ELK分别是Elasticsearch、Logstash、Kibana三个开源框架缩写。
参考文档:
https://www.cnblogs.com/yycc/p/7422628.html
https://blog.csdn.net/qq_22211217/article/details/80764568
https://www.cnblogs.com/zhaijunming5/p/6639553.html
架构:
filebeat --> redis -->logstash --> es --> kibana
关键词:多服务器、转发、汇总、展示、轻量级
-
每个客户端需要安装filebeat收集PHP日志
-
filebeat把收集到的日志传到redis
-
logstash从redis读取日志,读取一条日志就从redis里删除一条日志
-
logstash把日志发送到es
-
最后kibana可视化查询日志
官网:https://www.elastic.co/cn/blog/kibana-4-video-tutorials-part-1
四个包都可以解压即用,不用安装
Elasticsearch:
/config/elasticsearch.yml
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#network.host: 0.0.0.0???????????##服务器ip 本机
#
# Set a custom port for HTTP:
#http.port: 9200?????????????????##服务端口
#
# For more information, consult the network module documentation.启动elasticsearch
/ELK/elasticsearch/bin/elasticsearch?????#命令窗运行
/ELK/elasticsearch/bin/elasticsearch??-d????#后台线程运行
关闭elasticsearch
ctrl+c #命令窗关闭
ps -ef | grep elastic #后台线程关闭
kill -9 4442 ##pid 4442为查处线程的pid??????????
启动测试连接:
kibana:
/config/kibana.yml
server.port: 5601???????##服务端口
server.host: "0.0.0.0"??##服务器ip??本机
elasticsearch.url: "http://localhost:9200" ##elasticsearch服务地址 与elasticsearch对应启动:
/ELK/kibana/bin/kibana #命令窗启动
nohup /ELK/kibana/bin/kibana & #后台线程启动关闭kibana
ctrl+c #命令窗关闭
ps -ef | grep kibana #后台线程关闭
kill -9 4525 ##pid 4525 为查处线程的pid常见错误:
1、运行一段时间es达到了瓶颈
retrying failed action with response code: 403 ({"type"=>"cluster_block_exception", "reason"=>"index [logstash-2019.07.30] blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];”})
解决办法1
在kibana开发控制台执行下面语句即可
PUT _settings
??? {
??? "index": {
??? "blocks": {
??? "read_only_allow_delete": "false"
??? }
??? }
??? }解决方法2
如果kibana无法执行命令,可以使用下面命令解决
curl -XPUT -H "Content-Type: application/json" http://localhost:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}'Logstash:
/config/server.conf
# 配置logstash输入源
input {
????# 输出到redis
????redis {
????????host => "localhost"???# redis主机地址
????????port => 6379??????????????# redis端口号
????????data_type => "list"????# 使用发布/订阅模式
????????key => "logstash_list_0"??# 发布通道名称
????}
}
filter{
????##匹配consul healthcheck get request
????if([message]=~ "healthcheck.php"){
????????### 丢弃
????????drop{}
????}
}
# 配置输出的地方
output {
??# 控制台
??stdout { codec => rubydebug }
??# es
??elasticsearch {
????????hosts => [ "localhost:9200" ]
????}
}启动:
/ELK/logstash/bin/logstash -f? /ELK/logstash/config/server.conf ##命令窗形式
?
nohup??/ELK/logstash/bin/logstash -f
/ELK/logstash/config/server.conf &???##后台线程形式关闭:
ctrl+c #命令窗关闭
ps -ef | grep logstash #后台线程关闭
kill -9 4617 ##pid 4617 为查处线程的pidLogstash持久化到磁盘
当发生异常情况,比如logstash重启,有可能发生数据丢失,可以选择logstash持久化到磁盘,修改之前重启logstash数据丢失,修改之后重启logstash数据不丢失。以下是具体操作:
在config/logstash.yml中进行配置以下内容
queue.type: persisted
path.queue: /usr/share/logstash/data #队列存储路径;如果队列类型为persisted,则生效
queue.page_capacity: 250mb #队列为持久化,单个队列大小
queue.max_events: 0 #当启用持久化队列时,队列中未读事件的最大数量,0为不限制
queue.max_bytes: 1024mb #队列最大容量
queue.checkpoint.acks: 1024 #在启用持久队列时强制执行检查点的最大数量,0为不限制
queue.checkpoint.writes: 1024 #在启用持久队列时强制执行检查点之前的最大数量的写入事件,0为不限制
queue.checkpoint.interval: 1000 #当启用持久队列时,在头页面上强制一个检查点的时间间隔
修改完后,重启logstash
filebeat:
/filebeat.yml
output.redis:
hosts: "127.0.0.1:6379" #输出到redis的机器
timeout: 5 #连接超时时间
key: "logstash_list_0" #以default_list的keys传输到redis
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
- type: log
# Change to true to enable this input configuration.
enabled: true
# Paths that should be crawled and fetched. Glob based paths.
paths:
- /Applications/XAMPP/xamppfiles/htdocs/ELK/filebeat/logs/input #检测log文件路径
#- c:\programdata\elasticsearch\logs\*启动:
/ELK/filebeat/filebeat??-c /ELK/filebeat/filebeat.yml
其他配置?/filebeat/modules.d/**
配置路径path
修改文件名,去掉disable