源码部署EFK - 技术栈

资源列表

基础环境

关闭防护墙

关闭内核安全机制

之前给大家分享的ELK，今天分享的是一个更加轻量级的日志收集EFK，主要就是有filebeat代替了logstash，filebeat采用go语言编写占用资源少，更加轻量级。本文中涉及到的软件包如果有需要可以评论区找我要，无偿提供。

资源列表

操作系统	配置	主机名	IP
CentOS7.3.1611	2C4G	es01	192.168.207.131
CentOS7.3.1611	2C4G	kibana	192.168.207.165
CentOS7.3.1611	2C4G	filebeat	192.168.207.166

基础环境

关闭防护墙

bash 复制代码

systemctl stop firewalld
systemctl disable firewalld

关闭内核安全机制

bash 复制代码

sed -i "s/.*SELINUX=.*/SELINUX=disabled/g" /etc/selinux/config
reboot

修改主机名

bash 复制代码

hostnamectl set-hostname es01
hostnamectl set-hostname kibana
hostnamectl set-hostname filebeat

添加hosts映射

bash 复制代码

cat >> /etc/hosts << EOF
192.168.207.131 es01
192.168.207.165 kibana
192.168.207.166 filebeat
EOF

一、部署elasticsearch

修改limit限制

bash 复制代码

cat > /etc/security/limits.d/es.conf << EOF
* soft nproc 655360
* hard nproc 655360
* soft nofile 655360
* hard nofile 655360
EOF

cat >> /etc/sysctl.conf << EOF
vm.max_map_count=655360
EOF
sysctl -p

部署elasticsearch

bash 复制代码

mkdir -p /data/elasticsearch
tar zxvf elasticsearch-7.14.0-linux-x86_64.tar.gz -C /data/elasticsearch

修改配置文件

单节点

bash 复制代码

mkdir /data/elasticsearch/{data,logs}

[root@es01 elasticsearch-7.14.0]# grep -v "^#" /data/elasticsearch/elasticsearch-7.14.0/config/elasticsearch.yml
cluster.name: my-application
node.name: es01
path.data: /data/elasticsearch/data
path.logs: /data/elasticsearch/logs
bootstrap.memory_lock: false
network.host: 0.0.0.0
http.port: 9200
cluster.initial_master_nodes: ["es01"]

集群(3台节点集群为例)

需要准备3台机器，主机名分别是es01，es02，es03

bash 复制代码

[root@es01 ~]# grep -v "^#" /data/elasticsearch/elasticsearch-7.14.0/config/elasticsearch.yml
cluster.name: es
node.name: es01
path.data: /data/elasticsearch/data
path.logs: /data/elasticsearch/logs
bootstrap.memory_lock: false
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["es01","es02","es03"]
cluster.initial_master_nodes: ["es01","es02","es03"]
node.master: true
node.data: true
http.cors.enabled: true
http.cors.allow-origin: "*"

[root@es02 ~]# grep -v "^#" /data/elasticsearch/elasticsearch-7.14.0/config/elasticsearch.yml
cluster.name: es
node.name: es02
path.data: /data/elasticsearch/data
path.logs: /data/elasticsearch/logs
bootstrap.memory_lock: false
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["es01","es02","es03"]
cluster.initial_master_nodes: ["es02", "es01", "es03"]
node.master: true
node.data: true
http.cors.enabled: true
http.cors.allow-origin: "*"


[root@es03 ~]# grep -v "^#" /data/elasticsearch/elasticsearch-7.14.0/config/elasticsearch.yml
cluster.name: es
node.name: es03
path.data: /data/elasticsearch/data
path.logs: /data/elasticsearch/logs
bootstrap.memory_lock: false
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["es01","es02","es03"]
cluster.initial_master_nodes: ["es01", "es02", "es03"]
node.master: true
node.data: true
http.cors.enabled: true
http.cors.allow-origin: "*"

启动

bash 复制代码

useradd es 
chown -R es:es /data/
su - es
/data/elasticsearch/elasticsearch-7.14.0/bin/elasticsearch -d

二、部署filebeat

部署filebeat

bash 复制代码

mkdir -p /data/filebeat
tar zxvf filebeat-7.14.0-linux-x86_64.tar.gz -C /data/filebeat/

添加配置文件

bash 复制代码

[root@filebeat filebeat-7.14.0-linux-x86_64]# cat filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/messages
# 定义模板的相关信息
# 不允许自动生成模板
setup.template.enabled: false
# 生成index模板的名称
setup.template.name: "filebeat-test"
# 生成index模板的格式
setup.template.pattern: "filebeat-test-*"
# 7版本自定义ES的索引需要把ilm设置为false
setup.ilm.enabled: false
output.elasticsearch:
  hosts: ["192.168.207.131:9200"]
  index: "filebeat-test-%{+yyyy.MM.dd}"

bash 复制代码

[root@filebeat filebeat-7.14.0-linux-x86_64]# cat filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/httpd/access_log
  fields:
    source: access
- type: log
  enabled: true
  paths:
    - /var/log/httpd/error_log
  fields:
    source: error
setup.template.enabled: false
setup.template.name: "httpd"
setup.template.pattern: "httpd-*"
setup.ilm.enabled: false
output.elasticsearch:
  hosts: ["192.168.207.131:9200"]
  index: "httpd-%{[fields.source]}-*"
  indices:
    - index: "httpd-access-%{+yyyy.MM.dd}"
      when.equals:
        fields.source: "access"
    - index: "httpd-error-%{+yyyy.MM.dd}"
      when.equals:
        fields.source: "error"

启动

bash 复制代码

/data/filebeat/filebeat-7.14.0-linux-x86_64/filebeat -e -c filebeat.yml

三、部署kibana

单节点kibana

部署kibana

bash 复制代码

mkdir -p /data/kibana
tar zxvf kibana-7.14.0-linux-x86_64.tar.gz -C /data/kibana/

修改配置文件

bash 复制代码

grep -v "^#" /data/kibana/kibana-7.14.0-linux-x86_64/config/kibana.yml  | grep -v "^$"
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://192.168.207.131:9200"]
kibana.index: ".kibana"

启动

bash 复制代码

useradd kibana
chown -R kibana:kibana /data 
su - kibana
/data/kibana/kibana-7.14.0-linux-x86_64/bin/kibana

多节点kibana

每个节点配置相同

bash 复制代码

[root@es01 ~]# grep -v "^#" /data/kibana/kibana-7.14.0-linux-x86_64/config/kibana.yml  | grep -v "^$"
server.port: 5601
server.host: "0.0.0.0"
server.name: "your-hostname"
elasticsearch.hosts: ["http://es01:9200", "http://es02:9200", "http://es03:9200"]
kibana.index: ".kibana"