[[日志系统使用文档地址]]

站内搜索[记录日志系统的安装->部署->配置->使用文档(3)]

服务器

es, logstash, kibana

内存: 8G
磁盘: 500G
处理器: 4/8核
带宽: 2m

1
2
3
4
5
6
7
以上配置是原来写的,在之后的线上环境很快就得到了验证, 结果就是直接崩溃

建议每天产生20g到30g的起码弄个以下的配置
内存: 16G
磁盘: 500g-1t(硬盘不值钱)
处理器: 4/8核
带宽: 5m

filebeat(被抓取服务所在机器)

1
略...

端口

1
2
elk服务器对外开放5601
elk服务器对filebeat所在服务器内网开放5044

安装(单点)

安装完filebeat之后,需要给inputs下配置文件基于root权限或者go+w权限
chown root /etc/filebeat/inputs/* 或者 chown go+w /etc/filebeat/inputs/*

filebeat(基于docker)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
version: '3'
services:
  filebeat:
    image: elastic/filebeat:7.13.2
    container_name: filebeat
    environment:
      - TZ=Asia/Shanghai
    volumes:
      - /var/run/docker.sock:/host_docker/docker.sock
      - /var/lib/docker:/host_docker/var/lib/docker
      - /opt/log-server/logs:/usr/share/filebeat/logs
      - /mydata/filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml
	  # filebeat注册表,记录上次扫描到哪里了
      - /mydata/filebeat/registry:/usr/share/filebeat/data/registry
    depends_on:
      - logstash
    user: root
    links:
      - logstash:logstash

filebeat(基于yum源-官网)

被采集服务所在服务器

  • To add the Beats repository for YUM:
1
sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
  • Create a file with a .repo extension (for example, elastic.repo) in your /etc/yum.repos.d/ directory and add the following lines:
1
2
3
4
5
6
7
8
9
10
11
12
cd /etc/yum.repos.d/
vi elastic.repo


[elastic-7.x]
name=Elastic repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
  • Your repository is ready to use. For example, you can install Filebeat by running:
1
sudo yum install filebeat
  • To configure Filebeat to start automatically during boot, run:
1
sudo systemctl enable filebeat
  • If your system does not use systemd then run:
1
sudo chkconfig --add filebeat
问题: Exiting: error loading config file: config file ("/etc/filebeat/filebeat.yml") must be owned by the user identifier (uid=0) or root

解决方案见: https://www.elastic.co/guide/en/beats/libbeat/current/config-file-permissions.html

elk(基于docker)

  • docker-compose.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
cd /opt/elk
vi docker-compose.yml


version: '3'
services:
  elasticsearch:
    image: elasticsearch:7.14.0
    container_name: elasticsearch
    environment:
      # 建议给总内存的50%(如果是8g以下那就算了)
      - ES_JAVA_OPTS=-Xms4096m -Xmx4096m
      - TZ=Asia/Shanghai
    volumes:
      - /mydata/elasticsearch/plugins:/usr/share/elasticsearch/plugins
      - /mydata/elasticsearch/data:/usr/share/elasticsearch/data
      - /mydata/elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
    ports:
      - 9200:9200
      - 9300:9300
  kibana:
    image: kibana:7.14.0
    container_name: kibana
    links:
      - elasticsearch:es
    depends_on:
      - elasticsearch
    volumes:
      - /mydata/kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml
    environment:
      - TZ=Asia/Shanghai
    ports:
      - 5601:5601
  logstash:
    image: logstash:7.14.0
    container_name: logstash
    environment:
      - TZ=Asia/Shanghai
    volumes:
      - /mydata/logstash/conf.d:/usr/share/logstash/pipeline/conf.d
      - /mydata/logstash/logstash.yml:/usr/share/logstash/config/logstash.yml
#      - /mydata/logstash/logstash.template.json:/usr/share/logstash/templates/logstash.template.json
    depends_on:
      - elasticsearch
    links:
      - elasticsearch:es
    ports:
      - 5044:5044

配置(配置文件已标示注释)

filebeat && logstash && elasticserach

参考:配置文件详细介绍

配置用户

1
2
3
4
5
6
7
8
9
10
11
12
docker exec -it [es-id] bash
指定密码命令:./bin/elasticsearch-setup-passwords interactive
自动生成密码命令:./bin/elasticsearch-setup-passwords auto

# 各user
Changed password for user apm_system
Changed password for user kibana_system
Changed password for user kibana
Changed password for user logstash_system
Changed password for user beats_system
Changed password for user remote_monitoring_user
Changed password for user elastic

启动

filebeat

  • Start
1
sudo systemctl start filebeat
  • Status
1
sudo systemctl status filebeat

elk(cd到docker-compose文件所在路径)

  • docker-compose up -d

  • 验证一下(查看索引)

1
curl -XGET -H "Authorization:Basic base64Encode(user:password)" localhost:9200/_cat/indices

注意的几个点

1
2
3
验证filebeat成功连接logshash:INFO [publisher_pipeline_output] pipeline/output.go:151 Connection to backoff(async(tcp://logstash:5044)) established

kibana没有数据(或是es没正确存储):8成可能是你存储的数据结构和之前配置的template.json映射关系有差,比如我将createTime设置成date时候,docker logs [logstash id]时候发现400了,提示转换失败

日志系统权限/角色配置

1
2
3
管理员-all
index-management-负责建立索引模式
log-viewer-仅可查看日志

日志系统索引配置(以及开启日志流模式查看)

es日志定期自动清除策略-Kibana Index Lifecycle Policies