
Log collection ===> EFK deployment + supervisor management

Date: 2023-06-16
I. ES cluster deployment (three nodes)

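#1. Download
# Note: this URL is the GitHub source archive for the tag; the steps below assume
# the binary distribution tarball elasticsearch-6.8.12.tar.gz is present in /opt.
cd /opt
wget https://github.com/elastic/elasticsearch/archive/refs/tags/v6.8.12.tar.gz

#2. Extract
mkdir -p /data/ota_soft/
tar xf elasticsearch-6.8.12.tar.gz -C /data/ota_soft/
mkdir -p /data/ota_soft/elasticsearch-6.8.12/data
mkdir -p /data/ota_soft/elasticsearch-6.8.12/logs

#3. Create the configuration file
vim /data/ota_soft/elasticsearch-6.8.12/config/elasticsearch.yml
cluster.name: ota-es-cluster
path.data: /data/ota_soft/elasticsearch/data
path.logs: /data/ota_soft/elasticsearch/logs
bootstrap.memory_lock: true
network.host: 192.168.100.128   # change to this node's own IP
http.port: 9200
transport.tcp.port: 9300
discovery.zen.ping.unicast.hosts: ["master1","slave1","slave2"]   # these aliases must be defined (see step 4)
discovery.zen.minimum_master_nodes: 2
bootstrap.system_call_filter: false
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

Configuration notes:
# If ES ends up using swap as memory, performance becomes very poor, so disabling swap is recommended.
# sysctl vm.swappiness=1
# Note: this only keeps the kernel from swapping under normal conditions; it will still swap in an emergency.
# Setting bootstrap.memory_lock: true uses Linux mlockall to lock memory and prevent swapping.
# Besides the ES setting above, you usually also need the following in /etc/security/limits.conf
# (the full lines, with the user name, are in step 13):
#   hard memlock unlimited
#   soft memlock unlimited
# bootstrap.system_call_filter: CentOS 6 does not support SecComp, while ES 5.2.0 defaults
# bootstrap.system_call_filter to true and checks for it, so the check fails and ES cannot start.
# Fix: set bootstrap.system_call_filter to false in elasticsearch.yml.
# This turns off the seccomp sandbox, so only set it on kernels without SecComp support.

#4. Add the aliases used in the configuration file to /etc/hosts (change to your own IPs)
vim /etc/hosts
192.168.100.128 master1
192.168.100.129 slave1
192.168.100.131 slave2

#5. Cluster security authentication (run on one node)
# Create the keystore (this creates elasticsearch.keystore in the config directory)
/data/ota_soft/elasticsearch-6.8.12/bin/elasticsearch-keystore create

#6. Create the CA certificate (you are prompted for a path and a password; both can be left empty by pressing Enter)
cd /data/ota_soft/elasticsearch-6.8.12/bin/
/data/ota_soft/elasticsearch-6.8.12/bin/elasticsearch-certutil ca
# When this finishes, elastic-stack-ca.p12 has been generated (in bin if no location was given)

#7. Create the key
/data/ota_soft/elasticsearch-6.8.12/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
# When prompted for the password you just set, enter it; where a path is requested, just press Enter
# (leaving it empty is recommended). This generates the file elastic-certificates.p12

#8. Verify the created certificates
# In theory there should now be two p12 files in the bin directory
ls | grep 'p12'
elastic-certificates.p12
elastic-stack-ca.p12

#9. Create the directory that holds the key material, matching the configuration file
mkdir /data/ota_soft/elasticsearch-6.8.12/config/certs

#10. Copy the certificate (all nodes)
# Local copy
cp elastic-certificates.p12 /data/ota_soft/elasticsearch-6.8.12/config/certs/
# On the other two nodes
mkdir -p /data/ota_soft/elasticsearch-6.8.12/config/certs
# From this node, push with scp (change to your own IPs)
scp elastic-certificates.p12 root@192.168.100.129:/data/ota_soft/elasticsearch-6.8.12/config/certs/
scp elastic-certificates.p12 root@192.168.100.131:/data/ota_soft/elasticsearch-6.8.12/config/certs/
# After pushing, check the ownership of the received certificate (check and fix on the two receiving nodes)
chown -R ota:wheel /data/ota_soft/elasticsearch/

#11. Add the certificate password on all nodes (skip this if no password was set when the certificate was created)
bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

#12. Create an unprivileged user to run the service
# Any user will do, as long as it has permission to start ES
# Note: wheel is commonly the sudo/su group; a dedicated group keeps the service account least-privileged.
useradd ota -g wheel
ln -s /data/ota_soft/elasticsearch-6.8.12/ /data/ota_soft/elasticsearch
chown -R ota:wheel /data/ota_soft/elasticsearch-6.8.12/

#13. Tune system parameters (all three machines)
cat << 'EOF' >> /etc/security/limits.conf
ota soft memlock unlimited
ota hard memlock unlimited
ota soft nofile 165535
ota hard nofile 165535
ota soft nproc 4096
ota hard nproc 4096
EOF
# Raise the kernel maximums
cat << 'EOF' >> /etc/sysctl.conf
vm.max_map_count = 262155
vm.swappiness = 1
EOF
# Memory locking: set the size of the memory to lock (the JVM heap)
vim /data/ota_soft/elasticsearch/config/jvm.options
# initial (minimum) heap size
-Xms256m
# maximum heap size
-Xmx256m
# Apply the sysctl settings
sysctl -p

# Install Java
yum install java-1.8.0* -y
java -version
# (manual install instead: tar xf jdk-8u191-linux-x64.tar.gz && mv jdk1.8.0_191 jdk && cp -R jdk /data/ota_soft/)
# Add environment variables (not needed with the yum install; needed for a manual install)
vim /etc/profile
JAVA_HOME=/data/ota_soft/jdk
PATH=$JAVA_HOME/bin:$PATH
CLASSPATH=$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
export JAVA_HOME
export PATH
export CLASSPATH
source /etc/profile

#14. Start
su ota -c "/data/ota_soft/elasticsearch/bin/elasticsearch -d"

#15. Set the passwords for the Elastic Stack built-in users (must match the password in the Kibana configuration file below [123])
su ota -c "/data/ota_soft/elasticsearch/bin/elasticsearch-setup-passwords interactive"
# (Friendly tip) You have to type the password many, many times, so it is best not to make it too complex.
# elasticsearch-setup-passwords auto generates random passwords instead, which avoids the retyping.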
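A local check for step 10's reminder to verify the pushed certificate, added here as an example (not code from the original page): it reports wrong ownership, access bits beyond the owner, and a copy that differs from the generating node's file. The function name, the expected uid and the reference digest are assumptions, and the sample file is a constructed placeholder.

```python
import hashlib
import os
import stat
import tempfile

def audit_p12(path, expected_uid, reference_sha256=None):
    """Return findings for one node's copy of elastic-certificates.p12."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    # The p12 holds the node's private key; with verification_mode: certificate
    # nodes are trusted by CA signature alone (no hostname check).
    if mode & 0o077:
        findings.append(f"mode {mode:04o} grants access beyond the owner")
    if reference_sha256 is not None:
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        if digest != reference_sha256:
            findings.append("content differs from the generating node's copy")
    return findings

def demo():
    """Constructed stand-in; on a real node pass config/certs/elastic-certificates.p12."""
    blob = b"constructed placeholder, not a real PKCS#12 file"
    ref = hashlib.sha256(blob).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "elastic-certificates.p12")
        with open(path, "wb") as fh:
            fh.write(blob)
        os.chmod(path, 0o644)            # a common result of a plain scp
        loose = audit_p12(path, os.getuid(), ref)
        os.chmod(path, 0o600)
        tight = audit_p12(path, os.getuid(), ref)
        tampered = audit_p12(path, os.getuid(), "0" * 64)
    return loose, tight, tampered

if __name__ == "__main__":
    for result in demo():
        print(result)
```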

II. Managing ES with supervisor

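#1. Install supervisor
# Install the EPEL yum repository first; some yum repositories report that there is no supervisor package, in which case use this command
yum install -y epel-release
yum install -y supervisor

#2. Edit the configuration file
vim /etc/supervisord.conf
# In the [supervisord] section, raise the limits that child processes inherit
# (minfds and minprocs are [supervisord] settings, not [program:x] settings):
minfds=65535
minprocs=4096
# Change the last lines to:
[include]
files = supervisord.d/*.conf

#3. Put Elasticsearch under supervisord monitoring
cat << 'EOF' > /etc/supervisord.d/elasticsearch.conf
[program:elasticsearch]
command=/data/ota_soft/elasticsearch/bin/elasticsearch
user=ota
numprocs=1
priority=1
autostart=true
startretries=3
autorestart=true
stopasgroup=true
killasgroup=true
redirect_stderr=true
EOF

#4. Start supervisor
systemctl start supervisord
systemctl enable supervisord

#5. Whenever a configuration file changes, supervisor has to reload it
supervisorctl update   # or: supervisorctl reload

#6. Start ES
supervisorctl start elasticsearch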

III. Filebeat deployment

Deploy Filebeat on every host that has logs, to collect them.

#1. Download
#2. Extract
mkdir -p /data/ota_soft/
tar xf filebeat-6.8.12-linux-x86_64.tar.gz -C /data/ota_soft/
ln -sf /data/ota_soft/filebeat-6.8.12-linux-x86_64 /data/ota_soft/filebeat

#3. Edit the configuration file (collecting multiple logs)
# Remember to change hosts in the configuration file and to adjust the log file paths
vim /data/ota_soft/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /data/logs/api1/*.log
  fields:
    log_type: api1-info
  fields_under_root: true
- type: log
  enabled: true
  paths:
    - /data/logs/api2/*.log
  fields:
    log_type: api2-info
  fields_under_root: true
- type: log
  enabled: true
  paths:
    - /data/logs/api3/*.log
  fields:
    log_type: api3-info
  fields_under_root: true
# Error logs: lines that do not start with a timestamp are appended to the previous event
# log_type must match the when.contains value under output.elasticsearch.indices exactly
- type: log
  enabled: true
  paths:
    - /data/logs/api1/error/*.log
  fields:
    log_type: api1-error
  fields_under_root: true
  multiline.pattern: '^\d+-\d+-\d+\s\d+:\d+:\d+.*'
  multiline.negate: true
  multiline.match: after
- type: log
  enabled: true
  paths:
    - /data/logs/api2/error/*.log
  fields:
    log_type: api2-error
  fields_under_root: true
  multiline.pattern: '^\d+-\d+-\d+\s\d+:\d+:\d+.*'
  multiline.negate: true
  multiline.match: after
- type: log
  enabled: true
  paths:
    - /data/logs/api3/error/*.log
  fields:
    log_type: api3-error
  fields_under_root: true
  multiline.pattern: '^\d+-\d+-\d+\s\d+:\d+:\d+.*'
  multiline.negate: true
  multiline.match: after

setup.template.settings:
  index.number_of_shards: 3
  index.number_of_replicas: 1

output.elasticsearch:
  hosts: ["master1:9200","slave1:9200","slave2:9200"]
  username: "elastic"
  password: "123"
  indices:
    - index: "api1-info-%{+yyyy.MM.dd}"
      when.contains:
        log_type: "api1-info"
    - index: "api2-info-%{+yyyy.MM.dd}"
      when.contains:
        log_type: "api2-info"
    - index: "api3-info-%{+yyyy.MM.dd}"
      when.contains:
        log_type: "api3-info"
    - index: "api1-error-%{+yyyy.MM.dd}"
      when.contains:
        log_type: "api1-error"
    - index: "api2-error-%{+yyyy.MM.dd}"
      when.contains:
        log_type: "api2-error"
    - index: "api3-error-%{+yyyy.MM.dd}"
      when.contains:
        log_type: "api3-error"

# Parameter notes
# Set a field on the collected logs:
#   fields:
#     log_type: ota-iov-open-api-info
# Send the logs carrying that field to an index, split by day:
#   - index: "ota-iov-open-api-info-%{+yyyy.MM.dd}"
#     when.contains:
#       log_type: "ota-iov-open-api-info"
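The multiline grouping and index routing configured above, modeled in Python as an added example (not from the original page and not Filebeat's own code). It shows why a multiline.pattern without its backslashes and a log_type that differs from its when.contains value both fail silently; the log lines are constructed and the model is a simplification of Filebeat's behaviour.

```python
import re

# multiline.pattern from the page, with the backslashes the regex needs.
PATTERN = re.compile(r"^\d+-\d+-\d+\s\d+:\d+:\d+.*")
# Default Filebeat 6.x index, used when no entry under `indices` matches.
DEFAULT_INDEX = "filebeat-%{[beat.version]}-%{+yyyy.MM.dd}"
# Same order as output.elasticsearch.indices: the first matching rule wins.
RULES = [(f"api{n}-{kind}", f"api{n}-{kind}-%{{+yyyy.MM.dd}}")
         for kind in ("info", "error") for n in (1, 2, 3)]

def group_multiline(lines, pattern=PATTERN):
    """Simplified model of multiline.negate: true with multiline.match: after:
    a line that does not match the pattern is appended to the previous event."""
    events = []
    for line in lines:
        if pattern.match(line) or not events:
            events.append(line)           # a timestamp starts a new event
        else:
            events[-1] += "\n" + line     # continuation, e.g. a stack frame
    return events

def route(log_type, rules=RULES):
    """Index chosen for an event; when.contains on a string is a substring test."""
    for needle, index in rules:
        if needle in log_type:
            return index
    return DEFAULT_INDEX

# Constructed sample: an error with a Java stack trace, then a second event.
SAMPLE = [
    "2023-06-16 10:00:01 ERROR request failed",
    "java.lang.IllegalStateException: boom",
    "    at com.example.Api.handle(Api.java:42)",
    "2023-06-16 10:00:02 ERROR retry exhausted",
]

if __name__ == "__main__":
    print(group_multiline(SAMPLE))                  # two events
    # With the backslashes lost no line matches, so everything merges into one.
    mangled = re.compile(r"^d+-d+-d+sd+:d+:d+.*")
    print(len(group_multiline(SAMPLE, mangled)))
    # A log_type that differs from its when.contains value misses every rule.
    print(route("api1-error"))
    print(route("api1_error"))
```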

IV. Managing Filebeat with supervisor

#1. Configuration file
vim /etc/supervisord.d/filebeat.conf
[program:filebeat]
command=/data/ota_soft/filebeat/filebeat -e -c /data/ota_soft/filebeat/filebeat.yml
autostart=true
autorestart=true
user=ota

# Fix ownership
chown -R ota:wheel /data/ota_soft/filebeat
chown -R ota:wheel /data/ota_soft/filebeat-6.8.12-linux-x86_64
chown -R ota:wheel /data/logs

# Load the new program definition and start it
supervisorctl update
supervisorctl start filebeat

V. Kibana deployment (single node)

#1. Download
#2. Extract
mkdir -p /data/ota_soft/
mkdir -p /data/logs/kibana
tar xf kibana-6.8.12-linux-x86_64.tar.gz -C /data/ota_soft/
ln -sf /data/ota_soft/kibana-6.8.12-linux-x86_64 /data/ota_soft/kibana
chown -R ota:wheel /data/ota_soft/kibana-6.8.12-linux-x86_64/

#3. Edit the configuration file
vim /data/ota_soft/kibana/config/kibana.yml
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://master1:9200","http://slave1:9200","http://slave2:9200"]
elasticsearch.username: "elastic"
elasticsearch.password: "123"
server.basePath: "/kibana"
# Explanation: server.basePath: "/kibana" is there for nginx and is required behind it; without nginx, comment it out

# Start
nohup /data/ota_soft/kibana/bin/kibana &

# Verify
netstat -nlpt | grep 5601

VI. Managing Kibana with supervisor

#1. Configuration file
vim /etc/supervisord.d/kibana.conf
[program:kibana]
command=/data/ota_soft/kibana/bin/kibana
autostart=true
autorestart=true
user=ota
stdout_logfile=/data/logs/kibana/kibana.log
stderr_logfile=/data/logs/kibana/kibana.log

#2. Ownership
chown -R ota:wheel /data/ota_soft/kibana

#3. Load the new program definition and start it
supervisorctl update
supervisorctl start kibana

#4. Nginx proxy
location /kibana {
    proxy_pass http://ip:5601;
    rewrite ^/kibana/(.*)$ /$1 break;
}

Access:
https://<domain>/kibana/login#?_g=()
http://ip:port/kibana/login#?_g=()
Username / password: elastic/123

