Centos7搭建ELK（Elasticsearch、Logstash、Kibana）教程及注意事项

1、下载安装包

使用华为镜像站下载速度很快&＃xff0c;华为镜像站&＃xff1a;https://mirrors.huaweicloud.com/home&＃xff0c;下载时需要保证版本一致

2、安装elasticsearch

解压到当前目录

[root&＃64;localhost elk]# tar zxvf elasticsearch-7.4.2-linux-x86_64.tar.gz


安装&＃xff0c;将Elasticsearch移动到/opt目录之中

[root&＃64;localhost elk]# mv elasticsearch-7.4.2 /opt


创建Elasticsearch用户

es 规定 root 用户不能启动 es&＃xff0c;所以需要新建一个其他用户来启动 es修改配置文件

添加用户

[root&＃64;localhost elk]# adduser es


设定密码

[root&＃64;localhost elk]# passwd es


添加权限

[root&＃64;localhost elk]# chown -R es /opt/elasticsearch-7.4.2


修改配置文件
进入 /opt/elasticsearch-7.4.2/config/&＃xff0c;修改elasticsearch.yml文件
[root&＃64;localhost ~]# cd /opt/elasticsearch-7.4.2/config/
取消如下注释&＃xff0c;并修改为当前主机地址&＃xff1a;

cluster.name: my-application
node.name: node-1
bootstrap.memory_lock: false
network.host: 192.168.75.143
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.75.143"]
discovery.zen.minimum_master_nodes: 1 #注意&＃xff0c;因为本人目前是单节点&＃xff0c;这里必须为1


新增如下配置:

transport.tcp.port: 9300
transport.tcp.compress: true
bootstrap.system_call_filter: false


使用vi编辑器&＃xff0c;修改/etc/sysctl.conf文件&＃xff0c;添加如下代码(若无将会出现下面常见问题2)&＃xff1a;

vm.max_map_count&＃61;262144


退出保存后执行如下命令:

sysctl -p


修改/etc/security/limits.conf文件&＃xff0c;在文件末尾添加如下代码(若无将会出现下面常见问题3):

# es为登录服务器的用户名
essoft nofile 65536
eshard nofile 65536
essoft nproc 4096
eshard nproc 4096


3、启动Elasticsearch

切换用户

su solin


查看当前用户

who am i


启动服务

[es&＃64;localhost ~]$ /opt/elasticsearch-7.4.2/bin/elasticsearch


后台启动

[es&＃64;localhost ~]$ /opt/elasticsearch-7.4.2/bin/elasticsearch -d


测试是否启动成功

[root&＃64;localhost ~]# curl 192.168.75.143:9200

报错&＃xff1a;需要按照JAVA11

future versions of Elasticsearch will require Java 11; your Java version from [/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.362.b08-1.el7_9.x86_64/jre] does not meet this requirement


选择11版本

[es&＃64;localhost ~]$ yum search java| grep jdk
[root&＃64;localhost elk]# yum install java-11-openjdk-devel.x86_64


java环境配置参考&＃xff1a;https://www.voidking.com/dev-install-jdk-on-all-platforms/

export JAVA_HOME&＃61;/usr/lib/jvm/java-11-openjdk-11.0.12.0.7-0.el7_9.x86_64
export CLASSPATH&＃61;$JAVA_HOME/lib:$CLASSPATH
export PATH&＃61;$JAVA_HOME/bin:$PATH


报错2&＃xff1a;

could not find java in JAVA_HOME or bundled at /usr/lib/jvm/java-1.8.0/bin/java


解决办法&＃xff1a;

切换到普通用户es下&＃xff0c;执行source /etc/profile刷新配置

报错3&＃xff1a;

OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.


警告信息不影响es的启动&＃xff0c;如果要去掉警告&＃xff0c;则需要修改es config下面的jvm.options文件中的属性定义字段&＃xff0c;把-XX:&＃43;UseConcMarkSweepGC修改成&＃xff1a;

[root&＃64;localhost config]# vim jvm.options
-XX:&＃43;UseG1GC


设置允许其他机器访问

当前只能响应本机的请求&＃xff0c;想要其他机器也能访问的话&＃xff0c;那么需要修改elasticsearch的配置。

[root&＃64;localhost ~]# vim /opt/elasticsearch-7.4.2/config/elasticsearch.yml


# line 17, uncomment
cluster.name: my-application
# line 22, uncomment and change
node.name: master
# line 55, uncomment and change
network.host: 0.0.0.0
# line 59, uncomment
ttp.port: 9200
# line 72, uncomment and change
cluster.initial_master_nodes: ["master", "node-2"]


重启Elasticsearch

如果可以看到:::9200&＃xff0c;就可以通过外部浏览器访问Elasticsearch服务了&＃xff0c;至此Elasticsearch安装配置完成。

4、Logstash安装

Logstash 工作原理

Logstash使用管道方式进行日志的搜集处理和输出。

有点类似Linux系统的管道命令 aaa| bbb | ccc&＃xff0c;aaa执行完了会执行bbb&＃xff0c;然后执行ccc。

在logstash中&＃xff0c;包括了三个阶段:

输入input --> 处理filter&＃xff08;不是必须的&＃xff09; --> 输出output

配置文件也是按这个顺序进行配置的。

解压安装包到当前目录

[root&＃64;localhost elk]# tar zxvf logstash-7.4.2.tar.gz


移动安装目录到opt目录下

[root&＃64;localhost elk]# mv logstash-7.4.2 /opt


拷贝 config 目录下的 logstash-sample.conf&＃xff0c;改名为 logstash.conf&＃xff0c;修改其配置&＃xff0c;内容如下&＃xff1a;

简单解释一下这段配置&＃xff1a;

1、input 块是 logstash 接收日志时的一些配置&＃xff0c;output 是 logstash 往 elasticsearch 输送日志的配置&＃xff1b;

2、input.host 是运行 logstash 的服务器的 ip&＃xff1b;input.port 是 logstash 的运行端口&＃xff0c;可以自己定义&＃xff1b;

3、output.hosts 的 elasticsearch 的 ip 和端口&＃xff0c;这是个数组&＃xff0c;多个用逗号隔开&＃xff0c;由于我们没有修改 elasticsearch 的配置&＃xff0c;它默认就是 9200 端口&＃xff1b;output.index 是索引&＃xff1b;

4、修改完配置&＃xff0c;进入 bin 目录指定配置文件启动即可&＃xff0c;例如&＃xff1a;./logstash -f ../config/logstash.conf&＃xff0c;如果是 windows 版本&＃xff0c;执行logstash.bat -f …/config/logstash.conf即可。

[root&＃64;localhost bin]# ./logstash -f ../config/logstash.conf


5、kibana安装

下载后解压&＃xff0c;然后拷贝一份 config 目录下的 kibana.yml&＃xff0c;根据自己的需要可以修改配置&＃xff0c;比如端口&＃xff08;默认5601&＃xff09;、host、elasticsearch.hosts&＃xff08;默认localhost:9200&＃xff09;等。我这里都用默认的&＃xff0c;没有修改。

到 bin 目录下执行 ./kibana就可以启动了&＃xff0c;windows 执行 kibana.bat即可。

启动完访问 localhost:5601&＃xff0c;看到如下界面就启动成功了。

报错1&＃xff1a;

FATAL [master_not_discovered_exception] null :: {"path":"/.kibana_task_manager","query":{},"statusCode":503,"response":"{\"error\":{\"root_cause\":[{\"type\":\"master_not_discovered_exception\",\"reason\":null}],\"type\":\"master_not_discovered_exception\",\"reason\":null},\"status\":503}"}


原因&＃xff1a;未修改elasticsearch.yml的cluster.initial_master_nodes配置&＃xff0c;修改配置之后重启elasticsearch

node.name: node-1
cluster.initial_master_nodes: [“node-1”]


报错2&＃xff1a;Request Timeout after 30000ms

解决办法 &＃xff1a;

方法1、修改elastisearch的内存

方法2、修改kibana的超时时间
如果机器的内存不是那么的充足的话&＃xff0c;我们可以改改后端弹性搜索的阈值。修改配置文件/etc/kibana/kibana.yml的第66行&＃xff0c;将#去掉&＃xff0c;然后将30000毫秒&＃xff08;也就是30s&＃xff09;

更改成40000(40秒)&＃xff0c;这个根据实际情况进行修改。

在kibana中查询日志

访问localhost:5601&＃xff0c;点击左侧最下方图标【Management】–> 【Index Patterns】–> 【Create index pattern】

6、logstash深入收集Nginx日志

安装nginx

[root&＃64;localhost nginx]# yum -y install nginx
echo "192.168.75.143" > /usr/share/nginx/html/index.html


住nginx.conf配置

[root&＃64;localhost nginx]# cat nginx.conf
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
# log_format main &＃39;$remote_addr - $remote_user [$time_local] "$request" &＃39;
# &＃39;$status $body_bytes_sent "$http_referer" &＃39;
# &＃39;"$http_user_agent" "$http_x_forwarded_for"&＃39;;
log_format access_json &＃39;{"&＃64;timestamp":"$time_iso8601",&＃39;
&＃39;"host":"$server_addr",&＃39;
&＃39;"clientip":"$remote_addr",&＃39;
&＃39;"size":$body_bytes_sent,&＃39;
&＃39;"responsetime":$request_time,&＃39;
&＃39;"upstreamtime":"$upstream_response_time",&＃39;
&＃39;"upstreamhost":"$upstream_addr",&＃39;
&＃39;"http_host":"$host",&＃39;
&＃39;"url":"$uri",&＃39;
&＃39;"domain":"$host",&＃39;
&＃39;"xff":"$http_x_forwarded_for",&＃39;
&＃39;"referer":"$http_referer",&＃39;
&＃39;"status":"$status"}&＃39;;
#access_log /var/log/nginx/access.log main;
access_log /var/log/nginx/access.log access_json;

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
server {
listen 80;
listen [::]:80;
server_name _;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location &＃61; /404.html {
}
error_page 500 502 503 504 /50x.html;
location &＃61; /50x.html {
}
}


将Nginx日志转换成json格式

log_format access_json &＃39;{"&＃64;timestamp":"$time_iso8601",&＃39;
&＃39;"host":"$server_addr",&＃39;
&＃39;"clientip":"$remote_addr",&＃39;
&＃39;"size":$body_bytes_sent,&＃39;
&＃39;"responsetime":$request_time,&＃39;
&＃39;"upstreamtime":"$upstream_response_time",&＃39;
&＃39;"upstreamhost":"$upstream_addr",&＃39;
&＃39;"http_host":"$host",&＃39;
&＃39;"url":"$uri",&＃39;
&＃39;"domain":"$host",&＃39;
&＃39;"xff":"$http_x_forwarded_for",&＃39;
&＃39;"referer":"$http_referer",&＃39;
&＃39;"status":"$status"}&＃39;;
access_log /var/log/nginx/access.log access_json;


重启nginx&＃xff0c;查看访问日志

刷新页面会在日志看到访问日志信息为json格式即可&＃xff0c;配置logstash收集Nginx日志

[root&＃64;localhost config]# cat nginx-log-es.conf
input{
file{
path &＃61;> "/var/log/nginx/access.log"
start_position &＃61;> "beginning"
stat_interval &＃61;> 3
type &＃61;> "nginx-accesslog"
codec &＃61;> "json"
}
}
output{
if [type] &＃61;&＃61; "nginx-accesslog"{
elasticsearch {
hosts &＃61;> ["192.168.75.143:9200"]
index &＃61;> "long-nginx-accesslog-%{&＃43;YYYY.MM.dd}"
}}
}


检查语法

/opt/logstash-7.4.2/bin/logstash -f /opt/logstash-7.4.2/config/nginx-log-es.conf -t


启动

/opt/logstash-7.4.2/bin/logstash -f /opt/logstash-7.4.2/config/nginx-log-es.conf


查看kabana

把nginx的访问日志和错误日志一起收集&＃xff0c;配置文件

[root&＃64;localhost config]# cat nginx-log-es.conf
input{
file{
path &＃61;> "/var/log/nginx/access.log"
start_position &＃61;> "beginning"
stat_interval &＃61;> 3
type &＃61;> "nginx-accesslog"
codec &＃61;> "json"
}
file{
path &＃61;> "/var/log/nginx/error.log"
start_position &＃61;> "beginning"
stat_interval &＃61;> 3
type &＃61;> "nginx-errorlog"
#codec &＃61;> "json"
}
}
output{
if [type] &＃61;&＃61; "nginx-accesslog"{
elasticsearch {
hosts &＃61;> ["192.168.75.143:9200"]
index &＃61;> "long-nginx-accesslog-%{&＃43;YYYY.MM.dd}"
}}
if [type] &＃61;&＃61; "nginx-errorlog"{
elasticsearch {
hosts &＃61;> ["192.168.75.143:9200"]
index &＃61;> "long-nginx-errorlog-%{&＃43;YYYY.MM.dd}"
}}
}


检查语法

/opt/logstash-7.4.2/bin/logstash -f /opt/logstash-7.4.2/config/nginx-log-es.conf -t


启动

/opt/logstash-7.4.2/bin/logstash -f /opt/logstash-7.4.2/config/nginx-log-es.conf


查看错误日志