ElasticSearch实战:Linux日志对接Kibana
本文由云+社区发表
ElasticSearch是一个基于Lucene的搜索服务器。它提供了一个分布式多用户能力的全文搜索引擎,基于RESTFul web接口。ElasticSearch是用Java开发的,并作为Apache许可条款下的开放源码发布,是当前流行的企业级搜索引擎。ElasticSearch常用于全文检索,结构化检索,数据分析等。
下面,我们以ElasticSearch接管Linux日志(/var/log/xxx.log)为例,详细介绍如何进行配置与部署。
总体架构图
一,准备工作
1,CVM及ElasticSearch
在腾讯云帐号下,申请一台CVM(Linux操作系统)、一个ElasticSearch集群(后面简称ES),使用最简配置即可;申请的CVM和ES,必须在同一个VPC的同一个子网下。
CVM详情信息
ElasticSearch详情信息
2,Filebeat工具
为了将Linux日志提取到ES中,我们需要使用Filebeat工具。Filebeat是一个日志文件托运工具,在你的服务器上安装客户端后,Filebeat会监控日志目录或者指定的日志文件,追踪读取这些文件(追踪文件的变化,不停的读),并且转发这些信息到ElasticSearch或者logstarsh中存放。当你开启Filebeat程序的时候,它会启动一个或多个探测器(prospectors)去检测你指定的日志目录或文件,对于探测器找出的每一个日志文件,Filebeat启动收割进程(harvester),每一个收割进程读取一个日志文件的新内容,并发送这些新的日志数据到处理程序(spooler),处理程序会集合这些事件,最后Filebeat会发送集合的数据到你指定的地点。
官网简介:https://www.elastic.co/products/beats/filebeat
二,操作步骤
1,Filebeat下载与安装
首先,登录待接管日志的CVM,在CVM上下载Filebeat工具:
[root@VM_3_7_centos ~]# cd /opt/
[root@VM_3_7_centos opt]# ll
total 4
drwxr-xr-x. 2 root root 4096 Sep 7 2017 rh
[root@VM_3_7_centos opt]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.2.2-x86_64.rpm
--2018-12-10 20:24:26-- https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.2.2-x86_64.rpm
Resolving artifacts.elastic.co (artifacts.elastic.co)... 107.21.202.15, 107.21.127.184, 54.225.214.74, ...
Connecting to artifacts.elastic.co (artifacts.elastic.co)|107.21.202.15|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12697788 (12M) [binary/octet-stream]
Saving to: ‘filebeat-6.2.2-x86_64.rpm’
100%[=================================================================================================>] 12,697,788 160KB/s in 1m 41s
2018-12-10 20:26:08 (123 KB/s) - ‘filebeat-6.2.2-x86_64.rpm’ saved [12697788/12697788]
然后,进行安装filebeat:
[root@VM_3_7_centos opt]# rpm -vi filebeat-6.2.2-x86_64.rpm
warning: filebeat-6.2.2-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing packages...
filebeat-6.2.2-1.x86_64
[root@VM_3_7_centos opt]#
至此,Filebeat安装完成。
2,Filebeat配置
进入Filebeat配置文件目录:/etc/filebeat/
[root@VM_3_7_centos opt]# cd /etc/filebeat/
[root@VM_3_7_centos filebeat]# ll
total 108
-rw-r--r-- 1 root root 44384 Feb 17 2018 fields.yml
-rw-r----- 1 root root 52193 Feb 17 2018 filebeat.reference.yml
-rw------- 1 root root 7264 Feb 17 2018 filebeat.yml
drwxr-xr-x 2 root root 4096 Dec 10 20:35 modules.d
[root@VM_3_7_centos filebeat]#
其中,filebeat.yml就是我们需要修改的配置文件。建议修改配置前,先备份此文件。
然后,确认需要对接ElasticSearch的Linux的日志目录,我们以下图(/var/log/secure)为例。
/var/log/secure日志文件
使用vim打开/etc/filebeat/filebeat.yml文件,修改其中的:
1)Filebeat prospectors类目中,enable默认为false,我们要改为true
2)paths,默认为/var/log/*.log,我们要改为待接管的日志路径:/var/log/secure
3)Outputs类目中,有ElasticSearchoutput配置,其中hosts默认为"localhost:9200",需要我们手工修改为上面申请的ES子网地址和端口,即"10.0.3.8:9200"。
修改好上述内容后,保存退出。
修改好的配置文件全文如下:
[root@VM_3_7_centos /]# vim /etc/filebeat/filebeat.yml
[root@VM_3_7_centos /]# cat /etc/filebeat/filebeat.yml
###################### Filebeat Configuration Example #########################
# This file is an example configuration file highlighting only the most common
# options. The filebeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/filebeat/index.html
# For more available modules and options, please see the filebeat.reference.yml sample
# configuration file.
#=========================== Filebeat prospectors =============================
filebeat.prospectors:
# Each - is a prospector. Most options can be set at the prospector level, so
# you can use different prospectors for various configurations.
# Below are the prospector specific configurations.
- type: log
# Change to true to enable this prospector configuration.
enabled: true
# Paths that should be crawled and fetched. Glob based paths.
paths:
- /var/log/secure
#- c:\programdata\elasticsearch\logs\*
# Exclude lines. A list of regular expressions to match. It drops the lines that are
# matching any regular expression from the list.
#exclude_lines: ['^DBG']
# Include lines. A list of regular expressions to match. It exports the lines that are
# matching any regular expression from the list.
#include_lines: ['^ERR', '^WARN']
# Exclude files. A list of regular expressions to match. Filebeat drops the files that
# are matching any regular expression from the list. By default, no files are dropped.
#exclude_files: ['.gz$']
# Optional additional fields. These fields can be freely picked
# to add additional information to the crawled log files for filtering
#fields:
# level: debug
# review: 1
### Multiline options
# Mutiline can be used for log messages spanning multiple lines. This is common
# for Java Stack Traces or C-Line Continuation
# The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
#multiline.pattern: ^\[
# Defines if the pattern set under pattern should be negated or not. Default is false.
#multiline.negate: false
# Match can be set to "after" or "before". It is used to define if lines should be append to a pattern
# that was (not) matched before or after or as long as a pattern is not matched based on negate.
# Note: After is the equivalent to previous and before is the equivalent to to next in Logstash
#multiline.match: after
#============================= Filebeat modules ===============================
filebeat.config.modules:
# Glob pattern for configuration loading
path: ${path.config}/modules.d/*.yml
# Set to true to enable config reloading
reload.enabled: false
# Period on which files under path should be checked for changes
#reload.period: 10s
#==================== Elasticsearch template setting ==========================
setup.template.settings:
index.number_of_shards: 3
#index.codec: best_compression
#_source.enabled: false
#================================ General =====================================
# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:
# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]
# Optional fields that you can specify to add additional information to the
# output.
#fields:
# env: staging
#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here, or by using the `-setup` CLI flag or the `setup` command.
#setup.dashboards.enabled: false
# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:
#============================== Kibana =====================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
# Kibana Host
# Scheme and port can be left out and will be set to the default (http and 5601)
# In case you specify and additional path, the scheme is required: http://localhost:5601/path
# IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
#host: "localhost:5601"
#============================= Elastic Cloud ==================================
# These settings simplify using filebeat with the Elastic Cloud (https://cloud.elastic.co/).
# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:
# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:
#================================ Outputs =====================================
# Configure what output to use when sending the data collected by the beat.
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["10.0.3.8:9200"]
# Optional protocol and basic auth credentials.
#protocol: "https"
#username: "elastic"
#password: "changeme"
#----------------------------- Logstash output --------------------------------
#output.logstash:
# The Logstash hosts
#hosts: ["localhost:5044"]
# Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
#ssl.key: "/etc/pki/client/cert.key"
#================================ Logging =====================================
# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug
# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]
#============================== Xpack Monitoring ===============================
# filebeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.
# Set to true to enable the monitoring reporter.
#xpack.monitoring.enabled: false
# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well. Any setting that is not set is
# automatically inherited from the Elasticsearch output configuration, so if you
# have the Elasticsearch output configured, you can simply uncomment the
# following line.
#xpack.monitoring.elasticsearch:
[root@VM_3_7_centos /]#
执行下列命令启动filebeat
[root@VM_3_7_centos /]# sudo /etc/init.d/filebeat start
Starting filebeat (via systemctl): [ OK ]
[root@VM_3_7_centos /]#
3,Kibana配置
进入ElasticSearch对应的Kibana管理页,如下图。
首次访问Kibana默认会显示管理页
首次登陆,会默认进入Management页面,我们需要将Index pattern内容修改为:filebeat-*,然后页面会自动填充Time Filter field name,不需手动设置,直接点击Create即可。点击Create后,页面需要一定时间来加载配置和数据,请稍等。如下图:
将Index pattern内容修改为:filebeat-*,然后点击Create
至此,CVM上,/var/log/secure日志文件,已对接到ElasticSearch中,历史日志可以通过Kibana进行查询,最新产生的日志也会实时同步到Kibana中。
三,实战效果
日志接管已完成配置,如何使用呢?
如下图:
在Index Patterns中可以看到我们配置过的filebeat-*
点击Discover,即可看到secure中的所有日志,页面上方的搜索框中输入关键字,即可完成日志的检索。如下图(点击图片,可查看高清大图):
使用Kibana进行日志检索
实际上,检索只是Kibana提供的诸多功能之一,还有其他功能如可视化、分词检索等,还有待后续研究。
此文已由作者授权腾讯云+社区发布
搜索关注公众号「云加社区」,第一时间获取技术干货,关注后回复1024 送你一份技术课程大礼包!
ElasticSearch实战:Linux日志对接Kibana的更多相关文章
- ElasticSearch实战-日志监控平台
1.概述 在项目业务倍增的情况下,查询效率受到影响,这里我们经过讨论,引进了分布式搜索套件——ElasticSearch,通过分布式搜索来解决当下业务上存在的问题.下面给大家列出今天分析的目录: El ...
- ElasticSearch实战-入门
http://www.cnblogs.com/smartloli/ 1.概述 今天接着<ElasticSearch实战-日志监控平台>一文来给大家分享后续的学习,在<ElasticS ...
- ElasticSearch实战
ElasticSearch实战-入门 1.概述 今天接着<ElasticSearch实战-日志监控平台>一文来给大家分享后续的学习,在<ElasticSearch实战-日志监控平台& ...
- ElasticSearch实战系列九: ELK日志系统介绍和安装
前言 本文主要介绍的是ELK日志系统入门和使用教程. ELK介绍 ELK是三个开源软件的缩写,分别表示:Elasticsearch , Logstash, Kibana , 它们都是开源软件.新增了一 ...
- Linux日志分析的实战专题
来自 日志也是用户应该注意的地方之一.不要低估日志文件对网络安全的重要作用,因为日志文件能够详细记录系统每天发生的各种各样的事件.用户可以通过日志文件 检查错误产生的原因,或者在受到攻击和黑客入侵 ...
- ElasticSearch实战系列六: Logstash快速入门和实战
前言 本文主要介绍的是ELK日志系统中的Logstash快速入门和实战 ELK介绍 ELK是三个开源软件的缩写,分别表示:Elasticsearch , Logstash, Kibana , 它们都是 ...
- ElasticSearch实战系列八: Filebeat快速入门和使用---图文详解
前言 本文主要介绍的是ELK日志系统中的Filebeat快速入门教程. ELK介绍 ELK是三个开源软件的缩写,分别表示:Elasticsearch , Logstash, Kibana , 它们都是 ...
- Elasticsearch系列(2):安装Elasticsearch(Linux环境)
系统环境 操作系统:CentOS 6.9 Elasticsearch:6.2.2 Filebeat:6.2.2(收集IIS日志) Kibana:6.2.2 Java:Java 8 注意:elk最好选择 ...
- ElasticSearch实战系列一: ElasticSearch集群+Kinaba安装教程
前言 本文主要介绍的是ElasticSearch集群和kinaba的安装教程. ElasticSearch介绍 ElasticSearch是一个基于Lucene的搜索服务器,其实就是对Lucene进行 ...
随机推荐
- PyCharm 安装教程(Windows)
python教程 http://www.runoob.com/python3/python3-basic-syntax.html PyCharm 是一款功能强大的 Python 编辑器,具有跨平台性, ...
- OpenGL ES中MRT应用
Demo涵盖了OpenGL ES 3.0 的一系列新特性: 1.VAO和VBO 2.帧缓冲对象 3.MRT 效果: 代码: //yf's version #define STB_IMAGE_IMPLE ...
- MVC+EF 多条件查询
根据以前的做法是拼接sql语句,这会增加维护成本,因为sql语句里的内容不会报错,所以在使用ef的时候必须要抛弃拼接sql语句的习惯. 构建实例 List<vyw_user> list = ...
- index.php入口文件至根目录
登录|注册 咖啡如同生活的专栏 从不羡慕别人的优秀,因为相信自己也可以优秀. 闲下来时看看书,书本里的故事,总有你学到的人生. 目录视图 摘要视图 订阅 异步赠书:9月重磅 ...
- jasperreports实现pdf文档的生成
1.导入jar包(pom.xml构建) <dependencies> <dependency> <groupId>com.lowagie</groupId&g ...
- linux_批量关闭进程
以下环境是 fedora24 linux 系统中的情况: 仿真中遇到意外弹出上百个图片,无法一下全部关闭. 可以使用: ps -ef|grep LOCAL=NO|grep -v grep|cut -c ...
- .NET简单学习
.NET是一个平台,对用户来说,只要下载了.NET Framework就可以运行.NET程序,获得需要的服务:对开发人员来说,平台对开发有着强有力的支持,方便创作各种应用软件. .NET Framew ...
- 剑指offer面试题25:二叉树中和为某一值的路径
题目:输入一棵二叉树和一个整数,打印出二叉树中结点值的和为输入整数的所有路径.从根节点开始往下一直到叶节点所经过的节点形成一条路径. 解题思路:当使用前序遍历的方式访问某一节点时,把该节点添加到路径上 ...
- kaldi的TIMIT实例三
============================================================================ MMI + SGMM2 Training &a ...
- 脑残式网络编程入门(一):跟着动画来学TCP三次握手和四次挥手
.引言 网络编程中TCP协议的三次握手和四次挥手的问题,在面试中是最为常见的知识点之一.很多读者都知道“三次”和“四次”,但是如果问深入一点,他们往往都无法作出准确回答. 本篇文章尝试使用动画图片的方 ...