3-ELK架构优化篇

Filebeat二进制安装与启动

Logstash收集日志

1. 依赖于Java环境，用来收集日志比较重，占用内存和CPU
2. Filebeat相对轻量，占用服务器资源小
3. 一般选用Filebeat来进行日志收集

Filebeat的安装

1. 下载二进制文件
2. 解压移到对应的目录完成安装/usr/local/

Filebeat的二进制安装

cd /usr/local/src/

tar -zxf filebeat-6.6.0-linux-x86_64.tar.gz

mv filebeat-6.6.0-linux-x86_64 /usr/local/filebeat-6.6.0

部署服务介绍

1. 192.168.1.10: Kibana、ES
2. 192.168.1.11: Filebeat

Filebeat直接发送日志到ES配置/usr/local/filebeat-6.6.0/filebeat.yml

filebeat.inputs:
- type: log
  tail_files: true
  backoff: "1s"
  paths:
      - /usr/local/nginx/logs/access.log

output:
  elasticsearch:
    hosts: ["192.168.1.10:9200"]

启动Filebeat

1. 前台启动： /usr/local/filebeat-6.6.0/filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml
2. 后台启动：nohup /usr/local/filebeat-6.6.0/filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml >/tmp/filebeat.log 2>&1 &

Kibana上查看日志数据

1. GET /xxx/_search?q=*
2. 创建索引观察

创建索引：

Filebeat -> ES -> Kibana 结构特点

1. 适合查看日志
2. 不适合具体日志的分析

Filebeat+Logstash新架构

Filebeat和Logstash说明

1. Filebeat：轻量级，但不支持正则、不能移除字段等
2. Logstash：比较重，但支持正则、支持移除字段等

搭建架构演示

1. Logstash -> Elasticsearch -> Kibana
2. Filebeat -> Elasticsearch -> Kibana
3. Filebeat -> Logstash -> Elasticsearch -> Kibana

部署服务介绍

1. 192.168.1.10: Kibana、ES
2. 192.168.1.11: Logstash、Filebeat

Filebeat配置发往Logstash：/usr/local/filebeat-6.6.0/filebeat.yml

filebeat.inputs:
- type: log
  tail_files: true
  backoff: "1s"
  paths:
      - /usr/local/nginx/logs/access.log

output:
  logstash:
    hosts: ["192.168.1.11:5044"]

此时端口还不通

Logstash配置监听在5044端口，接收Filebeat发送过来的日志 /usr/local/logstash-6.6.0/config/logstash.conf

input {
  beats {
    host => '0.0.0.0'
    port => 5044
  }
}

kill进程重载配置：nohup /usr/local/logstash-6.6.0/bin/logstash -f /usr/local/logstash-6.6.0/config/logstash.conf >/tmp/logstash.log 2>/tmp/logstash.log &

删除之前所有的索引数据，在Kibana上查看数据

访问nginx页面

filebeat日志查看

1. GET /xxx/_search?q=*

自动生成新索引

1. 创建索引查看数据

Logstash上移除不必要的字段

1. Filebeat发过来的无用字段比较多
2. remove_field => ["message","@version","path","beat","input","log","offset","prospector","source","tags"]

删除相应字段后的展示结果：

Filebeat批量部署比Logstash要方便得多

1. Logstash监听在内网
2. Filebeat发送给内网的Logstash

新架构

Filebeat(多台)

Filebeat(多台) -> Logstash(正则) -> Elasticsearch(入库) -> Kibana展现

Filebeat(多台)

Json格式日志的采集

Json的好处

1. 原生日志需要做正则匹配，比较麻烦
2. Json格式的日志不需要正则能直接分段采集

Nginx使用Json格式日志 /usr/local/nginx/conf/nginx.conf

log_format json '{"@timestamp":"$time_iso8601",'
                 '"clientip":"$remote_addr",'
                 '"status":$status,'
                 '"bodysize":$body_bytes_sent,'
                 '"referer":"$http_referer",'
                 '"ua":"$http_user_agent",'
                 '"handletime":$request_time,'
                 '"url":"$uri"}';
access_log  logs/access.log;
access_log  logs/access.json.log  json;

/usr/local/nginx/sbin/nginx -s reload

部署服务介绍

1. 192.168.1.10: Kibana、ES
2. 192.168.1.11: Logstash、Filebeat

Filebeat采集Json格式的日志 /usr/local/filebeat-6.6.0/filebeat.yml

filebeat.inputs:
- type: log
  tail_files: true
  backoff: "1s"
  paths:
      - /usr/local/nginx/logs/access.json.log
output:
  logstash:
hosts: ["192.168.1.11:5044"]

重启：

nohup /usr/local/filebeat-6.6.0/filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml >/tmp/filebeat.log 2>&1 &

Logstash正则提取的配置备份 /usr/local/logstash-6.6.0/config/logstash.conf

filter {
    grok {
        match => {
            "message" => '(?<clientip>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) - - \[(?<requesttime>[^ ]+ \+[0-9]+)\] "(?<requesttype>[A-Z]+) (?<requesturl>[^ ]+) HTTP/\d.\d" (?<status>[0-9]+) (?<bodysize>[0-9]+) "[^"]+" "(?<ua>[^"]+)"'
        }
        remove_field => ["message","@version","path","beat","input","log","offset","prospector","source","tags"]
    }
    date {
        match => ["requesttime", "dd/MMM/yyyy:HH:mm:ss Z"]
        target => "@timestamp"
    }
}

Logstash解析Json日志 json source 字段可以自动覆盖timestamp

input {
  beats {
    host => '0.0.0.0'
    port => 5044
  }
}
filter {
  json {     source => "message"     remove_field => ["message","@version","path","beat","input","log","offset","prospector","source","tags"]   }
}
output {
  elasticsearch {
    hosts => ["http://192.168.1.10:9200"]
  }
}

采集多个日志

1. 收集单个Nginx日志
2. 如果有采集多个日志的需求

Filebeat采集多个日志

Filebeat采集多个日志配置 /usr/local/filebeat-6.6.0/filebeat.yml

filebeat.inputs:
- type: log
  tail_files: true
  backoff: "1s"
  paths:
      - /usr/local/nginx/logs/access.json.log
  fields:
    type: access
  fields_under_root: true
- type: log
  tail_files: true
  backoff: "1s"
  paths:
      - /var/log/secure
  fields:
    type: secure
  fields_under_root: true
output:
  logstash:
    hosts: ["192.168.1.11:5044"]

Logstash如何判断两个日志

1. Filebeat加入一字段用来区别
2. Logstash使用区别字段来区分

Logstash通过type字段进行判断，并自定义索引进行区分 /usr/local/logstash-6.6.0/config/logstash.conf

input {
        beats {
                host => '0.0.0.0'
                port => 5044 
        }
}

filter {
  if [type] == "access" {
    json {
      source => "message"
      remove_field => ["message","@version","path","beat","input","log","offset","prospector","source","tags"]
    }
  }
}

output{
  if [type] == "access" {
    elasticsearch {
      hosts => ["http://192.168.1.10:9200"]
      index => "access-%{+YYYY.MM.dd}"
    }
  }
  else if [type] == "secure" {
    elasticsearch {
      hosts => ["http://192.168.1.10:9200"]
      index => "secure-%{+YYYY.MM.dd}"
    }
  }
}

网页上建立索引

1. access索引
2. secure索引

索引查看

access日志

secure日志

Redis服务器的编译安装

之前架构

Filebeat(多台)

Filebeat(多台) -> Logstash(正则) -> Elasticsearch(入库) -> Kibana展现

Filebeat(多台)

架构存在的问题

1. Logstash性能不足的时候
2. 扩容Logstash，Filebeat的配置可能会不一致

我们使用消息队列，通过异步处理请求，从而缓解系统的压力。消息队列常应用于异步处理，流量削峰，应用解耦，消息通讯等场景

架构优化

Filebeat(多台) Logstash

Filebeat(多台) -> Redis、Kafka -> Logstash(正则) -> Elasticsearch(入库) -> Kibana展现

Filebeat(多台) Logstash

部署服务介绍

1. 192.168.1.10: Kibana、ES
2. 192.168.1.11: Logstash、Filebeat、Redis

Redis服务器搭建

yum install -y wget net-tools gcc gcc-c++ make tar openssl openssl-devel cmake

cd /usr/local/src

wget 'http://download.redis.io/releases/redis-4.0.9.tar.gz'

tar -zxf redis-4.0.9.tar.gz

cd redis-4.0.9

make

mkdir -pv /usr/local/redis/conf /usr/local/redis/bin

cp src/redis* /usr/local/redis/bin/

cp redis.conf /usr/local/redis/conf

验证Redis服务器

1. 更改Redis配置（daemon yes、dir /tmp/、requirepass ljh 、bind 0.0.0.0）
2. 密码设置为ljh
3. 验证set、get操作

Redis的启动命令

/usr/local/redis/bin/redis-server /usr/local/redis/conf/redis.conf

Redis的简单操作

/usr/local/redis/bin/redis-cli

auth 'ljh'

set name ljh

get name

Filebeat和Logstash间引入Redis

部署服务介绍

1. 192.168.1.10: Kibana、ES
2. 192.168.1.11: Logstash、Filebeat、Redis

Filebeat配置写入到Redis

filebeat.inputs:
- type: log
  tail_files: true
  backoff: "1s"
  paths:
      - /usr/local/nginx/logs/access.json.log
  fields:
    type: access
  fields_under_root: true
output:
  redis:
      hosts: ["192.168.1.11"]
      port: 6379
      password: 'ljh'
      key: 'access'

redis日志：

进入redis查看缓存数据

Logstash从Redis中读取数据 /usr/local/logstash-6.6.0/config/logstash.conf

input {
  redis {
    host => '192.168.1.11'
    port => 6379
    key => "access"
    data_type => "list"
    password => 'ljh'
  }
}

kill $(ps aux | grep logstash | grep -v grep | awk '{print $2}' | head -1)

nohup /usr/local/logstash-6.6.0/bin/logstash -f /usr/local/logstash-6.6.0/config/logstash.conf >/tmp/logstash.log 2>/tmp/logstash.log &

架构优化

Filebeat(多台) Logstash

Filebeat(多台) -> Redis、Kafka -> Logstash(正则) -> Elasticsearch(入库) -> Kibana展现

Filebeat(多台) Logstash

Kafka服务器二进制安装

实战环境

192.168.1.11: Logstash、Kafka、Filebeat

Kafka

1. Kafka依赖于Zookeeper
2. 两个都依赖于Java

Kafka依赖于Zookeeper

1. 官方网站：https://zookeeper.apache.org/
2. 下载ZK的二进制包
3. 解压到对应目录完成安装

ZK的安装命令

cd /usr/local/src

tar -zxf zookeeper-3.4.13.tar.gz

mv zookeeper-3.4.13 /usr/local/

cp /usr/local/zookeeper-3.4.13/conf/zoo_sample.cfg /usr/local/zookeeper-3.4.13/conf/zoo.cfg

ZK的启动

1. 更改配置 /usr/local/zookeeper-3.4.13/conf/zoo.cfg：clientPortAddress=0.0.0.0
2. 启动：/usr/local/zookeeper-3.4.13/bin/zkServer.sh start

Kafka下载地址

1. Kafka官网：http://kafka.apache.org/
2. 下载Kafka的二进制包
3. 解压到对应目录完成安装

Kafka的安装命令

cd /usr/local/src/

tar -zxf kafka_2.11-2.1.1.tgz

mv kafka_2.11-2.1.1 /usr/local/kafka_2.11

Kafka的启动

更改kafka的配置：更改监听地址、更改连接zk的地址

vim /usr/local/kafka_2.11/config/server.properties

前台启动：/usr/local/kafka_2.11/bin/kafka-server-start.sh /usr/local/kafka_2.11/config/server.properties

启动kafka：nohup /usr/local/kafka_2.11/bin/kafka-server-start.sh /usr/local/kafka_2.11/config/server.properties >/tmp/kafka.log 2>&1 &

Filebeat和Logstash间引入Kafka

Filebeat日志发送到Kafka：/usr/local/filebeat-6.6.0/filebeat.yml

filebeat.inputs:
- type: log
  tail_files: true
  backoff: "1s"
  paths:
      - /usr/local/nginx/logs/access.json.log
  fields:
    type: access
  fields_under_root: true

output:
  kafka:
    hosts: ["192.168.1.11:9092"]
    topic: ljh

Logstash读取Kafka：/usr/local/logstash-6.6.0/config/logstash.conf

input {
  kafka {
    bootstrap_servers => "192.168.1.11:9092"
    topics => ["ljh"]
    group_id => "ljh"
    codec => "json"
  }
}

filter {
  if [type] == "access" {
    json {
      source => "message"
      remove_field => ["message","@version","path","beat","input","log","offset","prospector","source","tags"]
    }
  }
}

output{
  if [type] == "access" {
    elasticsearch {
      hosts => ["http://192.168.1.10:9200"]
      index => "access-%{+YYYY.MM.dd}"
    }
  }
}

kibana观测结果：

也可以选择output可以先检测标准化输出

output {
  stdout {
    codec=>rubydebug
  }
}

logstash日志

Kafka查看队列信息

1. 查看Group： ./kafka-consumer-groups.sh --bootstrap-server 192.168.1.11:9092 --list
2. 查看队列：./kafka-consumer-groups.sh --bootstrap-server 192.168.1.11:9092 --group ljh --describe

当出现访问消息堆积时候，lag数量上升