[[日志系统使用文档地址]]

站内搜索[记录日志系统的安装->部署->配置->使用文档(3)]

服务器

es, logstash, kibana

内存: 8G
磁盘: 500G
处理器: 4/8核
带宽: 2m

1
2
3
4
5
6
7
以上配置是原来写的,在之后的线上环境很快就得到了验证, 结果就是直接崩溃

建议每天产生20g到30g的起码弄个以下的配置
内存: 16G
磁盘: 500g-1t(硬盘不值钱)
处理器: 4/8核
带宽: 5m

filebeat(被抓取服务所在机器)

1
略...

端口

1
2
elk服务器对外开放5601
elk服务器对filebeat所在服务器内网开放5044

安装(单点)

安装完filebeat之后,需要给inputs下配置文件基于root权限或者go+w权限
chown root /etc/filebeat/inputs/* 或者 chown go+w /etc/filebeat/inputs/*

filebeat(基于docker)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
version: '3'
services:
  filebeat:
    image: elastic/filebeat:7.13.2
    container_name: filebeat
    environment:
      - TZ=Asia/Shanghai
    volumes:
      - /var/run/docker.sock:/host_docker/docker.sock
      - /var/lib/docker:/host_docker/var/lib/docker
      - /opt/log-server/logs:/usr/share/filebeat/logs
      - /mydata/filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml
	  # filebeat注册表,记录上次扫描到哪里了
      - /mydata/filebeat/registry:/usr/share/filebeat/data/registry
    depends_on:
      - logstash
    user: root
    links:
      - logstash:logstash

filebeat(基于yum源-官网)

被采集服务所在服务器

  • To add the Beats repository for YUM:
    1
    sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
  • Create a file with a .repo extension (for example, elastic.repo) in your /etc/yum.repos.d/ directory and add the following lines:
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    cd /etc/yum.repos.d/
    vi elastic.repo


    [elastic-7.x]
    name=Elastic repository for 7.x packages
    baseurl=https://artifacts.elastic.co/packages/7.x/yum
    gpgcheck=1
    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
    enabled=1
    autorefresh=1
    type=rpm-md
  • Your repository is ready to use. For example, you can install Filebeat by running:
    1
    sudo yum install filebeat
  • To configure Filebeat to start automatically during boot, run:
    1
    sudo systemctl enable filebeat
  • If your system does not use systemd then run:
    1
    sudo chkconfig --add filebeat
    问题: Exiting: error loading config file: config file ("/etc/filebeat/filebeat.yml") must be owned by the user identifier (uid=0) or root

解决方案见: https://www.elastic.co/guide/en/beats/libbeat/current/config-file-permissions.html

elk(基于docker)

  • docker-compose.yml
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    cd /opt/elk
    vi docker-compose.yml


    version: '3'
    services:
      elasticsearch:
        image: elasticsearch:7.14.0
        container_name: elasticsearch
        environment:
          # 建议给总内存的50%(如果是8g以下那就算了)
          - ES_JAVA_OPTS=-Xms4096m -Xmx4096m
          - TZ=Asia/Shanghai
        volumes:
          - /mydata/elasticsearch/plugins:/usr/share/elasticsearch/plugins
          - /mydata/elasticsearch/data:/usr/share/elasticsearch/data
          - /mydata/elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
        ports:
          - 9200:9200
          - 9300:9300
      kibana:
        image: kibana:7.14.0
        container_name: kibana
        links:
          - elasticsearch:es
        depends_on:
          - elasticsearch
        volumes:
          - /mydata/kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml
        environment:
          - TZ=Asia/Shanghai
        ports:
          - 5601:5601
      logstash:
        image: logstash:7.14.0
        container_name: logstash
        environment:
          - TZ=Asia/Shanghai
        volumes:
          - /mydata/logstash/conf.d:/usr/share/logstash/pipeline/conf.d
          - /mydata/logstash/logstash.yml:/usr/share/logstash/config/logstash.yml
    #      - /mydata/logstash/logstash.template.json:/usr/share/logstash/templates/logstash.template.json
        depends_on:
          - elasticsearch
        links:
          - elasticsearch:es
        ports:
          - 5044:5044

配置(配置文件已标示注释)

filebeat && logstash && elasticserach

参考:配置文件详细介绍

配置用户

1
2
3
4
5
6
7
8
9
10
11
12
docker exec -it [es-id] bash
指定密码命令:./bin/elasticsearch-setup-passwords interactive
自动生成密码命令:./bin/elasticsearch-setup-passwords auto

# 各user
Changed password for user apm_system
Changed password for user kibana_system
Changed password for user kibana
Changed password for user logstash_system
Changed password for user beats_system
Changed password for user remote_monitoring_user
Changed password for user elastic

启动

filebeat

  • Start
    1
    sudo systemctl start filebeat
  • Status
    1
    sudo systemctl status filebeat

elk(cd到docker-compose文件所在路径)

  • docker-compose up -d

  • 验证一下(查看索引)

    1
    curl -XGET -H "Authorization:Basic base64Encode(user:password)" localhost:9200/_cat/indices

    注意的几个点

1
2
3
验证filebeat成功连接logshash:INFO [publisher_pipeline_output] pipeline/output.go:151 Connection to backoff(async(tcp://logstash:5044)) established

kibana没有数据(或是es没正确存储):8成可能是你存储的数据结构和之前配置的template.json映射关系有差,比如我将createTime设置成date时候,docker logs [logstash id]时候发现400了,提示转换失败

日志系统权限/角色配置

1
2
3
管理员-all
index-management-负责建立索引模式
log-viewer-仅可查看日志

日志系统索引配置(以及开启日志流模式查看)

es日志定期自动清除策略-Kibana Index Lifecycle Policies