30-elk.html

<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
  <meta charset="utf-8">
  
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  
  <title>3. elk日志系统 &mdash; watchmen 1.0 documentation</title>
  

  
  
  
  

  

  
  
    

  

  <link rel="stylesheet" href="_static/css/theme.css" type="text/css" />
  <link rel="stylesheet" href="_static/pygments.css" type="text/css" />
    <link rel="index" title="Index" href="genindex.html" />
    <link rel="search" title="Search" href="search.html" />
    <link rel="next" title="4. zabbix监测系统" href="40-zabbix.html" />
    <link rel="prev" title="2. ansible集群管理工具" href="20-ansible.html" /> 

  
  <script src="_static/js/modernizr.min.js"></script>

</head>

<body class="wy-body-for-nav">

   
  <div class="wy-grid-for-nav">

    
    <nav data-toggle="wy-nav-shift" class="wy-nav-side">
      <div class="wy-side-scroll">
        <div class="wy-side-nav-search">
          

          
            <a href="index.html" class="icon icon-home"> watchmen
          

          
          </a>

          
            
            
              <div class="version">
                1.0
              </div>
            
          

          
<div role="search">
  <form id="rtd-search-form" class="wy-form" action="search.html" method="get">
    <input type="text" name="q" placeholder="Search docs" />
    <input type="hidden" name="check_keywords" value="yes" />
    <input type="hidden" name="area" value="default" />
  </form>
</div>

          
        </div>

        <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
          
            
            
              
            
            
              <p class="caption"><span class="caption-text">Contents:</span></p>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="10-summary.html">1. 概述</a></li>
<li class="toctree-l1"><a class="reference internal" href="20-ansible.html">2. ansible集群管理工具</a></li>
<li class="toctree-l1 current"><a class="current reference internal" href="#">3. elk日志系统</a><ul>
<li class="toctree-l2"><a class="reference internal" href="#id1">3.1. 安装</a></li>
<li class="toctree-l2"><a class="reference internal" href="#id2">3.2. 配置</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#elasticsearch-6-4-0">3.2.1. elasticsearch-6.4.0配置</a></li>
<li class="toctree-l3"><a class="reference internal" href="#kibana-6-4-0-linux-x86-64">3.2.2. kibana-6.4.0-linux-x86_64配置</a></li>
<li class="toctree-l3"><a class="reference internal" href="#filebeat">3.2.3. filebeat配置</a></li>
<li class="toctree-l3"><a class="reference internal" href="#haproxy">3.2.4. haproxy配置</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#id3">3.3. 使用</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#quick-start">3.3.1. quick start</a></li>
<li class="toctree-l3"><a class="reference internal" href="#kibana">3.3.2. kibana页面上的日志搜索技巧</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="40-zabbix.html">4. zabbix监测系统</a></li>
<li class="toctree-l1"><a class="reference internal" href="80-starnet-dev.html">5. watchmen在繁星的应用与开发</a></li>
<li class="toctree-l1"><a class="reference internal" href="99-history.html">6. 修订历史</a></li>
</ul>

            
          
        </div>
      </div>
    </nav>

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      
      <nav class="wy-nav-top" aria-label="top navigation">
        
          <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
          <a href="index.html">watchmen</a>
        
      </nav>


      <div class="wy-nav-content">
        
        <div class="rst-content">
        
          















<div role="navigation" aria-label="breadcrumbs navigation">

  <ul class="wy-breadcrumbs">
    
      <li><a href="index.html">Docs</a> &raquo;</li>
        
      <li>3. elk日志系统</li>
    
    
      <li class="wy-breadcrumbs-aside">
        
            
            <a href="_sources/30-elk.rst.txt" rel="nofollow"> View page source</a>
          
        
      </li>
    
  </ul>

  
  <hr/>
</div>
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
            
  <div class="section" id="elk">
<h1>3. elk日志系统<a class="headerlink" href="#elk" title="Permalink to this headline">¶</a></h1>
<p>ELK组合是日志系统的经典组合。但是Logstash是java程序，占用内存资源比较大，前端将其换成轻量级的filebeat。haproxy放在主节点上做代理转发。</p>
<p>filebeat（日志收集）+ elasticsearch（日志存储搜索）+kibana（ui展示）+haproxy(代理转发)</p>
<div class="section" id="id1">
<h2>3.1. 安装<a class="headerlink" href="#id1" title="Permalink to this headline">¶</a></h2>
<p>离线安装包:  <a class="reference external" href="smb://192.168.9.1">smb://192.168.9.1</a>/公共模块/繁星/繁星二代/自检系统/(elk_tx1、elk_server、haproxy_tx1)</p>
<p>filebeat使用源码放在主机上编译。 elk三个工程使用官方下载的tar.gz的包。都是java程序，直接就能运行。</p>
<p>繁星2代已编译好filebeat，其他平台需按照下面步骤编译：</p>
<p>filebeat编译安装参考：</p>
<p><a class="reference external" href="https://blog.csdn.net/lk142500/article/details/79535849">https://blog.csdn.net/lk142500/article/details/79535849</a></p>
<p>ubuntu14安装golang1.10：</p>
<p><a class="reference external" href="https://www.cnblogs.com/senlinyang/p/8777384.html">https://www.cnblogs.com/senlinyang/p/8777384.html</a></p>
</div>
<div class="section" id="id2">
<h2>3.2. 配置<a class="headerlink" href="#id2" title="Permalink to this headline">¶</a></h2>
<div class="section" id="elasticsearch-6-4-0">
<h3>3.2.1. elasticsearch-6.4.0配置<a class="headerlink" href="#elasticsearch-6-4-0" title="Permalink to this headline">¶</a></h3>
<div class="highlight-shell notranslate"><div class="highlight"><pre><span></span><span class="c1"># 修改 elasticsearch-6.4.0/config/elasticsearch.yml</span>
<span class="c1"># 开放所有ip访问</span>
network.host: <span class="m">0</span>.0.0.0

<span class="c1"># 修改系统参数，否则运行会报错</span>
vi /etc/sysctl.conf
vm.max_map_count<span class="o">=</span><span class="m">655360</span>
sysctl -p
</pre></div>
</div>
</div>
<div class="section" id="kibana-6-4-0-linux-x86-64">
<h3>3.2.2. kibana-6.4.0-linux-x86_64配置<a class="headerlink" href="#kibana-6-4-0-linux-x86-64" title="Permalink to this headline">¶</a></h3>
<div class="highlight-shell notranslate"><div class="highlight"><pre><span></span><span class="c1"># 修改 kibana-6.4.0-linux-x86_64/config/kibana.yml</span>
<span class="c1"># 开放所有ip访问</span>
server.host: <span class="s2">&quot;0.0.0.0&quot;</span>
<span class="c1"># 配置elasticsearch的访问地址</span>
elasticsearch.url: <span class="s2">&quot;http://127.0.0.1:9200&quot;</span>
</pre></div>
</div>
</div>
<div class="section" id="filebeat">
<h3>3.2.3. filebeat配置<a class="headerlink" href="#filebeat" title="Permalink to this headline">¶</a></h3>
<div class="highlight-shell notranslate"><div class="highlight"><pre><span></span>- type: log

  <span class="c1"># 改成true</span>
  enabled: <span class="nb">true</span>

  <span class="c1"># 配置日志路径，可配置多个，支持通配符但层级格式必须相符</span>
  paths:
    - /root/Log/Ops/*/*.log
    - /root/Log/VASvr/*/*.log

  <span class="c1"># 日志编码格式。如果不一致，配置两个《- type: log》块。</span>
  encoding: gbk

  <span class="c1"># 本机标签，在kibana搜索时可以以beat.name为过滤条件</span>
  name: <span class="s2">&quot;myname-192.168.5.99&quot;</span>
</pre></div>
</div>
</div>
<div class="section" id="haproxy">
<h3>3.2.4. haproxy配置<a class="headerlink" href="#haproxy" title="Permalink to this headline">¶</a></h3>
<div class="highlight-shell notranslate"><div class="highlight"><pre><span></span><span class="c1"># 编辑/etc/haproxy/haproxy.cfg 在末尾增加下面配置</span>
<span class="c1"># 将本机所有9200端口数据转发至服务器9200端口</span>

listen elastic_proxy
      <span class="nb">bind</span> <span class="m">0</span>.0.0.0:9200
      mode tcp
      server s1 <span class="m">192</span>.168.9.133:9200
</pre></div>
</div>
</div>
</div>
<div class="section" id="id3">
<h2>3.3. 使用<a class="headerlink" href="#id3" title="Permalink to this headline">¶</a></h2>
<p>kibana访问地址： <a class="reference external" href="http://ip:5601">http://ip:5601</a></p>
<div class="section" id="quick-start">
<h3>3.3.1. quick start<a class="headerlink" href="#quick-start" title="Permalink to this headline">¶</a></h3>
<p>Discover是查看、搜索日志的主要页面。如果有filebeat上报日志，第一次进入Discover会自动跳转，创建Index Patterns。</p>
<img alt="_images/elk-01.png" src="_images/elk-01.png" />
<img alt="_images/elk-02.png" src="_images/elk-02.png" />
<p>创建完毕后，在Discover中可以看到日志内容了，鼠标移到message，点add添加到“selected fields”中，日志内容看起来会清晰些。</p>
<img alt="_images/elk-03.png" src="_images/elk-03.png" />
<p>Management-&gt;Elasticsearch-&gt;Index Management中会自动生成类似“filebeat-7.0.0-alpha1-2018.09.29”的行。</p>
<p>进入Management-&gt;Kibana-&gt;Index Patterns可查看、删除、重新创建Index Patterns</p>
<p>仅以上配置，利用搜索栏和Add a filter， 以主机、文件名、时间、关键字等等组合条件，就能满足绝大多数需求。</p>
<p>其他使用技巧在下面补充</p>
</div>
<div class="section" id="kibana">
<h3>3.3.2. kibana页面上的日志搜索技巧<a class="headerlink" href="#kibana" title="Permalink to this headline">¶</a></h3>
<p>kikana Discover页面的搜索栏支持的查询语法名叫Lucene query。elasticsearch底层使用Lucene，api和kibana都支持Lucene语法。</p>
<p>lucene query语法参考：<a class="reference external" href="https://blog.csdn.net/feifantiyan/article/details/54411183">https://blog.csdn.net/feifantiyan/article/details/54411183</a></p>
<p>下面列出几个使用实例：</p>
<ul class="simple">
<li>查找beat.name为8.133的设备上日志文件路径中包含”Ops/2018-9-30”的日志</li>
</ul>
<div class="highlight-shell notranslate"><div class="highlight"><pre><span></span>source:?*<span class="se">\/</span>Ops<span class="se">\/</span><span class="m">2018</span>-09-30?* AND beat.name:8.133
</pre></div>
</div>
</div>
</div>
</div>


           </div>
           
          </div>
          <footer>
  
    <div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
      
        <a href="40-zabbix.html" class="btn btn-neutral float-right" title="4. zabbix监测系统" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right"></span></a>
      
      
        <a href="20-ansible.html" class="btn btn-neutral" title="2. ansible集群管理工具" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left"></span> Previous</a>
      
    </div>
  

  <hr/>

  <div role="contentinfo">
    <p>
        &copy; Copyright 2018, liuhang.

    </p>
  </div>
  Built with <a href="http://sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/rtfd/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>. 

</footer>

        </div>
      </div>

    </section>

  </div>
  


  

    <script type="text/javascript">
        var DOCUMENTATION_OPTIONS = {
            URL_ROOT:'./',
            VERSION:'1.0',
            LANGUAGE:'None',
            COLLAPSE_INDEX:false,
            FILE_SUFFIX:'.html',
            HAS_SOURCE:  true,
            SOURCELINK_SUFFIX: '.txt'
        };
    </script>
      <script type="text/javascript" src="_static/jquery.js"></script>
      <script type="text/javascript" src="_static/underscore.js"></script>
      <script type="text/javascript" src="_static/doctools.js"></script>

  

  <script type="text/javascript" src="_static/js/theme.js"></script>

  <script type="text/javascript">
      jQuery(function () {
          SphinxRtdTheme.Navigation.enable(true);
      });
  </script> 

</body>
</html>