ELKBR部署檢測項目日誌

• 2019 年 10 月 3 日
• 筆記

ELK

• filebeat：具有日誌收集功能，相比logstash，+filebeat更輕量，佔用資源更少，適合客戶端使用。
• redis消息隊列選型：Redis 伺服器通常都是用作 NoSQL 資料庫，不過這裡的 redis 只是用來做消息隊列，海量日誌建議使用kafka。
• logstash：主要是用來日誌的搜集、分析、過濾日誌的工具，支援大量的數據獲取方式。一般工作方式為c/s架構，client端安裝在需要收集日誌的主機上，server端負責將收到的各節點日誌進行過濾、修改等操作在一併發往elasticsearch上去。
• elasticsearch：Elasticsearch是個開源分散式搜索引擎，提供搜集、分析、存儲數據三大功能。它的特點有：分散式，零配置，自動發現，索引自動分片，索引副本機制，restful風格介面，多數據源，自動搜索負載等。
• kibana：Kibana可以為 Logstash 和 ElasticSearch 提供的日誌分析友好的 Web 介面，可以幫助匯總、分析和搜索重要數據日誌。

ES激活白金版：https://www.jianshu.com/p/1ff67bb363dd

1 redis部署

• 上傳部署包至/usr/local/src/redis/，依賴安裝及環境配置

• mkdir -p /usr/local/src/redis/  yum -y install gcc-c++ make tcl  service iptables stop && chkconfig iptables off  echo 511 > /proc/sys/net/core/somaxconn  echo never > /sys/kernel/mm/transparent_hugepage/enabled  echo "echo 511 > /proc/sys/net/core/somaxconn" >> /etc/rc.local  echo "echo never > /sys/kernel/mm/transparent_hugepage/enabled" >> /etc/rc.local  echo "vm.overcommit_memory = 1" >> /etc/sysctl.conf && modprobe bridge && sysctl -p

• 編譯安裝redis server

• mkdir -p /usr/local/src/redis/{data,log}  cd /usr/local/src/redis && tar -zxvf redis-stable.tar.gz -C . && cd redis-stable && make && make install  (此處可一路回車選擇默認配置,配置文件在cat /etc/redis/6379.conf)  ./utils/install_server.sh

• 啟動redis

• chkconfig redis_6379 on  service redis_6379 start

• 檢查啟動後服務是否正常

• redis-cli -h 本機IP

  localhost:6379> keys *
  (empty list or set)
  localhost:6379> set test abc
  OK
  localhost:6379> get test
  "abc"
  localhost:6379> del test
  (integer) 1

  localhost:6379> quit

2 filebeat

• 上傳filebeat包，解壓修改配置

• mkdir /usr/local/src/filebeat  #上傳壓縮包  tar -zxvf filebeat-7.3.1-linux-x86_64.tar.gz  cd filebeat-7.3.1-linux-x86_64  vim filebeat.yml

(paths:對應日誌位置)

enabled: true

paths:

• /tomcat/apache-tomcat-7.0.72/logs/*.out

multiline.pattern: ^[

multiline.negate: false

multiline.match: after

(tags:變數TEMPLATE_TAG用於部署到對應伺服器後批量替換為對應實例名稱)

tags: ["192.168.192.10"]

注釋掉Elasticsearch相關的配置

—————————– Redis output ——————————–

(key變數為保存到redis中的鍵名，用於部署到對應伺服器後批量替換為對應應用名)

output.redis:
hosts: ["localhost:6379"]
db: 0
timeout: 5
key: "project-name"

================================ Global =====================================

filebeat.global:
filebeat.spool_size: 64
filebeat.idle_timeout: 5s

• 啟動

• ./filebeat -e -c filebeat.yml

• 查看redis是否已有日誌記錄

• redis-cli -h 本機IP  #查看所有KEY  keys *  #查看日誌長度  LLEN project-name  #查看某一行日誌  INDEX project-name 1  

3 ElasticSearch

• 下載解壓

• mkdir /usr/local/src/elasticsearch  #上傳壓縮包  tar -zxvf elasticsearch-7.3.1-linux-x86_64.tar.gz

• 在es下創建數據和日誌文件夾，修改配置文件

• #對應配置里的數據和日誌文件目錄  mkdir /usr/local/src/elasticsearch/elasticsearch-7.3.1/data  #mkdir /usr/local/src/elasticsearch/elasticsearch-7.3.1/logs  vim config/elasticsearch.yml

  cluster.name: my-application

  node.name: node-10

  path.data: /usr/local/src/elasticsearch/elasticsearch-7.3.1/data

  path.logs: /usr/local/src/elasticsearch/elasticsearch-7.3.1/logs

  network.host: 本機IP
  http.port: 9200
  discovery.seed_hosts: ["本機IP"]
  cluster.initial_master_nodes: ["node-10"]

  因為Centos6不支援SecComp加入下面兩句

  bootstrap.memory_lock: false
  bootstrap.system_call_filter: false

  驗證開啟(不想要密碼就忽略)

  xpack.security.enabled: true
  xpack.ml.enabled: true
  xpack.license.self_generated.type: trial

• 新建elkuser用戶(注意不能使用root用戶啟動es)

• #創建用戶  useradd elkuser  #修改用戶組和用戶  cd /usr/local/src/elasticsearch  chown -R elkuser:elkuser elasticsearch-7.3.1  #切換用戶  su elkuser

• 啟動

• ./bin/elasticsearch

• 設置啟動密碼

• ./bin/elasticsearch-setup-passwords interactive --verbose

• Trying user password change call http://192.168.192.10:9200/_security/user/apm_system/_password?pretty
  { }

  Changed password for user [apm_system]

  Trying user password change call http://192.168.192.10:9200/_security/user/kibana/_password?pretty
  { }

  Changed password for user [kibana]

  Trying user password change call http://192.168.192.10:9200/_security/user/logstash_system/_password?pretty
  { }

  Changed password for user [logstash_system]

  Trying user password change call http://192.168.192.10:9200/_security/user/beats_system/_password?pretty
  { }

  Changed password for user [beats_system]

  Trying user password change call http://192.168.192.10:9200/_security/user/remote_monitoring_user/_password?pretty
  { }

  Changed password for user [remote_monitoring_user]

  Trying user password change call http://192.168.192.10:9200/_security/user/elastic/_password?pretty
  { }

  Changed password for user [elastic]

  • 登陸 http://192.168.192.10:9200/ 用戶名:elastic 密碼(剛剛設置的): elkuser
  • 

ElasticSearch啟動問題:

[1]: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536]
切換到root用戶，編輯limits.conf添加如下內容(需要重啟生效)
vi /etc/security/limits.conf
* soft nofile 65536
* hard nofile 65536

[2]: max number of threads [3818] for user [es] is too low, increase to at least [4096]
最大執行緒個數太低。修改配置文件etc/security/limits.conf，增加配置
* soft nproc 4096
* hard nproc 4096

[3]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
修改/etc/sysctl.conf文件，增加配置vm.max_map_count=262144
vi /etc/sysctl.conf
sysctl -p
執行命令sysctl -p生效

問題原因：因為Centos6不支援SecComp，而ES5.2.1默認bootstrap.system_call_filter為true進行檢測，所以導致檢測失敗，失敗後直接導致ES不能啟動
解決方法：在elasticsearch.yml中配置bootstrap.system_call_filter為false，注意要在Memory下面:
bootstrap.memory_lock: false
bootstrap.system_call_filter: false

4 Logstash

• 下載解壓

• mkdir /usr/local/src/logstash  #上傳壓縮包  tar -zxvf logstash-7.3.1.tar.gz

• 創建一個配置文件

• vim logstash.conf

  input {

  ​ redis {
  ​ host => "redis所在機器"
  ​ data_type => "list"
  ​ port => "6379"
  ​ key => "project-name"
  ​ type => "project-name"
  ​ }

  }

  output {

  ​ if[type == "project-name"]{

  ​ elasticsearch {
  ​ hosts => "es所在機器:9200"
  ​ user => "elastic"
  ​ password => "剛剛es環境設置的密碼"
  ​ codec => "json"
  ​ index => "project-name-%{+YYYY.MM.dd}"
  ​ }

  ​ }

  }

• 啟動

• bin/logstash -f logstash.conf

5 kibana

• 下載解壓

• mkdir /usr/local/src/kibana  #上傳壓縮包  tar -zxvf kibana-7.3.1-linux-x86_64.tar.gz    cd kibana-7.3.1-linux-x86_64  mkdir logs  #進入kibana配置下  cd config  #修改配置文件  vim kibana.yml 

server.port: 5601
server.host: "本機IP"
elasticsearch.hosts: ["http://ES伺服器IP:9200"]
kibana.index: ".kibana"
elasticsearch.username: "kibana"
elasticsearch.password: "es環境設置的kibana密碼"
pid.file: /var/run/kibana.pid
logging.dest: /usr/local/src/kibana/kibana-7.3.1-linux-x86_64/logs/kibana.log

• 啟動(kibana不建議以root用戶啟動，如果用root啟動，需要加–allow-root)

• bin/kibana  #bin/kibana  --allow-root  (觀察配置的日誌)

• 訪問5601埠(使用es用戶)(以下沒有更新，參考使用)

• 

• 創建日誌索引

• 

• 

• 

• 查看日誌量等資訊

•