ELK是什么?
ELK是一套针对日志数据做解决方案的框架,分别代表了三款产品:
-
- E: ElasticSearch(ES),负责日志的存储和检索;
-
- L:Logstash,负责日志的收集,过滤和格式化;
-
- K:Kibana,负责日志的展示统计和数据可视化。
ELK能做什么?
日志可以记录一个服务的所有行为的数据。ELK对服务行为数据进行分析,可以快速、准确查询和分析日志。
搭建ELK
一、搭建ElasticSearch
1、拉取镜像
docker pull elasticsearch:7.17.7
2、配置文件
/usr/local/software/elk/elasticsearch/conf
/usr/local/software/elk/elasticsearch/data
/usr/local/software/elk/elasticsearch/plugins
[root@localhost elasticsearch]# mkdir conf
[root@localhost elasticsearch]# mkdir data
[root@localhost elasticsearch]# mkdir plugins
[root@localhost elasticsearch]# tree
.
├── conf
├── data
└── plugins
3 directories, 0 files
[root@localhost elasticsearch]# pwd
/usr/local/software/elk/elasticsearch在conf下创建elasticsearch.yml,修改权限777
[root@localhost elasticsearch]# cd conf/
[root@localhost conf]# touch elasticsearch.yml
[root@localhost conf]# chmod 777 elasticsearch.yml
[root@localhost conf]# ll
总用量 0
-rwxrwxrwx. 1 root root 0 12月 5 11:03 elasticsearch.yml
http:
host: 0.0.0.0
cors:
enabled: true
allow-origin: "*"
xpack:
security:
enabled: false修改linux的vm.max_map_count
[root@localhost conf]# sysctl -w vm.max_map_count=262144
vm.max_map_count = 262144
[root@localhost conf]# sysctl -a|grep vm.max_map_count
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.br-77cea35f59fa.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.docker0.stable_secret"
sysctl: reading key "net.ipv6.conf.enp4s0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
sysctl: reading key "net.ipv6.conf.veth15fadfa.stable_secret"
sysctl: reading key "net.ipv6.conf.virbr0.stable_secret"
sysctl: reading key "net.ipv6.conf.virbr0-nic.stable_secret"
vm.max_map_count = 2621443、创建运行容器
docker run -itd \
--name es \
--privileged \
--network wn_docker_net \
--ip 172.18.12.70 \
-p 9200:9200 \
-p 9300:9300 \
-e "discovery.type=single-node" \
-e ES_JAVA_OPTS="-Xms4g -Xmx4g" \
-v /usr/local/software/elk/elasticsearch/conf/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml \
-v /usr/local/software/elk/elasticsearch/data:/usr/share/elasticsearch/data \
-v /usr/local/software/elk/elasticsearch/plugins:/usr/share/elasticsearch/plugins \
elasticsearch:7.17.7启动后查看控制台并访问端口。
搭建Kibana
1、拉取kibana
docker pull kibana:7.17.7
2、安装
docker run -it \
--name kibana \
--privileged \
--network wn_docker_net \
--ip 172.18.12.71 \
-e "ELASTICSEARCH_HOSTS=http://192.168.201.61:9200" \
-p 5601:5601 \
-d kibana:7.17.7搭建Logstash
1、拉取Logstash
[root@localhost ~]# docker pull logstash:7.17.7
7.17.7: Pulling from library/logstash
fb0b3276a519: Already exists
4a9a59914a22: Pull complete
5b31ddf2ac4e: Pull complete
162661d00d08: Pull complete
706a1bf2d5e3: Pull complete
741874f127b9: Pull complete
d03492354dd2: Pull complete
2、创建容器
docker run -it \
--name logstash \
--privileged \
-p 5044:5044 \
-p 9600:9600 \
--network wn_docker_net \
--ip 172.18.12.72 \
-v /etc/localtime:/etc/localtime \
-d logstash:7.17.73、容器配置
5、编辑文件
logstash.yml
path.logs: /usr/share/logstash/logs
config.test_and_exit: false
config.reload.automatic: false
http.host: "0.0.0.0"
xpack.monitoring.elasticsearch.hosts: [ "http://192.168.201.61:9200" ]piplelines.xml
- pipeline.id: main
path.config: "/usr/share/logstash/pipeline/logstash.conf"logstash.conf
bash
input {
tcp {
mode => "server"
host => "0.0.0.0"
port => 5044
codec => json_lines
}
}
filter{
}
output {
elasticsearch {
hosts => ["192.168.201.61:9200"] #elasticsearch的ip地址
index => "ssc-logs" #索引名称
}
stdout { codec => rubydebug }
}6、重启容器
docker restart logstash7、释放端口
bash
firewall-cmd --add-port=9600/tcp --permanent
firewall-cmd --add-port=5044/tcp --permanent
firewall-cmd --reloadspringboot中使用logstash
1、引入框架
java
<dependency>
<groupId>net.logstash.logback</groupId>
<artifactId>logstash-logback-encoder</artifactId>
<version>7.3</version>
</dependency>2、创建logback-spring.xml
bash
<?xml version="1.0" encoding="UTF-8"?>
<!-- 日志级别从低到高分为TRACE < DEBUG < INFO < WARN < ERROR < FATAL,如果设置为WARN,则低于WARN的信息都不会输出 -->
<!-- scan:当此属性设置为true时,配置文档如果发生改变,将会被重新加载,默认值为true -->
<!-- scanPeriod:设置监测配置文档是否有修改的时间间隔,如果没有给出时间单位,默认单位是毫秒。
当scan为true时,此属性生效。默认的时间间隔为1分钟。 -->
<!-- debug:当此属性设置为true时,将打印出logback内部日志信息,实时查看logback运行状态。默认值为false。 -->
<configuration scan="true" scanPeriod="10 seconds">
<!--1. 输出到控制台-->
<appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
<!--此日志appender是为开发使用,只配置最低级别,控制台输出的日志级别是大于或等于此级别的日志信息-->
<filter class="ch.qos.logback.classic.filter.ThresholdFilter">
<level>DEBUG</level>
</filter>
<encoder>
<pattern>%d{yyyy-MM-dd HH:mm:ss.SSS} -%5level ---[%15.15thread] %-40.40logger{39} : %msg%n</pattern>
<!-- 设置字符集 -->
<charset>UTF-8</charset>
</encoder>
</appender>
<!-- 2. 输出到文件 -->
<appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
<!--日志文档输出格式-->
<append>true</append>
<encoder>
<pattern>%d{yyyy-MM-dd HH:mm:ss.SSS} -%5level ---[%15.15thread] %-40.40logger{39} : %msg%n</pattern>
<charset>UTF-8</charset> <!-- 此处设置字符集 -->
</encoder>
</appender>
<!--3. LOGSTASH config -->
<appender name="LOGSTASH" class="net.logstash.logback.appender.LogstashTcpSocketAppender">
<destination>192.168.201.61:5044</destination>
<encoder charset="UTF-8" class="net.logstash.logback.encoder.LogstashEncoder">
<!--自定义时间戳格式, 默认是yyyy-MM-dd'T'HH:mm:ss.SSS<-->
<timestampPattern>yyyy-MM-dd HH:mm:ss</timestampPattern>
<customFields>{"appname":"QueryApp"}</customFields>
</encoder>
</appender>
<root level="DEBUG">
<appender-ref ref="CONSOLE"/>
<appender-ref ref="FILE"/>
<appender-ref ref="LOGSTASH"/>
</root>
</configuration>
这里修改为自己的ip地址即可。
测试代码:
java
@Slf4j
@RestController
@RequestMapping("/api/query")
public class QueryController {
@Autowired
private IBookDocService ibs;
@GetMapping("/helloLog")
public HttpResp helloLog(){
List<BookDoc> all = ibs.findAll();
log.debug("从es查询到的数据:{}",all);
log.debug("我是来测试logstash是否工作的");
return HttpResp.success(all.subList(0,100));
}
}配置Kibana
1、创建一个索引
java
put ssc-logs
2、创建索引模式
3、检索日志
注意:
ELK中的各个组件版本要保持一致,否则可能会出现匹配错误。