Getting Started with ELK - 1

1. Lab environment

Goal: use ELK to collect the system logs of servers and visualise the data.
Since I had no prior experience with this, I am starting from the simplest possible setup.

1.1. Preparation

Prepare four virtual machines, one for each of the following roles (all on the 192.168.17.0/24 lab network, which is the address range used in every command below):

  • Client. The server whose logs are to be collected; only the rsyslog service needs configuring.
    • IP: 192.168.17.11
    • Hostname: client.localdomain
    • CPU: 1 core
    • Memory: 1 GB
    • Disk: 40 GB
  • Buffer service. Runs logstash and redis. Give it a fairly generous spec: logstash runs on the JVM and uses a lot of memory.
    • IP: 192.168.17.12
    • Hostname: redis.localdomain
    • CPU: 4 cores
    • Memory: 4 GB
    • Disk: 40 GB
  • Storage service. Runs logstash and elasticsearch. Also give it a generous spec.
    • IP: 192.168.17.13
    • Hostname: elasticsearch.localdomain
    • CPU: 4 cores
    • Memory: 4 GB
    • Disk: 40 GB
  • Presentation service. Runs kibana.
    • IP: 192.168.17.14
    • Hostname: kibana.localdomain
    • CPU: 2 cores
    • Memory: 2 GB
    • Disk: 40 GB

2. Client deployment

The configuration is trivial: only one line needs changing.

2.1. Edit the rsyslog configuration

File: /etc/rsyslog.conf. The forwarding rule usually goes near the bottom, on the second-to-last line:

*.* @@192.168.17.12:514

*.* means every facility at every severity, @@ means TCP (a single @ would be UDP), and 514 is the port the logstash syslog input on the buffer host listens on. This is plaintext with no authentication of either end, so it belongs on a trusted management network; rsyslog can wrap the forwarding in TLS, but that is not covered here.

2.2. Restart the rsyslog service

[root@client ~]# systemctl restart rsyslog.service

3. Deploying logstash and redis

3.1. Deploying Java

  1. Set up the yum repositories
[root@redis ~]# mv /etc/yum.repos.d/* /tmp/
[root@redis ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
[root@redis ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
  2. Install Java
[root@redis ~]# yum install java-11

Set the Java environment variables in /etc/profile by appending the following (the directory name carries the exact package version that was installed; check it under /usr/lib/jvm before copying the line):

JAVA_HOME=/usr/lib/jvm/java-11-openjdk-11.0.7.10-4.el7_8.x86_64
JRE_HOME=$JAVA_HOME
CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib
PATH=${JAVA_HOME}/bin:$PATH
export JAVA_HOME JRE_HOME CLASSPATH PATH

Apply the variables by rebooting or running source /etc/profile, then verify:

[root@redis ~]# echo $JAVA_HOME
/usr/lib/jvm/java-11-openjdk-11.0.7.10-4.el7_8.x86_64

3.2. Deploying redis

The official download site is slow, so I used the Huawei Cloud mirror.

  1. Install redis
[root@redis ~]# yum install redis
  2. Configure redis
    File: /etc/redis.conf. Add the following settings:
# run redis in the background as a daemon
daemonize yes
# address to listen on
bind 192.168.17.12
    Binding to the LAN address without a password means any host that can reach 192.168.17.12:6379 can read, alter or flush the queue: Redis's protected mode only applies while bind is left at its default. At minimum set requirepass here and give the same password to the redis output and the redis input of the two logstash pipelines (both plugins accept a password option).
  3. Start redis
[root@redis ~]# systemctl enable redis.service 
[root@redis ~]# systemctl start redis.service

3.3. Deploying logstash

  1. Install logstash
[root@redis ~]# yum install https://mirrors.huaweicloud.com/logstash/7.7.1/logstash-7.7.1.rpm

If no error is printed, the install succeeded.
One warning does appear: OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was...
This is the JVM telling you that the CMS garbage collector has been deprecated (since JDK 9); the jvm.options file shipped with Logstash still selects it. Switch to G1 in /etc/logstash/jvm.options:
replace -XX:+UseConcMarkSweepGC with -XX:+UseG1GC
and comment out the two CMS-only tuning flags that follow it (-XX:CMSInitiatingOccupancyFraction=75 and -XX:+UseCMSInitiatingOccupancyOnly); they have no effect under G1, and the service status further down shows they were left in place here.

  2. Configure logstash
    File: /etc/logstash/conf.d/rsyslog2redis.conf
input {
  syslog {
    type => "rsyslog"
    host => "192.168.17.12"
    # listens on both TCP and UDP 514; a privileged port, which is why the
    # service is switched to root in the next step
    port => "514"
  }
}

output {
  redis {
    host => "192.168.17.12"
    port => "6379"
    db => "10"
    # each event is RPUSHed as JSON onto the list "rsyslog" in database 10
    data_type => "list"
    key => "rsyslog"
  }
}
  3. Start the logstash service
    Logstash runs as the unprivileged logstash user by default, and that user cannot bind port 514 (ports below 1024 need root). The workaround used here is to run the whole service as root. File: /etc/sysconfig/logstash
LS_USER=root

The less privileged alternative is to keep the default user and use an unprivileged port, say 5140, in both the syslog input above and the client's rsyslog forwarding rule.

Quick smoke test:

[root@redis ~]# /usr/share/logstash/bin/logstash -e 'input { stdin { } } output { stdout {} }'
...WARN and INFO lines omitted...
hello, world!!!
{
          "host" => "redis.localdomain",
    "@timestamp" => 2020-06-26T16:38:15.075Z,
      "@version" => "1",
       "message" => "hello, world!!!"
}
[root@redis ~]# systemctl enable logstash.service 
[root@redis ~]# systemctl start logstash.service

Startup is slow, around two minutes. To check whether it came up (the "illegal reflective access" WARNING lines below come from JRuby running on JDK 11 and are harmless):

[root@redis ~]# systemctl status logstash.service 
● logstash.service - logstash
   Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-06-27 00:20:52 CST; 1min 24s ago
 Main PID: 1473 (java)
   CGroup: /system.slice/logstash.service
           └─1473 /bin/java -Xms1g -Xmx1g -XX:+UseG1GC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccu...

Jun 27 00:20:52 redis.localdomain systemd[1]: Started logstash.
Jun 27 00:20:52 redis.localdomain systemd[1]: Starting logstash...
Jun 27 00:21:18 redis.localdomain logstash[1473]: WARNING: An illegal reflective access operation has occurred
Jun 27 00:21:18 redis.localdomain logstash[1473]: WARNING: Illegal reflective access by com.headius.backport9.mod...long)
Jun 27 00:21:18 redis.localdomain logstash[1473]: WARNING: Please consider reporting this to the maintainers of c...dules
Jun 27 00:21:18 redis.localdomain logstash[1473]: WARNING: Use --illegal-access=warn to enable warnings of furthe...tions
Jun 27 00:21:18 redis.localdomain logstash[1473]: WARNING: All illegal access operations will be denied in a futu...lease
Jun 27 00:21:55 redis.localdomain logstash[1473]: Sending Logstash logs to /var/log/logstash which is now configu...rties
Hint: Some lines were ellipsized, use -l to show in full.

3.4. Verification

Check that the client's logs have reached redis.
On the client, generate a log entry:

[root@client ~]# logger "test"

On the redis host, check that it was stored:

[root@redis ~]# redis-cli -h 192.168.17.12
192.168.17.12:6379> ping
PONG
192.168.17.12:6379> info Keyspace
# Keyspace
db10:keys=1,expires=0,avg_ttl=0
192.168.17.12:6379> select 10
OK
192.168.17.12:6379[10]> keys *
1) "rsyslog"
192.168.17.12:6379[10]> llen rsyslog
(integer) 6
192.168.17.12:6379[10]> lindex rsyslog -1
"{\"severity\":6,\"timestamp\":\"Jun 27 00:50:01\",\"logsource\":\"client\",\"@timestamp\":\"2020-06-26T16:50:01.000Z\",\"@version\":\"1\",\"pid\":\"27036\",\"host\":\"192.168.17.11\",\"severity_label\":\"Informational\",\"type\":\"rsyslog\",\"facility\":9,\"facility_label\":\"clock\",\"priority\":78,\"program\":\"CROND\",\"message\":\"(root) CMD (/usr/lib64/sa/sa1 1 1)\\n\"}"
192.168.17.12:6379[10]> exit
[root@redis ~]#

4. Deploying logstash and elasticsearch

4.1. Deploying Java

Omitted; identical to 3.1.

4.2. Deploying elasticsearch

  1. Install elasticsearch
[root@elasticsearch ~]# yum install https://mirrors.huaweicloud.com/elasticsearch/7.7.1/elasticsearch-7.7.1-x86_64.rpm
  2. Configure elasticsearch
    Config file: /etc/elasticsearch/elasticsearch.yml. The two http.cors.* lines exist only so that the browser-based elasticsearch-head UI installed later in this section can call the API. Be aware of what they cost: http.cors.allow-origin: "*" lets any web page opened in a browser on this network call the 9200 API cross-site, and with network.host on the LAN and X-Pack security at its 7.x default (disabled) that API requires no authentication at all. Acceptable in an isolated lab; anywhere else, restrict the allowed origin to the head UI's URL and set xpack.security.enabled: true.
[root@elasticsearch ~]# cat /etc/elasticsearch/elasticsearch.yml |grep ^[a-z]
cluster.name: es
node.name: es-node01
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: false
network.host: 192.168.17.13
http.port: 9200
discovery.seed_hosts: ["192.168.17.13"]
cluster.initial_master_nodes: ["es-node01"]
http.cors.enabled: true
http.cors.allow-origin: "*"

Config file: /usr/lib/systemd/system/elasticsearch.service
Add the following parameter in the [Service] section to lengthen the start-up timeout; otherwise systemd gives up on the slow-starting JVM and the unit fails to start. (A drop-in created with systemctl edit elasticsearch.service survives package upgrades, whereas editing the unit under /usr/lib directly does not.)

TimeoutStartSec=900
  3. Start elasticsearch
[root@elasticsearch ~]# systemctl daemon-reload
[root@elasticsearch ~]# systemctl enable elasticsearch.service
[root@elasticsearch ~]# systemctl start elasticsearch.service

Once it is up, test access to http://192.168.17.13:9200/

[root@elasticsearch ~]# curl http://192.168.17.13:9200/
{
  "name" : "es-node01",
  "cluster_name" : "es",
  "cluster_uuid" : "UiO2khJYSMychDOkLPxM4g",
  "version" : {
    "number" : "7.7.1",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "ad56dce891c901a492bb1ee393f12dfff473a423",
    "build_date" : "2020-05-28T16:30:01.040088Z",
    "build_snapshot" : false,
    "lucene_version" : "8.5.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
  4. Install the head plugin (GitHub switched off the unauthenticated git:// protocol in 2022, so the clone below uses https)
[root@elasticsearch ~]# yum install git npm
[root@elasticsearch ~]# git clone https://github.com/mobz/elasticsearch-head.git
[root@elasticsearch ~]# vim elasticsearch-head/_site/app.js
# change localhost to 192.168.17.13, so the UI queries this node's API rather than the browser's own machine
[root@elasticsearch ~]# cd elasticsearch-head
[root@elasticsearch elasticsearch-head]# npm install
[root@elasticsearch elasticsearch-head]# npm run start

> elasticsearch-head@0.0.0 start /root/elasticsearch-head
> grunt server

Running "connect:server" (connect) task
Waiting forever...
Started connect web server on http://localhost:9100

Finally, browse to http://192.168.17.13:9100/. grunt stays in the foreground ("Waiting forever..."), so the UI is only up for as long as that terminal session is.
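As an added example (not part of the original post, nor code from Elasticsearch or elasticsearch-head), the small Python audit below reads an elasticsearch.yml of the shape shown in 4.2 and reports the two exposures noted there: the CORS wildcard that the head UI relies on, and a LAN-bound API with xpack.security.enabled left unset. LAB_CONFIG is a copy of the grep output above; HARDENED_CONFIG, with the head UI's origin and xpack.security.enabled: true, is an assumed fix for this lab, not something the post configured. The parser handles only the flat key: value lines such a file normally contains.

```python
import json

# Constructed copy of the elasticsearch.yml settings shown in 4.2 (the grep ^[a-z] output).
LAB_CONFIG = """\
cluster.name: es
node.name: es-node01
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: false
network.host: 192.168.17.13
http.port: 9200
discovery.seed_hosts: ["192.168.17.13"]
cluster.initial_master_nodes: ["es-node01"]
http.cors.enabled: true
http.cors.allow-origin: "*"
"""

# Assumed hardened variant for this lab (not from the post): only the head UI's
# origin may call the API cross-site, and X-Pack security is switched on.
HARDENED_CONFIG = LAB_CONFIG.replace(
    'http.cors.allow-origin: "*"',
    'http.cors.allow-origin: "http://192.168.17.13:9100"',
) + "xpack.security.enabled: true\n"

# Values of network.host that keep the node reachable from this machine only.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text):
    """Parse the `dotted.key: value` lines of an elasticsearch.yml into a dict.

    Handles the subset the tutorial uses: scalars, JSON-style inline lists and
    true/false; full-line comments and blank lines are skipped. Nested mappings
    and multi-line values are not supported.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith("["):
            value = json.loads(value)
        elif value.lower() in ("true", "false"):
            value = value.lower() == "true"
        else:
            value = value.strip("\"'")
        settings[key.strip()] = value
    return settings


def audit(settings):
    """Return (setting, finding) pairs for the two exposures; an empty list means clean."""
    findings = []
    if settings.get("http.cors.enabled") is True and settings.get("http.cors.allow-origin") == "*":
        findings.append((
            "http.cors.allow-origin",
            "wildcard origin: any web page opened in a browser that can reach "
            "this node may read and write the REST API cross-site",
        ))
    hosts = settings.get("network.host", "_local_")
    if isinstance(hosts, str):
        hosts = [hosts]
    exposed = [h for h in hosts if h not in LOOPBACK_HOSTS]
    if exposed and settings.get("xpack.security.enabled") is not True:
        findings.append((
            "xpack.security.enabled",
            "API bound to %s with no authentication (X-Pack security is off by "
            "default in 7.x)" % ", ".join(exposed),
        ))
    return findings


if __name__ == "__main__":
    for name, text in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_flat_yaml(text)) or "no findings")
```

Enabling xpack.security.enabled on 7.x also means running bin/elasticsearch-setup-passwords on the node and adding the resulting user and password options to the logstash elasticsearch output in 4.3; without them the redis-to-elasticsearch stage is refused.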

4.3. Deploying logstash

Omitted; follow 3.3. The only difference is the pipeline configuration (and the LS_USER=root change is not needed here: the redis input does not listen on any port, so logstash can stay on its default unprivileged user).
File: /etc/logstash/conf.d/redis2elasticsearch.conf

input {
  redis {
    host => "192.168.17.12"
    port => "6379"
    db => "10"
    data_type => "list"
    key => "rsyslog"
  }
}
output {
  elasticsearch {
    hosts => ["192.168.17.13:9200"]
    index => "rsyslog-%{+YYYY.MM.dd}"
  }
}
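The stored document in 3.4 and the index pattern above suggest two checks a practitioner would want before trusting the pipeline, shown here as an added Python example (not code from the post or from Logstash): decoding the RFC 3164 PRI value back into facility and severity to confirm the fields the syslog input derived, and computing the daily index the elasticsearch output will choose. The second one is the gotcha: %{+YYYY.MM.dd} is formatted from @timestamp, which Logstash keeps in UTC, so the event the client logged at Jun 27 00:50 CST lands in rsyslog-2020.06.26. SAMPLE_EVENT is a copy of the lindex output in 3.4, the label tables are the syslog input's defaults, and the +8 hour offset is the lab hosts' CST zone.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: a copy of the document that `lindex rsyslog -1` returned in 3.4.
SAMPLE_EVENT = (
    '{"severity":6,"timestamp":"Jun 27 00:50:01","logsource":"client",'
    '"@timestamp":"2020-06-26T16:50:01.000Z","@version":"1","pid":"27036",'
    '"host":"192.168.17.11","severity_label":"Informational","type":"rsyslog",'
    '"facility":9,"facility_label":"clock","priority":78,"program":"CROND",'
    '"message":"(root) CMD (/usr/lib64/sa/sa1 1 1)\\n"}'
)

# Default label tables of the Logstash syslog input (RFC 3164 numbering).
FACILITY_LABELS = [
    "kernel", "user-level", "mail", "system", "security/authorization",
    "syslogd", "line printer", "network news", "UUCP", "clock",
    "security/authorization", "FTP", "NTP", "log audit", "log alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITY_LABELS = [
    "Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
    "Informational", "Debug",
]


def decode_priority(pri):
    """Split an RFC 3164 PRI value into (facility, severity).

    PRI = facility * 8 + severity, so the valid range is 0..191 (23 * 8 + 7).
    """
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %r" % (pri,))
    return pri // 8, pri % 8


def check_event(raw):
    """Re-derive facility/severity and their labels from the event's priority
    and report whether they agree with what the syslog input stored."""
    event = json.loads(raw)
    facility, severity = decode_priority(int(event["priority"]))
    derived = {
        "facility": facility,
        "severity": severity,
        "facility_label": FACILITY_LABELS[facility],
        "severity_label": SEVERITY_LABELS[severity],
    }
    consistent = all(event.get(k) == v for k, v in derived.items())
    derived["consistent"] = consistent
    return derived


def parse_timestamp(ts):
    """Parse Logstash's @timestamp (ISO 8601, UTC, 'Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def target_index(raw, prefix="rsyslog-"):
    """Name of the daily index the `index => "rsyslog-%{+YYYY.MM.dd}"` output
    writes to. Logstash formats %{+...} from @timestamp, which is UTC, not from
    the client's wall clock, so late-evening local events land in the previous
    UTC day's index."""
    event = json.loads(raw)
    return prefix + parse_timestamp(event["@timestamp"]).strftime("%Y.%m.%d")


def local_clock_matches(raw, utc_offset_hours):
    """Check the client's own syslog header time ("Jun 27 00:50:01": no year,
    no zone) against @timestamp shifted by the client's UTC offset. Assumes a
    two-digit day; RFC 3164 pads single-digit days with a space."""
    event = json.loads(raw)
    local = parse_timestamp(event["@timestamp"]) + timedelta(hours=utc_offset_hours)
    return local.strftime("%b %d %H:%M:%S") == event["timestamp"]


if __name__ == "__main__":
    print(check_event(SAMPLE_EVENT))
    print(target_index(SAMPLE_EVENT))
    print("client clock consistent with CST (+8):", local_clock_matches(SAMPLE_EVENT, 8))
```

When searching for an event in Kibana or via the API later, use the UTC date of @timestamp to pick the index, not the date printed in the syslog header or by the client's date command.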

4.4. Verifying the data

Browse to http://192.168.17.13:9100/; a daily index named rsyslog-YYYY.MM.dd should appear holding the events that were queued in redis (the list drains as this pipeline consumes it).

5. Summary

At this point the system logs are stored in elasticsearch. The next step is to present the data with kibana.
