目录
之前给大家分享的ELK,今天分享的是一个更加轻量级的日志收集EFK,主要就是有filebeat代替了logstash,filebeat采用go语言编写占用资源少,更加轻量级。本文中涉及到的软件包如果有需要可以评论区找我要,无偿提供。
资源列表
| 操作系统 | 配置 | 主机名 | IP |
|---|---|---|---|
| CentOS7.3.1611 | 2C4G | es01 | 192.168.207.131 |
| CentOS7.3.1611 | 2C4G | kibana | 192.168.207.165 |
| CentOS7.3.1611 | 2C4G | filebeat | 192.168.207.166 |
基础环境
关闭防护墙
bash
systemctl stop firewalld
systemctl disable firewalld关闭内核安全机制
bash
sed -i "s/.*SELINUX=.*/SELINUX=disabled/g" /etc/selinux/config
reboot修改主机名
bash
hostnamectl set-hostname es01
hostnamectl set-hostname kibana
hostnamectl set-hostname filebeat添加hosts映射
bash
cat >> /etc/hosts << EOF
192.168.207.131 es01
192.168.207.165 kibana
192.168.207.166 filebeat
EOF一、部署elasticsearch
修改limit限制
bash
cat > /etc/security/limits.d/es.conf << EOF
* soft nproc 655360
* hard nproc 655360
* soft nofile 655360
* hard nofile 655360
EOF
cat >> /etc/sysctl.conf << EOF
vm.max_map_count=655360
EOF
sysctl -p部署elasticsearch
bash
mkdir -p /data/elasticsearch
tar zxvf elasticsearch-7.14.0-linux-x86_64.tar.gz -C /data/elasticsearch修改配置文件
单节点
bash
mkdir /data/elasticsearch/{data,logs}
[root@es01 elasticsearch-7.14.0]# grep -v "^#" /data/elasticsearch/elasticsearch-7.14.0/config/elasticsearch.yml
cluster.name: my-application
node.name: es01
path.data: /data/elasticsearch/data
path.logs: /data/elasticsearch/logs
bootstrap.memory_lock: false
network.host: 0.0.0.0
http.port: 9200
cluster.initial_master_nodes: ["es01"]集群(3台节点集群为例)
需要准备3台机器,主机名分别是es01,es02,es03
bash
[root@es01 ~]# grep -v "^#" /data/elasticsearch/elasticsearch-7.14.0/config/elasticsearch.yml
cluster.name: es
node.name: es01
path.data: /data/elasticsearch/data
path.logs: /data/elasticsearch/logs
bootstrap.memory_lock: false
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["es01","es02","es03"]
cluster.initial_master_nodes: ["es01","es02","es03"]
node.master: true
node.data: true
http.cors.enabled: true
http.cors.allow-origin: "*"
[root@es02 ~]# grep -v "^#" /data/elasticsearch/elasticsearch-7.14.0/config/elasticsearch.yml
cluster.name: es
node.name: es02
path.data: /data/elasticsearch/data
path.logs: /data/elasticsearch/logs
bootstrap.memory_lock: false
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["es01","es02","es03"]
cluster.initial_master_nodes: ["es02", "es01", "es03"]
node.master: true
node.data: true
http.cors.enabled: true
http.cors.allow-origin: "*"
[root@es03 ~]# grep -v "^#" /data/elasticsearch/elasticsearch-7.14.0/config/elasticsearch.yml
cluster.name: es
node.name: es03
path.data: /data/elasticsearch/data
path.logs: /data/elasticsearch/logs
bootstrap.memory_lock: false
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["es01","es02","es03"]
cluster.initial_master_nodes: ["es01", "es02", "es03"]
node.master: true
node.data: true
http.cors.enabled: true
http.cors.allow-origin: "*"启动
bash
useradd es
chown -R es:es /data/
su - es
/data/elasticsearch/elasticsearch-7.14.0/bin/elasticsearch -d二、部署filebeat
部署filebeat
bash
mkdir -p /data/filebeat
tar zxvf filebeat-7.14.0-linux-x86_64.tar.gz -C /data/filebeat/添加配置文件
bash
[root@filebeat filebeat-7.14.0-linux-x86_64]# cat filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/messages
# 定义模板的相关信息
# 不允许自动生成模板
setup.template.enabled: false
# 生成index模板的名称
setup.template.name: "filebeat-test"
# 生成index模板的格式
setup.template.pattern: "filebeat-test-*"
# 7版本自定义ES的索引需要把ilm设置为false
setup.ilm.enabled: false
output.elasticsearch:
hosts: ["192.168.207.131:9200"]
index: "filebeat-test-%{+yyyy.MM.dd}"
bash
[root@filebeat filebeat-7.14.0-linux-x86_64]# cat filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/httpd/access_log
fields:
source: access
- type: log
enabled: true
paths:
- /var/log/httpd/error_log
fields:
source: error
setup.template.enabled: false
setup.template.name: "httpd"
setup.template.pattern: "httpd-*"
setup.ilm.enabled: false
output.elasticsearch:
hosts: ["192.168.207.131:9200"]
index: "httpd-%{[fields.source]}-*"
indices:
- index: "httpd-access-%{+yyyy.MM.dd}"
when.equals:
fields.source: "access"
- index: "httpd-error-%{+yyyy.MM.dd}"
when.equals:
fields.source: "error"启动
bash
/data/filebeat/filebeat-7.14.0-linux-x86_64/filebeat -e -c filebeat.yml三、部署kibana
单节点kibana
部署kibana
bash
mkdir -p /data/kibana
tar zxvf kibana-7.14.0-linux-x86_64.tar.gz -C /data/kibana/修改配置文件
bash
grep -v "^#" /data/kibana/kibana-7.14.0-linux-x86_64/config/kibana.yml | grep -v "^$"
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://192.168.207.131:9200"]
kibana.index: ".kibana"启动
bash
useradd kibana
chown -R kibana:kibana /data
su - kibana
/data/kibana/kibana-7.14.0-linux-x86_64/bin/kibana多节点kibana
每个节点配置相同
bash
[root@es01 ~]# grep -v "^#" /data/kibana/kibana-7.14.0-linux-x86_64/config/kibana.yml | grep -v "^$"
server.port: 5601
server.host: "0.0.0.0"
server.name: "your-hostname"
elasticsearch.hosts: ["http://es01:9200", "http://es02:9200", "http://es03:9200"]
kibana.index: ".kibana"