1 Background
In a modern software system, logs are an essential component: they record the system's running state, error messages, user activity and other information. But once a system grows and spans many components, managing its logs becomes complex, and traditional approaches run into difficulties with centralised storage, search and analysis of log data.
ELK is a popular open-source toolset for tackling these log management challenges. It is made up of the following three main components:
ELFK (Elasticsearch, Logstash, Filebeat, Kibana) is a solution for real-time log analysis and monitoring. It consists of a set of open-source tools, each with its own role: Elasticsearch stores and indexes the log data, Logstash collects, filters and forwards logs, Filebeat is a lightweight log shipper, and Kibana visualises and analyses the log data.
2 Related concepts
3 Prerequisites
4 Installation and deployment
4.2 Linux system configuration
- Raise the maximum number of open files per process
vim /etc/security/limits.conf
# append at the end of the file; the first column must be the account that runs Elasticsearch (the RPM below creates the user "elasticsearch")
es soft nofile 65536
es hard nofile 65536
es soft nproc 65535
es hard nproc 65535
- Raise the maximum number of virtual memory areas per process
echo "vm.max_map_count = 262144" >> /etc/sysctl.conf
echo "fs.file-max = 1000000" >> /etc/sysctl.conf
sysctl -p
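A check script is useful after `sysctl -p`, because a wrong user name in limits.conf or a typo in sysctl.conf fails silently. The following is an added example, not part of the original post; it uses the minimum values the post itself writes and assumes `su`, `sysctl` and `ulimit` are available. Note that when Elasticsearch is started by systemd, as in the next section, pam_limits does not apply to the service: the RPM's elasticsearch.service sets LimitNOFILE and LimitNPROC itself, and overrides belong in a systemd drop-in (/etc/systemd/system/elasticsearch.service.d/override.conf) rather than in limits.conf.

```shell
#!/bin/sh
# Added example (not part of the original post): verify that the limits set
# above are actually in effect before starting Elasticsearch. The minimum
# values are the ones the post writes to limits.conf and sysctl.conf.

# es_at_least NAME HAVE WANT -> prints a verdict; returns 0 if HAVE >= WANT
# ("unlimited" counts as satisfied, a non-numeric value as a failure)
es_at_least() {
    name=$1; have=$2; want=$3
    if [ "$have" = unlimited ] || [ "$have" -ge "$want" ] 2>/dev/null; then
        echo "OK   $name=$have (minimum $want)"
        return 0
    fi
    echo "FAIL $name=$have (minimum $want)"
    return 1
}

# es_check_sysctl -> checks the two kernel parameters written to sysctl.conf
es_check_sysctl() {
    rc=0
    es_at_least vm.max_map_count "$(sysctl -n vm.max_map_count 2>/dev/null || echo 0)" 262144 || rc=1
    es_at_least fs.file-max "$(sysctl -n fs.file-max 2>/dev/null || echo 0)" 1000000 || rc=1
    return $rc
}

# es_check_user_limits USER -> checks nofile/nproc as a process started via
# su for USER sees them. Use the account that runs Elasticsearch: the RPM in
# the next section creates "elasticsearch", so "es" lines in limits.conf only
# take effect if that is really the name of the service account.
es_check_user_limits() {
    user=$1; rc=0
    nofile=$(su -s /bin/sh "$user" -c 'ulimit -n' 2>/dev/null || echo 0)
    nproc=$(su -s /bin/sh "$user" -c 'ulimit -u' 2>/dev/null || echo 0)
    es_at_least "nofile($user)" "$nofile" 65536 || rc=1
    es_at_least "nproc($user)" "$nproc" 65535 || rc=1
    return $rc
}

# Usage (as root, after sysctl -p):
#   es_check_sysctl && es_check_user_limits elasticsearch
```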
4.3 ELK installation and deployment
This guide installs ELK version 8.10.
4.3.1 Installing Elasticsearch
Elasticsearch ships with a bundled OpenJDK build from the JDK maintainers (GPLv2+CE), so there is no need to install a JDK beforehand.
- Download and install the public signing key:
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Download the Elasticsearch RPM package and install it
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.10.0-x86_64.rpm
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.10.0-x86_64.rpm.sha512
shasum -a 512 -c elasticsearch-8.10.0-x86_64.rpm.sha512
sudo rpm --install elasticsearch-8.10.0-x86_64.rpm
# output after the installation completes
Creating elasticsearch group... OK
Creating elasticsearch user... OK
--------------------------- Security autoconfiguration information ------------------------------
Authentication and authorization are enabled.
TLS for the transport and HTTP layers is enabled and configured.
The generated password for the elastic built-in superuser is : 6R-hxNMSxxxxxtxwW
If this node should join an existing cluster, you can reconfigure this with
'/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token '
after creating an enrollment token on your existing cluster.
You can complete the following actions at any time:
Reset the password of the elastic built-in superuser with
'/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'.
Generate an enrollment token for Kibana instances with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'.
Generate an enrollment token for Elasticsearch nodes with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'.
-------------------------------------------------------------------------------------------------
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
sudo systemctl start elasticsearch.service
[/usr/lib/tmpfiles.d/elasticsearch.conf:1] Line references path below legacy directory /var/run/, updating /var/run/elasticsearch → /run/elasticsearch; please update the tmpfiles.d/ drop-in file accordingly.
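The download, checksum and install commands above are run one after another, so a failing `shasum -c` does not stop the `rpm --install` that follows it. The script below is an added example, not code from the original post or from Elastic: it refuses to install unless both the published SHA-512 digest and the RPM's GPG signature (checked with `rpm --checksig` against the key imported above) verify. It assumes `curl`, `sha512sum`, `awk` and `rpm` are present and that it runs as root; the package base URL and file name are passed in, as in the post's own download commands.

```shell
#!/bin/sh
# Added example (not part of the original post): download an Elastic RPM,
# verify the published SHA-512 digest and the RPM's GPG signature, and install
# only if both checks pass.
set -eu

# verify_sha512 FILE SUMFILE -> 0 if the digest recorded in SUMFILE
# ("<hex>  <name>", the format Elastic publishes) matches FILE
verify_sha512() {
    file=$1; sumfile=$2
    expected=$(awk 'NR == 1 { print tolower($1) }' "$sumfile")
    actual=$(sha512sum "$file" | awk '{ print tolower($1) }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# install_elastic_rpm BASE_URL PACKAGE -> fetch, verify, install
# e.g. install_elastic_rpm https://artifacts.elastic.co/downloads/elasticsearch elasticsearch-8.10.0-x86_64.rpm
install_elastic_rpm() {
    base=$1; pkg=$2
    curl -fsSLO "$base/$pkg"
    curl -fsSLO "$base/$pkg.sha512"
    if ! verify_sha512 "$pkg" "$pkg.sha512"; then
        echo "refusing to install $pkg: SHA-512 digest does not match" >&2
        return 1
    fi
    # the signing key from the post; --checksig fails if the package is not signed with it
    rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
    if ! rpm --checksig "$pkg"; then
        echo "refusing to install $pkg: GPG signature check failed" >&2
        return 1
    fi
    rpm --install "$pkg"
}
```

The digest file only proves the download matches what the server published at that moment; the GPG signature ties the package to Elastic's key, which is the check that still holds if the download mirror itself is compromised.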
- Start
When Elasticsearch is installed, security features are enabled and configured by default. The installation performs the following security configuration automatically:
Authentication and authorization are enabled, and a password is generated for the elastic built-in superuser.
TLS certificates and keys are generated for the transport and HTTP layers, and TLS is enabled and configured with them.
The password, certificates and keys are printed to your terminal.
We recommend storing the elastic password as an environment variable in your shell. Example:
export ELASTIC_PASSWORD="your_password"
Joining an existing cluster
/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node
/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token
- Configure Elasticsearch to start on boot
To have Elasticsearch start automatically at boot, run:
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable elasticsearch.service
# Single-node ES configuration in /etc/elasticsearch/elasticsearch.yml:
comment out cluster.initial_master_nodes: ["localhost"]
and add discovery.type: single-node
sudo systemctl start elasticsearch.service
- Reset the elastic password
[root@VM-48-14-centos ~]# /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
This tool will reset the password of the [elastic] user to an autogenerated value.
The password will be printed in the console.
Please confirm that you would like to continue [y/N]y
Password for the [elastic] user successfully reset.
New value: 6MhAxxxxxxxxxtW
If your Elasticsearch keystore is password-protected, you need to supply the keystore password to systemd via a local file and a systemd environment variable. This local file should be protected while it exists and can be safely deleted once Elasticsearch is up and running.
echo "keystore_password" > /path/to/my_pwd_file.tmp
chmod 600 /path/to/my_pwd_file.tmp
sudo systemctl set-environment ES_KEYSTORE_PASSPHRASE_FILE=/path/to/my_pwd_file.tmp
sudo systemctl start elasticsearch.service
View the logs
sudo journalctl --unit elasticsearch
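The passphrase file above is written with `echo` (so the secret lands in the shell history) and has to be removed by hand afterwards. The following is an added example, not code from the original post, showing the same hand-over with the file created under a private umask, owned by the service account, and removed together with the systemd environment entry whether or not the start succeeds. It assumes it runs as root, that the service account is `elasticsearch` (the user the RPM created above), and that the passphrase is fed on stdin.

```shell
#!/bin/sh
# Added example (not part of the original post): pass the keystore passphrase
# to systemd through a short-lived file, as described above, without leaving
# the secret in shell history, in a world-readable file, or in systemd's
# environment after Elasticsearch has started.

# make_secret_file -> reads stdin into a new 0600 file and prints its path
make_secret_file() {
    old_umask=$(umask)
    umask 077                                  # no group/other access on anything created below
    f=$(mktemp /tmp/es_keystore_pw.XXXXXX) || return 1
    cat > "$f"                                 # the passphrase, with its trailing newline
    umask "$old_umask"
    printf '%s\n' "$f"
}

# start_es_with_keystore_pw -> passphrase on stdin; returns systemctl's exit status
start_es_with_keystore_pw() {
    f=$(make_secret_file) || return 1
    # elasticsearch.service runs as the "elasticsearch" user created by the RPM
    # (assumption: that is the service account on this host), so it, not root,
    # must be able to read the file
    chown elasticsearch:elasticsearch "$f"
    systemctl set-environment ES_KEYSTORE_PASSPHRASE_FILE="$f"
    systemctl start elasticsearch.service
    rc=$?
    # leave no passphrase behind, whether the start succeeded or not
    rm -f "$f"
    systemctl unset-environment ES_KEYSTORE_PASSPHRASE_FILE
    return $rc
}

# Usage (as root), reading the passphrase from a prompt rather than the command line:
#   stty -echo; printf 'keystore passphrase: '; read -r pw; stty echo; echo
#   printf '%s\n' "$pw" | start_es_with_keystore_pw
```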
- Check the service status
[root@VM-48-14-centos ~]# curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic:6MhAuNxxxxxxdtW https://localhost:9200
{
"name" : "elk-host",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "cLLsiBX1ToirQuBKwyA-1g",
"version" : {
"number" : "8.10.0",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "e338da74c79465dfdc204971e600342b0aa87b6b",
"build_date" : "2023-09-07T08:16:21.960703010Z",
"build_snapshot" : false,
"lucene_version" : "9.7.0",
"minimum_wire_compatibility_version" : "7.17.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "You Know, for Search"
}
- View the ES configuration
[root@VM-48-14-centos ~]# egrep -v "^#|^$" /etc/elasticsearch/elasticsearch.yml
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
discovery.type: single-node
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
enabled: true
keystore.path: certs/http.p12
xpack.security.transport.ssl:
enabled: true
verification_mode: certificate
keystore.path: certs/transport.p12
truststore.path: certs/transport.p12
http.host: 0.0.0.0
Configure automatic index creation
PUT _cluster/settings
{
"persistent": {
"action.auto_create_index": "true"
}
}
GET _cluster/settings
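With `action.auto_create_index` set to `true`, any client that can write to the cluster can create indices with arbitrary names, so a typo in a Logstash or Filebeat `index` setting silently creates a new index instead of failing. Elasticsearch also accepts a comma-separated list of wildcard patterns, each prefixed with `+` (allow) or `-` (deny), tested in order with the first match deciding; a name that matches no pattern is denied. A value such as `+logstash-*,+filebeat-*,-*` therefore allows only the names this pipeline uses. The script below is an added example, not part of the original post or of Elasticsearch: it emulates that evaluation in the shell so a candidate value can be checked against the index names in use before the `PUT _cluster/settings` is issued.

```shell
#!/bin/sh
# Added example (not part of the original post): emulate how Elasticsearch
# evaluates action.auto_create_index. The value is "true" (any index may be
# auto-created, the value set above), "false" (none), or a comma-separated
# list of wildcard patterns, each prefixed with "+" (allow) or "-" (deny; a
# bare pattern allows), tested in order: the first matching pattern decides,
# and a name that matches no pattern is denied.

# es_auto_create_allowed SETTING INDEX_NAME -> 0 if INDEX_NAME may be auto-created
es_auto_create_allowed() {
    setting=$1; index=$2
    case "$setting" in
        true)  return 0 ;;
        false) return 1 ;;
    esac
    rest=$setting
    while [ -n "$rest" ]; do
        pat=${rest%%,*}                                     # next comma-separated entry
        case "$rest" in *,*) rest=${rest#*,} ;; *) rest= ;; esac
        pat=$(printf '%s' "$pat" | sed 's/^ *//; s/ *$//')  # tolerate spaces around commas
        case "$pat" in
            +*) verdict=0; glob=${pat#+} ;;
            -*) verdict=1; glob=${pat#-} ;;
            *)  verdict=0; glob=$pat ;;
        esac
        case "$index" in
            $glob) return $verdict ;;                       # first match wins
        esac
    done
    return 1                                                # nothing matched: denied
}

# Usage:
#   es_auto_create_allowed '+logstash-*,+filebeat-*,-*' secret-customers && echo allowed || echo denied
```

Once the pattern list is chosen, the cluster setting is applied exactly as in the `PUT _cluster/settings` request above, with the list in place of `"true"`.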
4.3.2 Installing Kibana
Install Kibana from the RPM package, version 8.10
wget https://artifacts.elastic.co/downloads/kibana/kibana-8.10.2-x86_64.rpm
wget https://artifacts.elastic.co/downloads/kibana/kibana-8.10.2-x86_64.rpm.sha512
shasum -a 512 -c kibana-8.10.2-x86_64.rpm.sha512
sudo rpm --install kibana-8.10.2-x86_64.rpm
# enable Kibana to start on boot
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable kibana.service
- Generate an enrollment token for Kibana
[root@elk-host ~]# /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
eyJ2ZXIiOiI4LjEwLjAiLCJhZHIiOlsiMTcyLjE3LjQ4LjE0OjkyMDAiXSwiZmdyIjoiMTk0MTM0MzQ4NTg5M2Y2Y2Y3xxxxxxxcyYmU4ZTM5NDNmMzg5Mzc0MjA2ZTE4MSIsImtleSI6Ikt5cTlEb3NCR20tYS1uXzNkQ0JEOmlMODEtNWNqU25Da0dkV0o3LXB2VkEifQ==
- Start Kibana
# change Kibana to listen on 0.0.0.0
server.host: 0.0.0.0
Enter the token
Once configuration is complete, log in with the Elasticsearch username and password
elastic:6MhAuNxxxxxxxxkdtW
4.3.3 Installing Logstash
Logstash version 8.10
Install with yum
- Configure the yum repository and install
sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
# write the Elastic yum repository definition
cat > /etc/yum.repos.d/logstash.repo "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
index => "logstash-%{+YYYY.MM.dd}"
ssl_certificate_verification => false
user => "elastic"
password => "6MxxxxxxxxdtW"
}
}
EOF
- Start the service
systemctl start logstash
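The visible part of the pipeline above has two settings worth catching before the file goes into /etc/logstash/conf.d: `ssl_certificate_verification => false` makes Logstash accept any certificate on the Elasticsearch connection, which throws away the TLS that the installer configured, and `password => "6MxxxxxxxxdtW"` stores the superuser password in clear text in a config file. The lint function below is an added example, not part of the original post or of Logstash. It flags both settings in a pipeline file, and the hardened stanza it writes pins the CA certificate the installer generated (the same `http_ca.crt` the post uses with curl) through the output plugin's `cacert` option and reads the password from the Logstash keystore as `${ES_PWD}`. The `hosts` value and the keystore entry name `ES_PWD` are assumptions; the page does not show them. The logstash user also needs read access to the CA file, so copy it to a path that user can read rather than opening up /etc/elasticsearch/certs.

```shell
#!/bin/sh
# Added example (not part of the original post): find weak settings in a
# Logstash elasticsearch output and show the hardened form.

# lint_logstash_output FILE -> prints one line per finding; returns the number
# of findings, so 0 means clean
lint_logstash_output() {
    file=$1; findings=0
    if grep -Eq '^[[:space:]]*ssl_certificate_verification[[:space:]]*=>[[:space:]]*false' "$file"; then
        echo "$file: ssl_certificate_verification => false accepts any server certificate; pin the CA with cacert instead"
        findings=$((findings + 1))
    fi
    # a password literal: quoted value whose first character is not the "$" of a ${VAR} reference
    if grep -Eq "^[[:space:]]*password[[:space:]]*=>[[:space:]]*[\"'][^\$\"']" "$file"; then
        echo "$file: password is a clear-text literal; keep it in the Logstash keystore and reference it as \"\${ES_PWD}\""
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample reproducing the weak settings visible in the post's output block
# (hosts is assumed; the post does not show it)
weak_output_stanza() {
    cat <<'EOF'
output {
  elasticsearch {
    hosts => ["https://localhost:9200"]
    index => "logstash-%{+YYYY.MM.dd}"
    ssl_certificate_verification => false
    user => "elastic"
    password => "6MxxxxxxxxdtW"
  }
}
EOF
}

# Hardened equivalent. Create the keystore entry first, as the logstash user:
#   sudo -u logstash /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add ES_PWD
# A dedicated write-only account for this pipeline is preferable to "elastic".
hardened_output_stanza() {
    cat <<'EOF'
output {
  elasticsearch {
    hosts => ["https://localhost:9200"]
    index => "logstash-%{+YYYY.MM.dd}"
    cacert => "/etc/logstash/certs/http_ca.crt"
    user => "elastic"
    password => "${ES_PWD}"
  }
}
EOF
}

# Usage: lint every pipeline file before (re)starting Logstash
#   for f in /etc/logstash/conf.d/*.conf; do lint_logstash_output "$f"; done
```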
4.3.4 Installing Filebeat
Install version 8.10 using the RPM package
- Install
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.10.2-x86_64.rpm
sudo rpm -vi filebeat-8.10.2-x86_64.rpm
# start on boot
systemctl enable filebeat
- Configure Filebeat
Start with a simple configuration that reads local log files and sends them to Logstash
filebeat.inputs:
- type: filestream
# Unique ID among all inputs, an ID is required.
id: my-filestream-id
# Change to true to enable this input configuration.
enabled: true
# Paths that should be crawled and fetched. Glob based paths.
paths:
- /var/log/*.log
output.logstash:
# The Logstash hosts
hosts: ["localhost:5044"]
View the Filebeat logs
journalctl -fu filebeat
5 Testing
6 Notes
- If Kibana reports an error, you can run the following inside the ES container to reset the kibana_system user's password:
elasticsearch-reset-password -i -u kibana_system
References
- www.elastic.co/guide/en/el…
- www.elastic.co/guide/en/lo…
- www.elastic.co/guide/en/ki…