Kibana, Elasticsearch and Fluentd

Elasticsearch

https://www.elastic.co/cn/downloads/elasticsearch

Run as a non-root user
vim config/jvm.options
-Xms1g
-Xmx2g
vim config/elasticsearch.yml
xpack.security.http.ssl:
  enabled: false # disabled
  keystore.path: certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: false # disabled

After starting, check the log: the generated password is printed there.
docker:
sysctl -w vm.max_map_count=262144

mkdir -p /data/es/{data,config}
chown 1000:1000 /data/es
chown 1000:1000 /data/es/* -R

docker run -d --net=host \
-e "discovery.type=single-node" \
-e "network.host=0.0.0.0" \
-e "ES_JAVA_OPTS=-Xmx1g -Xms1g" \
--name es \
elasticsearch:7.17.3

docker cp es:/usr/share/elasticsearch/config /data/es/

docker rm -f es

docker run -d --net=host \
--name es \
--restart=always \
-e "discovery.type=single-node" \
-e "network.host=0.0.0.0" \
-e "ES_JAVA_OPTS=-Xmx1g -Xms1g" \
-v /data/es/data:/usr/share/elasticsearch/data \
-v /data/es/config:/usr/share/elasticsearch/config \
elasticsearch:7.17.3

Default Elasticsearch configuration

# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
#cluster.name: my-application
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
#path.data: /path/to/data
#
# Path to log files:
#
#path.logs: /path/to/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
#network.host: 192.168.0.1
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
#cluster.initial_master_nodes: ["node-1", "node-2"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Allow wildcard deletion of indices:
#
#action.destructive_requires_name: false

#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------
#
# The following settings, TLS certificates, and keys have been automatically
# generated to configure Elasticsearch security features on 14-09-2023 06:46:43
#
# --------------------------------------------------------------------------------

# Enable security features
xpack.security.enabled: true

xpack.security.enrollment.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: false
  keystore.path: certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: false
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
cluster.initial_master_nodes: ["centos7.8"]

# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0

# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
#transport.host: 0.0.0.0

#----------------------- END SECURITY AUTO CONFIGURATION -------------------------

Kibana

https://www.elastic.co/cn/downloads/kibana

Run as a non-root user
vim config/kibana.yml
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]
elasticsearch.username: "test"
elasticsearch.password: "123456"
elasticsearch.ssl.verificationMode: none
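The elasticsearch.yml fragments above and this kibana.yml together turn off TLS on the REST API and between nodes, make Kibana skip certificate verification, and use a guessable password. The following is an added example (not part of the original notes, not Elastic's code) that flattens the simple `key: value` YAML subset these files use into dotted keys and reports those weak settings; the two sample files are constructed copies of the fragments on this page.

```python
# Weak settings from the notes above and why a defender cares about each.
WEAK = {
    "xpack.security.enabled": ("false", "no auth: anyone reaching :9200 can read or delete indices"),
    "xpack.security.http.ssl.enabled": ("false", "REST API in plaintext: passwords and data cross the wire unencrypted"),
    "xpack.security.transport.ssl.enabled": ("false", "node-to-node traffic unencrypted and unauthenticated"),
    "elasticsearch.ssl.verificationMode": ("none", "Kibana accepts any certificate, so Elasticsearch can be impersonated"),
}

def flatten(text):
    """Flatten the 'key: value' / nested-mapping YAML subset into dotted keys (not a full YAML parser)."""
    out, stack = {}, []                       # stack holds (indent, key) pairs
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # '#' always starts a comment here
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # close deeper or sibling mappings
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            out[".".join(k for _, k in stack)] = value.strip().strip("\"'")
    return out

def audit(settings):
    """One finding string per weak setting present in the flattened mapping."""
    findings = [f"{k}={v}: {why}" for k, (v, why) in WEAK.items()
                if settings.get(k, "").lower() == v]
    hosts = settings.get("elasticsearch.hosts", "")
    if "http://" in hosts and "https://" not in hosts:
        findings.append(f"elasticsearch.hosts={hosts}: Kibana reaches Elasticsearch over plain HTTP")
    if settings.get("elasticsearch.password") in {"123456", "changeme", "password"}:
        findings.append("elasticsearch.password: trivially guessable value")
    return findings

# Constructed samples reproducing the fragments from the notes above.
ES_YML = """xpack.security.enabled: true
xpack.security.http.ssl:
  enabled: false # disabled
  keystore.path: certs/http.p12
xpack.security.transport.ssl:
  enabled: false
"""
KIBANA_YML = """server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]
elasticsearch.username: "test"
elasticsearch.password: "123456"
elasticsearch.ssl.verificationMode: none
"""
```

Running `audit(flatten(KIBANA_YML))` yields three findings (plain HTTP, guessable password, verificationMode none) and `audit(flatten(ES_YML))` two (HTTP and transport TLS disabled).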

Fluentd

# fluent-package 5 (LTS)
curl -fsSL https://toolbelt.treasuredata.com/sh/install-redhat-fluent-package5-lts.sh | sh

Check that the Fluentd config file is valid: fluentd --dry-run -c fluent.conf

systemctl start fluentd.service
# edit /usr/lib/systemd/system/fluentd.service so that it runs as root

Edit the config file

vim /etc/fluent/fluentd.conf
<source>
  @type tail
  format /^(?<all>.*)$/
  path /var/log/nginx/access.log*
  #pos_file /home/fluentd/nginx-access.pos
  tag nginx.access
</source>


<match nginx.access>
  @type elasticsearch
  host 127.0.0.1
  port 9200
  flush_interval 5s
  logstash_format true
  logstash_prefix nginx-access
  scheme http
  user test
  password 123456
</match>


# Open http://172.12.1.150:5601/app/management/kibana/dataViews
# The nginx data set now shows up when creating a data view in Kibana

Multiline matching

<source>
  @type tail
  path /path/to/java.log
  pos_file /var/log/fluentd/java.log.pos
  tag java.logs
  <parse>
    @type multiline
    format_firstline /^\d{4}-\d{2}-\d{2}/
    format1 /^(?<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?<message>.*)$/
    multiline_start_regexp /^\d{4}-\d{2}-\d{2}/
  </parse>
</source>
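To see what this `<parse>` block does to a Java log that contains a stack trace, here is an added Python example (not part of the original notes, not Fluentd's code) that applies the same `format_firstline` and `format1` patterns to a constructed log. It mimics Fluentd's multiline parser, which joins the lines of one record with newlines and matches the combined format with Ruby's MULTILINE flag (so `.` spans newlines), hence `re.S` here; the sample log and the record-boundary handling are assumptions of this example.

```python
import re

# Patterns copied from the <parse> block in the notes above.
FIRSTLINE = re.compile(r"^\d{4}-\d{2}-\d{2}")
# re.S mirrors Ruby's MULTILINE flag used by Fluentd's multiline parser:
# '.' also matches '\n', so <message> keeps the whole stack trace.
FORMAT1 = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<message>.*)$", re.S)

def group_records(lines):
    """A line matching FIRSTLINE starts a record; every other line is appended
    to the current record. Lines seen before the first header are dropped."""
    records, current = [], []
    for line in lines:
        if FIRSTLINE.match(line):
            if current:
                records.append("\n".join(current))
            current = [line]
        elif current:
            current.append(line)
    if current:  # Fluentd emits the last record after multiline_flush_interval (5s by default)
        records.append("\n".join(current))
    return records

def parse_log(text):
    """Return one dict per record; a record that does not match format1 is
    kept with timestamp None rather than silently dropped."""
    out = []
    for rec in group_records(text.splitlines()):
        m = FORMAT1.match(rec)
        out.append(m.groupdict() if m else {"timestamp": None, "message": rec})
    return out

# Constructed sample: two plain lines around one exception with a stack trace.
SAMPLE = """\
2024-03-01 12:00:01 INFO  Starting app
2024-03-01 12:00:02 ERROR Unhandled exception
java.lang.NullPointerException: boom
\tat com.example.Foo.bar(Foo.java:42)
2024-03-01 12:00:03 INFO  Recovered
"""

if __name__ == "__main__":
    for rec in parse_log(SAMPLE):
        print(rec)
```

The ERROR record arrives in Elasticsearch as one document whose message field holds the exception and the `at ...` frames, instead of three unrelated lines.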