本文由云+社区发表

ElasticSearch是一个基于Lucene的搜索服务器。它提供了一个分布式多用户能力的全文搜索引擎,基于RESTFul web接口。ElasticSearch是用Java开发的,并作为Apache许可条款下的开放源码发布,是当前流行的企业级搜索引擎。ElasticSearch常用于全文检索,结构化检索,数据分析等。

下面,我们以ElasticSearch接管Linux日志(/var/log/xxx.log)为例,详细介绍如何进行配置与部署。

总体架构图

一,准备工作

1,CVM及ElasticSearch

在腾讯云帐号下,申请一台CVM(Linux操作系统)、一个ElasticSearch集群(后面简称ES),使用最简配置即可;申请的CVM和ES,必须在同一个VPC的同一个子网下。

CVM详情信息

ElasticSearch详情信息

2,Filebeat工具

为了将Linux日志提取到ES中,我们需要使用Filebeat工具。Filebeat是一个日志文件托运工具,在你的服务器上安装客户端后,Filebeat会监控日志目录或者指定的日志文件,追踪读取这些文件(追踪文件的变化,不停的读),并且转发这些信息到ElasticSearch或者logstarsh中存放。当你开启Filebeat程序的时候,它会启动一个或多个探测器(prospectors)去检测你指定的日志目录或文件,对于探测器找出的每一个日志文件,Filebeat启动收割进程(harvester),每一个收割进程读取一个日志文件的新内容,并发送这些新的日志数据到处理程序(spooler),处理程序会集合这些事件,最后Filebeat会发送集合的数据到你指定的地点。

官网简介:https://www.elastic.co/products/beats/filebeat

二,操作步骤

1,Filebeat下载与安装

首先,登录待接管日志的CVM,在CVM上下载Filebeat工具:

[root@VM_3_7_centos ~]# cd /opt/

[root@VM_3_7_centos opt]# ll

total 4

drwxr-xr-x. 2 root root 4096 Sep  7  2017 rh

[root@VM_3_7_centos opt]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.2.2-x86_64.rpm

--2018-12-10 20:24:26--  https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.2.2-x86_64.rpm

Resolving artifacts.elastic.co (artifacts.elastic.co)... 107.21.202.15, 107.21.127.184, 54.225.214.74, ...

Connecting to artifacts.elastic.co (artifacts.elastic.co)|107.21.202.15|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: 12697788 (12M) [binary/octet-stream]

Saving to: ‘filebeat-6.2.2-x86_64.rpm’

100%[=================================================================================================>] 12,697,788   160KB/s   in 1m 41s 

2018-12-10 20:26:08 (123 KB/s) - ‘filebeat-6.2.2-x86_64.rpm’ saved [12697788/12697788]

然后,进行安装filebeat:

[root@VM_3_7_centos opt]# rpm -vi filebeat-6.2.2-x86_64.rpm

warning: filebeat-6.2.2-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY

Preparing packages...

filebeat-6.2.2-1.x86_64

[root@VM_3_7_centos opt]#

至此,Filebeat安装完成。

2,Filebeat配置

进入Filebeat配置文件目录:/etc/filebeat/

[root@VM_3_7_centos opt]# cd /etc/filebeat/

[root@VM_3_7_centos filebeat]# ll

total 108

-rw-r--r-- 1 root root 44384 Feb 17  2018 fields.yml

-rw-r----- 1 root root 52193 Feb 17  2018 filebeat.reference.yml

-rw------- 1 root root  7264 Feb 17  2018 filebeat.yml

drwxr-xr-x 2 root root  4096 Dec 10 20:35 modules.d

[root@VM_3_7_centos filebeat]#

其中,filebeat.yml就是我们需要修改的配置文件。建议修改配置前,先备份此文件。

然后,确认需要对接ElasticSearch的Linux的日志目录,我们以下图(/var/log/secure)为例。

/var/log/secure日志文件

使用vim打开/etc/filebeat/filebeat.yml文件,修改其中的:

1)Filebeat prospectors类目中,enable默认为false,我们要改为true

2)paths,默认为/var/log/*.log,我们要改为待接管的日志路径:/var/log/secure

3)Outputs类目中,有ElasticSearchoutput配置,其中hosts默认为"localhost:9200",需要我们手工修改为上面申请的ES子网地址和端口,即"10.0.3.8:9200"

修改好上述内容后,保存退出。

修改好的配置文件全文如下:

[root@VM_3_7_centos /]# vim /etc/filebeat/filebeat.yml

[root@VM_3_7_centos /]# cat /etc/filebeat/filebeat.yml

###################### Filebeat Configuration Example #########################

# This file is an example configuration file highlighting only the most common

# options. The filebeat.reference.yml file from the same directory contains all the

# supported options with more comments. You can use it as a reference.

#

# You can find the full configuration reference here:

# https://www.elastic.co/guide/en/beats/filebeat/index.html

# For more available modules and options, please see the filebeat.reference.yml sample

# configuration file.

#=========================== Filebeat prospectors =============================

filebeat.prospectors:

# Each - is a prospector. Most options can be set at the prospector level, so

# you can use different prospectors for various configurations.

# Below are the prospector specific configurations.

- type: log

  # Change to true to enable this prospector configuration.

  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.

  paths:

    - /var/log/secure

    #- c:\programdata\elasticsearch\logs\*

  # Exclude lines. A list of regular expressions to match. It drops the lines that are

  # matching any regular expression from the list.

  #exclude_lines: ['^DBG']

  # Include lines. A list of regular expressions to match. It exports the lines that are

  # matching any regular expression from the list.

  #include_lines: ['^ERR', '^WARN']

  # Exclude files. A list of regular expressions to match. Filebeat drops the files that

  # are matching any regular expression from the list. By default, no files are dropped.

  #exclude_files: ['.gz$']

  # Optional additional fields. These fields can be freely picked

  # to add additional information to the crawled log files for filtering

  #fields:

  #  level: debug

  #  review: 1

  ### Multiline options

  # Mutiline can be used for log messages spanning multiple lines. This is common

  # for Java Stack Traces or C-Line Continuation

  # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [

  #multiline.pattern: ^\[

  # Defines if the pattern set under pattern should be negated or not. Default is false.

  #multiline.negate: false

  # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern

  # that was (not) matched before or after or as long as a pattern is not matched based on negate.

  # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash

  #multiline.match: after

#============================= Filebeat modules ===============================

filebeat.config.modules:

  # Glob pattern for configuration loading

  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading

  reload.enabled: false

  # Period on which files under path should be checked for changes

  #reload.period: 10s

#==================== Elasticsearch template setting ==========================

setup.template.settings:

  index.number_of_shards: 3

  #index.codec: best_compression

  #_source.enabled: false

#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group

# all the transactions sent by a single shipper in the web interface.

#name:

# The tags of the shipper are included in their own field with each

# transaction published.

#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the

# output.

#fields:

#  env: staging

#============================== Dashboards =====================================

# These settings control loading the sample dashboards to the Kibana index. Loading

# the dashboards is disabled by default and can be enabled either by setting the

# options here, or by using the `-setup` CLI flag or the `setup` command.

#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL

# has a value which is computed based on the Beat name and version. For released

# versions, this URL points to the dashboard archive on the artifacts.elastic.co

# website.

#setup.dashboards.url:

#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.

# This requires a Kibana endpoint configuration.

setup.kibana:

  # Kibana Host

  # Scheme and port can be left out and will be set to the default (http and 5601)

  # In case you specify and additional path, the scheme is required: http://localhost:5601/path

  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601

  #host: "localhost:5601"

#============================= Elastic Cloud ==================================

# These settings simplify using filebeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and

# `setup.kibana.host` options.

# You can find the `cloud.id` in the Elastic Cloud web UI.

#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and

# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.

#cloud.auth:

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#-------------------------- Elasticsearch output ------------------------------

output.elasticsearch:

  # Array of hosts to connect to.

  hosts: ["10.0.3.8:9200"]

  # Optional protocol and basic auth credentials.

  #protocol: "https"

  #username: "elastic"

  #password: "changeme"

#----------------------------- Logstash output --------------------------------

#output.logstash:

  # The Logstash hosts

  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.

  # List of root certificates for HTTPS server verifications

  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication

  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key

  #ssl.key: "/etc/pki/client/cert.key"

#================================ Logging =====================================

# Sets log level. The default log level is info.

# Available log levels are: error, warning, info, debug

#logging.level: debug

# At debug level, you can selectively enable logging only for some components.

# To enable all selectors use ["*"]. Examples of other selectors are "beat",

# "publish", "service".

#logging.selectors: ["*"]

#============================== Xpack Monitoring ===============================

# filebeat can export internal metrics to a central Elasticsearch monitoring

# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The

# reporting is disabled by default.

# Set to true to enable the monitoring reporter.

#xpack.monitoring.enabled: false

# Uncomment to send the metrics to Elasticsearch. Most settings from the

# Elasticsearch output are accepted here as well. Any setting that is not set is

# automatically inherited from the Elasticsearch output configuration, so if you

# have the Elasticsearch output configured, you can simply uncomment the

# following line.

#xpack.monitoring.elasticsearch:

[root@VM_3_7_centos /]#

执行下列命令启动filebeat

[root@VM_3_7_centos /]# sudo /etc/init.d/filebeat start

Starting filebeat (via systemctl):                         [  OK  ]

[root@VM_3_7_centos /]#

3,Kibana配置

进入ElasticSearch对应的Kibana管理页,如下图。

首次访问Kibana默认会显示管理页

首次登陆,会默认进入Management页面,我们需要将Index pattern内容修改为:filebeat-*,然后页面会自动填充Time Filter field name,不需手动设置,直接点击Create即可。点击Create后,页面需要一定时间来加载配置和数据,请稍等。如下图:

将Index pattern内容修改为:filebeat-*,然后点击Create

至此,CVM上,/var/log/secure日志文件,已对接到ElasticSearch中,历史日志可以通过Kibana进行查询,最新产生的日志也会实时同步到Kibana中。

三,实战效果

日志接管已完成配置,如何使用呢?

如下图:

在Index Patterns中可以看到我们配置过的filebeat-*

点击Discover,即可看到secure中的所有日志,页面上方的搜索框中输入关键字,即可完成日志的检索。如下图(点击图片,可查看高清大图):

使用Kibana进行日志检索

实际上,检索只是Kibana提供的诸多功能之一,还有其他功能如可视化、分词检索等,还有待后续研究。

此文已由作者授权腾讯云+社区发布

搜索关注公众号「云加社区」,第一时间获取技术干货,关注后回复1024 送你一份技术课程大礼包!

ElasticSearch实战:Linux日志对接Kibana的更多相关文章

  1. ElasticSearch实战-日志监控平台

    1.概述 在项目业务倍增的情况下,查询效率受到影响,这里我们经过讨论,引进了分布式搜索套件——ElasticSearch,通过分布式搜索来解决当下业务上存在的问题.下面给大家列出今天分析的目录: El ...

  2. ElasticSearch实战-入门

    http://www.cnblogs.com/smartloli/ 1.概述 今天接着<ElasticSearch实战-日志监控平台>一文来给大家分享后续的学习,在<ElasticS ...

  3. ElasticSearch实战

    ElasticSearch实战-入门 1.概述 今天接着<ElasticSearch实战-日志监控平台>一文来给大家分享后续的学习,在<ElasticSearch实战-日志监控平台& ...

  4. ElasticSearch实战系列九: ELK日志系统介绍和安装

    前言 本文主要介绍的是ELK日志系统入门和使用教程. ELK介绍 ELK是三个开源软件的缩写,分别表示:Elasticsearch , Logstash, Kibana , 它们都是开源软件.新增了一 ...

  5. Linux日志分析的实战专题

      来自 日志也是用户应该注意的地方之一.不要低估日志文件对网络安全的重要作用,因为日志文件能够详细记录系统每天发生的各种各样的事件.用户可以通过日志文件 检查错误产生的原因,或者在受到攻击和黑客入侵 ...

  6. ElasticSearch实战系列六: Logstash快速入门和实战

    前言 本文主要介绍的是ELK日志系统中的Logstash快速入门和实战 ELK介绍 ELK是三个开源软件的缩写,分别表示:Elasticsearch , Logstash, Kibana , 它们都是 ...

  7. ElasticSearch实战系列八: Filebeat快速入门和使用---图文详解

    前言 本文主要介绍的是ELK日志系统中的Filebeat快速入门教程. ELK介绍 ELK是三个开源软件的缩写,分别表示:Elasticsearch , Logstash, Kibana , 它们都是 ...

  8. Elasticsearch系列(2):安装Elasticsearch(Linux环境)

    系统环境 操作系统:CentOS 6.9 Elasticsearch:6.2.2 Filebeat:6.2.2(收集IIS日志) Kibana:6.2.2 Java:Java 8 注意:elk最好选择 ...

  9. ElasticSearch实战系列一: ElasticSearch集群+Kinaba安装教程

    前言 本文主要介绍的是ElasticSearch集群和kinaba的安装教程. ElasticSearch介绍 ElasticSearch是一个基于Lucene的搜索服务器,其实就是对Lucene进行 ...

随机推荐

  1. jquery购物车计算总价

    //计算总价 function cartTotal(){ var total = 0; //循环计算的列,选中计算的数量和价格 //accAdd为精BigDecimal准计算方法 $.each($(& ...

  2. 【js jQuery】map集合 循环迭代取值---以及 map、json对象、list、array循环迭代的方法和区别

    后台给前台传来一个map @ResponseBody @RequestMapping(value = "getSys") public Map<Long,String> ...

  3. Linux环境下Redis集群实践

    环境:centos 7 一.编译及安装redis源码 源码地址:redis版本发布列表 cd redis-3.2.8 sudo make && make install 二.创建节点 ...

  4. [转]构建高性能MySQL体系

    来源:http://www.yunweipai.com/archives/21232.html 构建高性能MySQL系统涵盖从单机.硬件.OS.文件系统.内存到MySQL 本身的配置,以及schema ...

  5. 京东Alpha平台开发笔记系列(一)

    2018京东Alpha开发者大赛是由京东智能面向广大开发者举办的大型语音技能开发比赛,参赛者将通过Skill开放平台开发技能,在实现开发者自身价值的同时,为京东智能活跃用户提供更优质.更便捷.更智能的 ...

  6. python3--迭代

    判断一个对象是否能够进行迭代的方法 Iterable from collections import Iterable dict = {'name':'Joe','age':17} print (is ...

  7. Django 执行单独脚本及SyntaxError缩进报错解决

    有时候会碰到这样的场景,对于一些业务升级,我需要把数据库数据做些处理,同时又想以 Django 项目的环境变量执行脚本,这个时候使用 python 脚本是再适合不过的手段了. 注意:在pycharm里 ...

  8. 管道/FIFO

    管道: #include<stdio.h> #include<unistd.h> #include<stdlib.h> #include<string.h&g ...

  9. MySQL9:索引实战

    索引 无论是面试,还是实际工作中,对于一个Java程序员来说,数据库优化是避不开的一个技术点,关于数据库的优化,在性能达不到要求的情况下,我大致给出以下几个方向: (1)优化表结构,对常用字段和非常用 ...

  10. Java编程实现多线程TCP服务器完整实例

    Socket ·功能:TCP客户端套接字 ·构造方法:   Socket(InetAddress address, int port)   创建一个流套接字并将其连接到指定 IP 地址的指定端口号 · ...