The so-called ELK refers to Elasticsearch, Logstash and Kibana, three open-source tools for collecting, analysing and visualising logs.
ElasticSearch
Elasticsearch (commonly abbreviated ES) is the core component of the ELK stack. It is a highly scalable open-source full-text search and analytics engine built on Apache Lucene. It can store, search and analyse large volumes of data quickly and in near real time. It is typically used as the underlying engine that powers applications with complex search features and requirements, and it can store, search and analyse massive data sets with response times close to real time, on the order of seconds.
Basic concepts
- Cluster: a collection of nodes that store index data.
- Node: a single running ElasticSearch instance. Depending on a node's master and data settings there are three kinds of node:
  - master node: node.master=true, node.data=false
  - data node: node.master=false, node.data=true
  - routing node: node.master=false, node.data=false
- Document: the basic unit of information that gets indexed; it is expressed as a JSON document.
- Mapping: the definition of the fields in a document.
- Index: a set of data with common characteristics; it contains many mappings.
- Type: a logical partition of an index. One index could hold several types; this concept was removed in the versions after 6.0.
- Shards & Replicas: index files are stored across several shards, and each shard is copied to replicas on other nodes, which is what gives Elasticsearch its high availability.
| MySQL | ElasticSearch |
|---|---|
| database | index |
| table | type |
| row | document |
| field | term |
Installation
```shell
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.2.4.tar.gz
tar xvfz elasticsearch-6.2.4.tar.gz
cd elasticsearch-6.2.4
sed -i 's/#network.host: 192.168.0.1/network.host: 10.224.77.184/g' ./config/elasticsearch.yml
```
Start it as a background process and check that it answers:
```shell
./bin/elasticsearch -d
curl 'http://10.224.77.184:9200/?pretty'
```
To issue a query:
```shell
curl -X GET "http://10.224.76.179:9200/_search" -H 'Content-Type: application/json' -d'
{
  "query": {
    "query_string" : {
      "default_field" : "content",
      "query" : "this AND that OR thus"
    }
  }
}
'
```
Usage
ElasticSearch provides an easy-to-use REST API.
- List the nodes
```shell
$ curl -XGET 'http://10.224.77.184:9200/_cat/nodes?v'
ip            heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.224.76.179           32          94  12    0.47    0.26     0.23 mdi       *      czVTNso
```
- Query the cluster health
```shell
$ curl -XGET 'http://10.224.77.184:9200/_cluster/health?pretty=true'
{
  "cluster_name" : "elasticsearch",
  "status" : "yellow",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 51,
  "active_shards" : 51,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 51,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 50.0
}
```
- Create an index
```shell
curl -XPUT 'http://10.224.77.184:9200/booklib/?pretty'
```
- Create an index, a type and a document in one step (Elasticsearch 6 requires the Content-Type header on JSON bodies)
```shell
$ curl -XPUT 'http://10.224.77.184:9200/booklib/walter/1?pretty' -H 'Content-Type: application/json' -d '{ "title": "posa1"}'
{
  "_index" : "booklib",
  "_type" : "walter",
  "_id" : "1",
  "_version" : 1,
  "result" : "created",
  "_shards" : {
    "total" : 2,
    "successful" : 1,
    "failed" : 0
  },
  "created" : true
}
```
- Get a document
```shell
curl -XGET 'http://10.224.77.184:9200/booklib/walter/1?pretty'
```
- Search documents
```shell
curl -XPOST 'http://10.224.77.184:9200/booklib/_search' -H 'Content-Type: application/json' -d '{ "query": {"match_all": {}}, "size": 3}'
{"took":13,"timed_out":false,"_shards":
{"total":5,"successful":5,"skipped":0,"failed":0},
"hits":{"total":1,"max_score":1.0,
"hits":[{"_index":"booklib","_type":"walter","_id":"1","_score":1.0,"_source":{ "title": "posa1"}}]}}
```
- Delete a document
```shell
curl -XDELETE 'http://10.224.77.184:9200/booklib/walter/1?pretty'
```
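As an added example (not part of the original post), the Python helper below parses the `_cat/nodes?v` table and the `_cluster/health` JSON shown above: it maps the node.role letters back to the node types from the concepts list and explains why a single-node cluster reports yellow with every replica unassigned. The sample input is copied from the page's own output; the function names are my own.

```python
import json

# Constructed sample input copied from the page's `_cat/nodes?v` and
# `_cluster/health` output (not fetched live).
CAT_NODES = """\
ip            heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.224.76.179           32          94  12    0.47    0.26     0.23 mdi       *      czVTNso
"""
HEALTH = json.loads("""{
  "cluster_name": "elasticsearch", "status": "yellow", "timed_out": false,
  "number_of_nodes": 1, "number_of_data_nodes": 1,
  "active_primary_shards": 51, "active_shards": 51, "relocating_shards": 0,
  "initializing_shards": 0, "unassigned_shards": 51, "delayed_unassigned_shards": 0,
  "number_of_pending_tasks": 0, "number_of_in_flight_fetch": 0,
  "task_max_waiting_in_queue_millis": 0, "active_shards_percent_as_number": 50.0
}""")

# One-letter codes in the node.role column; a node with none of them is a
# pure coordinating node (the page's "routing node").
ROLE_CODES = {"m": "master-eligible", "d": "data", "i": "ingest"}

def parse_cat_nodes(text):
    """Parse the whitespace-aligned _cat/nodes?v table into one dict per node."""
    lines = [l for l in text.splitlines() if l.strip()]
    header, nodes = lines[0].split(), []
    for line in lines[1:]:
        row = dict(zip(header, line.split()))
        row["roles"] = [ROLE_CODES[c] for c in row["node.role"] if c in ROLE_CODES] or ["coordinating"]
        row["is_elected_master"] = row["master"] == "*"
        nodes.append(row)
    return nodes

def diagnose_health(health):
    """Explain the cluster colour from the _cluster/health counters."""
    if health["status"] == "green":
        return "green: all primaries and replicas allocated"
    unassigned, data_nodes = health["unassigned_shards"], health["number_of_data_nodes"]
    if health["status"] == "yellow" and data_nodes == 1 and unassigned == health["active_primary_shards"]:
        # Every primary is live; the default replica of each has no second
        # node to live on, which is exactly the single-node case on the page.
        return ("yellow: single data node, %d replica shards cannot be placed; "
                "add a data node or set number_of_replicas to 0" % unassigned)
    return "%s: %d unassigned shards, check _cluster/allocation/explain" % (health["status"], unassigned)
```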
Example
```json
{
  "timestamp": "2018-02-20T01:36:30.255Z",
  "version": "1.0",
  "ip": "10.224.11.22",
  "host": "potato01.fanyamin.com",
  "service": "potato",
  "feature": "create_potato",
  "pool": "china_east",
  "properties": {
    "url": "http://potato01/api/v1.0/meetings",
    "method": "post",
    "potatoId": "12345",
    "responseCode": 200,
    "responseTimeInMs": 1000,
    "isSuccess": true,
    "errorCode": 0,
    "errorReason": ""
  }
}
```
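The page shows this event but no mapping for it. As an added example (not the post's own code), the block below declares an explicit mapping for the event, expands it into the tree that `PUT /<index>/_mapping/_doc` expects in Elasticsearch 6, and validates incoming events against it so that a malformed event cannot change a field's type through dynamic mapping; `FIELD_TYPES`, `es_mapping` and `validate` are my own names.

```python
# Declared field types for the page's sample event (dotted path -> ES type).
# Assumed here: the page shows the document but no mapping. Fields used for
# filtering/aggregation are keyword; fixed numeric and boolean types stop a
# later event from changing a field's type through dynamic mapping.
FIELD_TYPES = {
    "timestamp": "date", "version": "keyword", "ip": "ip", "host": "keyword",
    "service": "keyword", "feature": "keyword", "pool": "keyword",
    "properties.url": "keyword", "properties.method": "keyword",
    "properties.potatoId": "keyword", "properties.responseCode": "integer",
    "properties.responseTimeInMs": "integer", "properties.isSuccess": "boolean",
    "properties.errorCode": "integer", "properties.errorReason": "text",
}
PY_TYPES = {"integer": int, "boolean": bool, "keyword": str, "text": str, "date": str, "ip": str}

# The page's sample event, compacted to one literal.
SAMPLE_EVENT = {
    "timestamp": "2018-02-20T01:36:30.255Z", "version": "1.0", "ip": "10.224.11.22",
    "host": "potato01.fanyamin.com", "service": "potato", "feature": "create_potato",
    "pool": "china_east", "properties": {
        "url": "http://potato01/api/v1.0/meetings", "method": "post", "potatoId": "12345",
        "responseCode": 200, "responseTimeInMs": 1000, "isSuccess": True,
        "errorCode": 0, "errorReason": ""}}

def es_mapping(field_types=FIELD_TYPES):
    """Expand dotted paths into the nested 'properties' tree for PUT /<index>/_mapping/_doc.
    The event's own object field is called 'properties', so it shows up as properties.properties."""
    root = {"properties": {}}
    for path, es_type in field_types.items():
        node, parts = root, path.split(".")
        for part in parts[:-1]:
            node = node["properties"].setdefault(part, {"properties": {}})
        node["properties"][parts[-1]] = {"type": es_type}
    return root

def lookup(doc, path):
    """Fetch a dotted path from a nested dict; None when any step is missing."""
    for part in path.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc

def validate(doc, field_types=FIELD_TYPES):
    """Return dotted paths whose value does not match the declared type.
    bool is rejected for 'integer' because bool subclasses int in Python."""
    bad = []
    for path, es_type in field_types.items():
        value, want = lookup(doc, path), PY_TYPES[es_type]
        if value is not None and (not isinstance(value, want) or (want is int and isinstance(value, bool))):
            bad.append(path)
    return bad
```

Events that fail `validate` should be rejected or routed to a dead-letter index rather than indexed, since Elasticsearch would otherwise either drop the document with a mapper exception or, with dynamic mapping, coerce the type for everyone.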
- LogStash
Logstash is an open-source server-side data-processing pipeline. It can pull data from many sources at the same time, transform it, and send it on to the destination of your choice, most commonly ElasticSearch. In practice, to avoid flooding ElasticSearch with concurrent requests during traffic peaks, Kafka is usually placed in between as a buffer.
LogStash Agent --> Kafka --> LogStash Agent --> ElasticSearch
The strength of Logstash is its rich set of plugins, which cover most needs. Plugins come in three kinds:
- Input: input plugins
- Output: output plugins
- Filter: filter plugins

- Kibana
Kibana is a visualisation tool built on Elastic Search. By calling the Elastic Search API it makes it easy to search the data stored in Elastic Search and to draw all kinds of charts and dashboards.

In practice Kafka is commonly used as the aggregation pipeline (message queue) for logs, so the stack is also called ELKK.

Installing the whole environment is fairly tedious:
- Install JDK 1.8 first
- ElasticSearch: download, configure, install
- Logstash: download, configure, install
- Kibana: download, configure, install
I do not want to spell every step out here; there are tutorials online, just follow them. Instead we will use docker to install and start an ELK image.
Image: https://hub.docker.com/r/sebp/elk/
Detailed documentation: http://elk-docker.readthedocs.io/
Source: https://github.com/spujadas/elk-docker
Let us first look at its dockerfile, which contains the full installation and configuration procedure; I have added a few comments of my own.
```dockerfile
# Dockerfile for ELK stack
# Elasticsearch, Logstash, Kibana 6.3.1
# Build with:
# docker build -t <repo-user>/elk .
# Run with:
# docker run -p 5601:5601 -p 9200:9200 -p 5044:5044 -it --name elk <repo-user>/elk
# phusion/baseimage is an Ubuntu-based image adapted for docker; it fixes the PID 1 zombie-process problem
FROM phusion/baseimage
MAINTAINER Sebastien Pujadas http://pujadas.net
ENV REFRESHED_AT 2017-02-28
###############################################################################
# INSTALLATION
###############################################################################
# First install a few prerequisite tools: cURL and the JDK need no introduction; gosu is a small
# su/sudo replacement used to run a command as another (unprivileged) user; tzdata supplies the
# time-zone data needed to change the time zone
### install prerequisites (cURL, gosu, JDK, tzdata)
ENV GOSU_VERSION 1.10
ARG DEBIAN_FRONTEND=noninteractive
RUN set -x \
 && apt-get update -qq \
 && apt-get install -qqy --no-install-recommends ca-certificates curl \
 && rm -rf /var/lib/apt/lists/* \
 && curl -L -o /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)" \
 && curl -L -o /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc" \
 && export GNUPGHOME="$(mktemp -d)" \
 && gpg --keyserver hkp://ha.pool.sks-keyservers.net:80 --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
 && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
 && rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc \
 && chmod +x /usr/local/bin/gosu \
 && gosu nobody true \
 && apt-get update -qq \
 && apt-get install -qqy openjdk-8-jdk tzdata \
 && apt-get clean \
 && set +x
# The same pattern for every component: download the tarball from the official site and unpack it,
# add a user and group, create the directories it needs, and set permissions
ENV ELK_VERSION 6.3.1
### install Elasticsearch
ENV ES_VERSION ${ELK_VERSION}
ENV ES_HOME /opt/elasticsearch
ENV ES_PACKAGE elasticsearch-${ES_VERSION}.tar.gz
ENV ES_GID 991
ENV ES_UID 991
ENV ES_PATH_CONF /etc/elasticsearch
ENV ES_PATH_BACKUP /var/backups
RUN mkdir ${ES_HOME} \
 && curl -O https://artifacts.elastic.co/downloads/elasticsearch/${ES_PACKAGE} \
 && tar xzf ${ES_PACKAGE} -C ${ES_HOME} --strip-components=1 \
 && rm -f ${ES_PACKAGE} \
 && groupadd -r elasticsearch -g ${ES_GID} \
 && useradd -r -s /usr/sbin/nologin -M -c "Elasticsearch service user" -u ${ES_UID} -g elasticsearch elasticsearch \
 && mkdir -p /var/log/elasticsearch ${ES_PATH_CONF} ${ES_PATH_CONF}/scripts /var/lib/elasticsearch ${ES_PATH_BACKUP} \
 && chown -R elasticsearch:elasticsearch ${ES_HOME} /var/log/elasticsearch /var/lib/elasticsearch ${ES_PATH_CONF} ${ES_PATH_BACKUP}
# init script so the service starts automatically
ADD ./elasticsearch-init /etc/init.d/elasticsearch
RUN sed -i -e 's#^ES_HOME=$#ES_HOME='$ES_HOME'#' /etc/init.d/elasticsearch \
 && chmod +x /etc/init.d/elasticsearch
### install Logstash
ENV LOGSTASH_VERSION ${ELK_VERSION}
ENV LOGSTASH_HOME /opt/logstash
ENV LOGSTASH_PACKAGE logstash-${LOGSTASH_VERSION}.tar.gz
ENV LOGSTASH_GID 992
ENV LOGSTASH_UID 992
ENV LOGSTASH_PATH_CONF /etc/logstash
ENV LOGSTASH_PATH_SETTINGS ${LOGSTASH_HOME}/config
RUN mkdir ${LOGSTASH_HOME} \
 && curl -O https://artifacts.elastic.co/downloads/logstash/${LOGSTASH_PACKAGE} \
 && tar xzf ${LOGSTASH_PACKAGE} -C ${LOGSTASH_HOME} --strip-components=1 \
 && rm -f ${LOGSTASH_PACKAGE} \
 && groupadd -r logstash -g ${LOGSTASH_GID} \
 && useradd -r -s /usr/sbin/nologin -d ${LOGSTASH_HOME} -c "Logstash service user" -u ${LOGSTASH_UID} -g logstash logstash \
 && mkdir -p /var/log/logstash ${LOGSTASH_PATH_CONF}/conf.d \
 && chown -R logstash:logstash ${LOGSTASH_HOME} /var/log/logstash ${LOGSTASH_PATH_CONF}
ADD ./logstash-init /etc/init.d/logstash
RUN sed -i -e 's#^LS_HOME=$#LS_HOME='$LOGSTASH_HOME'#' /etc/init.d/logstash \
 && chmod +x /etc/init.d/logstash
### install Kibana
ENV KIBANA_VERSION ${ELK_VERSION}
ENV KIBANA_HOME /opt/kibana
ENV KIBANA_PACKAGE kibana-${KIBANA_VERSION}-linux-x86_64.tar.gz
ENV KIBANA_GID 993
ENV KIBANA_UID 993
RUN mkdir ${KIBANA_HOME} \
 && curl -O https://artifacts.elastic.co/downloads/kibana/${KIBANA_PACKAGE} \
 && tar xzf ${KIBANA_PACKAGE} -C ${KIBANA_HOME} --strip-components=1 \
 && rm -f ${KIBANA_PACKAGE} \
 && groupadd -r kibana -g ${KIBANA_GID} \
 && useradd -r -s /usr/sbin/nologin -d ${KIBANA_HOME} -c "Kibana service user" -u ${KIBANA_UID} -g kibana kibana \
 && mkdir -p /var/log/kibana \
 && chown -R kibana:kibana ${KIBANA_HOME} /var/log/kibana
ADD ./kibana-init /etc/init.d/kibana
RUN sed -i -e 's#^KIBANA_HOME=$#KIBANA_HOME='$KIBANA_HOME'#' /etc/init.d/kibana \
 && chmod +x /etc/init.d/kibana
###############################################################################
# CONFIGURATION
###############################################################################
# Configuration is the fiddly part; the files are prepared in advance in `
### configure Elasticsearch
ADD ./elasticsearch.yml ${ES_PATH_CONF}/elasticsearch.yml
ADD ./elasticsearch-default /etc/default/elasticsearch
RUN cp ${ES_HOME}/config/log4j2.properties ${ES_HOME}/config/jvm.options \
    ${ES_PATH_CONF} \
 && chown -R elasticsearch:elasticsearch ${ES_PATH_CONF} \
 && chmod -R +r ${ES_PATH_CONF}
### configure Logstash
# certs/keys for Beats and Lumberjack input
RUN mkdir -p /etc/pki/tls/certs && mkdir /etc/pki/tls/private
ADD ./logstash-beats.crt /etc/pki/tls/certs/logstash-beats.crt
ADD ./logstash-beats.key /etc/pki/tls/private/logstash-beats.key
# filters
ADD ./02-beats-input.conf ${LOGSTASH_PATH_CONF}/conf.d/02-beats-input.conf
ADD ./10-syslog.conf ${LOGSTASH_PATH_CONF}/conf.d/10-syslog.conf
ADD ./11-nginx.conf ${LOGSTASH_PATH_CONF}/conf.d/11-nginx.conf
ADD ./30-output.conf ${LOGSTASH_PATH_CONF}/conf.d/30-output.conf
# patterns
ADD ./nginx.pattern ${LOGSTASH_HOME}/patterns/nginx
RUN chown -R logstash:logstash ${LOGSTASH_HOME}/patterns
# Fix permissions
RUN chmod -R +r ${LOGSTASH_PATH_CONF}
### configure logrotate
ADD ./elasticsearch-logrotate /etc/logrotate.d/elasticsearch
ADD ./logstash-logrotate /etc/logrotate.d/logstash
ADD ./kibana-logrotate /etc/logrotate.d/kibana
RUN chmod 644 /etc/logrotate.d/elasticsearch \
 && chmod 644 /etc/logrotate.d/logstash \
 && chmod 644 /etc/logrotate.d/kibana
### configure Kibana
ADD ./kibana.yml ${KIBANA_HOME}/config/kibana.yml
###############################################################################
# START
###############################################################################
ADD ./start.sh /usr/local/bin/start.sh
RUN chmod +x /usr/local/bin/start.sh
EXPOSE 5601 9200 9300 5044
VOLUME /var/lib/elasticsearch
CMD [ "/usr/local/bin/start.sh" ]
```
Usage
```shell
sudo docker pull sebp/elk
sudo docker run -p 5601:5601 -p 9200:9200 -p 5044:5044 -it --name elk sebp/elk
```
After it starts, you can see:

You can also start it with docker-compose:
```shell
$ vi docker-compose.yml
```
```yaml
elk:
  image: sebp/elk
  ports:
    - "5601:5601"
    - "9200:9200"
    - "5044:5044"
```