ELK+filebeat安装部署监控springboot日志
ELK服务器端部署
1. 安装dockercompose,略
2. 配置docker-compose.yml
cd /root/elk
vi docker-compose.yml
version: "3"
services:
es-master:
container_name: es-master
hostname: es-master
image: elasticsearch:7.5.1
restart: always
ports:
- 9200:9200
- 9300:9300
volumes:
- ./elasticsearch/master/conf/es-master.yml:/usr/share/elasticsearch/config/elasticsearch.yml
- ./elasticsearch/master/data:/usr/share/elasticsearch/data
- ./elasticsearch/master/logs:/usr/share/elasticsearch/logs
environment:
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
es-slave1:
container_name: es-slave1
image: elasticsearch:7.5.1
restart: always
ports:
- 9201:9200
- 9301:9300
volumes:
- ./elasticsearch/slave1/conf/es-slave1.yml:/usr/share/elasticsearch/config/elasticsearch.yml
- ./elasticsearch/slave1/data:/usr/share/elasticsearch/data
- ./elasticsearch/slave1/logs:/usr/share/elasticsearch/logs
environment:
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
es-slave2:
container_name: es-slave2
image: elasticsearch:7.5.1
restart: always
ports:
- 9202:9200
- 9302:9300
volumes:
- ./elasticsearch/slave2/conf/es-slave2.yml:/usr/share/elasticsearch/config/elasticsearch.yml
- ./elasticsearch/slave2/data:/usr/share/elasticsearch/data
- ./elasticsearch/slave2/logs:/usr/share/elasticsearch/logs
environment:
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
kibana:
container_name: kibana
hostname: kibana
image: kibana:7.5.1
restart: always
ports:
- 5601:5601
volumes:
- ./kibana/conf/kibana.yml:/usr/share/kibana/config/kibana.yml
environment:
- elasticsearch.hosts=http://es-master:9200
depends_on:
- es-master
- es-slave1
- es-slave2
logstash:
container_name: logstash
hostname: logstash
image: logstash:7.5.1
command: logstash -f ./conf/logstash-filebeat.conf
restart: always
volumes:
# 映射到容器中
- ./logstash/conf/logstash-filebeat.conf:/usr/share/logstash/conf/logstash-filebeat.conf
- ./logstash/ssl:/usr/share/logstash/ssl
environment:
- elasticsearch.hosts=http://es-master:9200
# 解决logstash监控连接报错
- xpack.monitoring.elasticsearch.hosts=http://es-master:9200
ports:
- 5044:5044
depends_on:
- es-master
- es-slave1
- es-slave2
3. 配置Elasticsearch
mkdir elasticsearch
mkdir master
mkdir slave1
mkdir slave2
添加配置文件 master>conf>es-master.yml
# 集群名称
cluster.name: es-cluster
# 节点名称
node.name: es-master
# 是否可以成为master节点
node.master: true
# 是否允许该节点存储数据,默认开启
node.data: false
# 网络绑定
network.host: 0.0.0.0
# 设置对外服务的http端口
http.port: 9200
# 设置节点间交互的tcp端口
transport.port: 9300
# 集群发现
discovery.seed_hosts:
- es-master
- es-slave1
- es-slave2
# 手动指定可以成为 mater 的所有节点的 name 或者 ip,这些配置将会在第一次选举中进行计算
cluster.initial_master_nodes:
- es-master
# 支持跨域访问
http.cors.enabled: true
http.cors.allow-origin: "*"
# 安全认证
xpack.security.enabled: false
#http.cors.allow-headers: "Authorization"
添加配置文件 slave1>conf>es-slave1.yml
# 集群名称
cluster.name: es-cluster
# 节点名称
node.name: es-slave1
# 是否可以成为master节点
node.master: true
# 是否允许该节点存储数据,默认开启
node.data: true
# 网络绑定
network.host: 0.0.0.0
# 设置对外服务的http端口
http.port: 9201
# 设置节点间交互的tcp端口
#transport.port: 9301
# 集群发现
discovery.seed_hosts:
- es-master
- es-slave1
- es-slave2
# 手动指定可以成为 mater 的所有节点的 name 或者 ip,这些配置将会在第一次选举中进行计算
cluster.initial_master_nodes:
- es-master
# 支持跨域访问
http.cors.enabled: true
http.cors.allow-origin: "*"
# 安全认证
xpack.security.enabled: false
#http.cors.allow-headers: "Authorization"
添加配置文件 slave2>conf>es-slave2.yml
# 集群名称
cluster.name: es-cluster
# 节点名称
node.name: es-slave2
# 是否可以成为master节点
node.master: true
# 是否允许该节点存储数据,默认开启
node.data: true
# 网络绑定
network.host: 0.0.0.0
# 设置对外服务的http端口
http.port: 9202
# 设置节点间交互的tcp端口
#transport.port: 9302
# 集群发现
discovery.seed_hosts:
- es-master
- es-slave1
- es-slave2
# 手动指定可以成为 mater 的所有节点的 name 或者 ip,这些配置将会在第一次选举中进行计算
cluster.initial_master_nodes:
- es-master
# 支持跨域访问
http.cors.enabled: true
http.cors.allow-origin: "*"
# 安全认证
xpack.security.enabled: false
#http.cors.allow-headers: "Authorization"
解决 elasticsearch 报错max virtual memory areas vm.max_map_count [65530] is too low
vi /etc/sysctl.conf
添加 一行 vm.max_map_count=655360
加载参数
sysctl -p
3. 配置kibana
cd /root/elk
mkdir kibana
添加配置文件kibana>conf>kibana.yml
# Default Kibana configuration for docker target
server.name: kibana
server.host: "0"
elasticsearch.hosts: [ "http://****:9200" ]
xpack.monitoring.ui.container.elasticsearch.enabled: true
4. 配置logstash
cd /root/elk
mkdir logstash
添加配置文件logstash>conf>logstash-filebeat.conf
input {
# 来源beats
beats {
# 端口
port => "5044"
#ssl_certificate_authorities => ["/usr/share/logstash/ssl/ca.crt"]
#ssl_certificate => "/usr/share/logstash/ssl/server.crt"
#ssl_key => "/usr/share/logstash/ssl/server.key"
#ssl_verify_mode => "force_peer"
}
}
# 分析、过滤插件,可以多个
filter {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}"}
}
geoip {
source => "clientip"
}
}
output {
# 选择elasticsearch
elasticsearch {
hosts => ["http://****:9200"]
index => "%{[fields][service]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
}
stdout {
codec => rubydebug
}
}
5. 启动ELK
cd /root/elk
docker-compose up --build -d
Filebeat安装
1. 下载filebeat
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.9.1-linux-x86_64.tar.gz
tar -xf filebeat-7.9.1-linux-x86_64.tar.gz -C /usr/local/
cd /usr/local/
mv filebeat-7.9.1-linux-x86_64 filebeat
2. 配置filebeat.yml
vim /usr/local/filebeat/filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /home/api.aftersalesservices/logs/*.log
fields:
service: "205-api.aftersalesservices"
log_source: "springboot"
multiline.pattern: ^[0-9]{4}-[0-9]{2}-[0-9]{2}
multiline.negate: true
multiline.match: after
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
setup.ilm.enabled: false
output.logstash:
hosts: ["****:5044"]
检查配置 cd /usr/local/filebeat/ && ./filebeat test config
3. 配置成系统服务
vim /usr/lib/systemd/system/filebeat.service
[Unit]
Description=Filebeat is a lightweight shipper for metrics.
Documentation=https://www.elastic.co/products/beats/filebeat
Wants=network-online.target
After=network-online.target
[Service]
Environment="LOG_OPTS=-e"
Environment="CONFIG_OPTS=-c /usr/local/filebeat/filebeat.yml"
Environment="PATH_OPTS=-path.home /usr/local/filebeat -path.config /usr/local/filebeat -path.data /usr/local/filebeat/data -path.logs /usr/local/filebeat/logs"
ExecStart=/usr/local/filebeat/filebeat $LOG_OPTS $CONFIG_OPTS $PATH_OPTS
Restart=always
[Install]
WantedBy=multi-user.target
4. 启动服务
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
5. 查看运行状态
systemctl status filebeat.service
Kibana配置
1. 在浏览器打开[Host-IP]:5601,是Kibana日志查看平台
2. 进入至系统菜单【管理】中的【index-pattern】
3. 创建创建index-pattern
4. 在logs查看日志
5. 首页查看日志
