轻量级日志收集组件,基本不消耗内存
主要工作:在每一台机器上收集日志,再按 filebeat > redis > logstash > Elasticsearch 的顺序逐级传输
所以每台机器都要装filebeat,选择对应所需组件进入下载,这里选择filebeat > 选择版本下载
[root@es-01 ~]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.12.1-x86_64.rpm
[root@es-01 ~]# yum localinstall -y filebeat-7.12.1-x86_64.rpm
[root@es-01 ~]# rpm -qc filebeat | grep filebeat.yml
/etc/filebeat/filebeat.yml
# 查看除注释外的内容
[root@es-01 filebeat]# egrep -v '#' /etc/filebeat/filebeat.yml | egrep '[^\ ]'
filebeat.inputs:
- type: log
  enabled: false
  paths:
    - /var/log/*.log
- type: filestream
  enabled: false
  paths:
    - /var/log/*.log
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
output.elasticsearch:
  hosts: ["localhost:9200"]
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
# 备份后再编辑
[root@es-01 filebeat]# cp /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.bak
- 不同输入类型格式参考:
https://www.elastic.co/guide/en/beats/filebeat/7.12/configuration-filebeat-options.html
https://www.elastic.co/guide/en/beats/filebeat/current/configuring-output.html
- file格式:
output.file:             # filebeat输出
  path: "/tmp/filebeat"
  filename: filebeat.log
[root@es-01 ~]# vim /etc/filebeat/filebeat.yml <<EOF filebeat.inputs: # filebeat输入 - type: log # 可随便定义 paths: - /var/log/messages - /var/log/*.log filebeat.config.modules: path: ${path.config}/modules.d/*.yml reload.enabled: false setup.template.settings: index.number_of_shards: 1 setup.kibana: output.file: # filebeat输出 path: "/tmp/filebeat" filename: filebeat.log processors: - add_host_metadata: when.not.contains.tags: forwarded - add_cloud_metadata: ~ - add_docker_metadata: ~ - add_kubernetes_metadata: ~
[root@es-01 filebeat]# /usr/bin/filebeat -c /etc/filebeat/filebeat.yml
重启filebeat
[root@es-01 filebeat]# systemctl restart filebeat.service
[root@es-01 ~]# tailf /tmp/filebeat/filebeat.log
5,\"5\":0.03,\"norm\":{\"1\":0.01,\"15\":0.025,\"5\":0.015}}}}}}","input":{"type":"log"},"ecs":01","type":"filebeat","version":"7.12.1"}}
···
可以使用json.cn查看log文件(日志中可能带有主机名、IP 等内部信息,也可以在本机用 jq 格式化,不必把日志粘贴到第三方网站):
json官网
- https://www.elastic.co/guide/en/beats/filebeat/current/redis-output.html
- redis格式:
output.redis:
  hosts: ["localhost"]
  password: "my_password"
  key: "filebeat"
  db: 0
  timeout: 5
[root@es-01 ~]# vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  paths:
    - /var/log/messages
    - /var/log/*.log
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
output.redis:
  hosts: ["10.0.0.40"]
  password: "" # 对端redis的密码,若没有则为空
  key: "filebeat"
  db: 0 # 第0个数据库,redis默认有16个数据库
  timeout: 5
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

# 添加此段,注意修改
output.redis:
  hosts: ["localhost"]
  password: "my_password"
  key: "filebeat"
  db: 0
  timeout: 5
[root@es-01 filebeat]# systemctl restart filebeat.service
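# 安装redis,并修改bind监听地址为0.0.0.0
# (上面 filebeat 的 password 为空,即 redis 未设置 requirepass;监听 0.0.0.0 时,任何能连到 6379 端口的主机都可以读写该实例。
#  建议 bind 只写内网地址,设置 requirepass 并在 filebeat/logstash 中同步配置密码,同时用防火墙限制来源)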
# 启动redis
# 进入查看
[root@es-02 ~]# redis-cli
127.0.0.1:6379> KEYS * #通过filebeat自定义的key
1) "filebeat"
127.0.0.1:6379> lrange filebeat 0 -1
415) "{\"@timestamp\":\"2021-05-12T09:05:08.661Z\",\"@metadata\":{\\\"1\\\":0.03,\\\"15\\\":0.025,\\\"5\\\":0.025}}}}}}\"}"
···
redis 参考文档
https://www.elastic.co/guide/en/logstash/current/plugins-inputs-redis.html

使用logstash读取redis输出到elasticsearch中
# 配置文件放在哪无所谓,运行时指定好路径即可~
# redis 若设置了 requirepass,需要在下面的 redis {} 中同步配置 password 选项
[root@es-02 ~]# vim /etc/logstash/conf.d/redis-system.conf
input {
  redis {
    data_type => 'list'
    host => "10.0.0.40"
    key => "filebeat"
    port => 6379
  }
}
output {
  elasticsearch {
    hosts => ["172.16.1.30:9200"]
    index => "filebeat-systemlog-%{+YYYY.MM.dd}"
  }
}
# 运行logstash
[root@es-02 ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/redis-system.conf
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
# 这里的下载走明文 http,且没有校验源码包;nginx.org 同时提供 https 下载和 .asc 签名文件,建议校验后再编译
wget http://nginx.org/download/nginx-1.16.1.tar.gz
tar xf nginx-1.16.1.tar.gz
groupadd www -g 666
useradd www -u 666 -g 666 -s /sbin/nologin -M
cd nginx-1.16.1
./configure --prefix=/usr/local/nginx-1.16.1 --user=www --group=www --without-http_gzip_module
make && make install
ln -s /usr/local/nginx-1.16.1 /usr/local/nginx
vim /etc/profile.d/nginx.sh
export PATH=$PATH:/usr/local/nginx/sbin
source /etc/profile

systemd管理nginx
[root@web03 ~]# vim /etc/systemd/system/nginx.service
[Unit]
Description=nginx - high performance web server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s stop

[Install]
WantedBy=multi-user.target

systemctl start nginx
配置kibana域名访问
mkdir /usr/local/nginx/conf/conf.d/
[root@linux-host2 conf]# vim /usr/local/nginx/conf/nginx.conf
#添加一行
include /usr/local/nginx/conf/conf.d/*.conf;
[root@linux-host2 conf]# vim /usr/local/nginx/conf/conf.d/kibana5612.conf
upstream kibana_server {
    server 127.0.0.1:5601 weight=1 max_fails=3 fail_timeout=60;
}
server {
    listen 80;
    server_name www.kibana5612.com;
    location / {
        proxy_pass http://kibana_server;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
# 下面的 chown -R 会把 nginx 的二进制和配置文件一并交给 worker 运行用户 www,而 master 进程由 systemd 以 root 启动并读取这些文件;
# 更稳妥的做法是程序和配置保持 root 属主,只把需要写入的目录(如日志)授权给 www
[root@linux-host2 conf]# chown www.www /usr/local/nginx/ -R
[root@linux-host2 conf]# systemctl restart nginx
# 启动Nginx
[root@es-01 ~]# systemctl start --now nginx
# 配置hosts解析
10.0.0.30 linux.kibana.com
# 访问测试
10.0.0.30:80
linux.kibana.com
yum install httpd-tools -y
[root@linux-host2 conf]# yum install httpd-tools -y
# -b 会把密码直接写在命令行参数里(会留在 shell 历史和进程列表中),示例里用户名和密码相同,仅作演示;
# 去掉 -b 即可改为交互式输入密码
[root@linux-host2 conf]# htpasswd -bc /usr/local/nginx/conf/htpasswd.users kibana kibana
[root@linux-host2 conf]# cat /usr/local/nginx/conf/htpasswd.users
zhangjie:$apr1$x7K2F2rr$xq8tIKg3JcOUyOzSVuBpz1

修改kibana配置文件===不允许外网访问
[root@es-02 ~]# grep -E '^[^#]' /etc/kibana/kibana.yml
server.port: 5601
server.host: "172.16.1.30"
elasticsearch.hosts: ["http://172.16.1.40:9200"]

编写nginx配置文件
# auth_basic 的用户名和密码只做 base64 编码,下面 listen 80 是明文 HTTP;对外提供访问时应再配置 TLS
[root@linux-host2 conf]# vim /usr/local/nginx/conf/conf.d/kibana5612.conf
upstream kibana_server {
    server 172.16.1.30:5601 weight=1 max_fails=3 fail_timeout=60;
}
server {
    listen 80;
    server_name www.kibana5612.com;
    auth_basic "Restricted Access";
    auth_basic_user_file /usr/local/nginx/conf/htpasswd.users;
    location / {
        proxy_pass http://kibana_server;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
[root@linux-host2 conf]# chown www.www /usr/local/nginx/ -R
[root@linux-host2 conf]# systemctl reload nginx
除非点击取消之后提示需要认证
# 安装filebeat
[root@es-02 ~]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.12.1-x86_64.rpm
[root@es-02 ~]# yum install filebeat-7.12.1-x86_64.rpm
[root@es-02 ~]# vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  paths:
    - /var/log/messages
    - /var/log/*.log
output.redis:
  hosts: ["10.0.0.40"]
  password: ""
  key: "filebeat"
  db: 0
  timeout: 5
[root@es-02 ~]# systemctl start filebeat

# 安装redis
[root@es-02 ~]# yum install redis -y
[root@es-02 ~]# systemctl start redis

# 安装logstash
[root@es-02 ~]# wget https://artifacts.elastic.co/downloads/logstash/logstash-7.12.1-x86_64.rpm
[root@es-02 ~]# yum install logstash-7.12.1-x86_64.rpm -y
[root@es-01 ~]# cat redis-system.conf
input {
  redis {
    data_type => 'list'
    host => "10.0.0.40"
    key => "filebeat"
    port => 6379
  }
}
output {
  elasticsearch {
    hosts => ["10.0.0.30:9200"]
    index => "filebeat-systemlog-%{+YYYY.MM.dd}"
  }
}
[root@es-01 ~]# /usr/share/logstash/bin/logstash -f redis-system.conf

# elasticsearch
# 注意:下面 network.host 为 0.0.0.0、http.cors.allow-origin 为 "*",且配置中没有启用认证(xpack.security.enabled),
# 9200 端口对所有可达主机开放;生产环境建议绑定内网地址、收紧 CORS 来源并启用安全功能
[root@es-01 ~]# grep -E '^[^#]' /etc/elasticsearch/elasticsearch.yml
cluster.name: chenyang-by-es
node.name: chenyang-node-01
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true
network.host: 0.0.0.0
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"
cluster.initial_master_nodes: node-01
discovery.zen.minimum_master_nodes: 2
discovery.zen.ping.unicast.hosts: ["172.16.1.30","172.16.1.40"]

# 安装kibana
[root@es-02 ~]# grep -E '^[^#]' /etc/kibana/kibana.yml
server.port: 5601
server.host: "172.16.1.40"
elasticsearch.hosts: ["http://172.16.1.40:9200"]

# 优化
[root@es-01 ~]# yum install nginx -y
[root@es-01 ~]# vim /etc/nginx/conf.d/kibana.conf
server {
    listen 80;
    server_name kibana.default.cluster.local.com;
    auth_basic "User Authentication";
    auth_basic_user_file /etc/nginx/auth;
    location / {
        proxy_pass http://10.0.0.30:5601;
    }
}

不允许IP访问
server {
    listen 80 default_server;
    server_name localhost;
    return 500;
}
本次使用普罗米修斯监控ELK
# 部署普罗米修斯
[root@es-01 /opt]# wget https://github.com/prometheus/prometheus/releases/download/v2.26.0/prometheus-2.26.0.linux-amd64.tar.gz
[root@es-01 /opt]# tar -xf prometheus-2.26.0.linux-amd64.tar.gz -C /usr/local/
[root@es-01 /opt]# vim /usr/local/prometheus/prometheus.yml
  - job_name: "ELK"
    static_configs:
      - targets: ["192.168.15.71:9114"]
# 部署elasticsearch exporter
# (注意:docker run 的 -e 用于设置容器环境变量;--es.uri 是 exporter 自身的启动参数,应写在镜像名之后才会生效)
[root@es-01 /opt]# docker run --rm -p 9114:9114 -e "--es.uri=http://172.16.1.70:9200/" justwatch/elasticsearch_exporter:1.1.0
[root@es-01 /opt]# wget https://dl.grafana.com/oss/release/grafana-7.5.6-1.x86_64.rpm
[root@es-01 /opt]# yum install grafana-7.5.6-1.x86_64.rpm
[root@es-01 /opt]# systemctl start grafana-server.service