl-C to abort.
Copied /tmp/6379.conf => /etc/init.d/redis_6379
Installing service...
Successfully added to chkconfig!
Successfully added to runlevels 345!
Starting Redis server...
Installation successful!
# pwd
/soft/redis-2.8.17/src
[root@logserver src]# ./redis-cli -h 127.0.0.1 -p 6379
127.0.0.1:6379> ping
PONG
127.0.0.1:6379> set name foo
OK
127.0.0.1:6379> get name
"foo"
127.0.0.1:6379> bye
(error) ERR unknown command 'bye'
127.0.0.1:6379> quit
Steps on the indexer:
Almost the same as the shipper steps above, except for the configuration:
[root@log css]# cd /app/logstash/conf/
[root@log conf]# vi nginx_access.conf
input {
redis {
host => "192.168.1.21"
data_type => "list"
port => "6379"
codec => "json"
type => "nginx_logs"
key => "logstash:redis"
}
}
output {
elasticsearch {
host => "192.168.1.21"
codec => "json"
}
}
Once everything below is deployed, run
root@l:/app/logstash/conf# /app/logstash/bin/logstash agent -f /app/logstash/conf/nginx_access.conf &
and the data in Redis will be handed to Elasticsearch for storage and search.
Steps on search&storage:
Install Elasticsearch
#tar zxvf elasticsearch-1.5.2.tar.gz
#mv elasticsearch-1.5.2 /usr/local/
#cd /usr/local/
#ln -s elasticsearch-1.5.2 elasticsearch
Add the following at the end of the config file (permission management and protection against cross-site attacks):
#vi config/elasticsearch.yml
http.cors.allow-origin: "/.*/"
http.cors.enabled: true
script.disable_dynamic: true
After saving, start it with:
#/usr/local/elasticsearch/bin/elasticsearch -f
Press Ctrl+C to exit.
To run it in the background:
#/usr/local/elasticsearch/bin/elasticsearch -d
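As set up above, Redis accepts connections from the public nginx host with no authentication, and the elasticsearch.yml fragment allows every browser origin. The fragments below are an added example, not configuration from the original post; they tighten the same three files, using a placeholder password (assumed; replace it) and the httpd host 192.168.1.2 that serves Kibana 3 as the only permitted origin. The password option is supported by the Logstash 1.4 redis input and output plugins.

```conf
# --- /etc/redis/6379.conf on the broker (192.168.1.2) ---
# Bind to the internal address and require a password; without these,
# anything that can reach TCP/6379 can read, delete or inject log events.
bind 192.168.1.2
requirepass REDIS_PASSWORD_PLACEHOLDER

# --- /app/logstash/conf/nginx_access.conf on the shipper (1.1.1.1) ---
input {
  file {
    type => "nginx_access"
    path => "/var/log/nginx/www.1.com.access.log"
  }
}
output {
  redis {
    host      => "2.2.2.2"      # the gateway DNATs 6379 on to the broker
    data_type => "list"
    key       => "logstash:redis"
    password  => "REDIS_PASSWORD_PLACEHOLDER"
  }
}

# --- /app/logstash/conf/nginx_access.conf on the indexer ---
input {
  redis {
    host      => "192.168.1.2"
    port      => 6379
    data_type => "list"
    key       => "logstash:redis"
    password  => "REDIS_PASSWORD_PLACEHOLDER"
    codec     => "json"
  }
}
output {
  elasticsearch { host => "192.168.1.2" }
}

# --- /usr/local/elasticsearch/config/elasticsearch.yml ---
# "/.*/" lets any web origin query the cluster from a browser; only the
# httpd host that serves Kibana 3 needs that, so name it explicitly.
http.cors.enabled: true
http.cors.allow-origin: '/^http:\/\/192\.168\.1\.2$/'
script.disable_dynamic: true
```

Restart Redis after editing its config, then restart both Logstash agents; the Elasticsearch changes take effect on the next start of the node.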
Steps on the web interface:
Install httpd and Kibana 3
yum -y install httpd
wget https://download.elasticsearch.org/kibana/kibana/kibana-3.1.1.tar.gz
tar zxvf kibana-3.1.1.tar.gz -C /var/www/html
mv /var/www/html/kibana-3.1.1 /var/www/html/kibana
Change the default dashboard to logstash.json:
grep default_route /var/www/html/kibana/config.js
default_route :'/dashboard/file/logstash.json',
Start the httpd service and open the following in a web browser:
http://192.168.1.2/kibana/#/dashboard/file/default.json
Elasticsearch has many more plugins; bigdesk, for example, refreshes its page every 2 seconds, which makes monitoring easier. Give them a try. Thanks to the following blogs for their help:
http://xiangcun168.blog.51cto.com/4788340/1680441
http://jerrymin.blog.51cto.com/3002256/1565819
http://welcomeweb.blog.51cto.com/10487763/1684696
This article comes from the blog "创新分享驰骋里外"; please keep this attribution: http://10554846.blog.51cto.com/10544846/1687320