Elastic Stack (ELK Stack)


yum源

# /etc/yum.repos.d entry for the Elastic 6.x packages.
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
# Keep gpgcheck=1: the RPM signature check against the Elastic key below is the
# integrity control for these packages (HTTPS only authenticates the server).
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

下载安装

yum install java-1.8.0-openjdk-devel
服务器安装(端口):Elasticsearch(9200),Kibana(5601),Logstash(5044)
https://www.elastic.co/downloads
# Enable the three stack services at boot.
for svc in elasticsearch logstash kibana; do
  systemctl enable "$svc"
done
vi /etc/elasticsearch/elasticsearch.yml
# /etc/elasticsearch/elasticsearch.yml (single node)
node.name: wl-es01
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
# NOTE(review): binds on every interface, and nothing on this page enables
# authentication or TLS on 9200 — anyone who can reach the port can read, write
# and delete every index. Bind to the interface the beats/Kibana hosts use, or
# restrict 9200 with a firewall allow-list, before enabling the service.
network.host: 0.0.0.0
http.port: 9200
# Off by default because a pathological regex in a script can pin a CPU; only
# keep this on if the people writing scripted fields are trusted.
script.painless.regex.enabled: true






vi /etc/kibana/kibana.yml
# /etc/kibana/kibana.yml
# NOTE(review): listens on all interfaces with no authentication configured on
# this page, so Kibana is an open UI over the equally open cluster.
server.host: "0.0.0.0"
# plain http to the cluster: acceptable on a trusted LAN only
elasticsearch.url: "http://10.200.78.67:9200"
elasticsearch.requestTimeout: 120000
#i18n.defaultLocale: "cn"
# Map tiles fetched by every browser from a third party over plain http: the
# viewed coordinates leak to the tile provider, and the requests will be
# blocked as mixed content if Kibana is ever served over https.
tilemap.url: 'http://webrd02.is.autonavi.com/appmaptile?lang=zh_cn&size=1&scale=1&style=7&x={x}&y={y}&z={z}'






es-jvm.options
## /etc/elasticsearch/jvm.options — heap. Xms and Xmx must stay equal.
#-Xms1g
#-Xmx1g
## NOTE(review): 48g is above the ~31 GB point at which the JVM stops using
## compressed object pointers; Elastic's guidance is to stay below that
## threshold and at no more than half of physical RAM (the rest is filesystem
## cache). Check the host's RAM and the "compressed ordinary object pointers"
## line in the ES log before keeping this value.
-Xms48g
-Xmx48g
## GC configuration
#-XX:+UseConcMarkSweepGC
#-XX:CMSInitiatingOccupancyFraction=75
#-XX:+UseCMSInitiatingOccupancyOnly
## G1 instead of the default CMS; pause target is a goal, not a guarantee
-XX:+UseG1GC
-XX:MaxGCPauseMillis=200






# Update the filter plugins used by the pipelines below, in the same order.
for plugin in grok geoip useragent date mutate; do
  /usr/share/logstash/bin/logstash-plugin update "logstash-filter-$plugin"
done






vi /etc/logstash/conf.d/gameclient.conf
# Smoke-test pipeline: prints whatever Filebeat sends to stdout; nothing is indexed.
input {
  beats {
    # NOTE(review): plain TCP, no ssl => true / client certificates on this page:
    # any host that can reach 5044 can inject events into the pipeline.
    port => 5044
  }
}
output{
  stdout{
    codec => rubydebug
  }

}

/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/gameclient.conf






./logstash-plugin install logstash-input-mongodb
./logstash-plugin install logstash-filter-xml

vi /etc/logstash/conf.d/mongodb
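# MongoDB -> Elasticsearch: copies the msgCont collection into the im_message
# index, extracting the text nodes of each XML message body.
# NOTE(review): the file has no .conf suffix; the 6.x service default loads
# conf.d/*.conf, so it will only run when started explicitly with -f.
input {
  mongodb {
    # Fix: the connection string (including username and password) was
    # hard-coded in this file. It is now read from MONGODB_URI, which Logstash
    # 6.x resolves from the keystore (6.2+: bin/logstash-keystore add
    # MONGODB_URI) or the environment, and refuses to start if it is unset.
    uri => "${MONGODB_URI}"
    # presumably the plugin's position-tracking sqlite file; keep it on
    # persistent disk or the collection is re-read from the start — TODO confirm
    placeholder_db_dir => '/opt/logstash-mongodb/'
    placeholder_db_name =>'test.db'
    collection => 'msgCont'
    batch_size => 1000
    generateId => true
  }
}

filter {

  mutate {
        rename => ["_id", "uid"]
    }

  # store_xml => false: only the xpath result is added, not the parsed tree
  xml {
       source => "msg"
       store_xml => false
       xpath => {"/message/*/*/text()" => "msg-content"}
   }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "im_message"
  }
}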






vi /etc/logstash/conf.d/beats-nginx.conf
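# Nginx access-log pipeline: Filebeat -> grok -> date/useragent/geoip -> ES.
input {
  beats {
    # NOTE(review): no ssl/client-certificate settings on this page; any host
    # that can reach 5044 can feed events into the nginx-* indices.
    port => 5044
  }
}
filter {
  grok {
    # Custom nginx log_format with $http_x_forwarded_for and $request_time
    # appended to the combined format.
    # Fix: the quote before request_time was a typographic “ rather than \",
    # so real log lines never matched and every event got _grokparsefailure.
    # NOTE(review): IPORHOST will not match a comma-separated proxy chain in
    # X-Forwarded-For — confirm what nginx actually writes for that field.
    match => { "message" => "%{IPORHOST:remote_addr} - (%{USERNAME:remote_user}|-) \\[%{HTTPDATE:time_local}\\] (%{IPORHOST:http_host}|-) \\"%{WORD:method} %{DATA:request_url} HTTP/%{NUMBER:http_version}\\" %{NUMBER:response_code} %{NUMBER:body_sent} \\"%{DATA:referrer}\\" \\"%{DATA:user_agent}\\" \\"%{IPORHOST:x_forwarded_for}\\" \\"%{NUMBER:request_time}\\"" }
    remove_field => "message"
  }
  date {
    # HTTPDATE carries its own offset (the trailing Z), so timezone below only
    # applies if that part is missing; the other pipelines on this page use
    # +08:00 — confirm which zone these servers log in.
    match => [ "time_local", "dd/MMM/YYYY:HH:mm:ss Z" ]
    target => "@timestamp"
    timezone => "-04:00"
    }
  useragent {
    regexes => "/etc/logstash/regexes.yaml"
    target => "ua"
    source => "user_agent"
  }
  mutate {
    convert => { "response_code" => "integer" }
    convert => { "body_sent" => "integer" }
    convert => { "request_time" => "float" }
  }
  # Geo-locate public addresses only. X-Forwarded-For is supplied by the client
  # unless nginx only trusts a known upstream proxy, so geoip/client_addr are
  # informational and must never feed an access decision.
  # Fix: "100.64" had an unescaped dot and covered only 100.64.0.0/16; the
  # shared-address block is 100.64.0.0/10 (100.64 - 100.127).
  if [x_forwarded_for] !~ "^127\\.|^192\\.168\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[01]\\.|^10\\.|^100\\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\\." {
      geoip {
          source => "x_forwarded_for"
          target => "geoip"
          fields => ["city_name","region_name","country_name","location"]
      }
  # client_addr = "country[,region][,city]" built from whatever geoip returned;
  # the component fields are dropped afterwards, only location remains.
  if ! [geoip][region_name] and ! [geoip][city_name] {
      mutate {
          add_field => { "client_addr" => "%{[geoip][country_name]}" }
      }
  }
  else if ! [geoip][city_name] {
      mutate {
          add_field => { "client_addr" => "%{[geoip][country_name]},%{[geoip][region_name]}" }
      }
  }
  else if ! [geoip][region_name] {
      mutate {
          add_field => { "client_addr" => "%{[geoip][country_name]},%{[geoip][city_name]}" }
      }
  }
  else {
      mutate {
          add_field => { "client_addr" => "%{[geoip][country_name]},%{[geoip][region_name]},%{[geoip][city_name]}" }
      }
  }
  mutate {
      remove_field => ["[geoip][country_name]","[geoip][region_name]","[geoip][city_name]"]
}
}
}
output {
  elasticsearch {
    hosts => "localhost:9200"
    # template is installed separately (see the nginx template curl below)
    manage_template => false
    index => "nginx-%{+YYYY.MM.dd}"
#    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}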






vi /etc/logstash/regexes.yaml
https://github.com/ua-parser/uap-core/blob/master/regexes.yaml

  #######################
  # Device entries for ua-parser (the keys are those of uap-core's
  # device_parsers list, see the URL above). NOTE(review): ua-parser uses the
  # first pattern that matches, so place these relative to the stock entries
  # deliberately and keep the broad 'Windows NT' / 'Macintosh' ones after
  # anything more specific.
  - regex: 'iPhone'
    device_replacement: 'iPhone'
    brand_replacement: 'Apple'
    model_replacement: 'iPhone'
  - regex: 'Xiaomi_'
    device_replacement: 'XiaoMi'
    brand_replacement: 'XiaoMi'
    model_replacement: 'XiaoMi'
  #######################



  #######################
  - regex: 'Windows NT'
    device_replacement: 'PC'
    brand_replacement: 'PC'
    model_replacement: 'PC'
  - regex: 'Macintosh\\;'
    device_replacement: 'MAC'
    brand_replacement: 'Apple'
    model_replacement: 'MAC'
  ######################






vi /etc/logstash/conf.d/syslog.conf
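# Juniper firewall syslog -> ES. TCP and UDP share port 10514.
input {
  # NOTE(review): no TLS and no source filtering; UDP in particular accepts
  # spoofed senders, so restrict 10514 to the firewall's address upstream.
  tcp {
    port => 10514
    type => "Juniper"
  }
  udp {
    port => 10514
    type => "Juniper"
  }
}
filter {
    # everything after "reason=" (greedy, may span lines) becomes [reason]
    grok {
    match => { "message" => "reason=(?<reason>([\\s\\S]*))" }
    }
    # only the listed key=value pairs are extracted; unknown keys are ignored,
    # which also keeps a log line from creating arbitrary new index fields
    kv {
        source => "message"
    include_keys => [ "start_time", "src", "src_port", "dst", "dst_port", "sent", "rcvd", "duration", "session_id", "service" ]
#    remove_field => "message"
    }
    date {
        match => [ "start_time", "yyyy-MM-dd HH:mm:ss" ]
        target => "@timestamp"
      timezone => "+08:00"
    }
    mutate {
        convert => { "src_port" => "integer" }
        convert => { "dst_port" => "integer" }
        convert => { "sent" => "integer" }
        convert => { "rcvd" => "integer" }
        convert => { "duration" => "integer" }
    convert => { "session_id" => "integer" }
    }
    # Geo-locate public destinations only.
    # Fix: "100.64" had an unescaped dot and covered only 100.64.0.0/16; the
    # shared-address block is 100.64.0.0/10 (100.64 - 100.127).
    if [dst] !~ "^127\\.|^192\\.168\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[01]\\.|^10\\.|^100\\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\\." {
        geoip {
        source => "dst"
        target => "dstgeoip"
        fields => ["city_name","region_name","country_name"]
        }

    # dstname = "country[,region][,city]"; the dstgeoip object is dropped after
    if ! [dstgeoip][region_name] and ! [dstgeoip][city_name] {
    mutate {
        add_field => { "dstname" => "%{[dstgeoip][country_name]}" }
    }
    }
    else if ! [dstgeoip][city_name] {
        mutate {
            add_field => { "dstname" => "%{[dstgeoip][country_name]},%{[dstgeoip][region_name]}" }
        }
    }
    else if ! [dstgeoip][region_name] {
        mutate {
            add_field => { "dstname" => "%{[dstgeoip][country_name]},%{[dstgeoip][city_name]}" }
        }
    }
    else {
        mutate {
            add_field => { "dstname" => "%{[dstgeoip][country_name]},%{[dstgeoip][region_name]},%{[dstgeoip][city_name]}" }
    }
    }
    mutate {
    remove_field => "dstgeoip"
   }
   }
}
output{
    elasticsearch {
        hosts => "localhost:9200"
        # mapping types are deprecated in 6.x; drop this before moving to 7.x
        document_type => "Juniper"
        index => "juniper-%{+YYYY.MM.dd}"
    }
#    stdout{
#        codec => rubydebug
#    }
}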






# Game-client log pipeline: grok splits a line into timestamp, level, a
# free-form "info" part and a trailing "other" part; both parts are then
# parsed as comma-separated key:value pairs.
input {
  beats {
    # NOTE(review): plain TCP, no ssl/client certificates — any host that can
    # reach 5044 can inject gameclient events.
    port => 5044
    type => "gameclient"
  }
}
filter {
     if [type] == "gameclient" {
          grok {
            match => { "message" => "%{TIMESTAMP_ISO8601:date} \\[%{DATA:level}\\] \\<%{DATA}\\>@%{DATA}\\:%{DATA}\\:%{NUMBER} (?<info>([\\s\\S]*))\\,other\\:(?<other>([\\s\\S]*))" }
          }
          # NOTE(review): field names come straight from the log content with no
          # include_keys allow-list (contrast syslog.conf): if a client can
          # influence the payload it can mint unbounded info_*/other_* fields
          # and blow up the index mapping — confirm whether the payload is
          # client-controlled.
          kv {
            source => "info"
            prefix => "info_"
            field_split => ","
            value_split => ":"
          }
          kv {
            source => "other"
            prefix => "other_"
            # strip the JSON-ish quotes/braces around keys and values
            remove_char_key => "\\"|\\{"
            remove_char_value => "\\"|\\}"
            field_split => ","
            value_split => ":"
          }
          date {
            match => [ "date", "yyyy-MM-dd HH:mm:ss.SSS" ]
            target => "@timestamp"
            timezone => "+08:00"
          }
     }
}
output{
     if [type] == "gameclient" {
        #  stdout{
        #    codec => rubydebug
        #  }
          elasticsearch {
            hosts => "localhost:9200"
            # mapping types are deprecated in 6.x; drop before moving to 7.x
            document_type => "gameclient"
            index => "gameclient-%{+YYYY.MM.dd}"
          }
     }
}






systemctl enable filebeat
vi /etc/filebeat/filebeat.yml

# /etc/filebeat/filebeat.yml — module logs shipped straight to Elasticsearch.
path.home: /usr/share/filebeat
path.config: /etc/filebeat
path.data: /var/lib/filebeat
path.logs: /var/log/filebeat
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
#output.logstash:
#  hosts: ["10.100.77.60:5044"]
# NOTE(review): plain http and no username/password or TLS anywhere on this
# page — the beat can write to any index, and so can anyone else on the LAN.
output.elasticsearch:
  hosts: ["10.100.77.60:9200"]
setup.kibana:
  host: "10.100.77.60:5601"






cd /etc/filebeat
# One-time setup (run from /etc/filebeat, see the cd above).
FILEBEAT=/usr/share/filebeat/bin/filebeat
"$FILEBEAT" setup --template      # push the filebeat index template to ES
"$FILEBEAT" setup --dashboards    # load the bundled Kibana dashboards
"$FILEBEAT" modules enable nginx  # activates modules.d/nginx.yml






vi nginx.yml
# modules.d/nginx.yml — only the access log is collected, from a custom path.
- module: nginx
  # Access logs
  access:
    enabled: true
    # var.paths replaces the module's default access-log location
    var.paths: ["/home/wwwlogs/static.log"]
  # Error logs
  error:
    enabled: false
    #var.paths:
vi /etc/filebeat/filebeat.yml
# /etc/filebeat/filebeat.yml — module logs shipped via Logstash (beats-nginx.conf).
path.home: /usr/share/filebeat
path.config: /etc/filebeat
path.data: /var/lib/filebeat
path.logs: /var/log/filebeat
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
# NOTE(review): no ssl settings; the beats input on 5044 is plain TCP.
output.logstash:
  hosts: ["10.100.77.60:5044"]
#output.elasticsearch:
#  hosts: ["10.100.77.60:9200"]
setup.kibana:
  host: "10.100.77.60:5601"






#实例
cat /etc/filebeat/filebeat.yml    
# /etc/filebeat/filebeat.yml — two plain log inputs tagged by environment.
path.home: /usr/share/filebeat
path.config: /etc/filebeat
path.data: /var/lib/filebeat
path.logs: /var/log/filebeat
#filebeat.config.modules:
#  path: ${path.config}/modules.d/*.yml

# "prospectors" is the pre-6.3 name; 6.3+ calls this filebeat.inputs
filebeat.prospectors:
- type: log
  enabled: true
  paths:
    - /home/huangliang/19090/log/info*
  # fields_under_root puts "type" at the top level of the event, where the
  # Logstash pipelines on this page switch on it
  fields_under_root: true
  fields:
    type: sit

- type: log
  enabled: true
  paths:
    - /home/huangliang/19091/log/info*
#  tags: ["pro"]
  fields_under_root: true
  fields:
    type: pro
#    logs_env: PRO

output.logstash:
  hosts: ["127.0.0.1:5044"]
setup.kibana:
  host: "localhost:5601"






vi /tmp/elasticsearch.template.nginx.json
{
  "index_patterns" : ["nginx*"],
  "mappings" : {
    "doc" : {
      "properties" : {
        "geoip" : {
          "properties" : {
            "location" : {
              "type" : "geo_point"
            }
          }
        }
      }
    }
  }
}

curl -XPUT -H 'Content-Type: application/json' 'http://10.100.77.60:9200/_template/nginx?pretty' -d@/tmp/elasticsearch.template.nginx.json






编辑kibana配置文件kibana.yml,最后面添加:

tilemap.url: 'http://webrd02.is.autonavi.com/appmaptile?lang=zh_cn&size=1&scale=1&style=7&x={x}&y={y}&z={z}'

重启kibana






# Cluster housekeeping — all of it against an unauthenticated cluster (see above).
curl localhost:9200/_cat/indices?v
curl 10.100.77.60:9200/_cat/templates
curl localhost:9200/filebeat-6.0.0-2017.12.01?pretty
curl 'http://localhost:9200/_template/nginx?pretty'
# DANGER: wildcard delete removes every filebeat-* index in one call. 6.x
# permits this unless action.destructive_requires_name: true is set in
# elasticsearch.yml — set it so a typo cannot wipe the cluster.
curl -XDELETE 'http://localhost:9200/filebeat-*'
curl localhost:9200/gameclient-2018.03.08/?pretty
curl http://10.100.77.60:9200/nginx-2017.12.01/_search?pretty






curl -H "Content-Type: application/json" -XGET localhost:9200/gameclient-2018.06.10/doc/_search -d '{"query":{"match":{"gameName":{"query":"2277"}}}}'






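# Rename gameName 2277 -> "6666" in one index.
# Fix: the original wrote gameName='6666' inside a single-quoted shell string,
# so the shell removed the inner quotes and Painless received gameName=6666 —
# an integer, not the string '6666'. The value now travels in params, so the
# script text is constant (compiled once, no script-compilation-rate pressure)
# and the value cannot change what the script does.
curl -H "Content-Type: application/json" -XPOST localhost:9200/gameclient-2018.06.10/doc/_update_by_query -d '{"query":{"match":{"gameName":{"query":"2277"}}},"script":{"inline":"ctx._source.gameName = params.last","params":{"last":"6666"},"lang":"painless"}}'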






# Same rename with the new value passed via params — the right pattern: the
# script source stays constant and user-supplied text never becomes code.
curl -H "Content-Type: application/json" -XPOST localhost:9200/gameclient-2018.06.10/doc/_update_by_query -d '{"query":{"match":{"gameName":{"query":"2277"}}},"script":{"inline":"ctx._source.gameName = params.last","params": {"last": "金球争霸"},"lang":"painless"}}'






cat ch.sh
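#!/bin/bash
# Bulk rename of gameName values.
# For every "<id> <name>" line in list.txt, run an _update_by_query against
# every index named in gamedate.txt, replacing gameName == <id> with <name>.
# Fixes vs. the original: id/name were spliced raw into the JSON body, so a
# name with a quote or backslash produced a broken request (or a different
# query); names were cut at the first space by awk '{print $2}'; variables
# were unquoted. The body is now built by python3's json module.
set -x
ES="10.200.77.45:9200"

# json_body <id> <name>: print the _update_by_query request body with both
# values correctly JSON-escaped. The new value goes through params, so the
# Painless script text never changes.
json_body() {
  python3 -c 'import json, sys
print(json.dumps({
    "query": {"match": {"gameName": {"query": sys.argv[1]}}},
    "script": {"inline": "ctx._source.gameName = params.last",
               "params": {"last": sys.argv[2]},
               "lang": "painless"},
}, ensure_ascii=False))' "$1" "$2"
}

while read -r id name; do
  [ -z "$id" ] && continue          # skip blank lines
  body=$(json_body "$id" "$name")   # name keeps everything after the id
  while read -r index; do
    [ -z "$index" ] && continue
    curl -H "Content-Type: application/json" -XPOST "$ES/$index/doc/_update_by_query" -d "$body"
    echo ""
  done < gamedate.txt
done < list.txt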






#!/usr/local/bin/python3
# -*- coding:utf-8 -*-
import time
from datetime import datetime
import sys
from elasticsearch import Elasticsearch
from elasticsearch.helpers import bulk
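def set_mapping(es, index_name = "pointlogs", doc_type_name = "point"):
    """Create ``index_name`` and install the mapping for ``doc_type_name``.

    The field definitions are written once and reused for both the index
    creation body and the put_mapping body, so the two cannot drift apart
    (the original carried two hand-maintained copies).

    Args:
        es: an ``Elasticsearch`` client, or anything exposing
            ``indices.create(index, body)`` and
            ``indices.put_mapping(index, doc_type, body, ignore)``.
        index_name: index to create.
        doc_type_name: 6.x mapping type; the 6.x client still requires it.

    Raises:
        Whatever ``es.indices.create`` raises — notably when the index
        already exists; ``put_mapping`` ignores HTTP 400, so re-running the
        script fails only at the create call.
    """
    properties = {
        "@timestamp": {"type": "date"},
        "x": {"type": "integer"},
        "y": {"type": "float"},
        "z": {"type": "text"},
    }
    create_body = {"mappings": {doc_type_name: {"properties": properties}}}
    mapping_body = {"properties": properties}
    create_index = es.indices.create(index=index_name, body=create_body)
    # ignore=400 also hides a rejected mapping; neither call's "acknowledged"
    # flag is checked here (the original had that check commented out).
    mapping_index = es.indices.put_mapping(
        index=index_name, doc_type=doc_type_name, body=mapping_body, ignore=400
    )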
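def set_data(es, input_file, index_name = "pointlogs", doc_type_name="point"):
    """Stream one float per line from ``input_file`` into Elasticsearch.

    Each non-blank line becomes a document ``{"@timestamp", "x", "y", "z"}``
    where ``x`` is the 0-based line number (blank lines still count),
    ``y`` the parsed float and ``z`` a fixed source tag. Actions are sent
    with the bulk helper in batches of ``BATCH``; the final partial batch is
    flushed at end of file. A running count is printed after each flush.

    Fixes vs. the original: blank/trailing lines no longer abort the run
    (``float("")`` raised ValueError), and the timestamp carries the host's
    real UTC offset instead of a hard-coded ``+0800``.

    Args:
        es: ``Elasticsearch`` client passed to ``bulk``.
        input_file: path to a text file with one float per line.
        index_name: target index.
        doc_type_name: 6.x mapping type written as ``_type``.

    Raises:
        ValueError if a non-blank line is not a float;
        the bulk helper's error (``raise_on_error=True``) if ES rejects a doc.
    """
    BATCH = 100000
    actions = []
    total = 0

    def flush():
        # send what we have and reset; bulk returns (success_count, errors)
        nonlocal actions, total
        ok, _ = bulk(es, actions, index=index_name, raise_on_error=True)
        total += ok
        actions = []

    with open(input_file, 'r') as fd:
        for num, line in enumerate(fd):
            if not line.strip():
                continue
            actions.append({
                "_index": index_name,
                "_type": doc_type_name,
                "_source": {
                    # naive local time -> aware local time (Python 3.6+), so %z
                    # is the machine's actual offset
                    "@timestamp": datetime.now().astimezone().strftime("%Y-%m-%dT%H:%M:%S.%f%z"),
                    "x": num,
                    "y": float(line),
                    "z": "10w.txt",
                },
            })
            if len(actions) == BATCH:
                flush()
                print("insert %s lines" % total)
        flush()
        print("ALL insert %s lines" % total)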
if __name__ == '__main__':
    # Plain http to the local node, no credentials (matches the cluster setup
    # on this page). timeout is seconds in elasticsearch-py, so 5000 is ~83 min
    # per request — presumably sized for the 100k-action bulk calls.
    es = Elasticsearch(hosts=["127.0.0.1:9200"], timeout=5000)
    set_mapping(es)
    # argv[1]: path to the file with one float per line
    set_data(es,sys.argv[1])






vi /etc/elasticsearch/elasticsearch.yml
script.painless.regex.enabled: true






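// Kibana scripted field: the leading word of ua.device when the value has the
// shape "word<space>rest" (e.g. "iPhone" from "iPhone 8"), else the string
// "null". Needs script.painless.regex.enabled: true (see elasticsearch.yml).
// Fix: documents without ua.device.keyword made .value throw and the whole
// query fail; they now fall through to "null" like a non-matching value.
if (doc['ua.device.keyword'].size() == 0) {
   return "null"
}
def m = /^(\\w+)\\ .*$/.matcher(doc['ua.device.keyword'].value);
if ( m.matches() ) {
   return m.group(1)
} else {
   return "null"
}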






{
  "query": {
    "regexp": {
      "userID": "[0-9].+"
    }
  }
}
---
{
  "query": {
    "prefix": {
      "userID": "demo"
    }
  }
}






# Back up Kibana's saved objects (index patterns, visualizations, dashboards):
# mapping first, then data, so the restore below can replay them in that order.
cd /root/node_modules/elasticdump/bin/
./elasticdump --input=http://localhost:9200/.kibana --output=kibana_mapping.json --type=mapping
./elasticdump --input=http://localhost:9200/.kibana --output=kibana.json --type=data






# Restore the Kibana saved objects dumped above, mapping before data.
# NOTE(review): this writes straight into the live .kibana index; objects with
# the same _id are overwritten, and the dump must come from the same Kibana
# major version — confirm before running against a working instance.
cd /root/node_modules/elasticdump/bin/
./elasticdump --input=kibana_mapping.json --output=http://localhost:9200/.kibana --type=mapping
./elasticdump --input=kibana.json --output=http://localhost:9200/.kibana --type=data






./elasticdump --input=http://localhost:9200/gameclient-2018.06.30 --output=gameclient-2018.06.30-2.json --type=data --limit 10000