Skip to main content

elk 安装 bothub配置

· 3 min read

using

    logging:
driver: syslog
options:
syslog-address: 'tcp://10.1.0.123:5000'

修改密码 cant cat /etc/kibana/kibana.yml | grep -B 2 password

sed -ie 's/#elasticsearch.username: "user"/elasticsearch.username: "admin"/g' /etc/kibana/kibana.yml sed -ie 's/#elasticsearch.password: "pass"/elasticsearch.password: "12341234"/g' /etc/kibana/kibana.yml

elk 完整版

login

http://elk.bothub.ai/elk/
user
iruVkQ7L

sender filebeat

install

https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation.html

conf

vi /etc/filebeat/filebeat.yml

filebeat.prospectors:

- input_type: log
document_type: js_error
paths:
- /var/log/nginx/tracking.log

- input_type: log
document_type: laravel_error
paths:
- /var/www/rapture-api/storage/logs/laravel-error-*.log

output.logstash:
enabled: true
hosts: ["10.140.0.3:5044"]

restart

// test ok
filebeat.sh -configtest -e
/etc/init.d/filebeat restart

getter elk

docker

// 修改进程数
sysctl -w vm.max_map_count=262144
sysctl vm.max_map_count

// docker image sebp/elk:540
docker run -p 5601:5601 -p 9200:9200 -p 5044:5044 -it --name elk sebp/elk:540

server {
listen 80;

location / {
## 密码 http auth 密码生成
# htpasswd -c .espasswd user
# cat .espasswd
# user:$apr1$Siq.2MpE$GREX96Q0RgpAYBnB67kKf0
auth_basic "Protected Kibana";
auth_basic_user_file /.espasswd;
proxy_pass http://kibana:5601;
}
}

query

type:nginx_access AND agent: '' -GoogleHC
type:js_error AND err_json.project:"rapture-admin-fe"
fields.appid: 'bitdata-web_php' AND fields.scope:'error'

conf

cd /etc/logstash/conf.d
/opt/bitnami/ctlscript.sh restart logstash

input
{
beats
{
ssl => false
host => "0.0.0.0"
port => 5044
}
gelf
{
host => "0.0.0.0"
port => 12201
}
http
{
ssl => false
host => "0.0.0.0"
port => 8888
}
tcp
{
mode => "server"
host => "0.0.0.0"
port => 5010
}
udp
{
host => "0.0.0.0"
port => 5000
}
}

filter {
if [type] == "nginx_access" {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}
if [type] == "laravel_error" {
grok {
match => { "message" => "\[%{TIMESTAMP_ISO8601:my_logdate}\] %{DATA:env}\.%{DATA:severity}: %{DATA:message_old}$" }
}
mutate {
rename => {
"@timestamp" => "read_timestamp"
"message_old" => "message"
}
}
date {
match => [ "my_logdate", "yyyy-MM-dd HH:mm:ss" ]
remove_field => "my_logdate"
timezone => "Asia/Shanghai"
}
}
if [type] == "js_error" {
grok {
match => { "message" => "\] \"%{DATA:request}\" \"%{DATA:agent}\" \"%{DATA:extra_fields}\"$" }
}
mutate {
gsub => [
"extra_fields", "\"","",
"extra_fields", "\\x0A","",
"extra_fields", "\\x22",'\"',
"extra_fields", "(\\)",""
]
}
json {
source => "extra_fields"
target => "err_json"
remove_field => ["message", "extra_fields"]
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}
}

output
{
// file { path => "/log_test/test-%{type}-%{+YYYY.MM.dd}.log" } // 调试用
if "_grokparsefailure" in [tags] {
file { path => "/log_test/error-%{type}-%{+YYYY.MM.dd}.log" }
}

elasticsearch
{
hosts => ["localhost"]
index => "logstash-%{+YYYY.MM.dd}"
}

}