ELK Logging Stack
Agent
In practice we reused the group's existing log-collection capabilities; for an open-source setup, Flume or Filebeat can be introduced instead.
Kafka configuration
1. Partition count: adjust according to the actual consumption throughput.
2. Topic creation: auto-created.
3. Set up a corresponding Kafka management platform for viewing monitoring data, adjusting partition counts, and so on.
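Assuming the standard Kafka CLI tools are available, creating a topic with an explicit partition count, or expanding it later when consumers fall behind, might look like the following sketch (host, topic name, and counts are placeholders, not values from this deployment):

```shell
# Create a topic with an explicit partition count (hypothetical names/counts).
kafka-topics.sh --bootstrap-server host0:9092 \
  --create --topic log.myservice.access --partitions 8 --replication-factor 2

# Partitions can later be increased (never decreased) if consumption lags.
kafka-topics.sh --bootstrap-server host0:9092 \
  --alter --topic log.myservice.access --partitions 16
```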
Topic naming
Naming rule: [business scenario (required)].[source service (required)].[log type (optional)].[zone (optional)]
Pattern: log.${servicename}[.${module}][.${zone}]
Example: log.myservice.access.bj
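The naming rule maps directly onto shell string assembly, with the optional components dropped when unset; the variable values below are illustrative:

```shell
# Assemble a topic name per the rule; module and zone are optional parts.
servicename="myservice"
module="access"   # optional; leave empty to omit
zone="bj"         # optional; leave empty to omit
topic="log.${servicename}${module:+.$module}${zone:+.$zone}"
echo "$topic"     # prints log.myservice.access.bj
```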
Logstash
Installation
Get the latest release from the community: https://www.elastic.co/cn/downloads/logstash
./logstash-7.6.2/config/logstash.conf
input {
  kafka {
    bootstrap_servers => "host0:9092,host1:9092,host2:9092"
    topics => ["aaa","bbb"]
    consumer_threads => 4  # performance tuning knob
    group_id => "logstash"
    decorate_events => true
    codec => plain { charset => "UTF-8" }
  }
}
output {
  elasticsearch {
    hosts => ["http://host0:7000","http://host1:7000","http://host2:7000"]
    index => "%{[@metadata][kafka][topic]}-email100-%{+YYYY.MM}"
    template => "./qiye-log-logstash/config/templates/email100.json"
    template_name => "*email100*"
    template_overwrite => true
    codec => plain { charset => "UTF-8" }
  }
}
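Before (re)starting, the pipeline configuration can be syntax-checked with Logstash's built-in test flag, using the paths from this deployment:

```shell
# Validate the pipeline configuration and exit without starting the pipeline.
./logstash-7.6.2/bin/logstash -f ./logstash-7.6.2/config/logstash.conf --config.test_and_exit
```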
./logstash-7.6.2/config/jvm.options
-XX:+UseConcMarkSweepGC
-XX:CMSInitiatingOccupancyFraction=75
-XX:+UseCMSInitiatingOccupancyOnly
# Performance tuning knobs
-Xms6g
-Xmx6g
./logstash-7.6.2/config/logstash.yml
# Performance tuning knobs
pipeline.workers: 8
pipeline.batch.size: 10000
pipeline.batch.delay: 100
# Automatic config reload
config.reload.automatic: true
config.reload.interval: 60s
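These settings interact: roughly pipeline.workers × pipeline.batch.size events are in flight at once, and each in-flight event occupies heap, which is why the -Xms/-Xmx values above are raised together with the batch size. A back-of-the-envelope sketch (the 2 KB average event size is an assumption for illustration):

```shell
# Estimate in-flight events and their rough memory footprint.
workers=8
batch_size=10000
avg_event_bytes=2048                        # assumed average event size
inflight=$((workers * batch_size))          # events buffered concurrently
heap_mb=$((inflight * avg_event_bytes / 1024 / 1024))
echo "in-flight events: $inflight, rough batch memory: ${heap_mb} MB"
```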
./logstash-7.6.2/config/templates/email100.json
{
  "template": "*email100*",
  "order": 1,
  "settings": {
    "index.number_of_shards": 100,
    "index.number_of_replicas": 1,
    "index.refresh_interval": "30s",
    "analysis": {
      "analyzer": {
        "log_analyzer": {
          "type": "custom",
          "tokenizer": "ik_max_word"
        },
        "search_analyzer": {
          "type": "custom",
          "tokenizer": "ik_max_word",
          "filter": ["remove_letters"]
        }
      },
      "filter": {
        "remove_letters": {
          "type": "keep_types",
          "mode": "exclude",
          "types": ["LETTER"]
        }
      }
    }
  },
  "mappings": {
    "properties": {
      "@timestamp": { "type": "date" },
      "@version": { "type": "text" },
      "message": {
        "type": "text",
        "analyzer": "log_analyzer",
        "search_analyzer": "search_analyzer"
      }
    }
  }
}
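Once the template has been applied, the custom analyzer can be sanity-checked against a concrete index with the _analyze API (the index name below is illustrative; host and port are as configured above):

```shell
# Verify how log_analyzer tokenizes a sample message on a template-created index.
curl -s -X POST "http://host0:7000/log.myservice.access-email100-2020.06/_analyze" \
  -H 'Content-Type: application/json' \
  -d '{"analyzer": "log_analyzer", "text": "user login failed 账号异常"}'
```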
Startup
#!/bin/bash
nohup ./logstash -f ../config/logstash.conf --config.reload.automatic --config.reload.interval 60s --path.data=./qiye-log-logstash/datalg > output.log 2>&1 &
echo $! > .pid
Reload configuration
#!/bin/bash
# SIGHUP makes Logstash reload its pipeline configuration
kill -1 `cat .pid`
Stop
#!/bin/bash
kill -TERM `cat .pid`
Issues
- 429 es_rejected_execution_exception in the error logs means Elasticsearch cannot keep up with the write rate; the Logstash elasticsearch output plugin retries rejected bulk requests, so no data is lost.
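To confirm that the 429s come from write-queue rejections on the ES side, the per-node rejection counters can be inspected through the _cat thread-pool API (host and port as configured above):

```shell
# A steadily growing "rejected" count matches the
# es_rejected_execution_exception symptom described above.
curl -s "http://host0:7000/_cat/thread_pool/write?v&h=node_name,name,active,queue,rejected"
```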
Elasticsearch configuration
Everything is configured directly in the Logstash template, including mappings, analyzers, shard count, and replica count. The shard count must be estimated from the actual log volume; as a rule of thumb, keep each shard under 50 GB.
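The 50 GB-per-shard guideline reduces to simple arithmetic; the daily volume and retention below are assumptions for illustration, not figures from this deployment:

```shell
# Estimate the primary shard count from volume, retention, and shard-size cap.
daily_gb=120        # assumed daily log volume in GB
retention_days=30   # assumed index retention
max_shard_gb=50     # keep each shard under ~50 GB
total_gb=$((daily_gb * retention_days))
shards=$(( (total_gb + max_shard_gb - 1) / max_shard_gb ))   # ceiling division
echo "estimated primary shards: $shards"
```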
Kibana configuration
Installation
Get the latest release from the community: https://www.elastic.co/cn/downloads/kibana
Configuration
./kibana-7.6.1-linux-x86_64/config/kibana.yml
server.port: 5601
server.host: "10.200.xxx"
server.name: "10.200.xxx"
elasticsearch.hosts: ["http://eshost:7000"]
i18n.locale: "zh-CN"
# context path for external access
server.basePath: "/log/kibana"
# strip the context path from incoming requests
server.rewriteBasePath: true
Startup:
#!/bin/bash
nohup ./kibana-7.6.1-linux-x86_64/bin/kibana >out.log 2>&1 &
echo $! > .pid
Stop:
#!/bin/bash
kill -9 `cat .pid`
Index pattern configuration
Configure index patterns in the management UI so that one business line can query across multiple indices.
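Index patterns can also be created through Kibana's saved-objects API rather than the UI; the host and pattern title below are illustrative, and the URL includes the /log/kibana base path configured above:

```shell
# Create an index pattern covering all email100 indices (illustrative values).
curl -s -X POST "http://10.200.xxx:5601/log/kibana/api/saved_objects/index-pattern" \
  -H 'kbn-xsrf: true' -H 'Content-Type: application/json' \
  -d '{"attributes": {"title": "*email100*", "timeFieldName": "@timestamp"}}'
```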
Grafana configuration
Installation
Download from the official site: https://grafana.com/grafana/download
wget https://dl.grafana.com/oss/release/grafana-7.3.7.linux-amd64.tar.gz
tar -zxvf grafana-7.3.7.linux-amd64.tar.gz
Startup configuration
- Default config: /home/appops/grafana-7.3.7/conf/defaults.ini (not recommended to modify)
- Custom config: /home/appops/grafana-7.3.7/conf/custom.ini (remove the leading ";" from a line when enabling it)
Current modifications:
# log output directory
logs = ./grafana-7.3.7/logs
# serve under a context path
root_url = %(protocol)s://%(domain)s:%(http_port)s/app/grafana/
serve_from_sub_path = true
# request logging
router_logging = true
# data-proxy logging
logging = true
# initial admin account/password
admin_user = xxx
admin_password = xxx
# other log settings
mode = file
level = info
Dashboard configuration
1. Add a data source. Entry: http://$host/app/grafana/datasources
   Currently an Elasticsearch data source: configure the ES address (http://localhost:9200), Basic authentication (username + password), and the corresponding ES index name. Select ES version 7.0+. Finally verify index access with Save & Test.
2. Create a dashboard: http://$host/app/grafana/dashboard/new?orgId=1
3. Create the individual panels, selecting the required data source.
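Step 1 can also be scripted against Grafana's HTTP API instead of the UI; the admin credentials, data source name, and index pattern below are placeholders:

```shell
# Register an Elasticsearch data source via the Grafana HTTP API
# (xxx:xxx stands in for the admin account configured in custom.ini).
curl -s -X POST "http://xxx:xxx@$host:3000/api/datasources" \
  -H 'Content-Type: application/json' \
  -d '{
        "name": "es-logs",
        "type": "elasticsearch",
        "url": "http://localhost:9200",
        "access": "proxy",
        "basicAuth": true,
        "database": "*email100*",
        "jsonData": { "esVersion": 70, "timeField": "@timestamp" }
      }'
```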